
Migrate ProtonMail to Fastmail (2026 Guide)

Move ProtonMail mailboxes to Fastmail via the ProtonMail Bridge IMAP gateway, with folder mapping and DNS cutover steps that preserve labels.


Dan Okafor

MSP Practice Lead

Reviewed by Alex Kerr

ProtonMail to Fastmail is a migration between two privacy-leaning providers, but the mechanics are unusual because ProtonMail doesn't expose IMAP directly. Every message lives encrypted on Proton's servers, and the only way to get them out at scale is via the ProtonMail Bridge — a local app that decrypts on your machine and re-exposes the mailbox as a localhost IMAP server. The bridge works, but it's slower than direct IMAP and introduces a few specific failure modes that don't exist in normal IMAP-to-IMAP migrations. This guide walks the path with the Bridge-specific notes you'll need.


How Proton Bridge changes the migration

In a standard IMAP migration, a tool connects to the source server and issues IMAP commands, and the server returns messages over the wire. ProtonMail's encryption design breaks this assumption. Messages on Proton's servers are encrypted with your account key — Proton servers can't read them, and neither can any tool connecting directly. The Bridge solves this by running locally:

  1. Bridge authenticates to Proton servers as you.
  2. Bridge pulls encrypted messages to local cache.
  3. Bridge decrypts locally with your stored key.
  4. Bridge exposes the decrypted mailbox as a localhost IMAP server at 127.0.0.1:1143 (default).
  5. Migration tools connect to localhost:1143 as if it were any IMAP server.

This works, but it means:

  • Throughput is bounded by Bridge's decryption rate (typically 5–10 GB per day per mailbox).
  • The migration machine must stay awake and have Bridge running for the duration.
  • Bridge crashes or disconnections halt migration; you need to monitor.
  • Concurrency is limited — Bridge wasn't built for high-parallelism IMAP load.

Bridge generates local-only credentials

The IMAP credentials Bridge gives you (visible in Bridge → settings) are local-only credentials, separate from your ProtonMail web login. They're regenerated each time you reinstall Bridge, and they're tied to the machine. Don't try to use your ProtonMail password as the IMAP password — it won't work. Use the Bridge-generated credentials.

Setting up Proton Bridge

This is the first real step and the one most likely to trip you up.

Install Bridge

Download Bridge from proton.me/mail/bridge. It's available for Windows, Mac, and Linux. Install with admin privileges.

After install, launch Bridge and sign in with your ProtonMail credentials. If you have 2FA enabled (you should), provide the 2FA code. Bridge will store an authentication token on the machine and use that going forward.

Wait for the initial sync

Bridge needs to pull and decrypt the entire mailbox to its local cache before IMAP serves any messages. For a 25 GB mailbox, this initial sync can take 12–24 hours. Don't try to start migration during the initial sync — the migration tool will see an incomplete mailbox.

Watch Bridge's status indicator. It progresses through "Connecting", "Syncing", and finally "Ready". Wait for Ready.

Capture the IMAP credentials

In Bridge → Settings (or your account's row in the Bridge UI), copy the IMAP server, port, username, and password. Default config is:

  • Host: 127.0.0.1
  • Port: 1143
  • Username: your-proton-email@proton.me (or your custom domain)
  • Password: Bridge-generated, NOT your ProtonMail password
  • Security: STARTTLS

If you encounter connection issues here, our fix ProtonMail Bridge connection guide covers common Bridge-specific errors.

Multi-user organizations

Each user needs their own Bridge installation, on their own machine, with their own ProtonMail credentials. There's no admin-side multi-user Bridge — Proton's encryption model makes that impossible. For organizations with 10+ users, this is the biggest scaling challenge of the migration.

The workaround most MSPs use: a single dedicated migration workstation that gets logged into each user's ProtonMail one at a time, runs the migration for that user, then switches to the next. Slow but doable.

Setting up Fastmail

While Bridge is doing its initial sync, get Fastmail ready.

Create accounts

Sign up at fastmail.com. Add user accounts matching the ProtonMail addresses. Verify your custom domain via TXT record. Leave MX pointed at Proton for now.

For storage, plan on Fastmail mailbox sizes being 20–40% larger than ProtonMail because labels become folders and messages with multiple labels get duplicated. If a ProtonMail mailbox is 25 GB, plan for 30–35 GB on Fastmail.

Generate Fastmail app passwords

For each user, log into Fastmail → Settings → Privacy & Security → App Passwords → New App Password. Give it a name like "Migration". Save the generated password — Fastmail shows it once and never again.

The migration tool uses this app password to authenticate to Fastmail's IMAP server (imap.fastmail.com:993).

For background on what app passwords do and why they're needed, see our app password glossary entry.

Lower DNS TTL

24 hours before MX cutover, drop the MX record TTL in your DNS provider to 300 seconds. Standard procedure.

Choosing your tool

Fastmail's built-in importer

Fastmail's Import tool (Settings → Import) supports IMAP sources. Point it at the local Bridge instance (127.0.0.1:1143) with the Bridge-generated credentials. Fastmail's importer will pull messages from Bridge over your local network.

The catch: Fastmail's import servers need to reach your local Bridge instance. This means either:

  • Run the import while Bridge is running on a publicly-reachable machine (with proper firewall config), or
  • Tunnel Fastmail's reach through SSH or VPN (complex).

In practice, most users skip the built-in importer and take the second route: a desktop migration tool.

Desktop IMAP tool

A local tool running on the same machine as Bridge connects to both Bridge (localhost IMAP) and Fastmail (imap.fastmail.com:993). Mailbox Taxi handles this cleanly — desktop-first, no tunneling needed.

This is the recommended path for almost every ProtonMail-to-Fastmail migration. Run Bridge and the migration tool on the same machine; Bridge serves localhost; the tool reads localhost and writes to Fastmail. No firewall holes.

Step-by-step

  1. Wait for Bridge initial sync

    After installing Bridge and signing in, wait for the initial sync to complete. Don't skip this. Bridge will show "Syncing" until it's done; once it shows "Ready", you can proceed.

    For a 25 GB ProtonMail mailbox, expect 12–24 hours. For a 5 GB mailbox, expect 2–4 hours. Plan the migration timeline backwards from your cutover date including this initial sync.

  2. Pilot two mailboxes

    If you're migrating multiple users, run the pilot on two — one light, one heavy. Validate:

    • All ProtonMail folders/labels appear as expected on Fastmail.
    • Message counts match within 1% per folder.
    • Sent mail is in the Sent folder, not duplicated.
    • Custom labels became proper folders on Fastmail.
    • Storage on Fastmail matches your 20–40% growth estimate.

    The pilot is also where you discover Bridge-specific issues. Common ones: Bridge crashes during long syncs, certificate validation warnings on localhost, and occasional "Disconnected for inactivity" errors when Bridge pauses to handle Proton API rate limits.

  3. Run the bulk migration

    Start 5–7 days before MX cutover. Yes, that long — Bridge is slow.

    Cap concurrency at 2–3 threads per mailbox. Bridge's localhost IMAP server can technically handle more, but the underlying Proton API rate-limits the Bridge's ability to fetch new content, so high concurrency just means waiting on Bridge.

    Monitor:

    • Bridge's status (should stay Ready, not flap to Syncing).
    • Migration tool's per-message log for "STARTTLS handshake failed" (fixed by restarting Bridge mid-migration), "Disconnected for inactivity" (Bridge backpressure — slow down), or "AUTHENTICATIONFAILED" (Bridge credentials changed; reload from Bridge settings).

  4. Set up forwarding from ProtonMail

    24 hours before MX cutover, set up forwarding from each ProtonMail account to the matching Fastmail address. From ProtonMail web → Settings → Filters → Add forwarding rule. ProtonMail will require you to verify the destination address (Fastmail will receive a verification email).

    This gives you belt-and-suspenders coverage for the 48-hour window around MX cutover when stragglers may still arrive at ProtonMail.

  5. Cut MX to Fastmail

    At your cutover time, update MX records at your DNS provider to Fastmail's published values:

    • Priority 10: in1-smtp.messagingengine.com
    • Priority 20: in2-smtp.messagingengine.com

    (Always verify the exact records in your Fastmail admin console.)

    Verify propagation with dig MX yourdomain.com @8.8.8.8. Send a test message from external accounts.

  6. Run the delta sync

    48–72 hours after MX cutover, run a delta against each ProtonMail mailbox (via Bridge). With forwarding configured, the delta should be tiny. Without forwarding, expect a few percent of total volume.

    After delta, no new mail should land at ProtonMail. Verify by checking ProtonMail web for any messages in INBOX after the cutover timestamp.

  7. Import contacts and calendars

    Per-user, from ProtonMail web:

    • Contacts → settings → Export → vCard. Save the file.
    • Calendar → settings → Export → iCal. Save each calendar.

    Then in Fastmail:

    • Contacts → Import → upload the vCard.
    • Calendar → Import → upload each .ics.

    This is genuinely per-user and unavoidable. Plan 15–30 minutes per user.

  8. Update SPF, DKIM, DMARC

    SPF: v=spf1 include:spf.messagingengine.com ~all. Remove any Proton-specific includes (uncommon but possible if you'd set up Proton outbound on your domain).

    DKIM: enable in Fastmail admin (Settings → Domains → DKIM) and copy the CNAME records into DNS.

    DMARC: keep your existing record or update to reflect new authentication.

  9. Decommission ProtonMail

    After 30 days of clean operation:

    • Cancel the ProtonMail subscription.
    • Uninstall Bridge from migration workstations.
    • Delete local Bridge caches (they contain decrypted mail).

    The Bridge cache is the often-overlooked security item: those files are unencrypted copies of your old mail. If the workstation isn't full-disk-encrypted, delete the cache before retiring the machine.

Run Bridge and migration tool on the same machine

Don't try to expose Bridge over your LAN to a separate migration machine. It works but introduces firewall complexity and adds attack surface. The Bridge is designed to be a localhost service; treat it as one. Run the migration tool on the same machine as Bridge.

Specific failure modes

Bridge shows "Connecting" forever

This is caused by ProtonMail server-side issues or by the network blocking outbound connections from Bridge. Check status.proton.me. Restart Bridge. If still stuck, check firewall settings — Bridge needs outbound HTTPS to api.proton.me.

STARTTLS handshake failed on localhost

Bridge uses a self-signed cert for its localhost IMAP listener. Most tools handle this by accepting any cert on 127.0.0.1. If your tool strictly validates, configure it to skip cert validation for localhost (acceptable because the traffic never leaves your machine).
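
If you script the connection yourself, you can pin Bridge's certificate instead of accepting any cert. The following is an added example, not code from Bridge or any migration tool; `connect_bridge` and its parameters are hypothetical names, and `pinned_hex` is assumed to be the SHA-256 fingerprint you recorded from the certificate your Bridge install presents.

```python
import hashlib
import hmac
import imaplib
import ipaddress
import ssl


def is_loopback(host):
    """True only for literal loopback IPs; hostnames are rejected, not resolved."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Constant-time comparison; tolerates 'AA:BB:...' style pins."""
    wanted = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), wanted)


def connect_bridge(host, port, user, password, pinned_hex):
    """STARTTLS to Bridge, check the pin, and only then send credentials."""
    if not is_loopback(host):
        raise ValueError(f"refusing unverified TLS to non-loopback host {host!r}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # self-signed cert: CA validation is
    ctx.verify_mode = ssl.CERT_NONE   # replaced by the pin check below
    imap = imaplib.IMAP4(host, port)
    try:
        imap.starttls(ssl_context=ctx)
        der = imap.sock.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned_hex):
            raise ssl.SSLError("Bridge certificate does not match the pinned fingerprint")
        imap.login(user, password)    # Bridge-generated credentials
    except Exception:
        imap.shutdown()
        raise
    return imap
```

The loopback check runs before any socket is opened, so the relaxed TLS settings can never be applied to a remote host by a typo in the configuration.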

Mail counts don't match

ProtonMail's "All Mail" view shows every message including those that have been deleted but not purged. Bridge may or may not expose deleted-but-not-purged messages depending on Bridge version. Spot-check your pilot results against the ProtonMail web UI's per-folder counts.

Folders nested deeply

ProtonMail allows nested labels. Bridge exposes them as IMAP folders with / as the hierarchy separator (or . depending on config). Fastmail accepts nested folders. Most tools handle this transparently, but spot-check that a 3-level-deep label like Projects/Q1/Reports shows up as a nested folder on Fastmail.

Bridge stops mid-migration

Bridge is software and software crashes. If Bridge stops, the migration tool will see disconnects on the IMAP connection. Restart Bridge, wait for Ready, resume the migration. Tools with UID-based resume will pick up where they left off without reimporting.

Comparing alternatives

For organizations not committed to Fastmail, the ProtonMail to Gmail path uses the same Bridge mechanism with Google Workspace or personal Gmail as the destination.

For the reverse direction — Fastmail to Gmail — see the Fastmail to Gmail walkthrough.

For a wider view of email migration concepts including Bridge-based providers, the complete email migration guide covers the broader landscape and helps decide whether Fastmail is the right destination at all.

Validation

Per-user:

  • Bridge shows Ready throughout migration window.
  • Folder count on Fastmail matches expected label-to-folder mapping.
  • Message counts per folder within 1% of ProtonMail source counts.
  • Sent items in Sent folder only.
  • Mobile clients connect to Fastmail successfully.
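
The folder and count checks above can be scripted. This is an added example, not part of any tool named in this guide; the function names are hypothetical, and `imap` is assumed to be an already authenticated `imaplib` connection (to Bridge for the source, to Fastmail for the destination).

```python
import re

LIST_RE = re.compile(rb'\((?P<flags>[^)]*)\) (?P<sep>"(?:[^"\\]|\\.)*"|NIL) (?P<name>.+)')


def parse_list_line(line):
    """Split one IMAP LIST response into (flags, path_tuple, raw_name)."""
    m = LIST_RE.match(line)
    if not m:
        raise ValueError(f"unparseable LIST line: {line!r}")
    sep = None if m["sep"] == b"NIL" else m["sep"].strip(b'"').decode()
    raw = m["name"]
    name = raw.strip(b'"').decode("utf-8", "replace")
    # A path tuple makes "/" and "." hierarchies comparable across servers.
    path = tuple(name.split(sep)) if sep else (name,)
    return m["flags"].decode().lower().split(), path, raw


def folder_counts(imap):
    """Map folder path -> MESSAGES count for every selectable folder."""
    _, lines = imap.list()
    counts = {}
    for line in lines:
        flags, path, raw = parse_list_line(line)
        if "\\noselect" in flags:
            continue  # container-only folder, holds no messages
        typ, data = imap.status(raw.decode(), "(MESSAGES)")
        if typ != "OK":
            raise RuntimeError(f"STATUS failed for {path}: {data!r}")
        counts[path] = int(re.search(rb"MESSAGES (\d+)", data[0]).group(1))
    return counts


def compare(src, dst, tolerance=0.01):
    """Return findings; an empty list means every folder is within tolerance."""
    findings = []
    for path, n_src in sorted(src.items()):
        label = "/".join(path)
        if path not in dst:
            findings.append(f"MISSING on destination: {label} ({n_src} msgs)")
        elif abs(dst[path] - n_src) > tolerance * max(n_src, 1):
            findings.append(f"COUNT drift: {label} source={n_src} dest={dst[path]}")
    return findings
```

Run `compare(folder_counts(bridge), folder_counts(fastmail))` after the bulk pass and again after the delta sync; non-ASCII folder names stay in IMAP's modified UTF-7 form on both sides, so they still compare equal.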

Per-tenant:

  • SPF includes Fastmail, excludes any Proton entries.
  • DKIM signing outbound from Fastmail.
  • DMARC reports arriving.
  • Test mail from external accounts reaches Fastmail.
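
The MX and SPF checks can be run against the output of your DNS lookups. This is an added example, not part of any tool named in this guide; the function names are hypothetical, the expected values are the ones quoted in this guide, and the inputs are the answer lines you get from `dig +short MX` and `dig +short TXT` with quotes stripped.

```python
# Values quoted in this guide; confirm them in your Fastmail admin console.
EXPECTED_MX = {10: "in1-smtp.messagingengine.com", 20: "in2-smtp.messagingengine.com"}
EXPECTED_INCLUDE = "spf.messagingengine.com"


def check_mx(answers):
    """answers: lines such as '10 in1-smtp.messagingengine.com.'"""
    seen = {}
    for line in answers:
        prio, host = line.split()
        seen[host.rstrip(".").lower()] = int(prio)
    findings = []
    for prio, host in EXPECTED_MX.items():
        if seen.get(host) != prio:
            findings.append(f"MX {host} missing or wrong priority (want {prio})")
    for host in seen.keys() - set(EXPECTED_MX.values()):
        findings.append(f"stale MX still published: {host}")
    return sorted(findings)


def check_spf(txt_records):
    """txt_records: every TXT string published at the domain apex."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no SPF; more than one is an SPF permanent error.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    includes = [t.split(":", 1)[1] for t in terms if t.startswith("include:")]
    findings = []
    if EXPECTED_INCLUDE not in includes:
        findings.append(f"missing include:{EXPECTED_INCLUDE}")
    for inc in includes:
        if inc != EXPECTED_INCLUDE:
            findings.append(f"extra include to review: {inc}")
    if not terms or terms[-1] not in ("~all", "-all"):
        findings.append("record does not end in ~all or -all")
    return findings
```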

If validation passes, you're done. Wait 30 days, cancel ProtonMail, uninstall Bridge, delete Bridge caches.
