2
End-to-End Encryption - Exactly how would that work in SM ??
Question asked by Merle Wait - 7/30/2024 at 10:17 AM
Unanswered
So Proton Mail .. says that they have end-to-end encryption for their email....
... and that even Proton Admin can not access their clients email body.....
How would that work in SM .. or can it?
We just lost a couple of customers to them .. because we do not do "end-to-end" encryption.
Although I understand the meaning.. I am struggling with how that would be executed.

2 Replies

0
Douglas Foster Replied
One way, used by smarsh.com is that everything stays on one server.  Non-client recipients don't get a real email, instead they get a placeholder message to "click here to log in and retrieve your message."  I would guess that ProtonMail is doing the same thing.  

Any solution that accepts inbound email from the internet cannot ensure that it arrives with end-to-end encryption, so the boast applies to outbound email only.

The other technique is to use S/MIME or PGP to encrypt the body of the message.  This technology is lightly used in the commercial space, because it has a complex setup and requires both sender and receiver to participate.   Worse yet, because content is end-to-end encrypted, it bypasses your email filtering system.  That seems to require tracking which senders are sufficiently trusted to allow usage of the public key.  Unrecognized senders should not be allowed to send encrypted messages.

A half-way solution uses S/MIME or PGP, but the encryption keys are stored at the email gateway, so encryption and decryption occurs there, allowing the gateway to enforce email filtering rules.   It still requires a cooperating sender, so it does not work for consumer use.
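Added illustration (not from this thread, and not SmarterMail code) of the inbound rule Douglas describes: an encrypted body cannot be content-filtered, so the gateway accepts it unfiltered only from senders it already trusts and quarantines the rest. The trusted addresses, domains and the four sample messages are all constructed; a real deployment would key the trust decision on an authenticated sender (SPF/DKIM alignment) rather than on the bare From header.

```python
"""Inbound policy for end-to-end encrypted mail (added example).

An S/MIME enveloped or PGP body is opaque to the gateway's filters, so the
gateway lets it through unfiltered only from explicitly trusted senders.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed allowlist: who may send us mail we cannot inspect.
TRUSTED_ENCRYPTED_SENDERS = {"counsel@partner-law.example"}
TRUSTED_ENCRYPTED_DOMAINS = {"bank.example"}

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def is_end_to_end_encrypted(msg: Message) -> bool:
    """Detect the three common encrypted-body shapes."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":            # S/MIME
        # smime-type=signed-data is opaque-signed, not encrypted;
        # a missing parameter is treated conservatively as enveloped.
        smime_type = msg.get_param("smime-type") or "enveloped-data"
        return smime_type == "enveloped-data"
    if ctype == "multipart/encrypted":               # PGP/MIME (RFC 3156)
        return True
    if ctype == "text/plain":                        # inline PGP armor
        payload = msg.get_payload(decode=True) or b""
        return payload.lstrip().startswith(PGP_ARMOR_HEADER)
    return False


def sender_is_trusted(msg: Message) -> bool:
    # NOTE: From is unauthenticated; in production require SPF/DKIM alignment.
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return addr in TRUSTED_ENCRYPTED_SENDERS or domain in TRUSTED_ENCRYPTED_DOMAINS


def inbound_verdict(raw: str) -> str:
    """'accept' (plaintext, normal filtering applies), 'accept-unfiltered'
    (encrypted, trusted sender) or 'quarantine' (encrypted, unknown sender)."""
    msg = message_from_string(raw)
    if not is_end_to_end_encrypted(msg):
        return "accept"
    if sender_is_trusted(msg):
        return "accept-unfiltered"
    return "quarantine"


# Constructed sample messages (ciphertext bodies are dummies).
SAMPLE_SMIME = """From: counsel@partner-law.example
To: user@corp.example
Subject: Contract draft
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEAAAAA
"""

SAMPLE_PGP_INLINE = """From: someone@unknown.example
To: user@corp.example
Subject: hi
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

hQEMA0dummyciphertext
-----END PGP MESSAGE-----
"""

SAMPLE_PGPMIME = """From: alerts@bank.example
To: user@corp.example
Subject: Statement
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
dummyciphertext
-----END PGP MESSAGE-----

--b1--
"""

SAMPLE_PLAIN = """From: someone@unknown.example
To: user@corp.example
Subject: Invoice
Content-Type: text/plain; charset=us-ascii

Please find the invoice attached.
"""

if __name__ == "__main__":
    for name, raw in [("smime", SAMPLE_SMIME), ("pgp-inline", SAMPLE_PGP_INLINE),
                      ("pgp-mime", SAMPLE_PGPMIME), ("plain", SAMPLE_PLAIN)]:
        print(f"{name:11s} -> {inbound_verdict(raw)}")
```

The plaintext message falls through to the normal filter chain; the S/MIME and PGP/MIME samples pass unfiltered because their senders are on the list; the inline-PGP message from an unknown address is quarantined, which is the "unrecognized senders should not be allowed to send encrypted messages" rule in code.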


1
Jay Dubb Replied
We've supported Cisco Ironport with SES (secure email service) as well as Exchange 365.  The Ironport component was triggered by a keyword put at the beginning of the subject line.  If the subject line started with "SECURE: " the message would be encrypted and the recipient sent a placeholder email with a link to Cisco SES that would display the message, and give the recipient the opportunity to securely reply back.

With Exchange 365, it's a similar process.  We trigger the encryption with a subject keyword OR by selecting a "Sensitivity" setting in Outlook.  But then it's basically the same-- recipient gets a placeholder message that references a web link where the user reads the message in a browser (and can respond securely).

We have seen other solutions, too-- like the Zix plugin for Outlook, which some users love and others really hate.

Some of our clients have asked about this, and we'd REALLY love to be able to offer email encryption via Smartermail, instead of having to tell someone to subscribe to Zix.  Ideally, we'd like it to be similar to Cisco SES-- web link referral to a hosted (browser viewed) copy of the message, with the option to Reply / Reply-All / Forward securely, like Cisco SES.  Ideally, there would be a finite lifespan for the user to read (and print or save) so we don't end up with hundreds of GB of old messages long since forgotten... maybe 15 or 30 days, then gets auto-purged.  The lifespan should be admin-configurable on a per-domain basis.

Since Smartermail Enterprise edition is marketed as the world's only true Exchange alternative, it does need to support these kinds of essential features already found in Exchange 365.