Security rules only enforce security and cannot be used as translators or filters. Thus, you'll have to manipulate the keys before sending them to Firebase.
It doesn't look like you are forced to use the email as the key, since you can structure the URL to which context.io sends your requests. Could you save the effort of a proxy by using the context.io unique ids or some other unique id instead of email address?
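If the email address does have to be the key, the manipulation described above can be done with a reversible encoding. This is an added example, not part of the original answer: `encodeKey` and `decodeKey` are hypothetical helper names, and the forbidden-character list and 768-byte limit are the Firebase Realtime Database key constraints. It escapes `%` as well, so two different addresses can never collapse into the same key and overwrite each other's data.

```javascript
// Added example: collision-free, reversible mapping from an email address
// to a Firebase Realtime Database key. Helper names are hypothetical.
// Keys may not contain . $ # [ ] / or ASCII control characters (0-31, 127).
// '%' is legal in a key but is escaped too, so the mapping stays injective.
const FORBIDDEN = /[.$#\[\]\/%\u0000-\u001f\u007f]/g;
const MAX_KEY_BYTES = 768; // key size limit, measured in UTF-8 bytes

function encodeKey(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new TypeError('key source must be a non-empty string');
  }
  // Replace each forbidden character with %XX (two uppercase hex digits).
  const key = raw.replace(FORBIDDEN, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
  if (new TextEncoder().encode(key).length > MAX_KEY_BYTES) {
    throw new RangeError('encoded key exceeds ' + MAX_KEY_BYTES + ' bytes');
  }
  return key;
}

function decodeKey(key) {
  // Every '%' produced by encodeKey is followed by exactly two hex digits;
  // anything else means the key did not come from encodeKey.
  if (/%(?![0-9A-F]{2})/.test(key)) {
    throw new SyntaxError('malformed escape in key');
  }
  return key.replace(/%([0-9A-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Constructed sample input, not taken from the original post.
console.log(encodeKey('jane.doe@example.com')); // jane%2Edoe@example%2Ecom
```

When the encoded key is placed in a REST URL path, pass it through `encodeURIComponent` so the literal `%` survives as part of the key.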