Emails have become the most important method of communication for businesses. They’re also the weakest link for cybercriminals to target. As means of attacking emails grow, it’s essential to ensure you take the necessary actions to secure your emails and business. This is where you’ll hear about a secure email gateway.
In this article, I’ll explain what a secure email gateway is and dig deeper into the benefits and drawbacks of its two types: on-site and cloud-based. I’ll also detail the features you should look for when selecting an SEG and how to fit it into your business.
Before I go into much detail, let me first break down what a secure email gateway is and how it works.
What Is a Secure Email Gateway?
A secure email gateway (SEG) is either a hardware or software barrier between your business and the outside world sending you emails. You can describe a secure email gateway as a piece of tech, digital or physical. It collects all of the emails you receive, tests them for safety, and only then forwards them to the recipient.
It ultimately protects all your devices from malicious emails. These devices include your computers, tablets, and phones. It also prevents malicious emails from entering the company. Without it, your business is more likely to fall victim to phishing and ransomware attacks.
Originally, SEGs were physical devices that served as dedicated mail servers. Today, though, you’ll mostly find them as software solutions. When looking for a secure email gateway for your business, you’ll need to consider all your firm’s needs and capabilities. You also need to take the risks into account. Once you complete the assessment, the process isn’t complex at all.
Now, let me explain the 2 types of secure email gateway.
Secure Email Gateway Types
When selecting a secure email gateway, you have 2 types to choose from:
Each of these has its benefits and drawbacks that depend on the type of business you have.
Statistically, most companies will use a cloud-based system since it’s an easier solution to implement and maintain, especially for a smaller company. Huge companies will also use these solutions for legal reasons as they might blame a hack or breach on a third-party.
If you have a company dedicated to, for instance, customer support, data security, or any type of financial management, this solution won’t be ideal. You’ll then need a higher standard of protection.
For now, let’s see what both types bring to the table.
1. On-Site Secure Email Gateway
You probably heard the saying: if you want something done right, you need to do it yourself. That’s only true, though, if you know what you’re doing. A similar principle works with on-premises or on-site secure email gateways and email security in general.
This SEG can be a physical device or a program working inside your company’s server. It receives incoming emails and sorts them out. Once the server checks its risk list and scans the email, it’ll either filter the email out or forward it to the intended recipient.
The best examples of such gateways are the POP3 (Post Office Protocol 3) programs, like the AOL email or the Microsoft Outlook computer program. Here, the email downloads to your server, and only then does the SEG check for security issues.
Conflicted if the on-site security email gateway is the one for you? Check out the following pros and cons table.
|Gives you more control over what it can protect you from. For example, you can prevent emails with words that signify harassment.||Requires expertise. You’ll need to hire someone to overview, update, and maintain SEG daily.|
|Offers better oversight, which expands your company’s capabilities. For example, you can screen and flag certain keywords in emails.||Is more expensive since it includes the costs of hiring employees to monitor it.|
|Gives you control over the updates. You can ensure your risk list is downloaded regularly.||Needs constant oversight since liabilities in your email security can bring more problems.|
|Allows you to program many features, like email tracking and integration with a CRM.|
2. Cloud-Based Secure Email Gateway
Most people are familiar with cloud-based email gateway solutions without them being aware of it. Services like Gmail or Office 365 Outlook are perfect examples of cloud-based services. These services protect your emails and only send you messages after ensuring they’re safe.
Cloud-based SEG gives the reins to a third party to secure your email. Some emailing services offer a lot when it comes to both protection and features, but you’ll always encounter some out-of-hand issues.
Next, I’ll give you a quick overview of the cloud-based SEG’s pros and cons.
|Provides easy installation and use and has automatic updates.||Doesn’t give you control over email security. You can’t decide which updates to use or exclude.|
|Doesn’t need any tech knowledge to maintain it.||Grants third parties access to data.|
|Is cheap and modular.||Doesn’t have customization.|
|Is accessible for remote teams. Any person with an internet connection can get an email and automatically get an SEG with it.||Doesn’t protect against cyberattacks targeting the SEG provider.|
I can’t, in good faith, tell you which type of secure email gateway is objectively better. Your choice depends on your business and how it works. That said, if you’re at the point where you need to ask, a cloud-based service might be the one for you.
You can use something like Office 365, use it jointly with OneSpot for engagement and you’ll have quick and efficient email funnels. It’s objectively easier for virtually everyone except people developing security software. Next, let me guide you through what you need to look for when selecting a secure email gateway.
6 Features to Look for in a Secure Email Gateway
A secure email gateway is very useful for every business. It’s not as equally useful to everyone, though.
In some cases, you want something to check if you’re receiving malware and remove spam from your inbox. For some businesses, like ones in IT, finance, and especially fintech industries, leaving anything to chance can spell disaster. You’d also want to have full in-house control over all sensitive information.
A good thing about picking out a secure email gateway is that most of the core features you’re looking for are available with all major choices.
If you’re using an on-site SEG, these features will also be up to you. If you’re using a cloud-based/SaaS option, you often won’t know if they have these features. Still, you could benefit from knowing what these features are. Here are the 6 features you must look for.
1. Content Disarm and Reconstruction (CDR)
The CDR is a piece of artificial intelligence that can discern both digital and human languages. It scans an email and deconstructs it entirely. It then builds it up again for you to read it, but with completely new code. In effect, no malware will remain in the email.
For example, a human can’t see a difference between symbols ‘’P’’ and ’’Р”, but a computer will know the second one is a Cyrillic R. The same thing happens inside the secure email gateway where the software will change the digital data completely but leave the message intact.
This process will disable anything malicious that might have been inside the email, including the visuals and attachments. The visual representation and even safe links will remain, but it’ll destroy all executables behind the code. You’ll get a clean email without any security risks.
2. Message Authentication
DMARC (short for Domain-based Message Authentication, Reporting, and Conformance) is a very simple solution for domain name spoofing. If a domain has enabled DMARC protection, you can’t receive any emails pretending to come from the domain but are malicious instead.
In simple terms, DMARC uses a small confirmation key a domain sends like Google, Facebook, or irs.gov. This key checks if the email is sent from such an address or if it’s fake. If the email passes the DMARC test, it’ll show up in the recipient’s inbox. If it fails, it wouldn’t appear and the domain owner will also get a notification.
The best example would be someone spoofing an email from Google. If Google didn’t have a DMARC, the cybercriminal could make a ‘’[email protected]’’ email and target you with a phishing attack. It can also send you a message with open requests to send your username and password. If you’re not paying attention, you can fall for it.
DMARC makes such attacks impossible. The process protects you from falling a victim to spoofing domains, phishing, and unauthorized data retrieval.
3. Post Delivery Protection
Post Delivery Protection, or PDP, refers to the security code in the background of the email server. This code works as part of the secure email gateway. In effect, it surveys all emails, including the ones already received, based on the newest threat list it has.
In many cases, it’ll be impossible for the email gateway to detect malware in the email. That’s because the threat wasn’t added to the list at the time of receiving it. PDP makes the gateway work after the fact and continuously checks all emails against the newest threat list. If it finds something malicious, it’ll remove it from the inbox.
For example, if you receive a malicious email with malware not recognized by the SEG, it’ll appear in your inbox. If you update the malware list overnight, though, you won’t see the same email tomorrow morning. This way you protect your company against emerging threats.
4. Phishing Protection
Phishing is a common type of cyber-attack that has been very successful frequently. This is why all good SEG solutions must have some type of anti-phishing software. An anti-phishing software will identify malicious links and test them against a database.
Currently, the best type of phishing protection is the one using two methods: allowlisting and blocklisting. If the links inside the email have malware, the email itself won’t appear in the recipient’s inbox. If it isn’t on the allowlist, though, a notice will appear to indicate the link isn’t trusted.
That way, most people will at least check twice if the link they receive is okay or if it might be a trick. In return, you’ll protect your company against phishing attacks.
5. Data Loss Prevention
Data Loss Prevention (DLP) is a feature that scans the emails you receive and send. It, then, matches the scanned content with available intellectual property, proprietary information, and sensitive data. The purpose of this scan is to detect if you’re sending or receiving something you shouldn’t share/get.
In simpler words, DLP protects the transmission of your data to unauthorized parties. For instance, you can’t share private files and banking information with emails outside of the company or download them to any device.
DLP also helps you avoid the dire consequences for the business if you ever encounter a security breach or human error.
Sandboxing is a catch-all term for solutions working inside the secure email gateway. These solutions also test codes and links included in the email. This feature will make a secure environment to execute the file in or follow the link even if it isn’t a listed threat.
If the program detects zero issues, the SEG will pass the email to the recipient’s inbox. If it detects a threat, though, it’ll remove it and add it to the list of threats. This feature is especially important to protect the system from zero-day threats or any threats you still don’t know.
When selecting a product, look for the list of features. These may come built-in if you’re using a dedicated device. If not, you’ll either need to program them or find an online service that includes them in the offer. Ensure all 6 features, or at least the ones crucial to your business, are available. You can then test if the SEG you’re considering will fit your business.
Next, I’ll go through the most common business attributes and how they can influence your choice.
4 Things to Consider When Fitting the SEG to Your Business
When assessing cybersecurity and the business itself, you’ll often feel like it’s a war. It isn’t enough to know the threat. You also need to prepare your business to defend itself against an attack. This applies to all gateways, including email. Here are 4 things you should keep in mind when fitting SEG to your business.
1. Business Size
For a micro-business or a small business, the question of which type of SEG you’ll choose depends on:
- Core business
- Number of employees
- Reasonable options for new hires
If the core business you already have includes a cybersecurity specialist to develop, maintain, and update email security solutions, you’ll be much better off with an on-site gateway and server.
Large businesses with tens or hundreds of people progressively are also a more attractive target. At one point, it’s reasonable to anticipate an attack. Public companies mostly have such trouble with cyberattacks since their workforce doesn’t focus on cybersecurity.
You’ll want your lawyer, security chief, and cybersecurity manager to resolve if it would be better to outsource and have a custom SEG on-site. You also need to bring in talent to make and maintain it. Otherwise, use a cloud-based solution offering the features you want.
That said, if you’re a non-tech business and you have less than 10 employees, it’ll be too costly to have someone on board full-time to maintain an on-site system.
- Email security is often more about the people than the software. Consider investing in training and awareness the same way you do in software.
2. Communication Prevalence
A complex SEG only serves its purpose if you use it often. If your employees don’t open or receive emails at all, the risk of opening a malicious email is zero.
That said, if you’re in fintech or sales where each employee opens dozens of emails every day, you must ensure they don’t compromise your security if they let their guard down.
SEG removes all spam, informs you about any missed emails, and prevents you from even receiving emails that have viruses and malware. When you add this software, you’ll save yourself dozens of working hours. It’ll also save you thousands of dollars in losses due to hacks.
- If your employees have many people contacting them, they won’t notice a strange email. In those situations, you need an advanced solution. You’d better pay extra on the cloud, or use an on-site SEG if you have the resources.
3. Operational Capacity
This circles back to the number of people and type of business I mentioned above. The question here is if your business can make an on-site custom solution?
If the answer is yes, or if you have a large business where one more manager won’t add significant cost, then it’s always better to do it yourself. To achieve this, you’ll need a dedicated SEG engineer and an in-house system. Otherwise, subscribe to someone else’s set of solutions.
- If you don’t already have a dedicated cybersecurity software developer, chances are your company won’t need one. Better to buy good software than to hire people who have nothing to do with your branch.
4. Private Business Information Segmentation
Finally, you have to know if your company can segment private business information. You’d want to segment the parts of the business communicating a lot, especially with customers, from the business information you share internally.
Ideally, you’ll want your departments, like customer support and sales, detached. Your departments also shouldn’t have access to the same information.
If this isn’t an option, most cloud-based solutions can’t offer enough security. You’ll then need to make a custom solution that ensures nobody can gain access to your company’s server through customer support emails.
- Separate devices for sales and customer support that deal with proprietary information regularly and can’t be divided from it. You can use fresh devices for external communication and smartphones or tablets for internal communication.
A secure email gateway is very common and you might not even know you’re using one. That said, for a business, more security is necessary.
You have 2 SEG types to choose from: an on-site or a cloud-based system. The former is more expensive but gives you full control. The latter is less costly and simpler and easier to use. Still, you won’t have much say about software development. In the end, you can’t guarantee to never receive a doggy email. You can do everything in your power, though, to protect your business from attacks through email.
Do you have more questions about SEG? Check out the FAQ and Resources sections below.
Do I need a secure email gateway for my business?
Yes. Even micro-businesses that only have a few people working should incorporate a secure email gateway into their cybersecurity strategy. Basic options are cheap and will help you protect yourself from the sea of malicious emails floating every day through the internet.
How do I secure my email?
If you own a domain, you can make a secured email from your domain. You can also create an Outlook profile that the company will control and get all protections included in the package. Additionally, you can opt-in for Advanced Threat Protection (ATP) with Outlook 365. In this case, you can include options like sandboxing, data protection, and phishing protection.
Does Office 365 offer a secure email gateway?
Yes. You’ll receive the EOP, or Exchange Online Protection, with your Office 365 subscription license. You can also prevent users from permitting apps to access data to ensure information segmentation. Additionally, you can subscribe to Advanced Threat Protection (ATP) which will allow more security features. It’ll also be a basis for customized layered protection against high-level attacks.
Can I get hacked through email?
Yes. Phishing attacks and email scams are two of the most common types of hacking in general. Most types of malware, spyware, Trojans, and similar types of malicious code against a business go through email.
Should I have a secure email gateway device?
Not necessarily. Dedicated devices can allow easier maintenance and oversight for the most advanced users. That said, using a cloud-based service or simply mail gateway software inside your existing server is more than enough for your enterprise environment.
TechGenix: Article on Microsoft 365 Login
Find out how to detect Microsoft 365 login issues.
TechGenix: Guide on Exchange Web Services
Learn more about EWS and all the ways to use it.
TechGenix: Article on Why Is Cybersecurity a Problem with Public Companies
TechGenix: Article on LinkedIn Scams
Learn about LinkedIn scams and what you can do to combat them.
TechGenix: Article on Implementing Allowlisting to Boost Your Cybersecurity
Explore what allowlisting is and how it can help your cybersecurity strategy.