Why should I choose a secure email gateway over an API point solution?


If you read no further, this article can be summarized in the following statement: Secure Email Gateways (SEGs) are far more secure and provide more visibility and control to administrators than the API point solutions. Email security point solutions want to convince you that you don’t need an email security gateway to be secure. In reality, they are doing this because it was easier to build their solution without a gateway. These point solutions leave users unprotected in a variety of ways including exposed MX records, zero protection over outbound email and inability to encrypt.

Over the course of this article, we will dispel the myth that you don’t need a gateway to be secure. We expose the vulnerabilities created by API point solutions and we will lay out a recommendation for why you are much more secure when you choose to implement a full email security platform with an inbound gateway, outbound filtering (for reputation protection, DLP, and compliance), and email encryption.

Let’s start with inbound email routing:

API point solutions are leaving your MX records exposed

Main Takeaway: API point solutions are broadcasting to hackers where an organization’s email is hosted.

Weighing email security gateways versus point solutions? Let’s start with MX records. An MX record (mail exchange record) publishes where to route an organization’s email to the public internet. API point solutions offer a less secure approach because the organization’s MX will be pointed directly to the email host. This is essentially broadcasting to the public where an organization’s most valuable communication data is kept. There’s nothing between the organization and the Internet, leaving an organization’s MX records exposed. An inbound email gateway protects the location of your email hosting by preventing exposure via your MX records.

When an organization doesn’t have its MX records pointed to a gateway, they are broadcasting to hackers where their email is hosted. Knowing where an organization hosts their email just makes the hackers’ job easier. A secure email platform with an inbound gateway in place masks the hosting information so the organization’s email setup isn’t exposed to a third party.

Mailprotector is the easiest place to deploy MX records. You should be pointing your MX records somewhere other than where you are hosting your email. We have made that a simple process that only takes a few minutes.

Don't leave your MX records exposed

Why do email API point solutions say secure email gateways are out-of-date?

Main Takeaway: It is easier for email security startups to use APIs into Google or Microsoft. But because they don’t have a gateway, their marketing tactic is to tell MSPs they don’t need a gateway.

The main reason you don’t see startups investing in secure email gateways is not because the tech is old, as they may have you believe. It is because building a secure email gateway is hard!

The truth is that building a secure email gateway takes infrastructure, capital and a lot of experience. It cannot be built overnight like a web app. It is much easier to build APIs into Google or M365.

These API point solutions are taking the path of least resistance and then their marketing tactic is to tell the world that SEGs are old technology. In actuality, API point solutions leave organizations vulnerable because they don’t control the total flow of email. Organizations using these API point solutions are announcing to hackers where their email is hosted.

The other reason for the bad rap on email gateway services is because many secure email gateway platforms are actually out-of-date. Many become dated because company priorities change, additional offerings are created, and investments are earmarked for the shiny new object. Some of these older secure email gateway vendors have sunset their SEG offerings because they are requiring too much time, effort, and money to stay current. Many other SEGs have become stagnant and failed to innovate their products.

So, the SEG approach isn’t flawed – it has significant advantages for those vendors who are willing to continue the investment in time and staff. Mailprotector understands this and continues to innovate as a complete email security platform that delivers its complete solution through a secure email gateway. 

Email API point solutions offer zero protection over outbound email

Main Takeaway: API Point solutions don’t protect an organization’s outbound email. They only secure the incoming email. So, because they can’t see the outbound email relay, they’re only providing a partial email security solution, which makes for an incomplete, unsecured solution.

In case you aren’t familiar, Simple Mail Transport Protocol, or SMTP, is the protocol with which all email is sent and received. One server talks to another server using the SMTP protocol. API point solutions do not use SMTP, which means they don’t have the ability to offer an outbound email relay. Anyone in the email security space who cannot offer outbound email relay is simply providing only a small component of what is required to be a complete, secure email gateway.

By not supporting outbound email filtering, there’s a whole feature set missing from the API point solutions. Without a gateway that protects both inbound and outbound mail flow, their users are not fully protected.

Because Mailprotector’s secure email platform is built using an inbound and outbound gateway, we can give administrators visibility into all email flow. With a secure email gateway, administrators can do things the point solutions can’t offer in one tool – like email encryption.

Phishing, viruses, and spam: Protection is now considered table stakes

Main Takeaway: Protection against viruses, spam and phishing have been commoditized. An email security vendor has to offer a more complete solution.

What else does your email service do?

There are companies advertising that they have a better product in the areas of phishing, spam, and anti-virus. However, in today’s market, all solutions do a pretty nice job at prevention. Because of this, many IT administrators are making decisions based more on the simplicity of the management consoles than on the phishing or spam filters themselves.

It is worth noting that many API point solutions can’t offer protection against all three: phishing, virus, and spam. Rather, many just specialize in one or two. Mailprotector’s CloudFilter email filtering product can protect users against all three, and we have been focused on stopping malware for decades, throughout the more sophisticated evolution.

Read more on this topic: Select the Best Phishing Protection Solution for Your Users.

Why wouldn’t I use Google or Microsoft’s native email security features?

Main Takeaway: What Microsoft and Google offer for email security isn’t comprehensive enough and it gets complex when emails route outside of their environments.

Both M365 and Google are great choices for email hosting. While M365 offers email security solutions, they are not as comprehensive because they don’t specialize in email security. No matter what they tell you, both Microsoft and Google are focused on delivering a wide variety of product types across the technology spectrum. Their email security features do not go deep enough because they are limited to their own platform.

For example, Microsoft’s and Google’s encryption each work great within their ecosystems, but the product starts falling apart outside of their respective environments. Mailprotector’s Bracket email encryption tool works across all platforms, no matter where the users are hosted. And because we hold the patent, literally no one else can do encryption like Mailprotector.

Bracket allows users to have access to secure, yet easy to use email encryption instantly. Just wrap the [subject] in Brackets in any email client on any device. No downloads, apps or plugins are required. And, because it’s so user-friendly, no training is needed – for users or admins. It’s so easy, your grandmother could use it.

Your email security point solution is handcuffed

Main Takeaway: Point solutions are limited to their Google or Microsoft API, and they can’t manage the entire email routing process.

By the very nature of their design, API Point solutions are slaves to the ecosystem provider. When the email provider says “jump,” the APIs have to say, “how high?” They must conform to what the provider will allow them to do in order to remain in business. Because these point solutions aren’t a secure email platform, they don’t have access to a gateway, so they cannot realistically control the flow of email. They simply attach, as an app, to an email provider and monitor a single flow of communication: the inbound side.

This approach has existed for many years in the form of a plugin or application users could install on their desktop computer. The plugin would provide a basic level of spam filtering by accessing mailboxes through the email client (ie. Outlook). Google and Microsoft have essentially moved the email client to the web with M365 and Google Workspaces and offered a mailbox API. So, the point solutions are an old approach that has simply moved to the cloud along with the email hosting platforms.

Administrator Logs

Mailprotector is a complete email security platform that offers an unrivaled ease of deployment

Main Takeaway: Mailprotector’s deployment takes minutes, not hours.

Mailprotector has put critical emphasis on making the deployment of our solution as frictionless and risk-free as possible. CloudFilter deployment will take an MSP minutes, rather than hours. We have made it seamless for administrators to change MX records.

Here are a few of the processes we use to ensure a speedy deployment and smooth implementation:

LDAP Directory Sync, O365 User Sync, and G-Suite User Sync.  This process allows users to be added in seconds by simply connecting with an API-enabled account in O365 or G-Suite. For those using an exchange server, all we’ll need is a user with privileges to edit users within a specified organizational unit. After authentication, you can move immediately to changing mail flow to have email running in minutes.

Address discovery (or SMTP discovery). If an email reaches Mailprotector’s relay and we detect a user that doesn’t exist, we will add the user. Once the user is added, we will attempt to deliver the email. If the email can be delivered, we keep that user in the system. If the email can’t be delivered, we remove the temporary user from the system.

Bracket’s 365 deployment. If you choose to use Bracket for email encryption, this API-enabled deployment method is going to make things easy. You’ll log into your Microsoft account as an administrator and we will take care of the rest! Additionally, we create customizable transport rules and connectors if you’d like to implement M365 security features alongside the Bracket system. Automation with encryption is ready as quickly as it takes to set up!

Still have concerns on how long it might take to deploy a complete email security platform? Let’s talk about it.

Mailprotector gives partners a beautifully engineered management console

Main takeaway: The Mailprotector management console was designed for MSPs to quickly deploy and manage email security across clients.

Our central console is a place that makes the administrator’s life easier. Things are easier to do in our console. MSPs can quickly deploy, manage, integrate, and initiate user sync in a matter of minutes. The console saves MSPs time and protects their margin.

The console was designed for partners because the channel is not just how Mailprotector goes to market. It is the lens through which decisions are made and products are built. Like everything else Mailprotector does, the console was built from the ground up with the partner in mind.

Why was Bracket email encryption created?

Main Takeaway: Bracket is simple to use because it was developed alongside our MSP partners based on their email security management needs.

We created our patented Bracket email encryption tool after some universal feedback from our partners that they needed a simple way for their users to send encrypted email. They didn’t want apps, plugins, or separate passwords. Partners needed to get encrypted info from one person to another without tacking on extra work, so we simplified it by letting them encrypt any message in any email client by simply wrapping the [subject] of any email in brackets.

A complete, integrated solution like the one Mailprotector offers, provides inbound, outbound, and encryption in one solution. It leverages that integration to create an experience that cannot be matched. Bracket’s uniquely simple approach is only possible when an email security vendor can offer a complete email security platform. 

Bracket inbox screenshot

Trust the ease and power of a modern secure email gateway

In summary, if your ultimate goal is email security, a secure email platform with an inbound and outbound gateway in place is the only option. Be wary of feature-bloated email security apps and outdated SEGs. The email security API point solutions are one trick ponies. They are slaves to the latest platform updates.  The antiquated (and oftentimes behemoth) secure email gateway companies aren’t going to provide what you need, either. Their view of the security universe is too narrow. Mailprotector is a modern, secure email gateway who stays on top of the latest threats. We sell exclusively through the MSP channel and email security is both who we are and all we do. Trust a reliable, secure vendor who can get you migrated, up and running in a matter of minutes.