Apr 3, 2016

Secure Email Gateways and Email Authentication — Entirely Different Yet Complementary Anti-Phishing Approaches


The ever-increasing waves of email phishing attacks have spawned a flurry of how-to articles offering advice on how to cope with the threat.

Yet there is a lot of confusion, even among knowledgeable technologists, on the difference between traditional Secure Email Gateways (SEGs) and Email Authentication (EA).

Each technology addresses different and at times overlapping purposes. But even in the overlapping areas, they complement each other.

Secure Email Gateways

SEGs are a familiar technology and have been in use for nearly two decades. They have recently experienced renewed interest thanks to the rise in phishing attacks, according to Gartner. SEGs offer protection against phishing threats, and also against spam and email-borne malware. They do this by offering a combination of algorithmic and heuristic analysis to weed out the “bad actors” among incoming emails, ensuring that all (or most) of the inbound email reaching a company’s servers is legitimate. URL link protection, sandboxing email attachments, and other techniques used by SEGs can help protect companies from many of these threats.

According to a recent TechTarget buyer’s guide, “the basic security functions performed by every email security gateway are fundamentally the same: antivirus, antimalware, antiphishing and antispam.” And there are many, many choices in the market, from vendors including Cisco, Fortinet, Microsoft, Proofpoint, Symantec, and Trend Micro.

Email Authentication

So how do SEGs and EA compare?

A core security principle is to layer your defenses. That means deploying varying approaches to security in order to maximize the effectiveness of your overall defense. Taken together, SEGs and EA provide exactly this complementary, layered approach. And while some SEGs do check and enforce the DMARC authentication policy of incoming emails as part of their filtering mechanisms, that’s as far as they go. They don’t configure and maintain email authentication for your domains nor do they monitor or digest DMARC reports.

Here are some of the basic differences and the security gaps each technology addresses:

Who is protected?

SEGs focus on protecting your employees from any email your organization receives. EA protects both people inside (employees) and outside (clients, partners, consumers) your corporate boundaries, but only for your own domains and for domains that have deployed EA.

Why does this matter? Just one example: a criminal pretends to be your company and sends millions of phishing emails to your clients, using your domain as the return address. These emails never pass through your SEG, yet they could cause immense damage to your brand and to consumers’ trust in your company. EA would stop that attack, because the phishing emails would not authenticate as legitimate mail from your domain.
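To make the last sentence concrete, here is an added example (not code from the original post or from Valimail) of the check a receiving mail server or SEG performs when it enforces a sender's DMARC policy: SPF or DKIM must pass, and the domain that passed must align with the domain in the From: header the recipient sees. A spoofed message that merely passes SPF for the attacker's own sending domain fails alignment and receives the disposition the spoofed domain published. Assumptions: the DMARC record is supplied in a dictionary instead of being fetched from DNS, the organizational domain is approximated by the last two labels rather than the Public Suffix List, and `example.com` and the sample messages are constructed.

```python
"""Added example (not from the original post): a simplified DMARC evaluator.

Two checks decide whether a message may use the From-header domain:
  1. SPF and/or DKIM must pass, and
  2. the domain that passed must align with the From-header domain.
If neither aligned check passes, the domain owner's published policy (p= or sp=)
gives the disposition the receiver should apply.
Assumptions: records come from a dict instead of DNS TXT lookups, and the
organizational domain is approximated by the last two labels.
"""
from dataclasses import dataclass

# Constructed DMARC record for a hypothetical domain. In DNS this would be the
# TXT record at _dmarc.example.com.
EXAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com",
}


@dataclass
class AuthResults:
    """Authentication results the receiver has already computed for one message."""
    from_domain: str   # domain of the RFC 5322 From: header (what the user sees)
    spf_result: str    # "pass", "fail", or "none"
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM / HELO)
    dkim_result: str   # "pass", "fail", or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain by the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any domain sharing the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(msg: AuthResults, records: dict = EXAMPLE_DMARC_RECORDS) -> dict:
    """Return the DMARC result and the disposition the sender's policy requests."""
    from_domain = msg.from_domain.lower()
    org_domain = organizational_domain(from_domain)
    record_txt = records.get(from_domain)
    found_at_org = False
    if record_txt is None and from_domain != org_domain:
        record_txt = records.get(org_domain)   # fall back to the org-domain record
        found_at_org = record_txt is not None
    if record_txt is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}

    tags = parse_dmarc_record(record_txt)
    spf_ok = msg.spf_result == "pass" and aligned(from_domain, msg.spf_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(from_domain, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        reason = "aligned SPF" if spf_ok else "aligned DKIM"
        return {"dmarc": "pass", "disposition": "none", "reason": reason}

    # Neither aligned check passed: apply p=, or sp= when the message used a
    # subdomain and the record was found at the organizational domain.
    policy = tags.get("p", "none")
    if found_at_org and "sp" in tags:
        policy = tags["sp"]
    return {"dmarc": "fail", "disposition": policy, "reason": "no aligned SPF or DKIM pass"}


# Constructed sample messages.
# 1) Legitimate mail: sent through the company's own bounce domain, which aligns
#    with example.com under relaxed SPF alignment.
LEGITIMATE = AuthResults("example.com", "pass", "bounce.example.com", "none", "")
# 2) Spoof: From: claims example.com, but SPF only passed for an unrelated
#    sending domain and there is no DKIM signature from example.com.
SPOOFED = AuthResults("example.com", "pass", "mailer.not-example.net", "none", "")

if __name__ == "__main__":
    for label, m in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, evaluate_dmarc(m))
```

Both sample messages pass SPF; what separates them is alignment, which is why SPF alone does not stop this kind of spoofing. Note that the evaluator only consumes a policy; publishing the record, keeping SPF and DKIM correct for every legitimate sending service, and reading the aggregate reports sent to the `rua=` address are the domain owner's job, which is the part of the picture a gateway does not cover.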

An actual phishing scam blocked by ValiMail.
