Secure Email Gateways (SEG) vs. API Email Security 101

By suktech24, Thurs 16 Jan 2025, Estimated reading time : 12 – 14 mins

Email remains the backbone of business and personal communication, but it is also one of the most exploited entry points for cyberattacks. Organizations and individuals face a range of threats, from phishing to ransomware delivered as attachments or links, and need email security measures that go beyond basic spam filtering. Two popular approaches for securing email are Secure Email Gateways (SEGs) and API-based email security.

In this week's blog post, the following topics are covered.

  1. Secure Email Gateways (SEGs) and How they work
  2. API-Based Email Security and How it works
  3. Comparing Secure Email Gateways and API-Based Email Security
  4. Useful abbreviations
  5. Summary

1. Secure Email Gateways (SEGs) and How they work

What are SEGs?

A Secure Email Gateway (SEG) is an email security product that uses signature analysis, sender reputation data and machine learning to inspect, identify, filter and block malicious email traffic before it reaches recipients' inboxes. SEGs matter because email attacks, such as phishing, are among the most common cyber threats organizations face. SEGs usually act as pre-delivery filters, analyzing inbound and outbound email and blocking threats before they reach user inboxes. Some SEGs also operate post-delivery, using API integrations to monitor and remediate threats in messages that have already been delivered.

How do SEGs work?

SEGs typically operate using one of two methods: DNS MX record or API integration.

Mail Exchange (MX) Record (most common)

An MX record is a DNS record that routes email to the mail servers designated for a domain. It tells sending servers where messages for that domain should be delivered over the Simple Mail Transfer Protocol (SMTP).

SEGs insert themselves into the path email travels by updating an organization's MX record to point to the SEG. All inbound email traffic is then routed to the SEG, which inspects and filters messages before forwarding them to the organization's mail servers and users' inboxes. One caveat when deploying this way: the organization's mail servers should accept inbound SMTP only from the SEG's IP ranges, otherwise an attacker who discovers the real mail host can deliver to it directly and bypass the gateway entirely.

The SEG scans metadata, headers, body content, links and attachments for malicious elements. Malicious emails are blocked or quarantined, while safe emails proceed to the recipient.

API-based Integration (increasingly popular)

Most modern email platforms, such as Google Workspace or Microsoft 365, offer an API for third-party integrations. These APIs let external applications read and edit emails, so users can automate and streamline workflows. Because this approach works through the platform's API, it does not require re-routing email traffic.

SEGs can use these APIs to monitor email content once it reaches an employee's inbox. With API integrations, an SEG can monitor and protect outbound email, or retroactively remove inbound emails that are identified as malicious after delivery.

To identify and block spam, SEGs combine content analysis, sender reputation analysis, heuristic analysis and Bayesian filtering. To protect against malicious links and attachments, they use signature-based scanning, sandboxing, URL filtering and machine learning. They also incorporate encryption features such as TLS for mail in transit and policy-based encryption of messages that contain sensitive information.
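Of the spam techniques listed above, Bayesian filtering is the one most easily shown in working code. The block below is an added example, not code from the original post or from any SEG product: a presence-based Naive Bayes classifier with Laplace smoothing, trained on a small constructed corpus (the eight messages in TRAINING are made up for this example). A real gateway trains on millions of labelled messages and combines this score with the other signals, but the arithmetic is the same.

```python
import math
import re
from collections import Counter

# Constructed training corpus for this example (not real mail): label 1 = spam, 0 = ham.
TRAINING = [
    ("Claim your free prize now, click here to win cash", 1),
    ("Urgent: your account is suspended, verify your password now", 1),
    ("Limited offer! Cheap meds, click to buy now", 1),
    ("Win a free gift card, act now", 1),
    ("Meeting moved to 3pm, see the agenda attached", 0),
    ("Here are the minutes from yesterday's standup", 0),
    ("Can you review the pull request before the release", 0),
    ("Lunch on Friday? The team wants to try the new place", 0),
]

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens as a set: repeating a word does not stack evidence."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    """Presence-based Naive Bayes with Laplace smoothing, evaluated in log space."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of ham messages containing it

    def train(self, corpus):
        for text, label in corpus:
            tokens = tokenize(text)
            if label:
                self.spam_docs += 1
                self.spam_tokens.update(tokens)
            else:
                self.ham_docs += 1
                self.ham_tokens.update(tokens)

    def spam_probability(self, text):
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)   # class priors
        log_ham = math.log(self.ham_docs / total)
        for token in tokenize(text):
            if token not in self.spam_tokens and token not in self.ham_tokens:
                continue                              # never seen: no evidence either way
            # +1 / +2 smoothing keeps a token seen in only one class from forcing 0 or 1
            log_spam += math.log((self.spam_tokens[token] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[token] + 1) / (self.ham_docs + 2))
        # sigmoid of the log-odds gives P(spam | tokens) without underflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.9):
        """'spam' above the threshold, else 'ham'; a gateway would quarantine 'spam'."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter():
    f = BayesFilter()
    f.train(TRAINING)
    return f


if __name__ == "__main__":
    f = build_filter()
    for sample in ("Click here to claim your free prize", "Can you review the agenda before the meeting"):
        print(f"{f.spam_probability(sample):.3f}  {f.classify(sample)}  {sample}")
```

The threshold is deliberately high: a false positive (a legitimate invoice in quarantine) usually costs more than a false negative that the other layers (reputation, URL filtering, sandboxing) still get a chance to catch.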

The common features of SEGs include pre-delivery email filtering, spam and phishing protection, malware and attachment scanning, data loss prevention (DLP), policy enforcement, quarantine management, integration with threat intelligence, and outbound email scanning.

Example SEG Products:

Use Cases:

  • Ideal for organizations with on-premises or hybrid email environments.

2. API-Based Email Security and How It Works

What is API-Based Email Security?

Traditional secure email gateways (SEGs) are deployed along the path that emails travel. As emails are routed through the SEG, it inspects their contents for potential threats or privacy violations.

API-based email security solutions integrate with the corporate email platform, eliminating the need for in-line deployment. Instead, they use the functionality the platform's API provides to access and examine the contents of emails. They inspect messages before they enter the inbox or leave the outbox by calling the email service's API, and can scan both incoming and outgoing messages for potential threats.

Using the same APIs, these solutions can also act on malicious email: prevent phishing and other threats from reaching the inbox, alert on a potential threat, or claw back delivered emails that are identified as malicious only after delivery. Instead of filtering email in line before delivery, these tools provide real-time monitoring and post-delivery remediation.

How API Email Security Works:

The security solution integrates with the email provider's API, giving it access to email content, metadata, attachments and user behavior data. Emails are analyzed in real time or post-delivery for advanced threats such as account takeover, internal phishing or anomalous behavior. API solutions remediate threats by quarantining, flagging or deleting malicious emails directly from inboxes.

  1. API integration: The security solution connects to the email platform (such as Microsoft 365 or Google Workspace) using its APIs. This connection allows the security system to access emails and their metadata without interfering with the standard email flow.
  2. Continuous monitoring: Once integrated, the security solution continuously monitors incoming and outgoing emails in real time. It can scan emails before they reach the user’s inbox or after they’ve been sent but before delivery to the recipient.
  3. Content analysis: The security system uses advanced algorithms and machine learning to analyse various aspects of each email, including metadata, headers, body content, attachments, URLs and links.
  4. Threat detection: Based on this analysis, the system identifies potential threats such as phishing attempts, malware, spam, or Business Email Compromise (BEC) attacks.
  5. Automated response: When threats are detected, the system can take immediate action, such as:
    1. Blocking the email from reaching the inbox
    2. Quarantining suspicious messages for further review
    3. Stripping malicious attachments or neutralising dangerous links
    4. Alerting administrators or end-users about potential threats
  6. Post-delivery remediation: If a threat is identified after an email has been delivered, API-based security can often retract or delete the email from user inboxes, preventing further exposure.
  7. Continuous learning: Many API-based email security solutions incorporate machine learning algorithms that continuously optimise threat detection capabilities based on new data and emerging attack patterns.
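The seven steps above, as an added example that is not part of the original post and not any vendor's code: a small Python pipeline that parses RFC 5322 messages with the standard library, scores them on a few BEC and phishing signals (failed Authentication-Results, a Reply-To domain that differs from the From domain, a display name that impersonates an internal user, and lookalike domains measured by edit distance to the tenant's domain), decides deliver / flag / quarantine, and then performs post-delivery remediation through a stand-in mailbox API when later intelligence marks a domain as bad. ORG_DOMAIN, DIRECTORY, the MailboxApi class and the three messages in SAMPLES are constructed for this example; a real integration would call Microsoft Graph or the Gmail API instead of MailboxApi.

```python
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                            # assumed tenant domain
DIRECTORY = {"Alice Finance": "alice@example.com"}   # constructed: display name -> real address
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def edit_distance(a, b):
    """Levenshtein distance; a small distance to ORG_DOMAIN marks a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    return domain.lower() != ORG_DOMAIN and edit_distance(domain.lower(), ORG_DOMAIN) <= 2


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def domains_in(msg):
    """Sender domain plus every link host in the plain-text body, lower-cased."""
    body = msg.get_body(preferencelist=("plain",))
    hosts = {h.lower() for h in URL_HOST.findall(body.get_content() if body else "")}
    hosts.add(parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower())
    return hosts


def analyze(raw):
    """Inspect one RFC 5322 message and return (verdict, reasons)."""
    msg = parse(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        reasons.append("sender authentication failed")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        reasons.append("display name impersonates an internal user")
    for dom in sorted(domains_in(msg)):
        if is_lookalike(dom):
            reasons.append(f"lookalike domain: {dom}")
    verdict = "deliver" if not reasons else ("flag" if len(reasons) == 1 else "quarantine")
    return verdict, reasons


class MailboxApi:
    """Stand-in for a provider mailbox API (constructed; not Microsoft Graph or the Gmail API)."""
    def __init__(self):
        self.inbox, self.quarantine = {}, {}        # Message-ID -> raw message
    def deliver(self, raw):
        self.inbox[str(parse(raw)["Message-ID"])] = raw
    def retract(self, msg_id):                      # post-delivery remediation
        if msg_id not in self.inbox:
            return False
        self.quarantine[msg_id] = self.inbox.pop(msg_id)
        return True


def sweep(api, bad_domains):
    """Re-check already delivered mail against new intel and retract whatever matches."""
    retracted = []
    for msg_id, raw in list(api.inbox.items()):
        if domains_in(parse(raw)) & set(bad_domains) and api.retract(msg_id):
            retracted.append(msg_id)
    return retracted


SAMPLES = {   # constructed messages, not real traffic
    "bec": """From: "Alice Finance" <alice@mail-example.org>
Reply-To: pay@invoice-desk.example
Message-ID: <1@mail-example.org>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=none

Bob, please wire the attached invoice today and reply to confirm.
""",
    "phish": """From: IT Support <helpdesk@examp1e.com>
Message-ID: <2@examp1e.com>
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Reset your password now: https://exarnple.com/reset
""",
    "report": """From: Bob Partner <bob@partner.example>
Message-ID: <3@partner.example>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

The report is at https://partner.example/q3
""",
}
```

Running analyze over SAMPLES quarantines "bec" (two reasons, no authentication failure at all, which is why SPF/DKIM/DMARC alone do not stop BEC) and "phish" (three reasons), and delivers "report". If intelligence later marks partner.example as compromised, sweep(api, {"partner.example"}) retracts the delivered report; that is the step an MX-only gateway cannot take because it no longer sees the message after handing it off.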

Common features of API-based email security tools include cloud-native integration, post-delivery protection, AI/ML-based detection of more advanced attacks, behavioural analysis, internal threat monitoring (such as lateral phishing or insider abuse), and quick deployment.

Example API-Based Products:

Use Cases:

  • Ideal for cloud-native organizations using platforms like Microsoft 365 or Google Workspace.
  • Effective for detecting post-delivery threats, such as compromised internal accounts.

3. Comparing Secure Email Gateways and API-Based Email Security

Feature: Deployment
  SEGs: Typically deployed at the network edge or on-premises. Requires changing MX records to redirect email through the gateway for inspection. Blocks malicious emails before they reach user inboxes.
  API Email Security: Cloud-native deployment with direct integration into platforms like Microsoft 365 or Google Workspace via OAuth-authorized APIs. No MX record changes required.

Feature: Detection Timing
  SEGs: Pre-delivery. SEGs analyze emails before they reach the recipient; actions like quarantining or blocking are taken upfront.
  API Email Security: Post-delivery. API solutions monitor emails after they are delivered, allowing ongoing analysis, remediation and real-time detection of evolving threats.

Feature: Threat Intelligence (the same for both)
  Both rely on pre-configured rules, machine learning (ML) algorithms and global threat intelligence feeds to detect threats. Performance depends on keeping the threat database up to date.

Feature: Advanced Threat Protection
  SEGs: Effective against phishing, spam and known malware. Limited against advanced social engineering and zero-day threats without sandboxing add-ons.
  API Email Security: Stronger protection against sophisticated attacks (e.g., BEC, Account Takeover (ATO) and internal threats). Analyzes email history, user behavior and context to detect malicious patterns.

Feature: Cloud Compatibility
  SEGs: Not inherently designed for cloud platforms.
  API Email Security: Cloud-native design, purpose-built for platforms like Microsoft 365 and Google Workspace.

Feature: Ease of Use
  SEGs: Initial setup can be complex due to DNS/MX configuration and hardware management.
  API Email Security: Quick deployment: direct API integration with minimal configuration.

Feature: Attachment Scanning
  SEGs: Scans attachments using hash reputation and sandbox analysis. May introduce latency during attachment analysis.
  API Email Security: Deconstructs and analyzes attachments post-delivery using API access. Some solutions integrate with cloud storage APIs to detect threats spreading via shared files.

Feature: Detection and Response
  SEGs: Detection decisions are made at delivery time, so response to post-delivery threats is slower. No continuous monitoring of the mailbox: an MX-only SEG cannot detect post-delivery threats such as ATO or malicious replies.
  API Email Security: Enables automated remediation, such as quarantining, flagging or removing malicious emails from inboxes in real time. Post-delivery protection: these solutions can retract or quarantine malicious emails even after delivery, adding a layer of defence against threats identified only later.

Feature: Sandboxing and Zero-Day Detection
  SEGs: Requires additional licensing or hardware (e.g., sandboxes for analyzing unknown files or links).
  API Email Security: Many API-based tools include built-in sandboxing, AI anomaly detection and integrations with threat intel APIs for better zero-day detection.

Feature: Potential API Exploits and Performance Impacts
  SEGs: No API is involved in an MX-only deployment; an SEG that adds API integration inherits the same risks.
  API Email Security: Misconfigured or over-privileged API access (for example, an OAuth application granted broad mailbox read/write scopes) can introduce vulnerabilities. High-volume API calls for real-time scanning can lead to latency, affecting email delivery times and user experience.

4. Useful abbreviations

  1. SPF (Sender Policy Framework) is an email authentication method that lets a domain owner publish, in DNS, which mail servers are allowed to send email for that domain. A receiving server compares the IP address of the connecting server against the SPF record of the domain in the SMTP envelope sender (MAIL FROM). This lets mailbox providers and ISPs identify spoofers, scammers and phishers who try to send mail from a domain that belongs to a company or brand.
  2. DKIM (DomainKeys Identified Mail) is a protocol that allows an organisation to take responsibility for a message by signing it in a way that mailbox providers can verify. Verification relies on public-key cryptography: the signing key is private to the sender and the matching public key is published in a DNS TXT record. There are three main steps to the DKIM signing process.
    • First, the sender chooses which header fields the signature will cover (listed in the signature's h= tag), for example From, Subject and Date, together with the message body. These fields must remain unchanged in transit, apart from the whitespace differences tolerated by the chosen canonicalization, or DKIM verification will fail.
    • Second, the sender computes a cryptographic hash over the selected fields and the body and signs that hash with its private key. The result is placed in a DKIM-Signature header added to the email, which also records the signing domain (d=) and a selector (s=) that tells receivers where to find the key.
    • Finally, the receiver fetches the sender's public key from DNS at <selector>._domainkey.<domain>, recomputes the hash over the covered fields and body, and verifies the signature against that hash. If the signature verifies, the covered content has not been altered in transit and the signing domain vouches for it.
  3. DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technical standard that builds on SPF and DKIM. A domain owner publishes a DMARC record in DNS (at _dmarc.<domain>) that tells receivers what to do with mail that fails authentication, using a policy (p=) of none, quarantine or reject. A message passes DMARC when SPF or DKIM passes and the authenticated domain aligns with the domain in the visible From header; this is what stops an attacker from passing SPF for their own domain while showing the victim's domain to the user. DMARC also provides a way for receivers to send aggregate and failure reports back to the domain owner, who can use them to find legitimate senders that are misconfigured and to see who is spoofing the domain.
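How SPF, DKIM and DMARC fit together on the receiving side, as an added example that is not part of the original post: the block below evaluates an SPF record against the connecting IP (the ip4, ip6, include and all mechanisms with their qualifiers, a subset of RFC 7208), then applies a DMARC record with strict and relaxed identifier alignment and subdomain policy. The DNS_TXT zone data is constructed for the example, DKIM signature verification itself is taken as an input (dkim_result), and org_domain approximates the organizational domain as the last two labels where a real implementation consults the Public Suffix List.

```python
import ipaddress

DNS_TXT = {   # constructed zone data for this example; a real receiver queries DNS
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8::/32 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP (subset of RFC 7208)."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False across IP versions
        elif mech == "include":
            matched = spf_check(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"           # a, mx, ptr, exists and redirect= are not modelled here
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no "all" term


def org_domain(domain):
    """Organizational domain approximated as the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_tags(record):
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the DMARC policy of the RFC5322.From domain. Returns (result, action)."""
    record = DNS_TXT.get("_dmarc." + from_domain.lower()) or DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if not record or not record.startswith("v=DMARC1"):
        return "none", "none"            # no policy published: deliver as usual
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    action = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", action


def receive(client_ip, mail_from_domain, header_from_domain, dkim_result="none", dkim_domain=""):
    """One inbound message: SPF on the envelope sender, then DMARC on the visible From domain."""
    spf = spf_check(mail_from_domain, client_ip)
    result, action = dmarc_evaluate(header_from_domain, spf, mail_from_domain, dkim_result, dkim_domain)
    return {"spf": spf, "dmarc": result, "action": action}


if __name__ == "__main__":
    print(receive("192.0.2.25", "example.com", "example.com", "pass", "example.com"))       # legitimate
    print(receive("203.0.113.9", "example.com", "example.com"))                             # spoofed envelope
    print(receive("198.51.100.10", "example.com", "example.com", "pass", "mailer.example"))  # via include
    print(receive("203.0.113.9", "example.com", "example.com", "pass", "mail.example.com"))  # strict adkim
```

Two results are worth noticing: the third message passes DMARC on SPF alignment alone even though its DKIM domain (mailer.example) fails strict alignment, which is how a third-party bulk sender listed through include: keeps working, and the fourth fails despite a valid DKIM signature because adkim=s demands an exact domain match, a common surprise when subdomains sign mail for the parent domain.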

5. Summary and Best Practices

🍃1. Secure Email Gateways (SEGs) and How They Work
Secure Email Gateways (SEGs) inspect and filter incoming and outgoing emails to block threats like phishing and malware before they reach the recipient. SEGs operate using DNS MX records or API integrations to monitor and protect emails from malicious elements by scanning metadata, body content, attachments, and more.

🍃2. API-Based Email Security and How It Works
API-based email security solutions integrate directly with email platforms, providing real-time monitoring and post-delivery remediation without needing to reroute email traffic. These solutions utilize APIs to analyze emails for threats such as phishing, malware, and internal attacks, and they offer the ability to retract malicious emails after delivery.

🍃3. Comparing Secure Email Gateways and API-Based Email Security
SEGs are typically deployed at the network edge and focus on pre-delivery email filtering, while API-based security integrates directly with cloud email services and offers post-delivery protection. API solutions are better for detecting advanced threats like BEC and ATO, providing continuous monitoring and remediation of emails even after they are delivered.

🍃Best Practices (based on Check Point's Top 10 Email Security Best Practices 2024)

  1. Combine SEGs and API-based tools for layered security.
  2. Regularly update your email security solutions to address new vulnerabilities.
  3. Monitor email logs and detection telemetry; Sigma rules help with log-based detections and YARA rules with scanning attachments for known malicious patterns.
  4. Train employees to recognize phishing and other social engineering tactics.
  5. Implement strong multi-factor authentication (MFA) to mitigate account takeovers.
  6. Use email encryption.
  7. Implement Data Loss Prevention (DLP).
  8. Implement the SPF, DKIM and DMARC email authentication protocols.
  9. Leverage inline protection.
  10. Conduct regular email audits and penetration testing.
  11. Employ sandboxing technology.

In today’s threat landscape, a proactive, multi-layered approach to email security is no longer optional. By understanding the strengths and limitations of both SEGs and API-based solutions, organizations can better protect their communication channels against evolving cyber threats.


References

  1. https://www.barracuda.com/support/glossary/secure-email-gateway
  2. https://www.cloudflare.com/en-gb/learning/email-security/secure-email-gateway-seg/
  3. https://www.proofpoint.com/au/threat-reference/api-based-email-security
  4. https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-email-security/what-is-api-based-email-security/
  5. https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-email-security/top-5-email-security-threats/
  6. https://www.reddit.com/r/msp/comments/1ekly89/api_email_security_vs_secure_email_gateway/
  7. https://www.f5.com/labs/articles/threat-intelligence/2020-phishing-and-fraud-report
  8. https://www.avanan.com/hubfs/Adrian%20Uploads/10%20Top%20Email%20Security%20Best%20Practices.pdf
