MX vs. API vs. Hybrid Email Security Deployment

Email remains a foundational communication tool for businesses, but it is also an entry point for 90% of cyber attacks. To mitigate these risks, organizations often turn to specialized email security solutions.

Three prevalent approaches are MX, API and Hybrid (MX + API combination) email security.

There tends to be a false dichotomy in the industry that one deployment model is vastly superior to the others. However, this is not the case. Each has pros and cons. Understanding the differences between the various solutions is crucial for weighing your requirements as a Managed Service Provider (MSP) and deciding what works best to protect your customers.

MX-Based Email Security

How It Works

MX (Mail Exchange) DNS records determine where email traffic is routed. In an MX-based setup, organizations change these records to redirect email through a mail server or Secure Email Gateway (SEG). If it is routed to a SEG, the vendor scans and filters emails before they reach their final destination.

An illustration of MX-based email security deployment
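
An added example (not from the original article or from any vendor's tooling): after the MX change described above, a quick audit can confirm that every MX record for the domain points at the gateway, since any leftover record is a delivery path that skips filtering. The domain names and the `seg.example` gateway suffix are constructed placeholders.

```python
"""Audit a domain's MX answers after an MX-based cutover (constructed data)."""

# Constructed sample: `dig MX` answer lines for a hypothetical customer domain.
# "seg.example" stands in for the gateway vendor's hostname suffix (assumption).
SAMPLE_ANSWER = """\
customer.example.  3600 IN MX 10 mx1.seg.example.
customer.example.  3600 IN MX 20 MX2.SEG.EXAMPLE.
customer.example.  3600 IN MX 50 mail.customer.example.
customer.example.  3600 IN MX 90 mx1.notseg.example.
"""


def parse_mx(answer_text):
    """Return sorted (preference, host) pairs from dig-style MX answer lines."""
    records = []
    for line in answer_text.splitlines():
        fields = line.split()
        if "MX" not in fields:
            continue  # skip blank lines and other record types
        i = fields.index("MX")
        if len(fields) < i + 3 or not fields[i + 1].isdigit():
            continue  # question-section or malformed line
        host = fields[i + 2].rstrip(".").lower()  # DNS names are case-insensitive
        records.append((int(fields[i + 1]), host))
    return sorted(records)


def under_suffix(host, suffix):
    """True if host equals suffix or is a subdomain of it (label boundary)."""
    suffix = suffix.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def audit_mx(answer_text, gateway_suffix):
    """Return (preference, host) for MX records that do not point at the gateway."""
    leftovers = []
    for pref, host in parse_mx(answer_text):
        if host == "":
            continue  # null MX ("0 .", RFC 7505): the domain accepts no mail
        if not under_suffix(host, gateway_suffix):
            leftovers.append((pref, host))
    return leftovers


if __name__ == "__main__":
    for pref, host in audit_mx(SAMPLE_ANSWER, "seg.example"):
        print(f"MX {pref} {host} does not route through the gateway")
```

The suffix match is done on a label boundary, so a host such as `mx1.notseg.example` is not mistaken for a gateway host.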

Strengths

  • Pre-delivery threat filtering: Emails such as spam, malware, and phishing are blocked at the edge before entering the infrastructure.

  • Platform-agnostic: Works with any email infrastructure, making it ideal for on-prem servers.

Trade-offs

  • MX change overhead: Requires DNS changes and mail flow changes.

  • Limited visibility post-delivery: Threats that make it past the gateway go straight to the inbox.

  • Potential downtime/delays: Extra infrastructure adds another potential point of failure in the delivery pipeline.

To learn more about MX-based email security, you can view Mesh Gateway.

API-Based Email Security

How It Works

API-based tools connect directly to cloud email platforms like Microsoft 365, providing real-time access to mailboxes and events. These solutions typically scan and monitor emails post-delivery.

An illustration of API-based email security deployment

Strengths

  • No DNS/mail flow changes: Easy to deploy with no MX changes.

  • Post-delivery detection and remediation: Removes threats that bypass pre-delivery filters.

  • Contextual intelligence: Evaluates user behavior, conversation history, and more.

Trade-offs

  • Reactive model: Threats typically reach the user’s inbox before filtering can occur.

  • Dependent on platform APIs: The vendor may be subject to cloud provider rate limits, third-party API infrastructure changes, etc.

For more information on API-based email security, feel free to check out Mesh 365.

Side-by-Side Comparison

Comparison of MX-based and API-based email security deployment

Hybrid Approach

The Hybrid approach involves combining both MX and API-based protection.

In this setup, email is first routed through a SEG to offer protection at the perimeter. Once delivered, the API-based solution offers continued protection and a suite of features to better secure mailboxes internally.

An illustration of Hybrid (MX and API-based) email security deployment

Why Hybrid?

  • Layered defense: Blocks known threats early, helps catch evasive ones later.

  • Improved visibility: Full visibility of external and internal traffic.

  • Faster remediation: Threats that bypass initial filters can still be detected and quarantined.


Considerations

  • Operational complexity: Often requires integration between two different systems.

  • Cost overhead: Licensing and managing both tools.


With our Mesh Unified solution, we allow you to use a hybrid configuration without the requirement of two email security products or licenses.


What is best for you?

  • Go MX-Based if you only require perimeter filtering, have an on-prem server, or already have an API solution.

  • Go API-Based if you want easier integration, internal protection, and post-delivery remediation.

  • Go Hybrid if you're targeting both perimeter and internal protection, while removing the negatives of MX/API standalones.

Email security isn't one-size-fits-all. MX and API-based services each serve a purpose individually, but together they can offer stronger, layered protection. For MSPs, striking a balance between security and manageability is critical when managing varied client environments at scale.
