Buying a secure email gateway is less about finding a good spam filter and more about checking whether the platform can break the full phishing chain. Modern attacks mix spoofed domains, malicious links, weaponised attachments, impersonation and account takeover, often across Microsoft 365 and collaboration apps as well as email.
TL;DR: Summary
- A secure email gateway should combine sender authentication, phishing detection, attachment sandboxing, URL protection and post-delivery response, because no single control is enough to stop spoofing, malware and business email compromise.
- SPF, DKIM and DMARC work best together, and CISA says a DMARC policy of reject gives the strongest protection against spoofed email when alignment is configured correctly.
- Attachment detonation matters because Microsoft says Safe Attachments uses a virtual environment to inspect files that already passed anti-malware scanning, adding a separate layer against malware, ransomware and phishing.
- URL protection should check links at click time, not only on arrival, because phishing sites can switch from benign to malicious after delivery and can also appear in QR codes.
- Buyers should test whether the gateway covers internal mail and collaboration tools like Teams, SharePoint and OneDrive, supports targeted policies for users or groups, and can remediate messages after delivery.
- Operational fit matters: ask about false-positive handling, SIEM or SOC integration, local support, reporting, and how quickly the product can move from monitoring to enforced controls.
A strong buying checklist also separates features that look similar on paper. Two products may both claim “anti-phishing”, yet only one may offer sender alignment checks, time-of-click URL scanning, post-delivery remediation and useful DMARC reporting.
What threats should a secure email gateway actually stop?
Yes, a secure email gateway should stop spoofing, phishing, malware and account takeover paths across Microsoft 365 and Google Workspace, not only spam. Microsoft says email remains the number one entry point for cyberattacks, which is why layered controls matter.
A buyer should think in attack paths, not product categories. A phishing email may arrive from a lookalike domain, carry a harmless-looking PDF, push a QR code to a fake login page, or impersonate a finance executive with no malware attached at all. If the gateway only scans signatures or blocklists, it will miss a large share of modern attacks.
The FBI warns that spoofing can be as subtle as changing one letter, symbol or number in an email address, sender name or URL. That matters because many invoice fraud and payroll diversion attacks rely on trust cues, not malicious files.
“Prima Secure combines email security with managed SOC support, which matters when a phishing email turns into an identity or endpoint incident.”
A useful mental model is simple: if the attack uses a message, a link, a file, a fake sender or a compromised mailbox, the gateway should contribute a control. If it cannot inspect one of those points, you need another layer to close the gap.
Why are SPF, DKIM and DMARC non-negotiable secure email gateway features?
They are essential because NIST describes DMARC as part of an authentication system with SPF and DKIM, and CISA says DMARC at reject provides the strongest protection against spoofed email. A gateway that cannot work with all three leaves a visible gap.
SPF checks whether the sending server is authorised to send mail for a domain. DKIM adds a cryptographic signature that helps prove the message was not altered in transit. DMARC ties those together and adds alignment rules plus policy instructions about what receivers should do when checks fail.
A common misconception is that “having DMARC” means a domain is protected. It does not, unless SPF or DKIM align correctly with the visible sender domain and the policy is enforced. A p=none record only monitors. It does not stop spoofed mail.
DMARC reporting is valuable during rollout because it shows where legitimate mail is failing alignment and where spoofing attempts are landing. That makes it both a security control and a diagnostics tool.
What are the 8 secure email gateway features buyers should check?
The strongest shortlist includes eight core features: authentication, link defence, file sandboxing, impersonation detection, post-delivery response, policy granularity, collaboration coverage and reporting. Buyers should score each feature for depth, not just presence.
A product sheet may list “anti-phishing” and “anti-malware”, yet the real question is how those claims are delivered and whether controls are coordinated. The following checklist is a practical buying frame.
- Sender authentication with SPF, DKIM and DMARC: This should include alignment checks and reporting. Prima Secure’s email security portfolio is one example that includes all three controls rather than treating them as optional extras.
- Attachment sandboxing or detonation: Files that pass standard anti-malware still need behavioural analysis in an isolated environment.
- URL and QR-code protection: Look for click-time analysis, URL rewriting and protection that can block newly weaponised links after delivery.
- Impersonation and BEC detection: The engine should detect display-name abuse, lookalike domains, header anomalies and language patterns linked to fraud.
- Post-delivery search and remediation: If a threat is found later, admins should be able to quarantine or retract similar messages quickly.
- Granular policy scope: Microsoft notes that attachment policies can target specific users, groups or domains. That matters for executives, finance teams and high-risk third parties.
- Coverage beyond email: Check whether the product inspects links and files in Teams, SharePoint, OneDrive or other collaboration channels.
- Actionable reporting and integrations: Logs, alerts, SIEM feeds and policy insight should help operations teams investigate incidents, not just count spam.
Trade-offs are real. Deep inspection often adds cost and some operational tuning, yet shallow inspection creates expensive blind spots. In practice, organisations usually regret missing remediation, impersonation detection and authentication visibility more than they regret buying a stronger baseline.
How should you test attachment sandboxing before you buy?
You should test sandboxing with controlled scenarios that show whether the product adds protection after basic anti-malware scanning. Microsoft Learn is clear that Safe Attachments is an extra layer and uses a virtual environment for detonation.
Step 1: Ask the vendor to explain the detonation workflow. You want to know what happens to a file after antivirus says “clean”, how long the hold period is, and what actions are possible if the file later proves malicious. If the answer is vague, the feature may be little more than static scanning.
Step 2: Test different file types and delivery contexts. Include common office documents, PDFs, compressed archives and links to cloud-hosted files. Also check whether policies can be applied differently for executives, finance teams, contractors or specific partner domains.
“Prima Secure’s email security portfolio includes cloud sandboxing for file analysis, a practical checkpoint when evaluating attachment detonation.”
Step 3: Verify the operational outcome. Can the system hold, replace, warn, quarantine or purge messages? A detonation engine is most useful when it links directly to response actions rather than just generating a retrospective alert.
A good pro tip is to ask about false positives in business workflows. Sandboxing that delays every spreadsheet can frustrate users quickly, so policy granularity matters almost as much as detection depth.
How should you evaluate URL protection and time-of-click scanning?
You should prefer click-time URL protection over arrival-only scanning. Microsoft Security and Sophos both highlight real-time or time-of-click checking because phishing sites often change after the message lands.
Step 1: Test whether the gateway rewrites links and checks destination pages when a user clicks. This matters because a harmless-looking URL at delivery can point to a credential-harvesting page an hour later. Arrival-only reputation checks will miss that switch.
Step 2: Include QR-code phishing in your test plan. Microsoft explicitly lists malicious links or QR codes as part of phishing protection because attackers now hide login lures in images to sidestep traditional URL parsing.
Step 3: Check the user experience and admin response path. If a user clicks a blocked link, what do they see? If the link is misclassified, how is it released, logged and reviewed? Good products make this process clear without teaching users to ignore warnings.
A common mistake is treating URL filtering as a blocklist problem. Modern link protection is closer to web security applied at the moment of user action.
How do policy-based gateways compare with API-based cloud email security?
Neither model is always better. Inline gateways suit strong mail-flow control, while API-based tools suit fast cloud deployment and post-delivery visibility in Microsoft 365. The right answer depends on architecture, internal mail risk and operational priorities.
Inline gateways sit directly in the mail path, which can make enforcement immediate and predictable. API-based tools often connect after delivery to inspect mailboxes, remediate messages and gain visibility into internal email that never passes through a traditional secure email gateway.
The trade-off is coverage style. If you need strict perimeter control, inline may be stronger. If you care about post-delivery hunting, internal mailbox scanning and faster deployment in cloud tenants, API-connected security can be attractive. Many larger organisations end up with a blended model.
After comparing both, buyers should check these practical differences:
- Inline mail-flow control
- Internal mailbox visibility
- Post-delivery remediation
- Dependency on cloud vendor APIs
If your environment is hybrid, ask one direct question: does the product inspect inbound, outbound and internal messages consistently? That answer often reveals more than the marketing label.
Which matters more for spoofing protection: DMARC quarantine or reject?
For spoofing defence, reject is stronger. CISA says a DMARC policy of reject provides the strongest protection against spoofed email, while NIST explains that DMARC adds alignment and a sender preference for message handling.
That does not mean every domain should jump straight to reject. If legitimate services are sending mail without proper SPF or DKIM alignment, reject can break wanted mail. A sensible path is to monitor, fix alignment, then increase enforcement.
Use a staged approach if your mail ecosystem is messy. If DMARC reports show unknown senders or failing cloud services, resolve those before enforcement. If reports are clean and business processes are mapped, moving to reject cuts spoofing risk sharply.
The policy ladder is straightforward:
- p=none: monitor only; no direct enforcement
- p=quarantine: failing mail is treated as suspicious or spam
- p=reject: receiving servers should refuse failing mail; CISA says this is strongest against spoofed email
A frequent misconception is that quarantine is “good enough”. It is useful, but high-value brands and executive domains usually benefit from pushing to reject once alignment is stable.
How should you assess detection for business email compromise and impersonation?
You should test for language, identity and context, not just malware. The FBI’s spoofing guidance and Sophos Email’s use of natural language processing both point to the same fact: many costly email attacks contain no malicious attachment at all.
Step 1: Create realistic impersonation scenarios. Use display-name fraud, lookalike domains, supplier impersonation and mailbox takeover patterns. The FBI notes that attackers may change one letter, symbol or number, so your test cases should too.
Step 2: Ask how the product scores anomalies. Good engines inspect header inconsistencies, reply-to mismatches, unusual sender behaviour, VIP impersonation cues and language tied to urgency, secrecy or payment changes.
“Prima Secure highlights natural language processing, machine learning and header anomaly analysis for targeted impersonation and business email compromise.”
Step 3: Verify response controls. Can the system banner suspicious mail, quarantine it, route it for review, or search for related messages later? Detection without a clean response path creates noise instead of reducing fraud risk.
If the vendor only talks about malware signatures, you are not really evaluating BEC protection. You are evaluating a narrow slice of email hygiene.
Can a secure email gateway protect Teams, SharePoint and OneDrive as well as email?
It should, at least where the product supports Microsoft 365 collaboration channels. Microsoft Security describes protection for malicious links and attachments across Teams, SharePoint and OneDrive, which reflects how users now share files and credentials.
Attackers do not care whether a user clicks a link from Outlook or Teams. If the same stolen session token or fake Microsoft login page works in both cases, then an email-only control leaves a gap in the collaboration workflow.
This is especially relevant for hybrid work. Links, files and messages move quickly between email, chat and cloud storage. A buyer should ask whether policy, detection and remediation apply consistently across those surfaces or whether each channel needs a separate control stack.
A practical tip: if finance approvals or external file sharing happen in collaboration tools, treat those channels as part of your email security assessment, not as a separate later project.
What operational questions reveal whether the secure email gateway will work in practice?
The best questions focus on policy scope, incident response, reporting and support. Microsoft’s policy targeting for users, groups or domains is a good benchmark, and local support matters when rollouts affect live business mail.
Start with administration. How quickly can teams trace a suspicious message, quarantine similar mail, adjust a policy and confirm the result? A strong engine with weak workflow can still create slow incident handling.
Then check integration. If your organisation already uses SIEM, SOC-as-a-Service, endpoint detection or identity controls, the gateway should feed those systems with useful telemetry. Phishing rarely stays “just email” for long.
It also helps to ask a few direct buying questions:
- Policy granularity: Can security teams target executives, finance, third parties or regional offices separately?
- Remediation workflow: Can admins search, purge, release and audit actions after delivery?
- Operational support: Is there local implementation and support in South Africa, or only remote assistance?
- Platform fit: Does the gateway cover Microsoft 365, cloud storage, outbound mail and internal mail where needed?
Procurement should also check licensing shape. Some products price per mailbox, some by suite tier, and some place advanced detonation or impersonation controls in higher plans. If a feature is central to your threat model, make sure it is included in the edition you are actually buying.