A secure email gateway (SEG) is an email security product that uses signature analysis and machine learning to identify and block malicious emails before they reach recipients’ inboxes.
SEGs are important because email attacks, such as phishing, are some of the most common cyber threats organizations face. SEGs work similarly to secure web gateways (SWGs) but focus on identifying threats in email traffic rather than a user’s web browsing activity.
Originally, SEGs were designed to deal with email spam, which provides a large volume of samples with which to analyze and identify malicious content. Modern email threats are more targeted and sophisticated, and, in cases such as business email compromise (BEC) attacks, may not contain overtly malicious content like phishing links or malware. Modern SEGs use machine learning and threat intelligence to identify these more advanced attacks, as well as other novel threats.
How does an SEG work?
An SEG inspects and filters email traffic for potentially malicious, dangerous, or inappropriate content. They do so using a combination of signature analysis — looking for known malware — and machine learning.
SEGs typically operate using one of two methods: DNS MX record or API integration.
DNS MX record
An MX record is a type of DNS record that specifies the IP address of a corporate email server or mail transfer agent (MTA).
SEGs can insert themselves into emails’ travel paths by updating an organization’s MX record to point to the SEG. All inbound email traffic will then be routed to the SEG, enabling it to inspect and filter messages before forwarding them on to the organization and users’ inboxes. This is like routing automobile traffic on a highway through a law enforcement checkpoint to look for contraband goods.
API integration
Most modern email platforms, such as Google Workspace or Microsoft 365, offer an API for third-party integrations. These APIs enable users to automate and streamline workflows by providing external applications with the ability to read and edit emails. As this approach does not require re-routing email traffic, it is more like hiring a team of detectives to look for potentially dangerous cars on the road.
SEGs can use APIs to monitor email content once it reaches an employee’s inbox. With API integrations, an SEG can provide monitoring and protection for outbound emails, or retroactively remove inbound emails that are identified as malicious after delivery.
How do SEGs protect against threats?
Most SEG solutions include some combination of the following core functionalities:
- Inbound SMTP gateway: Act as an inbound gateway for SMTP email traffic by replacing the DNS MX record with that of the SEG proxy
- Email hygiene: Identify and block spam and malware from reaching employees’ email accounts
- Content filtering: Inspect emails for inappropriate content or attempted exfiltration of sensitive data
- Anti-phishing: Use machine learning to identify business email compromise (BEC) attempts and other phishing threats
- Advanced threat defense: Use machine learning and advanced analytics to identify novel and sophisticated email-borne threats
What threats can SEGs protect against?
Email is a common threat vector for cyber attackers because it is simple but effective. Almost all organizations use email to communicate with employees, vendors, and clients, and tricking a user into clicking a malicious link or opening an infected attachment is often easier than identifying and exploiting a vulnerability in an organization’s systems. Also, email-based attacks can be automated, making them highly scalable.
An SEG can identify a wide range of potential threats that can be delivered via email. Threats that an SEG protects against include:
- Spam: Attacks containing high volumes of malicious or unwanted email traffic
- Malware: Ransomware and other malware are commonly delivered via email attachments or malicious webpages linked in phishing emails
- Phishing: Phishing attacks use social engineering to trick or coerce the recipient into clicking a link, opening an attachment, or taking some other dangerous action
