The arguments in favor of managed email security are easily made. Cost savings tend to be dramatic, with ROI often coming in months. The load on mail server infrastructure can be reduced to a tiny fraction as all spam and malware is blocked before it enters the client network. As a result, resistance to denial-of-service attacks and mail reliability are much improved.
The arguments against are fewer, but growing stronger. Compliance requirements might raise concerns about the guaranteed integrity of the EMSSP network, and while most are undergoing ISO 17799 testing or similar, few are able to offer the assurance you would expect from an outsource provider.
Email service providers operate data centers in multiple countries for redundancy and global coverage and may not guarantee where your messages are stored and processed, which might affect data protection. Demand reassurance about this issue from your service provider.
The market is changing rapidly: few email service providers are focused purely on messaging any more. Most are investigating other areas of service, so picking a provider will involve much closer examination of their service roadmap – there is talk of web filtering, IM integration, long-term message archival, encryption and more – and not just a look at the spam filters and monthly cost.
To test these services, we used our test lab’s mail services, pointing incoming and outgoing mail through the MSSPs’ facilities, then examined each service from a high level, looking at configuration, reporting and policy controls. Actual mail filtering was of peripheral interest to us: most MSSPs should achieve excellent spam (and false positive) rates.
But given the changes taking place, we were more interested in each service’s business plan, since these services are moving out of plain filtering roles into a much more strategic position, particularly with compliance-oriented facilities, such as mail archival and policy reporting. We interviewed senior managers at each service, asking about current and future services, support, global coverage and business strategy, and built each review around the business as much as the actual service itself.
The provisioning process tends to be similar from one provider to the next, although some take more care to ensure the customer has not messed up the configuration.
Outbound mail servers (if outgoing mail is to be filtered) are instructed to relay through the service provider’s facilities. MX records (Mail eXchange DNS entries) are reconfigured so that incoming mail will route through the service, which then forwards mail into the existing local mail infrastructure. Most services then recommend that connections to the inbound mail server are firewalled to allow only connections from the managed service.
Most will conduct regular tests of your facilities to ensure mail records are correctly set, firewalls configured appropriately and mail servers not acting as open relays.
But while most services do this, not one pointed out that our existing SPF records for the test domain were now invalid, or gave any guidance on configuring them correctly. SPF works by stating which IP addresses are acknowledged to be valid senders of mail from a particular domain. When mail is relayed through a service provider, these need to be updated with the MSSP’s IP addresses, or anti-spam services at the recipient end might block your mail. Changing them to reflect the email provider’s addresses is a moment’s work, but easily forgotten.
It is now relatively easy to change from one supplier to another, and while custom rules need reconfiguring, swapping MX records and allowing LDAP syncs to import user lists means it is a relatively painless process. This boost to competitiveness in the market might change, however, as archiving becomes a more important part of the service suite, and switching providers might become a lot more difficult.
This is also the strongest argument against using the email filtering service provider as an archival host too — separation of the functions will cost more, but ensure no loss of flexibility.
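The SPF gap described above can be checked before cutover. The following is an added example, not code from the article or from any provider: it evaluates a domain's SPF record against the relay's outbound addresses. The domain names, TXT records and IP ranges are constructed, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed sample TXT data (documentation address ranges, hypothetical names).
OLD_TXT = {"example.com": "v=spf1 ip4:192.0.2.10 -all"}
NEW_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:spf.provider.example -all",
    "spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:25::/48 ~all",
}
RELAYS = ["198.51.100.25", "2001:db8:25::1"]  # constructed provider egress IPs

def spf_result(domain, ip, txt, depth=0):
    """Evaluate ip4/ip6/include/all for one sender IP against a TXT lookup table."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "pass"  # default qualifier when none is written
        if term[0] in qualifiers:
            qual, term = qualifiers[term[0]], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = spf_result(value, ip, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include invalidates the record
            matched = inner == "pass"  # only an inner pass counts as a match
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, redirect and macros are outside this example
        if matched:
            return qual
    return "neutral"

def unauthorized_relays(domain, relay_ips, txt):
    """Provider outbound IPs that the domain's SPF record does not pass."""
    return [ip for ip in relay_ips if spf_result(domain, ip, txt) != "pass"]
```

With the pre-migration record, both relay addresses are reported as unauthorized; adding the provider's include clears the list.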
We were disappointed by the poor turnout for testing. Managed service companies have always been reluctant to allow testing. Taken to extremes, as in the case of the now-bankrupt Avecho, from which we received a complete stonewall response to queries about the service, this reluctance risks alienating the market. In this test, over a dozen vendors were approached, and while several indicated interest, only four finally provisioned services.
Non-participants included high-profile players like Postini, Frontbridge (now owned by Microsoft) and MessageLabs.