Over the past decade, there has been a monumental shift towards software as a service, and the notion of businesses running their own email server feels a little old-fashioned. However, with a growing number of data breaches and stories surrounding the mishandling of third-party data, there are now some compelling reasons to consider it.
This post is the first of a series that will examine matters associated with running your own email server and email security.
Control
Individual industries, professions, and companies all have their particular risk profiles. The security posture for a financial services institution will be very different from that of a hotel chain, which will be different from a medical facility.
So how can outsourcing email be tailored to fit the exact needs of each organization? The answer is it can’t. Not entirely. Once you start to outsource email, you need to remember that you become one of many. For instance, in the case of Google Workspace, you become one of six million customers.
Suddenly your voice won’t always be heard. If you run your own email server, you are in the driver’s seat in terms of being able to handle the following more effectively:
Customizations — you will have complete flexibility (within the realms of what’s possible) to do what you wish to your email stream, something that is lost when you outsource. Specifically, you can tune your spam filters to your exact business requirements. For instance, you can be aggressive in blocking locations you never receive mail from or guarantee acceptance for messages matching specific patterns (whitelisting).
Outages — you’ll be responsible for your own infrastructure, so when you see news like ‘Outlook is down: Microsoft web outage hits users worldwide’, you won’t be affected.
Delivery issues — your email server will only be sending and receiving your business’s email. Therefore, you won’t be adversely affected by other users’ malpractices. For example, suppose you are sharing an email server with organizations less scrupulous than your own, and they begin sending spam or malicious emails through that same email server. In that case, your emails could be blocked as well.
This is highly likely if the provider managing your email server is slow to act on spam reports and allows nefarious operators to continue using their network, causing degradation of reputation.
Security — while email is in transit, it will have end-to-end encryption, whether you outsource or not. However, once mail has been delivered and is sitting on a server, it is unencrypted. If you outsource email, then the security of this server will be the responsibility of your provider. So, for businesses requiring 100% control of security to protect sensitive communications from inspection by third parties, bringing email in-house should be considered.
Troubleshooting — you will be able to quickly and easily investigate and remediate failed email deliveries and other related issues. Particularly useful is the ability to look at reasons behind false positives and fix them, rather than being at the direction of an external support desk.
As we all know, dealing with support desks can have its own set of challenges, including slow responses and a lack of technical training.
Privacy and ownership of data
Your company’s data is valuable, and part of that data is its email stream. There have been enough stories over the past few years of data harvesting, most notably the Facebook data privacy scandal.
Should you choose to run your own email servers, you will have increased data privacy; that is to say, the content of your emails can’t be accessed by any other entity (unless you have a security breach!).
In the past we’ve observed cases where the provider’s terms and conditions allowed it to search the content of emails to aid in targeting advertising, which clearly creates privacy and confidentiality problems.
Last but not least, there is a geographical consideration: if you outsource your email, the data may become subject to the regulations of the economy your provider is based in. For example, if your provider is situated in the USA and the USA government requires your data to be shared, your provider will have to hand it over.
We’re not saying that other governments won’t approach you to get their hands on your data if they require it, but at least you will have more awareness and control over what happens.
Not for everyone
We understand that managing your own email infrastructure isn’t for everyone. Indeed, where email servers aren’t correctly set up, multiple problems can arise, including security and deliverability issues.
However, we do believe that IT teams and those at an executive level need to consider carefully how they manage their email.
For those currently running, or considering setting up, their email infrastructure, email filtering will be a crucial component, so we’ll be recapping the basics of blocklists in our next post.
Natale Bianchi has been a collaborator of the Spamhaus Project for many years and has a background in the ISP industry.