Email Security Glossary

Email Gateway (SEG - Secure Email Gateway)

A Secure Email Gateway (SEG) is a security solution that scans incoming and outgoing emails for malware, phishing, spam, and policy violations. SEGs analyze email headers, bodies, and attachments, use sandboxes for suspicious files, and enforce anti-spoofing mechanisms (SPF, DKIM, DMARC). Market leaders include Proofpoint, Mimecast, Microsoft Defender for Office 365, and Cisco Secure Email.

Email gateways are the most important technical line of defense against phishing, the most common initial access vector. Over 90% of all cyberattacks begin with an email. An SEG filters spam and malware, detects phishing links, and sanitizes dangerous attachments. However, no SEG is perfect: targeted spear-phishing emails regularly bypass automatic filters.

SEG Features and Architecture

Core features of a Secure Email Gateway:

Anti-Spam:
  → Heuristics: Header analysis, content scoring, blacklists
  → Machine Learning: Language models detect spam patterns
  → Reputation: Sender IP and domain reputation (Spamhaus, Barracuda)
  → Bayesian filter: adaptive based on user feedback
  → Typical detection rate: 99%+ for bulk spam

Anti-malware:
  → Static analysis: signature-based scanning (multiple AV engines)
  → Dynamic analysis: sandbox detonation (execute suspicious attachments in a VM)
  → CDR (Content Disarm and Reconstruction): "clean up" PDFs/Office documents
    → Remove macros, trim external links, disable JavaScript
    → Clean document without malware → fewer false positives than blocking

Anti-Phishing:
  → URL analysis: known phishing domains (blacklists)
  → URL rewriting: redirect all links through gateway + scan-on-click
  → Lookalike domain detection: firma.de vs. fìrma.de (IDN homograph)
  → DMARC enforcement: emails claiming a known domain that fail DMARC (no aligned DKIM or SPF pass) → block

SPF/DKIM/DMARC enforcement:
  → SPF check: Is this IP allowed to send emails for this domain?
  → DKIM check: Is the signature valid?
  → DMARC: What to do in case of failure? (p=none → monitor only, p=quarantine, p=reject)

DLP (Data Loss Prevention):
  → Check outgoing emails for confidential content
  → Keyword: "CONFIDENTIAL", regex for IBAN/credit card/PII
  → Policy: Emails containing customer data → enforce encryption

Email encryption:
  → S/MIME: Certificate-based, compatible with Outlook/Thunderbird
  → PGP: Key exchange issues (little enterprise use)
  → TLS (STARTTLS): Transport encryption (not end-to-end!)
  → SEG encryption: Gateway encrypts to recipient gateway

Market leaders compared

Proofpoint Essentials / Enterprise:
  Strength:     Best phishing detection (people-centric security)
  Special feature:  VAP (Very Attacked People) Reporting – which users are being targeted?
  Feature:    Targeted Attack Protection (TAP) – targeted APT campaigns
  Attachment: Advanced Sandbox (WildFire-like, CloudSandbox)
  Price:      Enterprise pricing, starting at ~$4/user/month (Essentials)
  Suitable for:   Enterprise, companies with high phishing risk

Mimecast:
  Strength:     Archiving + security combined (email archive as a compliance feature)
  Special feature:  Impersonation Protection (detects CEO fraud)
  Feature:    Link Check (real-time URL scanning upon click)
  DMARC:      Mimecast DMARC Analyzer (best DMARC reporting tool)
  Price:      Mid-market to enterprise
  Suitable for:   Companies with compliance requirements (archiving + security)

Microsoft Defender for Office 365 (Plan 1 + Plan 2):
  Strength:     Native M365 integration (no gateway required!)
  Special features:  Safe Links + Safe Attachments - URL rewriting + sandbox
  Feature:    Attack Simulator - integrated phishing simulation!
  Price:      Plan 1: €2.10/user/month; Plan 2: €4.20/user/month
  Advantage:    Already included in M365 E5 → no additional product
  Suitable for:   M365 users (almost all companies)

Cisco Secure Email (formerly IronPort):
  Strength:     Deepest integration into network security infrastructure
  Special features:  Cisco Talos Threat Intelligence (one of the largest TI sources)
  Feature:    Outbreak Filters: Cisco detects global threats early
  Price:      Enterprise
  Suitable for:  Companies with Cisco infrastructure

Barracuda Email Security Gateway:
  Strengths:    SME-friendly, easy management
  Special features:  Email archiving + security in one
  Price:      Entry-level friendly, also on-premises option
  Suitable for:  SMEs without their own security team

Hornetsecurity (German):
  Strength:     German company (BSI-compliant, GDPR)
  Special:  AI Recipient Validation, Advanced Threat Protection
  Feature:    Spam filter + malware sandbox in one portal
  Price:      Mid-range, also for SMBs
  Suitable for:   German-speaking SMBs, GDPR focus

SEG Configuration Best Practices

Anti-Phishing Configuration:

URL Rewriting (Safe Links):
  → Rewrite all links in emails: original → gateway-url/scan/original
  → Upon click: Gateway scans URL in real time (even after delivery!)
  → Issue: rewriting can break legitimate emails with tracked or signed URLs → whitelist those senders
  → Important: also URLs in attachments (PDFs, Office documents!)

Anti-Spoofing (DMARC + DKIM + SPF):
  Inbound DMARC Enforcement:
    → Incoming emails claiming to be from company.de: verify DKIM and SPF!
    → If SPF fails + DKIM fails (no aligned pass) → Apply the domain's DMARC policy (quarantine/reject)

  Own domain protection (outgoing):
    → SPF record: Which servers are allowed to send mail for @company.com?
    → DKIM signature: SEG signs outgoing emails
    → DMARC policy: p=quarantine or p=reject

  Example DMARC record:
    _dmarc.company.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@firma.de; ruf=mailto:dmarc-forensic@firma.de; fo=1"
    # p=reject: Reject emails that fail SPF and DKIM!
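The DMARC check described in the SPF/DKIM/DMARC section and in the anti-spoofing configuration above, as an added Python example (not code from the page or any vendor): it parses a record, applies identifier alignment (adkim/aspf), and returns the disposition, including the sp= subdomain policy. The sample record and domains (example.com) are constructed assumptions, and the organizational-domain logic is simplified to the last two labels instead of a public suffix list lookup.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict (v= and p= are mandatory)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels are the organizational domain (real SEGs use the PSL)
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' only the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, policy_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' or the policy action (none/quarantine/reject) for one message.
    spf_domain is the MAIL FROM domain SPF authenticated, dkim_domain the d= of a
    valid signature; from_domain comes from the RFC 5322 From: header."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # sp= overrides p= for subdomains of the domain that published the record
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]

# Constructed sample record for a hypothetical domain (not the page's own data)
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
```

Note that a raw SPF or DKIM "pass" is not enough: a signature from an attacker-controlled d= domain still fails alignment and the message falls through to the policy.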

Impersonation Protection (CEO Fraud):
  → Whitelist: legitimate external senders (CEO advisor, lawyer)
  → Display Name Spoofing: "Max Müller (CEO)" from a third-party domain → Warning banner
  → Look-alike domain: muster-gmbh.de vs. mustergmbh.de → Block
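The impersonation checks just listed (display-name spoofing, look-alike and IDN homograph domains, whitelist of vetted external senders), as an added Python example that is not from the page or any product. The protected names, domains and allow-list entries are constructed assumptions; the confusable table is deliberately small.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed policy data: hypothetical protected names/domains and an allow-list
PROTECTED_DOMAINS = {"muster-gmbh.de", "firma.de"}
PROTECTED_NAMES = {"max müller"}                 # executives whose display name is watched
SENDER_ALLOWLIST = {"kanzlei@example-law.de"}     # vetted external senders (lawyer, advisor)
# A few Unicode/ASCII confusables folded to a canonical form (hyphen removed as well)
CONFUSABLES = {"ı": "i", "0": "o", "1": "l", "rn": "m", "vv": "w", "-": ""}

def skeleton(domain):
    """Fold a domain so homographs and near-miss spellings compare equal:
    decode IDN (xn--) labels, strip accents, then map confusable characters."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass                      # already raw Unicode, nothing to decode
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def lookalike_of(domain):
    """Return the protected domain this sender domain impersonates, or None."""
    if domain in PROTECTED_DOMAINS:
        return None
    s = skeleton(domain)
    for prot in PROTECTED_DOMAINS:
        if s == skeleton(prot) or SequenceMatcher(None, s, skeleton(prot)).ratio() > 0.9:
            return prot
    return None

def check_from(from_header):
    """Classify a From: header as 'allow', 'warn' (display-name spoof) or 'block' (lookalike)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if addr in SENDER_ALLOWLIST or domain in PROTECTED_DOMAINS:
        return "allow"
    if lookalike_of(domain):
        return "block"
    if any(p in unicodedata.normalize("NFKC", name).lower() for p in PROTECTED_NAMES):
        return "warn"             # executive's name on an external address → warning banner
    return "allow"
```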

Quarantine Management:
  → Digest Emails: Daily list of blocked emails sent to recipients
  → Self-Release: Users can retrieve harmless emails from quarantine
  → Admin Review: All quarantine items viewable by admins
  → Retention: 30 days in quarantine, then deletion

Attachment Sandboxing:
  Document types that are always analyzed:
    .exe, .dll, .ps1, .vbs, .bat - always block or sandbox
    .docx, .xlsx, .pptx with macros - sandbox
    .pdf with JavaScript - CDR or sandbox
    .zip, .rar, .7z - Unzip + analyze all files

  CDR (Content Disarm and Reconstruction):
    → Instead of blocking: Clean up document and deliver
    → PDF: Remove JavaScript, trim external links
    → Office: Remove macros, disable active content
    → Advantage: Fewer false positives than "block everything"
    → Disadvantage: complex technology, performance

Outbound DLP Policy:
  # Sample rules:
  Regex: [0-9]{4}\s?[0-9]{4}\s?[0-9]{4}\s?[0-9]{4}  → Credit card number!
  Keyword: "CONFIDENTIAL", "Non-Disclosure Agreement"
  Attachment Type: .mdb, .bak (database files) → always check
  Action: Quarantine + Admin Alert + User Notification
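The outbound DLP policy above, as an added Python example (not the page's or any vendor's code): the credit-card regex is backed by a Luhn check and the IBAN pattern by a mod-97 check, so a bare 16-digit order number does not trigger quarantine. The rule values are constructed sample data, and the card/IBAN numbers in the tests are the standard documentation examples.

```python
import re

# Constructed rule set mirroring the policy above (sample data, not the page's own config)
CC_REGEX = re.compile(r"\b[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b")
IBAN_REGEX = re.compile(r"\b[A-Z]{2}[0-9]{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b")
KEYWORDS = ("CONFIDENTIAL", "Non-Disclosure Agreement")
RISKY_ATTACHMENTS = (".mdb", ".bak")

def luhn_ok(number):
    """Luhn checksum: drops order/invoice numbers that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban):
    """ISO 7064 mod-97 check after moving country code and check digits to the end."""
    s = iban.replace(" ", "").upper()
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1

def scan_outbound(body, attachments):
    """Return (action, findings) for one outgoing message; only validated hits count."""
    findings = []
    for m in CC_REGEX.finditer(body):
        if luhn_ok(m.group()):
            findings.append("credit-card")
    for m in IBAN_REGEX.finditer(body):
        if iban_ok(m.group()):
            findings.append("iban")
    for kw in KEYWORDS:
        if kw.lower() in body.lower():
            findings.append("keyword:" + kw)
    for name in attachments:
        if name.lower().endswith(RISKY_ATTACHMENTS):
            findings.append("attachment:" + name)
    if not findings:
        return "deliver", findings
    return "quarantine+admin-alert+user-notification", findings
```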

Email Gateway Logs and SIEM Integration

Important log sources for SIEM integration:

Proofpoint SIEM Integration:
  → SYSLOG (CEF/LEEF Format) → Splunk/Sentinel
  → Events:
    - Message-Block: Malware, Phishing blocked
    - Message-Quarantine: Spam/Policy in quarantine
    - URL-Click: User clicks on URL (including blocked ones!)
    - Attachment Analysis: Sandbox result

Microsoft Defender for Office 365 (Sentinel):
  → Data Connector "Microsoft 365 Defender"
  → EmailEvents table in Sentinel:
    EmailEvents
    | where ThreatTypes has "Phish"
    | where DeliveryAction == "Delivered"   // phishing that still reached the inbox
    | project Timestamp, SenderFromAddress, RecipientEmailAddress,
              Subject, UrlCount, AttachmentCount, ThreatTypes
    | order by Timestamp desc

Key KPIs for email security:
  → Phishing rate: % of emails that were phishing attempts (industry average: ~3%)
  → Block Rate: % of phishing emails that were blocked (Target: >99%)
  → Click Rate: % of delivered phishing emails that were clicked
  → User Reports: How many users manually report suspicious emails?
  → False Positive Rate: % of legitimate emails blocked (Target: <0.1%)
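The gateway event types listed under the Proofpoint SIEM integration and the KPIs above, combined into an added Python example (not code from the page or from Proofpoint): it parses CEF syslog lines and derives phishing rate, block rate, click rate, user reports and false-positive rate from one batch. The log lines, the vendor name "ExampleSEG" and the field layout (msgid, cs1 verdict) are constructed assumptions and do not reproduce any real product's schema.

```python
import re

# Constructed sample events from a hypothetical gateway "ExampleSEG" (illustrative
# field layout, not Proofpoint's real schema; all addresses and ids are made up)
SAMPLE_LOGS = """\
CEF:0|ExampleSEG|Gateway|1.0|100|Message-Delivered|3|msgid=m1 duser=anna@corp.example cs1=clean
CEF:0|ExampleSEG|Gateway|1.0|100|Message-Delivered|3|msgid=m2 duser=ben@corp.example cs1=clean
CEF:0|ExampleSEG|Gateway|1.0|200|Message-Block|8|msgid=m3 duser=anna@corp.example cs1=phish
CEF:0|ExampleSEG|Gateway|1.0|200|Message-Block|8|msgid=m4 duser=carl@corp.example cs1=phish
CEF:0|ExampleSEG|Gateway|1.0|100|Message-Delivered|5|msgid=m5 duser=ben@corp.example cs1=phish
CEF:0|ExampleSEG|Gateway|1.0|300|URL-Click|7|msgid=m5 duser=ben@corp.example request=http://login.example/x
CEF:0|ExampleSEG|Gateway|1.0|400|User-Report|4|msgid=m5 duser=ben@corp.example
CEF:0|ExampleSEG|Gateway|1.0|200|Message-Block|8|msgid=m6 duser=dana@corp.example cs1=phish
CEF:0|ExampleSEG|Gateway|1.0|500|Quarantine-Release|2|msgid=m6 duser=dana@corp.example cs1=false-positive
"""

def parse_cef(line):
    """Split one CEF line into its seven header fields plus the key=value extension."""
    parts = line.split("|", 7)            # only the header is pipe-delimited
    if not line.startswith("CEF:") or len(parts) != 8:
        raise ValueError("malformed CEF line")
    ext = dict(kv.split("=", 1) for kv in re.split(r" (?=\w+=)", parts[7].strip()))
    return {"id": parts[4], "name": parts[5], "severity": int(parts[6]), "ext": ext}

def email_kpis(log_text):
    """Derive the KPIs listed above from one batch of gateway events."""
    msgs, clicked, reported, released = {}, set(), set(), set()
    for e in (parse_cef(l) for l in log_text.splitlines() if l.strip()):
        mid = e["ext"].get("msgid")
        if e["name"] in ("Message-Delivered", "Message-Block", "Message-Quarantine"):
            msgs[mid] = (e["name"], e["ext"].get("cs1", "clean"))   # disposition, verdict
        elif e["name"] == "URL-Click":
            clicked.add(mid)
        elif e["name"] == "User-Report":
            reported.add(mid)
        elif e["name"] == "Quarantine-Release" and e["ext"].get("cs1") == "false-positive":
            released.add(mid)                 # admin released it: legitimate mail was blocked
    flagged = {m for m, (_, verdict) in msgs.items() if verdict == "phish"}
    phish = flagged - released                 # true phishing after false-positive review
    stopped = {m for m in phish if msgs[m][0] != "Message-Delivered"}
    delivered = phish - stopped
    def pct(a, b):
        return round(100.0 * a / b, 2) if b else 0.0
    return {"phishing_rate": pct(len(phish), len(msgs)),
            "block_rate": pct(len(stopped), len(phish)),
            "click_rate": pct(len(clicked & delivered), len(delivered)),
            "user_reports": len(reported),
            "false_positive_rate": pct(len(released), len(msgs) - len(phish))}
```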

Phishing Simulation Integration:
  → SEG whitelist for phishing simulation IPs (KnowBe4, Proofpoint, etc.)
  → Otherwise, your own phishing test emails will be blocked!
  → Whitelist method: IP + header (e.g., X-Phishtest: true)
  → CAUTION: no blanket wildcard whitelist → attackers can set arbitrary headers, so always bind the header rule to the simulation vendor's sender IPs