Security Controls In The US Enterprise: Secure Email Gateway


Jason Pappalexis, John Whetstone, Will Fisher, Mike Spanbauer



Email remains a critical component of business correspondence within today’s enterprise. Every enterprise has an email domain, and those that manage their email on-site permit port 25 (SMTP) traffic through their perimeters. For this reason, port 25 is of particular interest to cybercriminals.

Secure email gateways (SEGs) inspect inbound and outbound email for threats, spam, and phishing attacks, and they are also responsible for the overall enforcement of corporate security policies, such as data loss prevention and encryption. SEG products can be installed as on-premises appliances and as cloud-based services.

Enterprises can use this data to gain critical insights into the purpose of secure email gateway products, including how these products are being managed within organizations, where they are being deployed, who is responsible for purchasing decisions, and the extent to which API controls are being used for their management.



  • Product scope, alternatives, deployment, and purchase authority
  • Metrics on product use within the enterprise
  • Who manages SEGs? (breakdown by organization size)
  • Who uses API controls? (breakdown by organization size)
  • Enterprise challenges



Part of a series on security controls deployed by US enterprises, this brief includes current usage statistics for SEGs within small and medium-sized enterprises (SMEs), large enterprises (LEs), and very large enterprises (VLEs).

As with all NSS Labs group tests, there was no fee for participation. All testing was conducted independently and was not paid for by any vendor.