Email Security

11 Questions To Ask When Demoing A Cloud Email Security Solution

What questions should you ask a Cloud Email Security Solution provider when looking for a new piece of cybersecurity infrastructure?

Cloud Email Security Questions

Even with a multitude of messaging apps on offer, email is still the most common way that organizations communicate internally and externally. Email is considered the backbone of many organizations. As it plays such a central role, email is an attractive target for attackers looking to distribute malware or carry out phishing attacks across your network. 96% of the companies that Mimecast spoke to had been the target of an email-related phishing attempt in 2022. In order to combat the threat of phishing, BEC and malware, you need an effective cloud email security solution in place.

What Is A Cloud Email Security Solution?

Cloud email security solutions are used to monitor inbound emails so that any dangerous material can be blocked. They use a series of comprehensive spam filters to identify indicators of malicious mail. The solutions can then decide whether to block the email outright, quarantine it, or carry out further investigation. 

Tools like sandboxing, database referencing, and URL scanning are commonly used to achieve this. Some particularly advanced cloud email security solutions can carry out Content Disarm and Reconstruction (CDR) – this feature strips macros and any additional code from the base of a file. This “sterilizes” the file and will comprehensively remove any malware but may affect the way that a file can be used. For example, a Word document may be saved as a PDF after it has been reconstructed.

Cloud email security solutions are also able to scan outbound emails to prevent data breaches. They can identify information that would breach data loss prevention (DLP) policies and prevent this information from being sent. Files and links can also be monitored to ensure malware is not being distributed from your accounts – knowingly or unknowingly.

Cloud email security solutions are designed to combat a host of email-based threats. These include:

  • Phishing
  • Malware distribution
  • Ransomware
  • Data loss prevention
  • Spoofed Emails – using DKIM, SPF and DMARC
  • Anti-Spam
  • Improves compliance

For more information on common email threats, we’ve published an informative article that you can read here:

The Top 5 Email Threats Facing Small Businesses

Common features of Cloud Email Security Solutions include:

  • Sandboxing
  • Real-time deep memory inspection
  • Malicious file scanning
  • Warning banners on suspicious email messages
  • Advanced URL protection
  • Content analysis
  • CDR (Content Disarm and Reconstruction)
  • Cloud, hybrid, or on-premises deployment
  • Reporting and analytics

In this article, we’ll consider eleven questions for you to ask your potential cloud email security provider. The questions will explore practical concerns based around ease-of-use, as well as technical capability, and the longer-term trajectory of the product. Once you are armed with these questions, you will be able to speak to vendors and ensure you are getting the right solution for your organization.

1. How Complicated Is The Deployment Process?

For a cloud email security solution to be effective, it needs to be deeply integrated with your email accounts. This ensures that it can scan emails and carry out sophisticated analysis (like sandboxing and CDR). Despite its technical capabilities, the software will need to feel light enough so as not to impede productivity.

From an admin’s perspective, it is essential that setting up the solution is streamlined. In a large organization, there are likely to be hundreds (perhaps stretching into the thousands) of email addresses to manage. Not only does every employee have an address, but there are also additional addresses (like “info@” or “accounts@”) and other user aliases. Your cloud email security solution is only effective if it has authority over every mailbox in your network. If this process of adding accounts is not streamlined, this very quickly becomes an overwhelming task. 

Traditional secure email gateways (SEGs) are deployed by changing MX records to redirect email traffic through a vendor’s spam and AV filters. Many cloud email security solutions today are deployed via API integrations, or Azure for Office 365. Integrating with Google Workspace can be more complicated, and ease-of-integration depends on the provider. Some services have no Google Workspace integration, which makes user management more awkward, e.g. the filtering service is looking for SMTP discovery. Other services integrate with an API. Sometimes this is easy to deploy; other times it’s more difficult.

How is the solution deployed? Can you change MX records for all of your domains at once? Is there any additional installation or configuration that needs to happen before the solution can protect you? This next question depends on your current MX record – how long will it take for mail to be rerouted through the cloud email security solution?
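For an MX-based deployment, one check worth running after cutover is that every domain's MX records point only at the filtering gateway. The following is an added example, not code from the original article or from any vendor; the gateway zone, the domains and the sample answers are constructed for illustration.

```python
# Added example: all domains, hostnames and the gateway zone are constructed.
GATEWAY_ZONE = "mx.filter-vendor.example"  # hypothetical vendor MX zone

# Constructed answers in `dig +short MX <domain>` form: "<preference> <host>."
SAMPLE_ANSWERS = {
    "corp.example": ["10 a.mx.filter-vendor.example.", "20 b.mx.filter-vendor.example."],
    "shop.example": ["10 A.MX.Filter-Vendor.example.", "50 mail.shop.example."],
    "legacy.example": ["5 mail.legacy.example."],
    "typo.example": ["10 oldmx.filter-vendor.example."],
    "parked.example": [],
}


def parse_mx(line):
    """Split one answer line into (preference, normalised hostname)."""
    preference, host = line.split()
    return int(preference), host.rstrip(".").lower()


def behind_gateway(host, zone=GATEWAY_ZONE):
    """True only if host is the zone itself or a name under it (label boundary)."""
    return host == zone or host.endswith("." + zone)


def audit(answers, zone=GATEWAY_ZONE):
    """Return {domain: (status, [hosts that bypass the gateway])}."""
    report = {}
    for domain, lines in answers.items():
        records = sorted(parse_mx(line) for line in lines)
        if not records:
            report[domain] = ("NO_MX", [])
            continue
        bypass = [host for _, host in records if not behind_gateway(host, zone)]
        if not bypass:
            status = "PROTECTED"
        elif len(bypass) == len(records):
            status = "NOT_MIGRATED"
        else:
            status = "PARTIAL"  # a leftover MX still accepts unfiltered mail
        report[domain] = (status, bypass)
    return report


if __name__ == "__main__":
    for domain, (status, bypass) in audit(SAMPLE_ANSWERS).items():
        print(f"{domain:16} {status:13} {', '.join(bypass)}")
```

A `PARTIAL` result is the one to chase first: mail delivered to the leftover host never passes through the filter, whatever its preference value.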

2. How Customizable Is The Solution?

From an admin’s perspective, it is important that your cloud email security solution provides a granular level of control and customization. This covers the customization of policies, as well as the presentation of information and data. Admins should be able to tailor policies while the product is operational to ensure their organization is receiving a comprehensive level of coverage.

If, for example, you are finding that too many spam emails are getting into inboxes or realize that legitimate emails are being wrongly sent to the spam folder, you may want to adjust the spam filtration policy. This is about finding a balance, and might, therefore, need ongoing fine-tuning. How easily can these changes be made? Will emails continue to be scanned while these changes are taking place?

To make the admin’s experience as frictionless as possible, you will want to ensure that the dashboard is customizable. This allows admins to have easy access to the information they find most useful. While this does not affect how the solution functions, it can make the admin’s job much easier and allow them to ensure policies are tailored and effective. What information do they have access to? Can current data be compared with historical trends? Is the information presented in a digestible, sharable manner? Can policies be set on an individual and group level?

3. How User-Friendly Is The Cloud Email Security Solution?

Through customization you might be able to make the solution more user-friendly, but is this enough? Is the solution easy to use? And can your admins see themselves working well with the solution?

Ideally, you want a cloud email security solution to be so frictionless that you hardly notice it is at work. The only thing an end-user should notice is the absence of nuisance emails. Ensuring that the software is “light-touch” means that users can focus on their normal daily tasks, rather than worrying about cybersecurity.

End users should be able to access emails that have been flagged as spam through their email portal. This should be a relatively simple and intuitive process. If a legitimate email has been sent to the spam folder, it should be quick and easy for a user to recover the mail. That being said, it should be a separate process to accessing confirmed “safe” emails to ensure human error does not endanger the network.

The solution should provide periodic updates of what has been sent to the spam folder. This ensures that users can assess whether any legitimate emails have been wrongly categorized. The frequency of these emails should be flexible and set by the user or administrator. Email notifications are a quick and frictionless way to ensure that important communication isn’t missed.

Is it easy to flag suspicious emails? How easy is it to block domains or addresses from sending mail to your accounts? Is it easy to retrieve information regarding blocked mail?

4. Does It Offer Outbound Email Protection Too?

Preventing suspicious emails from reaching your accounts is known as “inbound” protection. Some solutions offer “outbound” protection too. This is the capability to monitor emails that are sent from your accounts to ensure that sensitive information is not distributed via email.

This prevents a user from knowingly, or unknowingly, sending highly sensitive information to a contact, or someone impersonating a known contact. With outbound protection, admin can specify what type of information should be prevented from being shared via email. Common options include credit card details, mobile numbers, and social security numbers. 

As well as ensuring sensitive text content is not shared, outbound protection can prevent certain files, or file types, from being sent. The solutions can also monitor behaviour to understand a user’s relationship with addresses in their network. This can be used to indicate if a user has selected the wrong recipient or attached the wrong type of file.

Outbound email security tools will also ensure that all emails are properly encrypted. This means that if an email is intercepted in transit, its contents cannot be understood. These outbound features help to improve an organization’s data loss prevention (DLP) strategy. By putting concrete policies in place to prevent the data being distributed via email, you can ensure that sensitive personally identifiable information (PII) is not revealed. 

What types of information are covered by the outbound tools? What type of content can be blocked? Can specific users be authorized to share sensitive data? Can these features improve compliance and DLP?
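To make the outbound checks above concrete, here is an added example (not from the original article or any vendor's product) of a content rule for two of the data types mentioned, credit card details and social security numbers, with an allow-list for authorized senders. The addresses, function names and sample values are constructed.

```python
import re

# Added example: addresses and sample values below are constructed.
AUTHORIZED_SENDERS = {"payroll@corp.example"}  # hypothetical exemption list

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# ddd-dd-dddd, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(body):
    """Return [(kind, masked_value)]; only the last four digits are kept."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", "****" + digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


def evaluate_outbound(sender, body, authorized=AUTHORIZED_SENDERS):
    """Decide what to do with one outbound message."""
    findings = scan(body)
    if not findings:
        return "ALLOW", findings
    if sender.lower() in authorized:
        return "ALLOW_LOGGED", findings  # permitted, but kept for audit
    return "BLOCK", findings


if __name__ == "__main__":
    print(evaluate_outbound("alice@corp.example", "Card 4111 1111 1111 1111 exp 12/30"))
    print(evaluate_outbound("alice@corp.example", "Order ref 1234 5678 9012 3456 shipped"))
    print(evaluate_outbound("payroll@corp.example", "Employee SSN 123-45-6789."))
```

The Luhn step is what keeps the false positive rate down: the order reference in the second message has the shape of a card number but fails the checksum, so it is allowed.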

5. Does It Cover Communication Beyond Email, Like Other Messaging Services?

Technically, this is straying away from dedicated cloud email security solutions, and into the territory of integrated cloud messaging security (ICMS) solutions. However, it is worth questioning your provider on ICMSs as there is a considerable amount of overlap, and some cloud email security providers offer ICMS as an “add on” product. 

According to Safeguard Cyber, 45% of business communications occur outside of email, through channels like Teams and Slack. These applications make it very easy to communicate within an organization, and share images, files, and URLs. If a malicious actor gains access to one of your accounts, it is easy for them to share dangerous content.

ICMSs have visibility over your workplace apps and use NLU-based (natural language understanding) context analysis to understand messages that are being sent. They can infer message intent from this and block suspicious traffic. Suspicious or malicious files can be blocked from being sent, thereby reducing the likelihood of malware being distributed from your accounts. This is particularly relevant for organizations that use M365 as this will automatically integrate with other messaging and file sharing services like Teams and OneDrive.

Does your provider offer this type of cover? What remediation actions are possible? If they do not have an ICMS, can a third-party one be integrated to the cloud email security stack? How simple is it to integrate with M365?

6. Can It Help With Compliance?

Depending on what sector your organization operates in, you may have additional expectations and requirements on the way you work, to protect consumers and ensure standards are maintained. Some of these standards will be legally binding, and you will need to prove your organization is compliant with these policies. Some cloud email security solutions can keep automatic logs of activity for auditing purposes. This will ensure that you can show that your organization uses best practice methodologies, if audited.

Outbound protection will also help with compliance. In this case you can demonstrate the policies that you have in place to prevent data mismanagement. Some of the most common regulatory frameworks are GDPR, HIPAA, and FINRA, so if your organization is overseen by one of these frameworks, it is worth checking with your cloud email security provider if their product can prove, and enforce, compliance.

How streamlined are the reporting and auditing functions? Are logs kept automatically, and how can these be accessed? Are there pre-set DLP policies that relate to specific regulatory frameworks?

7. How Fast Is The Solution? 

API-backed email protection operates by scanning the email once it has reached your inbox. While this level of scanning is often more sophisticated than default spam filters that your mail host provides, it can take marginally longer. As the email has reached a user’s inbox, there is a chance that they will open a dangerous link. If a user clicks on the email before it has been scanned, they could be unwittingly putting the network at risk.

The time taken for these checks to take place will affect users’ productivity. If you are waiting for an email-based OTP, you do not want to wait even a few minutes before this email arrives.

It is worth checking how the cloud email security solution works, and how long it takes for an email to be scanned. Is this time consistent, or are there factors that might delay this from occurring? If sandboxing or CDR is used, how long does this typically take?

8. What Is The Rate Of False Positive / False Negatives?

When you implement a cloud email security solution, you are entrusting it to keep your accounts safe, but also giving it a lot of control. You want to ensure that these tools are accurate and effective. If your cloud email security solution blocks too many, or too few, emails, users’ productivity will be affected. More than that, important emails could be sent to spam, preventing you from completing work.

Can admins monitor false positive / false negative rates? How easy is it for admins to adjust policies to change this? What rates can be expected, and are they within safe limits?

9. What Are The Different Security Features On Offer?

This might seem like an obvious question, but it is worth considering exactly how your cloud email security solution will respond to suspicious emails.

Reporting Functionality

No matter how stringent your security setup is, there will be occasions where suspicious emails make it through to a user’s inbox. In these instances, the cloud email security solution will need clear reporting features to ensure that suspicious emails can be flagged. Often, this is as simple as a “report” button. You will want to check that reported emails are flagged to admins and can be removed from inboxes across your network.

For example, if five users receive a suspicious email, and only one user reports it, your network is only kept safe if all five emails are removed. 


Sandboxing

This is a safe, isolated space where suspicious links and downloads can be opened and analyzed. This gives the solution an opportunity to understand more about the suspicious content and decide if it is dangerous or benign.

Content Disarm And Reconstruction (CDR)

As with sandboxing, this is a technique for analyzing the content of a suspicious file. In this case, a file is broken down and has all actionable code removed. The file is then rebuilt, ensuring that only essential information is present. This “sanitized” file is then safe for a user to access. CDR is an advanced process and is only offered by a few vendors.

URL Time-Of-Click Analysis

While URLs are checked as they pass through spam filters, hackers can weaponize a site after it has been checked, and before a user clicks on it. In order to prevent this, time-of-click analysis will scan a URL for dangerous content at the moment a user opens the link. This ensures that users are always safe.

Crowdsourced Threat Intelligence

In the fast-moving world of cybersecurity, threat intelligence can quickly become outdated as threats evolve and new tactics emerge. Rather than relying on a static database of historical threat information, crowdsourced threat intelligence gives you updated and accurate information. By connecting to a network of other cloud email security solutions, you can ensure that your solution is primed to respond to the latest threats.

How quick is each of these tools? How often are these tools used? Does your cloud email security solution connect to an intelligence network? How large is the network? What sort of information is shared? Is it updated in real-time? Can the intelligence automatically inform product policies? How effective are they? Can data be logged to speed up analysis in the future?

10. What Is The Product Roadmap?

Adding a new security tool to your stack is an investment in terms of time and money. The platform will take time to install and to properly configure. Then, there might be steps that end-users need to learn and get used to. You’ll want to ensure that your email security solution is here for the long run. 

It is worth asking your provider what the roadmap is for the product. Are there any plans to extend, or strip the platform? Will their email security solution be merged with another product that they offer? How often are patches, or new features released?

The more information you have about a security solution, the more confident you can be in your email security. 

11. How Does Product Licensing Work?

To ensure that the cloud email security solution is an appropriate fit for your organization, it is important to understand the product’s pricing and licensing structure. Plans will often be priced depending on the number of mailboxes protected, or the amount of email traffic. You will want to find out about what happens if this amount is exceeded. Will you pay a premium for additional traffic? Equally, if you are vastly underusing the service, can you reduce your plan’s capacity? Can you upgrade your plan easily as your organization scales?

There are several, more specific, questions that it’s worth finding out about. Say, for example, a member of your team leaves the company. Can their mailbox be transferred to another user, or will this require an additional license? What happens to mail sent to an inactive user?

Different providers have different stances on shared mailboxes – some companies will charge you extra for this, others will offer this as a free service. Depending on how your organization operates, it could be worth enquiring about this.


Email is the backbone of most organizations – it connects with customers and keeps things on track, behind the scenes. It is, therefore, essential that your inbox remains clear of phishing emails, spam, and other threats. This ensures your users can focus on their important tasks, rather than deciding if an email is genuine or not.

With the questions covered in this article, you’ll be well placed to identify the most appropriate cloud email security solution. You can consider what type of solution fits your needs.

To help you get started with your market research, we’ve put together a guide to the top cloud email security solutions. We cover key features of each solution and suggest who they are best suited to. You can find that guide below:

The Top 11 Email Security Gateways