Check Point Email Security | Blog

Changing MX Records Makes You Less Secure

Written by Jeremy Fuchs | August 13, 2021

When you deploy a Secure Email Gateway (SEG) like Mimecast, Proofpoint or Barracuda, you have to change your MX record. Mail Exchange (MX) records are Domain Name System (DNS) records that are necessary for the delivery of email. To reroute email through an SEG, an organization must change its MX records to point to the gateway. Sounds simple enough.

Here's the problem. MX records are public knowledge. This is so emails can get to their intended addresses. Changing your MX record to an SEG means that anyone can look up and see what security you're using. Hackers essentially have a roadmap to get past your solution. It's like giving a home robber your exact address.
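To see what your own domain's MX records disclose, the check below parses MX answer lines and reports which gateway vendor they reveal. It is an added example, not code from Avanan or Check Point; the vendor suffix map is an assumption and the sample records are constructed.

```python
import re

# Assumption: MX host suffixes commonly published for the three gateways the
# article names; adjust the map for the vendors in your own estate.
GATEWAY_SUFFIXES = {
    "mimecast.com": "Mimecast",
    "pphosted.com": "Proofpoint",
    "barracudanetworks.com": "Barracuda",
}

# One answer line: owner, TTL, class IN, type MX, preference, exchange host.
MX_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$", re.IGNORECASE)

# Constructed sample in `dig +noall +answer <domain> MX` format (not real data).
SAMPLE = """\
example.com.  3600 IN MX 10 mx0a-00000000.pphosted.com.
example.com.  3600 IN MX 10 mx0b-00000000.pphosted.com.
example.org.  300  IN MX 5  Inbound-1.Mimecast.com.
example.net.  3600 IN MX 10 mail.example.net.
example.net.  3600 IN MX 20 pphosted.com.example.net.
"""

def parse_mx(text):
    """Return (owner, preference, exchange) tuples, sorted by owner then preference."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:  # blank lines, comments and other record types are skipped
            owner, pref, exchange = m.groups()
            records.append((owner.rstrip(".").lower(), int(pref), exchange.rstrip(".").lower()))
    return sorted(records)

def gateway_for(exchange):
    """Match on a label boundary so 'pphosted.com.example.net' is not a hit."""
    for suffix, vendor in GATEWAY_SUFFIXES.items():
        if exchange == suffix or exchange.endswith("." + suffix):
            return vendor
    return None

def audit(text):
    """Map each domain to the gateway vendors its public MX records reveal."""
    exposure = {}
    for owner, _pref, exchange in parse_mx(text):
        vendors = exposure.setdefault(owner, set())
        vendor = gateway_for(exchange)
        if vendor:
            vendors.add(vendor)
    return {owner: sorted(v) for owner, v in exposure.items()}
```

Feed `audit()` the MX answer lines for each domain you own; an empty list means the records name no vendor in the map.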

To compensate for this, the providers have instituted obstructive mail-server configurations that basically make the gateway the only approved hop for incoming email. Sounds fine, but what about other third-party security layers? Do the IT staff and SOC know every single exception? This leads to guaranteed late-night emergencies. You can expect massive mail drops and unhappy executives.

Further, whenever you change your MX records, it takes about 48 hours for the DNS change to take effect and the anti-phishing solution to become fully effective. That's two days with practically unmitigated phishing. It's a scary proposition.

Luckily, changing MX records does not have to be part of your security. Avanan does not require changes to MX records and scans email after the default solution. By integrating via API, it's only a five-minute set-up, instead of two days.

Don't broadcast your defenses. Keep them invisible with Avanan.