Check Point Email Security | Blog

Why Customers Switch From Secure Email Gateways to Avanan

Written by Jeremy Fuchs | October 8, 2021

Many of our customers come to Avanan from Secure Email Gateways. For example, in the last quarter, 30.9% of our new customers switched from Mimecast.

When they get to Avanan, our customers find the solution to be leaps and bounds better than SEGs, including Mimecast.

One of the most critical things is the difference in architecture.

Introducing a Secure Email Gateway will blind Microsoft and Google's default security to incoming threats.

To install an SEG, you must first disable Microsoft and Google's spam filters — which play a key role in anti-phishing. This is why upon deployment, you will often be advised by Proofpoint or Mimecast to disable your default spam filtering and rely solely on the gateway.


Email security solutions like Mimecast and Proofpoint change certain indicators in the email's header, blinding some critical aspects of the default security layers in Office 365 and Gmail.

This would not be a problem if the SEG caught 100% of attacks, but this is not always the case, especially in the first hours or days of an event. From a ‘defense-in-depth’ perspective, it is disheartening to know that in order to deploy a second layer of security, you must essentially disable the first.

One of the most basic email checks is the SPF and DKIM authentication of the sending SMTP server. This validates that an email from "company.com" truly came from "company.com". However, when you change your MX record and send it through an SEG, every email is sent from the SEG IP address and fails both of these fundamental checks. 

So, in order to prevent Microsoft from rejecting every email sent by the gateway, you must put the Mimecast and Proofpoint servers on a list of "Trusted Servers". 

Unfortunately, this "Allow List" transport rule effectively bypasses Microsoft's own protection.

So, from Office 365's perspective, this IP address that belongs to Mimecast is marked as a trusted sender for every email. Therefore, every email will bypass Microsoft's filters and be delivered to the user's inbox. If the SEG misses a malicious email, Microsoft's own security will never see it.

As one customer said, "creating a connector inside Office 365 for Mimecast and explicitly "trusting" or Allow Listing anything that Mimecast thinks is clean, is a massive risk. In the past, spam was stopped, but dangerous phishing emails would get past Mimecast with relative ease."

With Avanan, that's not an issue. "For Avanan, the priority is stopping the dangerous emails and it was quite a seismic shift in thinking when talking about email security," the customer said. "It's about taking back control of your email delivery."

Avanan represents a new way of securing email. In this case, newer is better.

"Even though I've always been a fan of a Secure Email Gateway in front of O365," this customer said, "once I understood more about Avanan, I gave it a shot and I can honestly say I don't regret the change."