Email Protection

The key to effective email protection is to minimize the number of security threats evading detection by minimizing the number of security threats entering the mail server. The best way to minimize the number of security threats entering the mail server is to implement an email filtering solution with greylisting capabilities.

Nobody really knows the scale of email-borne security threats. It has been estimated that 90% of targeted security threats are deployed by email, but this doesn't account for the volume of non-targeted security threats masquerading as bulk spam. It is also the case that email-borne security threats are becoming more sophisticated; and, as quickly as new processes are developed to detect security threats, cybercriminals find new ways for malicious emails to evade detection.

This leaves organizations exposed to risk because, although it is possible to reduce employee susceptibility to phishing and raise awareness of malware and ransomware, it is not possible to eliminate all susceptibility. It only takes one individual to click a malicious link or open an infected attachment for an organization's network to be crippled by ransomware, and there is no knowing in advance who that individual may be. For this reason, email protection is essential.

What is Email Protection?

Email protection is an umbrella term for the processes built into email filters to detect email-borne security threats. Typically, these include front-end tests such as recipient verification checks, and sender authentication tests based on Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Emails that pass these tests are then compared against blacklists of known sources of spam.

Further along the delivery pipeline, the content of emails and attachments is assigned a Spam Confidence Score, scanned for viruses and malicious links, and checked against email filtering policies. If an email is assigned a high Spam Confidence Score, is found to contain a virus or malicious link, or fails to comply with an email filtering policy, it is quarantined or sent to a spam folder. Only when an email passes all these email protection tests is it delivered to an employee's inbox.

The above email protection processes generally detect around 99% of spam and email-borne security threats, but this still leaves 1% evading detection. Although it is possible to increase detection rates by applying more aggressive filtering policies, this can increase the percentage of false positives (emails quarantined in error), which can impede productivity while quarantined emails are restored, and potentially impact sales if sales leads are sent to spam folders.

How Email Greylisting Works

Email greylisting is a more effective method of increasing detection rates. The greylisting process increases detection rates by returning all non-whitelisted inbound emails to the mail servers from which they originated with a request for the emails to be resent. Most mail servers have mail retry capabilities for when emails are not delivered at the first attempt; and, when the greylisted email is returned from the destination server, it is added to a mail retry queue and resubmitted in minutes.

Servers used for sending spam often have the mail retry capability disabled. This is because a large volume of email is often returned by the front-end tests; and, if every returned email were added to a mail retry queue, the mail server would constantly be resending returned emails rather than sending fresh spam. Therefore, greylisted spam emails are rarely resent, and, if they are, they still have to negotiate the gauntlet of tests and checks before being delivered to their targets' inboxes.

The effectiveness of email greylisting is significant. By returning all spam emails to the sources from which they originated, the process not only prevents the delivery of spam from previously known sources (as per blacklist comparisons) but also from previously unknown sources. In tests, email greylisting has been proven to increase the detection rates from 99% to 99.9% – not only reducing the amount of spam email that avoids detection, but also email-borne security threats.
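The greylisting decision described in this section, as an added example that is not code from SpamTitan or any other product named on this page. It assumes the common design in which the filter remembers each (source network, envelope sender, recipient) triplet and answers a first attempt with a temporary SMTP 451 failure; the timing values, class name and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumed policy values for this sketch (not taken from the page).
MIN_DELAY = 300           # seconds before a retry is accepted
PENDING_TTL = 4 * 3600    # a first attempt is forgotten after this long
PASS_TTL = 30 * 86400     # senders that retried correctly skip the delay for this long

class Greylist:
    def __init__(self, whitelist_nets=()):
        # Whitelist by source network: the envelope sender is attacker-chosen at SMTP time.
        self.nets = [ipaddress.ip_network(n) for n in whitelist_nets]
        self.pending = {}  # triplet -> time of first attempt
        self.passed = {}   # triplet -> time of last accepted delivery

    @staticmethod
    def _triplet(ip, mail_from, rcpt_to):
        # Key on the /24 (IPv4) or /64 (IPv6) so a retry from another host
        # in the same outbound pool still matches the first attempt.
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, reason) for one RCPT TO at time `now` (seconds)."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.nets):
            return (250, "whitelisted")
        key = self._triplet(ip, mail_from, rcpt_to)
        if key in self.passed and now - self.passed[key] <= PASS_TTL:
            self.passed[key] = now
            return (250, "known sender")
        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now  # first sighting (or stale entry): defer
            return (451, "greylisted, try again later")
        if now - first < MIN_DELAY:
            return (451, "retry too soon")
        del self.pending[key]
        self.passed[key] = now
        return (250, "retry accepted")

if __name__ == "__main__":
    gl = Greylist(whitelist_nets=["203.0.113.0/24"])  # constructed partner range
    attempts = [  # constructed SMTP attempts: (ip, MAIL FROM, RCPT TO, time)
        ("203.0.113.7", "orders@partner.example", "sales@corp.example", 0),
        ("198.51.100.10", "news@sender.example", "bob@corp.example", 0),
        ("198.51.100.11", "news@sender.example", "bob@corp.example", 600),
    ]
    for a in attempts:
        print(a, "->", gl.check(*a))
```

A message accepted here has only cleared greylisting; it still goes through the authentication, blacklist and content checks described earlier.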

Email Filters with Greylisting Capabilities

Not all email filters support email greylisting. Some (e.g., Office 365) claim the front-end tests are sufficient for detecting spam from previously unknown sources, while others are reluctant to include this process because it can delay the delivery of business-critical emails. However, it is not only possible to disprove claims that front-end tests get the job done, but it is also possible to whitelist emails from business-critical sources so they bypass the greylisting process and are not delayed.

Email filters such as SpamTitan not only support email greylisting, but include Bayesian analysis, heuristics, and machine learning processes in the filtering process to block new varieties of phishing and zero-day attacks before they are delivered to users' mailboxes. This level of email protection is above and beyond what most email filters offer, and the processes do not only apply to inbound mail. Outbound mail is also scanned to prevent data leaks and detect remote account takeovers.

To find out more about SpamTitan, visit, where you will be able to learn more about the deployment options (on-premises or in the cloud), and how you can place SpamTitan in front of an existing email protection solution (e.g., Office 365) to increase detection rates. The opportunity also exists to book a demo of SpamTitan so you can see its mail protection software in action and how easy the email filter is to configure to your specific requirements.