Email: Self-Host or Entrust a Service Provider?

Below are several points which should be considered, and questions that must be honestly answered as a business decides whether or not to host its own email servers or entrust a professional provider with that responsibility.

Physical Security

If you choose to host within your company, will the location of your email server(s) be safe from theft or damage? Will it restrict access to only those who need it? Using what security measures?

The strict control of access is one of the basic criteria of today’s data centers, which are regulated under a number of U.S. and international laws. Physical data center security generally falls into four categories, each of which provides a progressively restrictive set of physical and process-based controls.

  • Perimeter security: to deter, detect and delay any attempt to access the facility. Hardened structures, security guards, cameras and electronic surveillance, used in multiple configurations, meet this need.
  • Facility controls: this layer further restricts personnel access and combines biometric controls and physical controls to allow only authorized personnel into the facility.
  • Computer room controls: each room in a facility can provide different control levels based on the processing or information maintained in that room.
  • Cabinet controls: these are geared toward “insider” threats and include locking systems on the cabinets, access cards, biometrics and video monitoring.

Network Security

Providing a strong network security posture is the most challenging of all email solution security needs.

The threats are daunting: according to the Symantec 2016 Internet Security Threat Report, the security industry reported more than half a million attacks attempted every minute in 2015, while more than 191 million records and 429 million identities were stolen. Meanwhile, ransomware threats, in which an attacker holds key business resources hostage until ransoms are paid for their release, increased 35 percent. In some cases, attackers don’t even need access to your data; they simply prevent anyone from accessing your network and servers by sending massive traffic to your site.

Staying abreast of the latest threats is daunting to say the least, and demands a slew of protective layers along with an aggressive approach for preventing, detecting and correcting non-authorized actions on your system.

In deciding to host or not, it’s critical to honestly evaluate whether your email solutions include the ability to meet these network challenges.

Data Security

Hosted email solutions that meet the above security needs will also include services that prevent damage or loss of data, even if your network and computers are compromised. Not only is it best practice to protect all data in transit by using Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS), but many services now offer stronger solutions by following the Advanced Encryption Standard (AES).

Solutions for encrypting data include physical encryption of the data on disk, distribution of data such that no single piece of communication exists in whole on a specific storage device and a combination of both. Each solution must be evaluated for the cost versus benefit it provides to your company in these areas:

Reliability/uptime: how will you access your data if it’s impacted by hardware failures, power outages, network interruptions or an act of nature? Does your solution provide the level of server and data protection necessary to meet your business needs and to protect your business assets?

Business continuity: how often are you planning for your server or a server component to fail? How critical is the need for your system to remain up and accessible? How do you plan for power or network interruption? Does your solution actively monitor for failures? Can you respond and fix a solution if key personnel are on vacation and your host has crashed? What uptime do you need, and do you have a service level agreement (SLA) in place to protect your business from loss? How will you perform upgrades to the mail application or server without creating downtime for your business?

Data protection: This should be based on the cost of data loss to your business. If it’s not business critical, a single copy of the message may be sufficient. If it is critical, you’ll need a multiple copy solution or even a solution that allows you to store copies in separate geographical locations.

Multiple locations: How likely is it that server(s) stored in your home or business may be impacted by something like a plumbing backup, power surge, flood, fire, or power outage? Hurricane Sandy took out millions of servers, often for weeks. Can your business absorb this impact or do you need a secure offsite solution?

Complexity: mail servers are an alphabet soup of acronyms that require configuration and tuning to meet your specific needs. What will you use as your Mail Transfer Agent (MTA)? Local Delivery Agent (LDA)? Do you want to establish access for IMAP or POP3? How about domain management including DNS Record (MX record management), certificate management or domain specific validation keys? In other words, do you have the onsite expertise to truly manage your email solution?

Spam/malware protection: although the overall rate of spam mail has dropped over the past three years, spam is still roughly half of all email sent, while ransomware and malware (phishing) continue to rise. There are dozens of protection options to consider, each with benefits and drawbacks. Advanced solutions should also provide the ability to remove spam/malware that has entered the system (because no solution will prevent all spam/malware). The effectiveness of the commercial solutions often fluctuates, so the ability to implement a multi-tiered solution to account for these variances is important.

Keeping up with efforts to fight spam/malware will also require an investment of time and effort with the Messaging, Malware and Mobile Anti-Abuse Working Group, a group of technology experts who focus on fighting spam and protecting end-users. The companies and members of the group are working to implement broader standards to help validate the domain of sent emails.

Monitoring: Are you reading the Automated Reporting Feedback for complaint analysis? Will you subscribe to a blacklist monitoring service to see which of the hundreds of potential blacklisting services and/or ISPs have now listed your sending IPs? Do you know how to become delisted? Who will you talk to if your domain reputation has been tarnished to a level in which your email is being deferred by the recipient systems? Just having an email service is not sufficient if you cannot deliver email.
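One way to check your own sending IPs against DNS-based blacklists, as an added example that is not part of the original article: the query name is the reversed address prepended to the list's zone, and a listing answers with an address in 127.0.0.0/8. The zone names and the offline resolver data below are constructed placeholders, not real blacklists.

```python
import ipaddress
import socket

# Hypothetical zone names; substitute the blacklists you actually monitor.
ZONES = ["dnsbl.example", "bl.example.net"]

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name (RFC 5782): reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6: all 32 hex nibbles, reversed, one DNS label per nibble.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None if the lookup fails.

    Any failure is treated as "not listed" here; a production monitor
    should tell NXDOMAIN apart from timeouts and alert on the latter.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listings(ips, zones=ZONES, resolve=system_resolver):
    """Return {ip: [(zone, return_code), ...]} for every listing found."""
    findings = {}
    for ip in ips:
        for zone in zones:
            answer = resolve(dnsbl_query_name(ip, zone))
            # Listings answer inside 127.0.0.0/8; any other answer points
            # to a resolver or zone problem, not a listing.
            if answer and answer.startswith("127."):
                findings.setdefault(ip, []).append((zone, answer))
    return findings

# Constructed zone data so the example runs offline (documentation IPs).
FAKE_ZONE_DATA = {"10.113.0.203.dnsbl.example": "127.0.0.2"}

def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name)

if __name__ == "__main__":
    sending_ips = ["203.0.113.10", "203.0.113.11"]
    print(check_listings(sending_ips, resolve=fake_resolver))
```

Run on a schedule with the real resolver, the findings tell you which list to approach for delisting and which return code it gave.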

Maintainability: keeping systems up-to-date and performant may be the largest challenge of all. Email systems are frequently updated, both to keep up with zero-day vulnerabilities (e.g. Heartbleed, FREAK) that require urgent patching to avoid loss of data and to perform the dozens of necessary system updates and upgrades. Maintenance is a very time-consuming task.


Email is a communication medium for a successful business. It is rarely the product you are selling and the subject of your profit. It is often better to focus on what you want to do well rather than on those activities that take you away from your business goals. So while self-hosting might seem like a money or time saver, careful analysis often shows otherwise.


Dan Shain is a Senior Technical Manager for R&D within the Rackspace Email product. Dan has been a technical leader in the messaging industry since the mid-1990s, with roles including Technical Director for AOL Mail, contributor to several standards and initiatives within the messaging community, and his current position as a Technical Lead at Rackspace. Dan is also a recipient of the Rackspace IO award, which recognized him as a leader in technology excellence for the company.

