When you evaluate anti-phishing solutions, the first decision is not which vendor - it is which deployment model. The three main approaches (secure email gateway, API-based, and native platform protection) have fundamentally different architectures, and that architecture determines what threats they can and cannot stop.
This guide compares all three models on what matters: detection timing, threat coverage, deployment complexity, Microsoft 365 gap coverage, and total cost of ownership. Phishing remains the top initial access vector for breaches at 36% (2024 Verizon DBIR), so this is not an academic exercise - it is a risk decision.
The Three Deployment Models
Model 1: Secure Email Gateway (SEG)
How it works: A secure email gateway sits inline between the internet and your mail server. Every inbound email passes through the gateway before reaching any mailbox. The gateway scans, filters, and either delivers or blocks each message in real time.
Architecture: MX records point to the gateway, or mail flow rules route email through the gateway before delivery. Email is scanned pre-delivery - threats never reach the inbox.
Strengths:
- Pre-delivery scanning - threats are blocked before users see them
- Full visibility into every email entering your organization
- Can enforce email authentication (SPF, DKIM, DMARC) at the gateway
- Works with any email platform (M365, Exchange, Google Workspace, SMTP)
- Multiple detection engines can run in parallel on every message
Limitations:
- Historically required MX record changes (modern SEGs can deploy via mail flow rules instead)
- Does not scan internal-to-internal email (only inbound from external senders)
“A gateway that scans before delivery is fundamentally different from a solution that scans after delivery and tries to pull emails back. In those seconds between delivery and remediation, users open messages and click links.” - Adam Lundrigan, CTO, DuoCircle
Model 2: API-Based (Post-Delivery)
How it works: API-based solutions connect to your email platform (typically M365 or Google Workspace) via API and scan emails after they have been delivered to the inbox. When a threat is detected, the solution removes or quarantines the message retroactively.
Architecture: No MX record changes. The solution uses Microsoft Graph API or Google API to access mailboxes, scan messages, and remediate threats post-delivery.
Strengths:
- No MX record changes required
- Can scan internal-to-internal email (not just inbound)
- Can retroactively scan historical email
- Quick deployment - connect the API and go
Limitations:
- Post-delivery by design - the email reaches the inbox first, then gets analyzed
- Remediation lag: seconds to minutes between delivery and removal
- Users may see, open, or click before remediation
- Dependent on platform API rate limits and availability
- If the API connection fails, email flows unprotected
“The API model is elegant, but it has a fundamental timing problem. The email is in the inbox before the solution decides whether it’s safe. For bulk phishing, that delay is annoying. For a targeted BEC attack where someone wires $125,000, that delay is catastrophic.” - Dan Calkin, VP of Sales, DuoCircle
Model 3: Native Platform Protection (Microsoft Defender / Google)
How it works: Built-in security provided by your email platform vendor. Microsoft 365 includes Defender for Office 365 (previously Exchange Online Protection + ATP). Google Workspace includes built-in phishing detection, Safe Browsing integration, and ML-based threat analysis.
Architecture: No separate deployment - it is part of the platform. Enabled by default or via admin configuration.
Strengths:
- Zero deployment - already there
- No additional cost (included in the platform license)
- Deep integration with the platform’s own features
- Google Workspace’s native detection is genuinely strong
Limitations:
- Microsoft 365 native protection has significant gaps. Defender for Office 365 catches bulk phishing and known threats but consistently underperforms against targeted spear phishing, zero-day URLs, and sophisticated BEC attacks.
- Single-vendor detection - one engine, one threat intelligence feed
- Limited customization compared to dedicated solutions
- No multi-engine cross-referencing
“Microsoft’s built-in phishing protection in Office 365 catches the obvious attacks, but it consistently misses targeted spear phishing and zero-day threats. We see this every day - customers come to us after an incident that Microsoft Defender didn’t catch.” - Adam Lundrigan, CTO, DuoCircle
Head-to-Head Comparison
| Criterion | SEG (Gateway) | API-Based | Native (Defender/Google) |
|---|---|---|---|
| Scan timing | Pre-delivery (before inbox) | Post-delivery (after inbox) | Pre-delivery (built-in) |
| User exposure to threats | None - blocked before arrival | Seconds to minutes of exposure | Depends on detection accuracy |
| Detection engines | Multiple (vendor-dependent) | Typically one | One (platform vendor) |
| M365 gap coverage | ✅ Strong | ✅ Strong | ❌ This IS the gap |
| Google Workspace value-add | Moderate (Google is already strong) | Moderate | ✅ Strong natively |
| Internal email scanning | ❌ Inbound only | ✅ Internal + inbound | ✅ Internal + inbound |
| Email authentication | ✅ SPF/DKIM/DMARC at gateway | Varies | Basic |
| Time-of-click URL protection | ✅ (if supported) | Varies | Limited |
| Deployment complexity | Mail flow rule (minutes) | API connection (minutes) | Already deployed |
| Vendor lock-in | Works with any platform | Platform-specific API | Tied to platform |
Which Model Fits Your Business?
Choose a Secure Email Gateway if:
- You run Microsoft 365 and need to close the Defender gap
- Pre-delivery blocking is non-negotiable (you do not want threats in the inbox, ever)
- You want multi-engine detection from independent threat intelligence feeds
- You need time-of-click URL protection
- You support multiple email platforms or hybrid environments
Choose API-Based if:
- You need internal email scanning (insider threats, compromised accounts)
- You cannot change mail flow rules or MX records due to organizational policy
- You are comfortable with post-delivery remediation and the inherent timing gap
- You need to retroactively scan historical mailboxes
Rely on Native Protection if:
- You run Google Workspace (Google’s native detection is strong)
- Your organization is very small and budget is the primary constraint
- You understand and accept the detection limitations (especially on M365)
Why Phish Protection Uses the Gateway Model
Phish Protection is a secure email gateway because the gateway model provides the strongest protection where it matters most:
Pre-delivery blocking. Threats are stopped before they reach the inbox. No remediation lag, no user exposure, no reliance on clawback.
Multi-engine detection. Every email is scanned by 5 detection engines simultaneously - Vade Secure, Sophos, Halon Classify, Webroot BCTI, and proprietary weighting algorithms. No single-vendor blind spots.
Time-of-click URL protection. Every URL is rewritten and re-scanned at the moment a user clicks, catching delayed-weaponization attacks that both native and API-based solutions miss.
Microsoft 365 focus. Deploys via mail flow rules in under 5 minutes. No MX record changes. Works alongside Defender without conflicts. Purpose-built for the platform with the biggest protection gap.
BEC detection. Display name spoofing, domain impersonation, behavioral analysis, and first-contact flagging - integrated into the gateway scan, not bolted on as a separate product.
Full email authentication. SPF, DKIM, and DMARC validation on every inbound email. For outbound DMARC monitoring, see DMARC Report. For SPF management, see AutoSPF.
“We chose the gateway model deliberately. Pre-delivery scanning means the user never has to make a judgment call about a malicious email - because they never see it.” - Brad Slavin, General Manager, DuoCircle
Phish Protection Deployment Summary
| Detail | Specification |
|---|---|
| Deployment model | Secure email gateway (mail flow rules) |
| Detection engines | 5 (Vade Secure, Sophos, Halon Classify, Webroot BCTI, proprietary) |
| Scan timing | Pre-delivery |
| URL protection | Time-of-click rewriting and re-scan |
| BEC detection | ✅ Display name, domain, behavioral |
| Email authentication | ✅ SPF/DKIM/DMARC |
| Platforms supported | Microsoft 365, Exchange, Google Workspace, SMTP |
| Setup time | Under 5 minutes |
| Pricing | From $19/month |
| Trial | 60 days, no credit card |
Start your 60-day free trial - no credit card, no contract, setup in minutes.
Try the Free BEC Cost Calculator
Use our BEC Cost Calculator to estimate your phishing risk exposure and compare the cost of protection against the cost of a single successful attack.