
Built-in vs. third-party email security: What you need to know


Research published in Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks tested 30 email services and 23 email clients and found them vulnerable to at least some form of sender spoofing, including trusted platforms like Gmail and Outlook. As the researchers put it, "a failure in any part can break the whole chain." When organizations set up their email, they must decide whether to rely on the security tools that come with their email platform or invest in third-party security solutions.

 

What built-in email security covers

Email providers such as Microsoft 365 and Google Workspace come with built-in security. These tools are designed to detect common threats and require little configuration.

Spam filtering is the most common feature and it uses a combination of reputation scoring, keyword analysis, and sender verification to divert unwanted mail away from the primary inbox. Alongside this, most platforms offer basic antivirus scanning of attachments, flagging known malware signatures before they reach the user.

Authentication protocols include standards like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which together help verify that incoming email genuinely comes from the domain it claims to come from. SPF checks whether the sending server is authorized for the envelope sender's domain, DKIM verifies a cryptographic signature over the message headers and body, and DMARC requires that at least one of those results line up with the visible From domain and tells receiving servers what to do when neither does. These protocols reduce spoofing and impersonation attacks. The advantages of built-in security are simplicity and cost efficiency: there is no additional vendor to manage, no separate console to learn, and for organizations with limited IT resources, having security integrated directly into the email platform reduces overhead.
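To make that chain concrete, here is a small DMARC evaluator, added for this article rather than taken from the cited research or from Paubox's products. It takes the visible From domain, the SPF and DKIM outcomes as a receiving server would record them, and the domain's DMARC record, and shows why an attacker who passes SPF and DKIM for their own domain still fails DMARC for the domain they impersonate. The organizational-domain logic is a simplification (last two labels instead of the Public Suffix List) and all domain names are invented.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Outcome of one authentication method and the domain it actually vouched for.

    For SPF the domain is the envelope MAIL FROM domain; for DKIM it is the
    d= tag of the signature that verified.
    """
    result: str  # "pass", "fail", "none", "temperror", ...
    domain: str


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {record!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Real validators consult the Public Suffix List; taking the last two labels
    is an assumption of this example and is wrong for domains under e.g. co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain: str, spf: AuthResult, dkim: AuthResult, record: str) -> dict:
    """Combine SPF and DKIM results into a DMARC verdict for the visible From domain.

    DMARC passes if at least one method passed *and* the domain it vouched for
    is aligned with the RFC 5322 From domain. On failure the disposition comes
    from the p= tag; p=none means "report it, but deliver anyway".
    """
    tags = parse_dmarc(record)
    spf_ok = spf.result == "pass" and aligned(spf.domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim.result == "pass" and aligned(dkim.domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags["p"].lower(),
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@bank.example"
    # Legitimate mail: bounces go to mail.bank.example, signature is from bank.example.
    print(evaluate_dmarc("bank.example",
                         AuthResult("pass", "mail.bank.example"),
                         AuthResult("pass", "bank.example"), record))
    # Spoof: the attacker's own domain passes SPF and DKIM, but nothing aligns
    # with the From domain the recipient sees, so DMARC fails and p= applies.
    print(evaluate_dmarc("bank.example",
                         AuthResult("pass", "attacker.example"),
                         AuthResult("pass", "attacker.example"), record))
```

Note that with p=none the second case is still delivered: the record only changes the disposition when it is set to quarantine or reject.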

 

Where built-in protection falls short

Built-in email security has limitations because it is normally reactive rather than proactive. Research into the foundational principles of Security by Design identifies proactiveness as one of the central principles of robust security thinking: security must be "emphasized throughout the whole software lifecycle," anticipating threats before they occur rather than responding after the fact.

The Weak Links in Authentication Chains study identified 14 distinct spoofing techniques capable of bypassing SPF, DKIM, and DMARC protections, many of which can be combined into what the researchers describe as "cocktail" attacks that leave no visible warning in the recipient's inbox. Attackers can exploit inconsistencies between how different email fields are processed, abuse legitimate forwarding services to obtain valid cryptographic signatures, and use encoding tricks or special characters to make a fraudulent sender address appear legitimate. Furthermore, the study found that only 12 of the 30 services tested performed any form of sender inconsistency check, meaning the majority gave users no indication that the displayed sender address might not be the one that was actually authenticated.
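A receiving-side check for a few of these inconsistencies, written for this article and not part of the paper or of any product; the three messages are constructed and the domains are invented. It decodes the From header the way a client would display it, then compares what the user sees with what the envelope sender (Return-Path) and the Authentication-Results header say was actually verified.

```python
import base64
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Machine-readable part of an Authentication-Results header (RFC 8601).
AR_HEADER_FROM = re.compile(r"header\.from=([^;\s]+)")
# Something that looks like an email address inside a display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")


def decode_value(value: str) -> str:
    """Decode RFC 2047 encoded-words so the check sees what the user sees."""
    return str(make_header(decode_header(value)))


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw: str) -> list:
    """Return sender-inconsistency findings for a raw RFC 5322 message.

    An empty list means no inconsistency was detected, not that the message is
    legitimate: the check only compares what is displayed with what was verified.
    """
    msg = message_from_string(raw)
    findings = []

    froms = msg.get_all("From") or []
    if len(froms) != 1:
        # Clients disagree on which From they show when there are several,
        # which is one of the ambiguities spoofers rely on.
        findings.append(f"expected exactly one From header, found {len(froms)}")
    if not froms:
        return findings

    name, addr = parseaddr(decode_value(froms[0]))
    from_domain = domain_of(addr)

    if not addr.isascii():
        findings.append(f"non-ASCII characters in From address {addr!r} (possible homoglyph)")

    match = ADDR_IN_NAME.search(name)
    if match and match.group(1).lower() != from_domain:
        findings.append(f"display name shows {match.group(0)!r} but the address is {addr!r}")

    # Envelope sender recorded by the receiving MTA vs header From. Forwarders and
    # mailing lists legitimately differ here, so treat this as a signal, not a verdict.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = domain_of(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # The domain DMARC actually evaluated vs the domain the user sees.
    match = AR_HEADER_FROM.search(msg.get("Authentication-Results", ""))
    if match and match.group(1).lower() != from_domain:
        findings.append(f"DMARC was evaluated for {match.group(1)} but the displayed domain is {from_domain}")

    return findings


def sample_messages() -> dict:
    """Constructed messages for the demo; none are real captures."""
    fake_name = base64.b64encode(b'"ceo@bank.example"').decode()
    return {
        # DMARC genuinely passes for attacker.example; the lie is in the display name.
        "display_name_spoof": (
            "Return-Path: <bounce@attacker.example>\r\n"
            "Authentication-Results: mx.example; spf=pass smtp.mailfrom=attacker.example; "
            "dkim=pass header.d=attacker.example; dmarc=pass header.from=attacker.example\r\n"
            f"From: =?UTF-8?B?{fake_name}?= <attacker@attacker.example>\r\n"
            "Subject: Urgent wire transfer\r\n\r\nPlease pay the attached invoice today.\r\n"
        ),
        "duplicate_from": (
            "Return-Path: <bounce@attacker.example>\r\n"
            "From: ceo@bank.example\r\n"
            "From: attacker@attacker.example\r\n"
            "Subject: Hello\r\n\r\nHello.\r\n"
        ),
        "homoglyph": (
            "Return-Path: <ceo@bank.example>\r\n"
            "From: CEO <ceo@b\u0430nk.example>\r\n"  # Cyrillic U+0430 in "bank"
            "Subject: Hello\r\n\r\nHello.\r\n"
        ),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, check_sender(raw))
```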

According to the Paubox 2026 Healthcare Email Security Report, 74% of breached organizations lacked effective DMARC enforcement, with 41% having no DMARC policy at all and a further 33% operating in monitoring-only mode (p=none), meaning receiving servers were given no instruction to block or quarantine suspicious messages. More than half had permissive or missing SPF records, and not a single breached organization enforced MTA-STS, the policy that lets a domain require TLS-encrypted, certificate-validated connections for its inbound mail so that an attacker on the path cannot strip the encryption and read messages in transit.

Furthermore, Paubox's 2025 Report on How Microsoft and Google Put PHI at Risk showed how the leading platforms handle encryption. In controlled testing, Google Workspace delivered messages using TLS 1.0 and TLS 1.1, both of which have been deprecated since 2021 (RFC 8996). Microsoft 365 went further and delivered messages in cleartext, with no alert to the sender. As Paubox CEO Hoala Greevy put it, "Force TLS gives you just enough confidence to stop asking questions, until something breaks." And as Chief Compliance Officer Rick Kuwahara noted, "Confidence without clarity is what gets organizations breached. We don't just need encryption, we need evidence."

The report further notes that, "Encryption doesn't just fail, it fails silently." There is no audit trail showing encryption was bypassed, no bounce notification, and no alert. For healthcare organizations transmitting protected health information (PHI), this is a risk. Microsoft 365 alone accounted for 43.3% of all healthcare email breaches in 2024, according to Paubox's research, and the average cost of a healthcare data breach stands at $9.8 million per incident.
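The fail-closed behaviour the report is asking for, in code. This is an added example for this article, not Paubox's, Microsoft's or Google's implementation, and it covers both the MTA-STS policy from the previous section and TLS enforcement. Delivery stops, with an exception and a log line, whenever the receiving server is not a permitted MX, offers no STARTTLS, presents an invalid certificate, or negotiates anything below TLS 1.2, and on success the function returns the negotiated version and cipher as the evidence that is otherwise missing. The policy file and host names are constructed.

```python
import logging
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

log = logging.getLogger("delivery")

# Negotiated protocol versions accepted as evidence of adequate encryption.
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}

# Constructed MTA-STS policy, in the format a sender would fetch from
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461). Not a real domain.
SAMPLE_POLICY = (
    "version: STSv1\nmode: enforce\n"
    "mx: mail.bank.example\nmx: *.backup.example\nmax_age: 604800\n"
)


class DeliveryRefused(Exception):
    """Raised instead of silently downgrading to cleartext or weak TLS."""


def tls_context() -> ssl.SSLContext:
    """Client context that validates the server certificate and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1 fallback
    return ctx


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key: value policy file; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid MTA-STS policy")
    return policy


def mx_allowed(policy: dict, mx_host: str) -> bool:
    """True if mx_host matches one of the policy's mx patterns.

    A leading '*.' matches exactly one label: mail.x matches *.x, a.b.x does not.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def deliver_enforced(message: EmailMessage, mx_host: str,
                     policy: Optional[dict] = None, port: int = 25) -> dict:
    """Deliver over verified TLS or not at all, and return what was negotiated.

    Opportunistic STARTTLS would carry on in cleartext when the server offers no
    STARTTLS; this function raises instead, so the failure is visible and logged.
    """
    if policy and policy["mode"] == "enforce" and not mx_allowed(policy, mx_host):
        raise DeliveryRefused(f"{mx_host} is not a permitted MX under the MTA-STS policy")
    with smtplib.SMTP(mx_host, port, timeout=30) as server:
        server.ehlo()
        if not server.has_extn("starttls"):
            raise DeliveryRefused(f"{mx_host} did not offer STARTTLS; refusing cleartext delivery")
        server.starttls(context=tls_context())  # raises on a bad certificate or old TLS
        server.ehlo()
        version = server.sock.version()
        cipher = server.sock.cipher()[0]
        if version not in ACCEPTABLE_TLS:  # belt and braces; the context already forbids this
            raise DeliveryRefused(f"{mx_host} negotiated {version}")
        server.send_message(message)
    evidence = {"mx": mx_host, "tls_version": version, "cipher": cipher}
    log.info("delivered %s", evidence)  # the audit trail the report says is missing
    return evidence
```

Usage would be `deliver_enforced(msg, "mail.bank.example", parse_mta_sts_policy(SAMPLE_POLICY))`, where the policy text has been fetched over HTTPS and cached for max_age seconds; a `DeliveryRefused` exception is the bounce and the log entry that the "silent failure" described above never produces.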

Built-in tools are tuned for threats such as mass phishing campaigns, known malware, and generic spam. They do far less against zero-day exploits, novel attack techniques, and personalized business email compromise (BEC) attacks. Targeted spear-phishing, including the kind used by advanced persistent threat (APT) groups, where attackers carefully craft emails that mimic trusted internal or external senders, can bypass standard filters with ease. Similarly, attacks that deliver a malicious link rather than an attachment leave no file for an antivirus engine to scan, are harder to catch at the gateway without URL inspection, and can point at a destination that is only weaponized after the message has been delivered.

 

What small practices are missing

According to the Paubox 2025 Report: What Small Healthcare Practices Get Wrong About HIPAA and Email Security, more than 80% of small practices expressed confidence in their current compliance; the data said otherwise.

Nearly all small practices surveyed (98%) said their platform "encrypts emails by default," yet most use Microsoft 365 or Google Workspace, platforms which, as documented in Paubox's controlled testing, can silently fall back to deprecated protocols or deliver messages in cleartext without alerting the sender.

The report further found that 83% of small practice leaders believe patient consent removes the need for encryption. Patient agreement to communicate electronically does not waive the requirement for appropriate safeguards under 45 CFR § 164.530(c). Similarly, 64% believe that patient portals are required by HIPAA, when in fact the regulations permit secure, direct email and other reasonable alternatives where appropriate safeguards are in place.

One in five small healthcare organizations also had no email archiving or audit logging at all, meaning that when a breach does occur there is no record from which to reconstruct what happened. Healthcare breaches already take an average of over 10 months to detect and contain, according to IBM's Cost of a Data Breach Report 2025, cited in the Paubox research.

 

What third-party email security brings

Third-party email security platforms are purpose-built for threat detection and go deeper than what comes with standard email services. Paubox, for example, is designed specifically for compliance, offering, among other things, HIPAA compliant email encryption that is applied by default rather than requiring staff to trigger it manually.

One of the advantages of third-party email security is advanced threat protection (ATP). This includes sandboxing, where suspicious attachments are detonated in a controlled virtual environment to observe their behavior before delivery, and URL rewriting with time-of-click scanning: the link in the delivered message points at the security gateway rather than at the destination, so it can be re-checked and blocked even after the email has landed in the inbox.
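How URL rewriting and time-of-click scanning fit together, as an added example written for this article rather than any vendor's implementation: each link in the body is replaced by a gateway URL carrying an HMAC-signed token with the original destination, the recipient and a timestamp, so the gateway can verify the token, re-scan the destination at click time, and block it even if the verdict changed after delivery. The gateway address, the key, the href regex and the is_malicious scanner are stand-ins.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Quoted href values in an HTML body. A production rewriter would use an HTML
# parser; the regex is an assumption of this example that keeps it short.
HREF = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_url(url: str, key: bytes, recipient: str, issued_at: Optional[int] = None) -> str:
    """Token = base64(claims).base64(HMAC-SHA256(key, claims))."""
    claims = {"u": url, "r": recipient, "t": issued_at or int(time.time())}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, key: bytes, max_age: int = 30 * 86400) -> Optional[dict]:
    """Return the claims if the MAC verifies and the token is not stale, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    claims = json.loads(payload)  # only reached for payloads we signed ourselves
    if time.time() - claims["t"] > max_age:
        return None
    return claims


def rewrite_links(html: str, gateway: str, key: bytes, recipient: str) -> str:
    """Replace every link with a gateway link; the original is only reachable via the token."""
    def replace(match: re.Match) -> str:
        token = sign_url(match.group(1), key, recipient)
        return f'href="{gateway}?{urlencode({"t": token})}"'
    return HREF.sub(replace, html)


def resolve_click(gateway_url: str, key: bytes, is_malicious: Callable[[str], bool]) -> tuple:
    """Click-time handling: verify the token, re-scan the destination now, then decide.

    is_malicious stands in for the gateway's URL reputation/scanning service
    (an assumption of this example). Returns (action, original_url).
    """
    query = parse_qs(urlparse(gateway_url).query)
    claims = verify_token(query.get("t", [""])[0], key)
    if claims is None:
        return ("reject", None)        # forged, tampered or expired token
    if is_malicious(claims["u"]):
        return ("block", claims["u"])  # the verdict may have changed since delivery
    return ("redirect", claims["u"])


if __name__ == "__main__":
    key = b"constructed-gateway-key"
    body = '<p><a href="https://example.net/login">Sign in</a></p>'
    rewritten = rewrite_links(body, "https://gw.example/click", key, "alice@example.net")
    print(rewritten)
    link = HREF.search(rewritten).group(1)
    print(resolve_click(link, key, lambda url: False))
    print(resolve_click(link, key, lambda url: "login" in url))
```

Binding the recipient into the token lets the gateway attribute clicks in incident response, and the timestamp bounds how long a leaked gateway link stays usable.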

Another advantage is behavioral analysis (often marketed as behavioral AI): these systems learn the normal communication patterns of an organization and flag anomalies that could indicate account compromise or impersonation. This is effective against BEC attacks, which often contain no malicious links or attachments. It also addresses one of the weaknesses identified in Weak Links in Authentication Chains: the most dangerous spoofing attacks leave no protocol-level footprint for standard filters to catch.

Third-party solutions also tend to offer reporting dashboards, compliance archiving, data loss prevention (DLP) policies, and integration with broader security systems. It is worth noting, however, that the presence of third-party tools alone does not guarantee a stronger security posture. The Paubox 2026 Healthcare Email Security Report found that tool deployment without proper configuration leaves organizations exposed. As the report concludes, email security is a set of controls that require deliberate configuration, ongoing review, and clear ownership across IT and compliance teams.

 

Layering both approaches

The most resilient email security posture is what Del-Real, De Busser and van den Berg, in their research into the foundational principles of Security by Design, call multi-layered security: overlapping controls rather than reliance on any single mechanism.

Paubox's 2025 Report on How Microsoft and Google Put PHI at Risk warns that obsolete encryption provides a false sense of security because sensitive data appears to be protected when it is not. Furthermore, the Paubox 2026 Healthcare Email Security Report found that 41% of breached organizations in 2025 fell into a high-risk category based on their email configuration, up from 31% the year before. In other words, the organizations still experiencing breaches are those with the most gaps to close.

Lastly, the "Third-Party Access Cybersecurity Threats and Precautions: A Survey of Healthcare Delivery Organizations" study found that 60% of organizations do not routinely monitor third parties with access to sensitive information, and of those that do, more than half rely on manual processes. That is not sustainable as threat volumes grow.

The right balance depends on organizational size, risk profile, industry regulations, and budget. A small business with limited resources may find that upgrading to a higher tier of their email provider's native security closes most gaps affordably. A mid-sized company in a regulated sector, however, will likely benefit from a dedicated third-party solution.

 

FAQs

What is "built-in" email security?

Built-in email security refers to the protective features that come pre-packaged with your email platform.

 

What is a third-party email security solution?

A third-party email security solution is a dedicated product from a separate vendor that you add on top of your existing email platform to provide more specialized protection.

 

How often should an organization review its email security setup?

Email security should be reviewed regularly and ideally whenever there is a change in staff, technology, or the threat landscape.
