Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA) How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLP (blocking, encrypting, quarantining sensitive content) Outbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.

After about a hundred hours of being happily hunched over my Moza AB9 FFB Base and MH16 Flightstick, bolting in the Moza MTP Throttle and MTLP Panel felt like quite the level up. All that gear is starting to morph my office space into a serious simpit. Pretty soon I’ll be needing a flight suit, a spare 60K for this helmet, or maybe just intervention from my loved ones before those purchases can happen. When I affixed it to my port side, the MTP Throttle delivered a fighter-jet-inspired grip, 27 programmable switches, an adjustable detent system for afterburner and trim positions, and game-changing vibration feedback that let me feel every gust and buffeting breeze.Perched to starboard (or connected above the MTP, if you’d prefer), the MTLP Take-off and Landing Panel brings 25 Hall-effect-driven switches, a true-to-life parking brake lever, and telemetry-driven lighting straight from an iconic F/A-18 cockpit. And, when paired together, this Master Blaster of a peripheral is a chonk requiring 170 x 430mm worth of real estate. Putting this bundle through its paces, mostly in an A-10 Warthog in Microsoft Flight Simulator 2024 (complete with bunghole-puckering canyon runs), was a blast. I feel I’ve experienced every yaw-trim tweak, afterburner snap, gear-down click, and parking brake yank these peripherals can muster. Before I elaborate more, though, let’s talk about the deep end – prices. Or click here to skip the window shop to my continued thoughts.ContentsCurrent PricesMoza MTP Throttle PanelA$599.00 at JB Hi-FiMoza MTLP PanelA$299.00 at JB Hi-FiMoza MTP ThrottleAfter you take a small age to bind every function to it, the MTP Throttle will competently emulate the full-range control demands of your fave fighter, from idle settings to screaming afterburner engagement and even centre-detent modes for precision yaw or spacecraft simulations. Inspired by carrier-based fighter throttle panels, its aluminium alloy grip felt substantial and reassuring in my clammy hands, far removed from the hollow plastic of my many budget joysticks from the Pentium-II days of yore. Surrounding that dual-split throttle grip are 27 perfectly backlit physical switches, which include rotaries, toggles, and a Hall-effect mini-joystick. Basically,you have everything you need to assign flaps, trim, weapon selection, or camera angling/zooming without reaching for an immersion-breaking keyboard (which, let’s face it, should have little business in your sim-pit).Tack on a 15-bit magnetic encoder for drift-free, ultra-precise throttle position sensing and dual vibration motors that more-than-decently rumble out aerodynamic buffeting or overspeed warnings, and you’ve got an impressive piece of all-in-one thrust control. Everything about this looks premium and feels smooth and crisp to the touch; a product worth an asking price that’s steeper than your average Immelman. Sliding the lever forward in MSFS 2024’s A-10 felt mesmerising; the adjustable damping screw lets you dial in a heavy carrier-style feel or a nearly frictionless slide for rapid thrust chops, perfect for the Warthog’s “your ordnance delivered in 5 minutes or it’s free” strafing runs. Switch presses registered instantly, and the haptic feedback added subtle jolts when breaking the sound barrier in my mental Top Gun montage. After hours of gun runs and canyon drifts, wrist fatigue was minimal, thanks to the throttle’s ergonomic layout and smooth travel path.In the final analysis, anyone craving realistic, customisable thrust control should find the MTP Throttle hard to resist. It commands a decent chunk of desk real estate and demands PC-only drivers, but its build quality, precision, and immersive feedback make it worth the investment. If you want to feel every ounce of power from idle to afterburner, this is a brilliant addition to any simmer’s ongoing flight(s) of fantasy. Back to topMoza MTLP PanelAs veteran eyes would have already spotted, the MTLP Panel is designed to ape the landing controls of an F/A-18, giving you 25 Hall-effect-monitored switches for gear, lights, flaps, and more, all laid out to guide your fingertips instinctively without glancing down. Its signature parking brake lever reproduces the spring-loaded recoil and rotation of real jet brakes, complete with a reassuring click on release that is satisfaction plus.The composite housing and aluminium accents of the MTLP are consistent with the superb build quality of its sister MTP unit (though the hook and gear levers do feel a tad cheaper). Moza has struck a balance between sturdiness and lower weight so it stays firmly in place even during my most enthusiastic brake yanks (to let bogies fly right by–that old Pete Mitchell chestnut). Meanwhile, telemetry-driven LED indicators glow to confirm gear status or landing-light activation, turning your desk into a mini runway light show. When I deployed landing gear during a low-altitude A-10 approach, the brain-muscle memory switch flick felt instantly familiar and satisfying, a vast improvement over fumbling with on-screen menus. The brake lever’s Hall-effect sensor gave crisp, drift-free inputs, and I never once forced a failed gear-up on final. Its compact footprint meant I could palm-reach each switch without looking down like a learner (after)burner or lifting off my stick.Ultimately, the MTLP Panel makes takeoff and landing procedures more immersive and efficient, but at around A$299 (US$150) it’s definitely a nice-to-have rather than a must-have. If you’re piecing together a full fighter-jet cockpit and crave that final touch of realism, just be prepared to clear desk space or mount it securely.Back to topBetter TogetherThere’s something undeniably thrilling about wielding hardware that echoes the heft and detail of real combat aircraft, especially when you’re diving into my test case scenarios (close-air support missions). The MTP Throttle and MTLP Panel aren’t merely flashy desk ornaments; they integrate seamlessly into Moza’s Cockpit Suite for drag-and-drop mapping, telemetric lighting, and vibration tuning, delivering an immersive sim experience. Side note: I also have to say, as a primarily VR-based flight simmer, having so much functionality “where it ough to be” at one’s fingertips, as opposed to blindly faffing about on a keyboard, is next-level handy. Put simply, I cannot go back from here. Whether you’re lining up for a low-and-slow bomb run or wrestling a heavy bomber through crosswinds, these peripherals elevate every cockpit interaction. If you can afford the mid-to-high-end price of admission, I say cue up some Kenny Loggins, engage those detents, retract your gear, and turn ‘n’ burn in an altogether higher tier of tactical. Adam Mathew is our Aussie deals wrangler. He plays practically everything, often on YouTube.

Proton Mail4.5 ExcellentBottom LineProton Mail is an easy-to-use webmail service that brings zero-access encryption to your local message store and end-to-end encryption for message transmission, along with an impressive posse of related programs.US Street Price$47.88Learn MoreProton Mail ReviewVSPreVeil4.5 ExcellentBottom LineWith PreVeil, you get free end-to-end encrypted secure cloud storage along with secure email that’s tough enough for business but extremely easy to use, all while keeping your existing email address.Learn MorePreVeil Review Table of ContentsPricing and Pricing TiersDo I Need a New Email Address?Authentication and Security OptionsCloud Storage and File SharingEmail Client IntegrationTemporary Email AddressesAdvanced Security FeaturesFeatures Beyond Email Encryption Pricing and Pricing TiersPreVeil’s pricing system is as simple as can be—it’s free. Period.You can use ProtonMail for free, too, but a free Proton Mail account lacks some features and limits others. For example, you can only send 150 messages per day and only manage a single email account. When you pay $47.88 per year for a Proton Mail Plus account, the limit on messages per day vanishes, but there’s still a cap on the number of email addresses you can use.There’s one more option, Proton Mail Ultimate, which costs $119.88 per year and includes the full pantheon of Proton’s products. This one makes sense if you want your email encryption served up along with fully functional instances of Proton Calendar, Proton Drive, Proton VPN, and the Proton Pass password manager. Ultimately, everything’s better when it’s free, so PreVeil wins.Winner: PreVeilDo I Need a New Email Address?I’ve had the same personal email address for more than 20 years, and I’ve grown fond of it. I could sign up for PreVeil and keep that address. But if I wanted to rely on Proton Mail to safeguard my email secrets, I would have to pick a new address and share it with all my contacts.On the flip side, my 20-year-old email address has accumulated quite a collection of spam. It’s been revealed in dozens of data breaches and captured by who knows how many data brokers. If you want to level up your security game by using email encryption, you might prefer switching to a pristine new address, too.Here’s the thing. You can do the same thing with PreVeil. Just set up a new, clean email address before you start using PreVeil. But you simply can’t use Proton Mail with your existing address, except in one rare case. If you own your own domain, and if you host your email on that domain, and if you're up for such domain-management tasks as changing MX records and reconfiguring settings for DNS, DKIM, DMARC, and SPF, then you can use your own email. PreVeil wins on flexibility.Winner: PreVeilAuthentication and Security OptionsIt doesn’t matter how thoroughly your email is encrypted if an evildoer gains access to your encrypted inbox. Proton Mail offers multiple levels of protection, starting with using a strong password and an optional account recovery email. On top of that basic password protection, you can optionally configure it for multi-factor authentication (MFA) using Google Authenticator or a compatible authenticator app. You can advance to expert-tier authentication by configuring Proton Mail to require a hardware security key.(Credit: Proton/PCMag)PreVeil doesn’t use passwords at all, presuming that the security of your email account is sufficient. Yes, an attacker would need access to both your email account and a trusted device, which fits the definition of MFA, barely. But you can only use an authenticator app or hardware key to authenticate your email account, not PreVeil itself. When it comes to actively protecting access to your encrypted email system, Proton Mail takes the prize.Winner: Proton MailCloud Storage and File SharingIf you want to share a file or picture securely with someone, you can add it as an attachment to an encrypted email message. That’s a workable solution, but it’s not always the most convenient. Proton Mail and PreVeil both go beyond simple attachments by allowing you to store files in the cloud and share them securely.Your PreVeil account comes with 5GB of encrypted cloud storage that’s easily accessible from Windows Explorer. You also get the option to securely share folders (but not individual files) and to set each recipient’s permission level, from full Edit & Share permission down to View Only, which merely lets the recipient peek at the file’s content in a browser window.(Credit: PreVeil/PCMag)Proton Mail users at all pricing tiers get access to the separate Proton Drive app for cloud backup. Non-paying customers get a tenth of what PreVeil offers, just 500MB. However, at the commercial Plus level that storage rises to 15GB, and if you go all out with Proton Mail Ultimate, you can store 500GB of files. If you’re keeping score, those storage figures are three times and 100 times what PreVeil gives you.Proton Drive lets you share files directly with other Proton users and control their level of access in much the same way you do with PreVeil. You can also create a public link, optionally setting a password and an expiry date. PreVeil’s similar links only work for someone with whom you’ve already shared the folder.It’s true that PreVeil offers more storage than Proton Mail’s free tier, but there’s no easy path if you want more from PreVeil. And Proton Mail’s full backup app has more flexibility. This one goes to Proton Mail.Recommended by Our EditorsWinner: Proton MailEmail Client IntegrationEven if you’ve grudgingly switched to a new email address, you can at least keep the email client that you’ve used for years, right? Well, not necessarily. To get your Proton Mail messages into Apple Mail, Outlook, or Thunderbird, you must install a separate “bridge” app and go through a configuration routine that can get complicated. It doesn’t work with the latest Outlook because it requires access to IMAP and SMTP. And you don’t get full access to encryption features in your old familiar email app.(Credit: PreVeil/PCMag)With PreVeil, integration can be as simple as installing a plug-in for Gmail or Outlook. The plug-in adds a few handy controls, like an encryption on/off switch for the messages you compose, and clearly separates encrypted messages from those you’ve sent without encryption.Winner: PreVeilTemporary Email AddressesI mentioned earlier that being forced to spin up a new email address can be a blessing in disguise, as doing so frees you from any spam and baggage associated with the old address. But if you use a temporary email address service, you can avoid accumulating those problems in the first place. Using such a service lets you communicate with online merchants and other possibly shady connections without ever revealing your actual email address. You see and respond to the messages in your normal inbox, but they see only an email alias. And if one of your connections sells you out to a spam cartel, you just delete the corresponding alias.Sounds convenient, right? The Proton team agrees. At the Unlimited subscription level, you get full access to SimpleLogin, a four-star temporary email service. Yes, that’s the most expensive level, but PreVeil doesn’t offer email aliases at any level. (Don’t feel too left out if you’re using PreVeil or haven’t opted for the expensive Proton Mail Unlimited. You can supplement your email encryption for free with email aliases from ManyMe or Bulc Club.)Winner: Proton MailAdvanced Security FeaturesAfter going to the trouble of switching to encrypted email, you’d feel pretty dumb if you lost your login and couldn’t get access to your important messages. Proton Mail encourages you to save a recovery key in the form of a lengthy code and a QR code, but that recovery key itself now becomes a weakness. Someone who acquires your code owns your account.PreVeil offers a similar recovery code system, but encourages you to use its Recovery Group system instead. This is a high-tech solution more commonly seen in Enterprise-level security. With PreVeil, your recovery key resides with multiple friends, and the recovery process requires participation by several of them. For example, you might enlist six friends to hold your secret and require any three of them to activate recovery.PreVeil’s wrapped keys encryption system is proprietary, but Proton Mail relies on the venerable and widely used PGP (Pretty Good Privacy) encryption system. Proton Mail users can set up encrypted communication with users of other encryption tools that rely on PGP, such as Private-Mail and StartMail. For those with the tech chops, using PGP opens up immense possibilities.(Credit: Proton/PCMag)Proton Mail also actively protects your privacy against tracking that relies on images. When your email client displays an image, it necessarily requests that image from a server. From that request, the sender can learn your IP address, among other things. Proton Mail wipes out web beacons, which are images that have no purpose beyond penetrating your privacy. And it acts as an intermediary for normal images, so the sender gets the IP address of a Proton Mail server, not your personal address.Both services have clever, high-tech features. And in both cases, most users won’t use or pay attention to these features. I call this a draw.Winner: TieFeatures Beyond Email EncryptionI’ve already mentioned that both services offer encrypted file storage and secure sharing. For PreVeil, that’s about it.Proton Mail, on the other hand, offers several other significant security features. These include the already-mentioned Proton Drive, Proton VPN, Proton Calendar, and the Proton Pass password manager.(Credit: Proton/PCMag)Like Proton Drive, Proton Calendar and Proton Pass are available to free users, but with limitations. Free users of Proton VPN can use it to protect one device at a time and can’t choose which country the VPN connects through. Paying for Proton Mail lifts some of these limitations. And if you choose Proton Unlimited, you get the maximum from all the Proton apps.Winner: Proton Mail