Finding the email product with the best policy-based controls

E-mail Security School guest instructor Joel Snyder offers advice on choosing e-mail security products.

by Joel Snyder

Review policy control carefully

Policy-based e-mail controls are integral to most antispam and antivirus solutions, but they vary enormously. Defining your specific needs will be critical to finding the right product. Policy controls usually end up as a combination of match rules and actions. Determine what kind of matching you need and the actions you require. For example, if you want to look for keywords in documents your users are e-mailing out, get as specific as you can. Ask yourself:

  • Are you going to search for a dictionary of words, account numbers or phrases?
  • How big will the dictionary be?
  • Do you need to look inside proprietary formats, such as a Microsoft Word doc or an Adobe PDF? If not, don't make it a requirement because it's an expensive feature.

If your policy control needs are simpler, say so. You don't want to pay for features that you aren't going to use.

Build a short list

Once you establish some basic requirements, use them to winnow the field of products. You don't have to go through a formal RFP process yet. Share a few pages of notes and requirements with salespeople to help them understand what you need and whether their product is a good fit. No salesperson wants to waste time talking to you if they can't meet your needs, and you don't want to waste your time studying the wrong products. Your goal is to come up with a short list of three to five products that fit all of your requirements (at least on paper). If you have more than five, refine your list of requirements.

If you can't decide among the products you've short-listed, then you have a good list. If you walk into the evaluation with a favorite, or (more commonly) thinking one product is not up to snuff, you're doing something wrong. If your short list is too long, consider other factors that will weigh on your final decision, such as pricing or the stability of the vendor. There's no point in looking at products you can't afford or that won't pass muster with your purchasing department.

From the short list, move into the lab. Products worth buying are worth testing and you want to put them through their paces. This is the time to get down and dirty with the features. For example, if you need footer stamping to add a disclaimer to outgoing messages, see if the feature actually works with real e-mail your company generates. If you're fighting spam, make sure that the product will work in your topology. It's not enough for a vendor to promise it works with Active Directory. The product has to be compatible with your Active Directory, and that's a lot easier to claim in a brochure than it is to make work.
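A lab check for the footer-stamping test described above, as an added example that is not part of the original column: it parses messages captured after they pass through the product under evaluation and reports which body parts lack the disclaimer. The disclaimer text, addresses and sample messages are constructed assumptions; substitute mail your company actually generates.

```python
import html
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed disclaimer text; use the footer your own policy configures.
DISCLAIMER = "This message is confidential and intended only for the addressee."

def _normalize(text):
    """Collapse whitespace so re-wrapping by the gateway does not hide a match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def _visible_text(part):
    """Return the decoded, reader-visible text of a text/plain or text/html part."""
    body = part.get_content()  # undoes base64 / quoted-printable and the charset
    if part.get_content_subtype() == "html":
        body = html.unescape(re.sub(r"<[^>]+>", " ", body))
    return _normalize(body)

def unstamped_parts(raw, disclaimer=DISCLAIMER):
    """List the content types of body parts that lack the disclaimer."""
    msg = message_from_bytes(raw, policy=policy.default)
    wanted = _normalize(disclaimer)
    missing = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue  # skip multipart containers, images and attached files
        if part.get_content_subtype() not in ("plain", "html"):
            continue
        if wanted not in _visible_text(part):
            missing.append(part.get_content_type())
    return missing

def build_sample(plain, html_body=None):
    """Constructed message standing in for mail captured after the gateway."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.net", "Q3 figures"
    msg.set_content(plain, cte="base64")  # encoded body, as many mail clients send
    if html_body is not None:
        msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()

if __name__ == "__main__":
    # Plain part stamped, HTML alternative not: most readers would see no footer.
    sample = build_sample("Figures attached.\n\n" + DISCLAIMER, "<p>Figures attached.</p>")
    print("parts missing the disclaimer:", unstamped_parts(sample))
```

Run it over a folder of captured outbound messages and treat any non-empty result as a failed test case to raise with the vendor.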

Test the features -- all the features you're going to use. E-mail security is not a mature field, and many products still have substantial bugs in them. Configure the product and make sure that it fits into your company's architecture. If you don't get good vendor help now, you won't get good support later on. So this is an excellent time to evaluate the quality of the support team.

Haggle, haggle, haggle

Getting the best terms is an art in itself and beyond the scope of this column. Here's a quick hint, though: Don't start negotiations by admitting that the product is the one you want. Remember that everything is negotiable, and if the long-term support costs look high (and they usually do for this class of product), you have other pressure points you can bring to bear. They include training and professional services. Most of the e-mail security vendors are already giving away consulting services as part of the purchase, so be sure to get your share of free help.

About the author
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Ariz. He sent his first network e-mail in 1980, and has been designing and implementing enterprise e-mail systems ever since. He is partially to blame for the X.400 messaging standards and has been trying to atone for them ever since.

This was last published in April 2005
