Feel free to check out my original post for some background and context on Cloud vs. on-premise before continuing.
Email is easily one of the most important IT services used within a company and often serves as the primary means of both internal and external communication. While historically it was common for companies to self-host their email service on-premise, over the past decade many companies have migrated to cloud-hosted solutions. In this article, we’ll break down the components of email hosting and dig into the economics behind hosting email in the Cloud versus on-premise.
How Does Email Hosting Work?
While I’ve attempted to limit the technical jargon used in this section, feel free to skip to “Where does the Cloud come in?” if you want to cut straight to comparisons between Cloud and on-premise email hosting.
Email strongly resembles traditional mail carrier services, with email hosting being analogous to operating a post office which serves your employees. There are three core components needed to host any email service, including:
Internet service
More specifically, you need Internet service that provides a static IP address and does not place restrictions on TCP/UDP ports 25 or 587. This is analogous to possessing geographic coordinates with access to a street.
Registered domain
More specifically, you need the ability to modify the DNS records for a domain, e.g., poignanttech.com, so that you can correctly set your MX records to point to your IP address used for email hosting. This is analogous to having a street address, which is just a human-readable representation of your geographic coordinates.
Email hosting software
More specifically, you need a server, virtual machine or container with email hosting software installed, such as Postfix, Exim, Sendmail, Mailcow, Microsoft Exchange Server(!), etc. The core function of this software is to facilitate the receipt, storage, and delivery of email and is analogous to a post office.
While the above three components represent the bare minimum requirements for functional email hosting, there are additional components required for email hosting to function at an acceptable level for business use, including:
DKIM, SPF and DMARC
By default, anybody on the Internet can send an email purporting to be from your domain. When used malevolently, this is referred to as “spoofing”. If left unmitigated, this presents a huge threat vector. DKIM, SPF and DMARC provide a strong and necessary mechanism for combating spoofing:
- An SPF (Sender Policy Framework) record is a DNS record that announces where legitimate email from your domain will originate from.
- DKIM (DomainKeys Identified Mail) uses public-private key cryptography to validate the identity of a sender and the integrity of an email’s contents. This is similar to how SSL certificates work when browsing web pages and assures recipients that an email they’ve received from you is legitimate and has not been tampered with.
- A DMARC (Domain-based Message Authentication, Reporting and Conformance) policy is a DNS record which dictates how SPF and DKIM failures need to be handled by recipients.
Since email received from domains without SPF, DKIM and DMARC configured cannot be validated for authenticity, many email hosts will flag or block email lacking these records altogether.
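To make the three records concrete, here is an added example (not code from the original article) that evaluates an SPF record against a sender IP and then applies a DMARC policy using the alignment rules the records express. DNS lookups are replaced by a constructed in-memory zone for a hypothetical domain, example.test, so the script runs offline; the record values are constructed samples, and the organizational-domain helper is simplified to the last two labels.

```python
"""Added example: SPF evaluation and DMARC disposition over constructed
DNS TXT records (hypothetical domain example.test, not the article's)."""
import ipaddress

# Constructed sample zone: an SPF record and a DMARC policy for example.test.
ZONE = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.test",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral/permerror for the ip4/ip6/all mechanisms.
    include:, a:, mx:, exists: and ptr need DNS lookups, which this offline
    example deliberately does not perform, so they are reported as permerror."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            return "permerror"  # mechanism needs DNS; unsupported here
    return "neutral"  # nothing matched and no "all" term was published


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Simplified assumption: last two labels. Real validators consult the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match, 'r' (relaxed)
    only requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results with the published policy and return
    'pass', 'none', 'quarantine' or 'reject'."""
    org = organizational_domain(from_domain)
    record = ZONE.get("_dmarc." + from_domain) or ZONE.get("_dmarc." + org)
    if record is None:
        return "none"  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    if from_domain != org and "sp" in tags:
        return tags["sp"]  # subdomain policy applies to subdomains
    return tags.get("p", "none")


if __name__ == "__main__":
    spf = ZONE["example.test"]
    print(evaluate_spf(spf, "203.0.113.7"), evaluate_spf(spf, "198.51.100.7"))
    print(dmarc_disposition("example.test", "fail", "example.test", "fail", "example.test"))
```

Note that a DMARC "pass" requires not only an SPF or DKIM pass but an aligned one: SPF passing for a bounce domain under relaxed alignment counts, while DKIM signed by a subdomain under strict alignment does not. That distinction is what lets receivers treat mail from a domain publishing p=reject with confidence.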
Spam Filtering
Spam email encompasses any unsolicited, unwanted or otherwise malevolent email. Since spam will not necessarily violate DMARC, it is distinct from spoofing and requires other mechanisms to block or quarantine.
Spam filtering can take on innumerable forms with varying degrees of complexity. The most basic form of spam filtering involves maintaining a blocked sender list within your email hosting software. More comprehensive solutions can incorporate routinely updated block lists including known spam domains, with the most complex solutions using proprietary heuristics to analyze email contents and patterns to identify spam. In any circumstance, a mechanism for blocking spam is necessary in order to avoid being inundated with unwanted email.
While most spam filtering focuses on inbound spam, restricting outbound spam is just as important, if not more so. If a sender within your mail domain attempts to send mail to hundreds or thousands of external recipients at a time, your domain may be flagged as a spam domain by block list maintainers. This can cause your domain and IP address to end up unilaterally blocked across the Internet, which can be extremely difficult to reverse. In extreme circumstances, your ISP may restrict your access to outbound TCP/UDP ports 25 and 587, which will block you from sending any outbound email whatsoever. This unfortunate outcome can largely be prevented by configuring your email hosting software with a conservative limit on the number of outbound emails that can be sent at a time.
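The outbound cap described in the last sentence is easy to reason about as a sliding window of recipients per sender. The following is an added illustration, not code from the article or from any mail server, of that policy: each sender may address at most a fixed number of recipients within a rolling window, and a submission that would exceed the cap is deferred rather than counted. The sender addresses, timings and limit values are constructed for the example.

```python
"""Added example: a per-sender sliding-window cap on outbound recipients,
the kind of conservative outbound limit the article recommends.
All senders, timestamps and thresholds below are constructed samples."""
from collections import deque


class OutboundLimiter:
    def __init__(self, max_recipients, window_seconds):
        self.max_recipients = max_recipients
        self.window = window_seconds
        self._history = {}  # sender -> deque of (timestamp, recipient_count)

    def _prune(self, sender, now):
        """Drop submissions that have aged out of the window and return the deque."""
        queue = self._history.setdefault(sender, deque())
        while queue and now - queue[0][0] >= self.window:
            queue.popleft()
        return queue

    def current_count(self, sender, now):
        """Recipients this sender has addressed within the current window."""
        return sum(count for _, count in self._prune(sender, now))

    def submit(self, sender, recipient_count, now):
        """Return 'accept' or 'defer'. A deferred message is not counted,
        so the client can retry once the window has moved on."""
        queue = self._prune(sender, now)
        used = sum(count for _, count in queue)
        if used + recipient_count > self.max_recipients:
            return "defer"
        queue.append((now, recipient_count))
        return "accept"


def run_sample():
    """Replay constructed submissions against a 100-recipients-per-hour cap
    and return (seconds, sender, recipients, decision) for each."""
    limiter = OutboundLimiter(max_recipients=100, window_seconds=3600)
    events = [
        (0, "alice@example.test", 5),
        (60, "alice@example.test", 10),
        (120, "bob@example.test", 90),
        (180, "bob@example.test", 20),   # 90 + 20 would exceed the cap: defer
        (240, "bob@example.test", 10),   # exactly reaches the cap: accept
        (3800, "bob@example.test", 50),  # the 90-recipient burst has aged out: accept
    ]
    return [(t, sender, n, limiter.submit(sender, n, t)) for t, sender, n in events]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Deferring (rather than silently dropping) the over-limit message keeps the behaviour visible to the sender and, in a real deployment, gives the operator a log line to alert on: a mailbox suddenly hitting the cap is often the first sign of a compromised account.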
Antivirus
Even with spam blocking enabled, viruses can easily spread through email in the form of malevolent attachments or macros. One example is a legitimate email domain, not otherwise flagged for spam, being compromised or hijacked by a malevolent actor and used to spread viruses.
While antivirus on a user’s device can prevent the local execution of malicious programs, antivirus in the context of email hosting serves to protect all users of an email host by scanning and eliminating malevolent email attachments before they are ever sent to a user’s inbox.
In its simplest form, an email host can unilaterally block attachments containing the most frequently abused filetypes, such as executable or zip files. More complex antivirus solutions for email hosts will scan all email attachments and use a signature and/or heuristics-based approach to detecting and quarantining potentially malevolent email attachments.
As with spam, you do not want to receive or send viruses, so it is important that your approach covers both inbound and outbound communications.
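The simple attachment policy described above (refuse the most frequently abused file types) can be written in a few lines, and it is worth adding the one refinement a practitioner would insist on: also look at the leading bytes of each attachment so that an executable renamed to .txt is still caught. The following is an added example, not code from the article; it builds a constructed three-attachment message with Python's standard email library and scans it. The blocked extension list and magic-byte table are illustrative assumptions, not a complete policy.

```python
"""Added example: attachment policy check over a constructed MIME message.
Extensions, magic bytes and the sample message are all constructed here."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Illustrative policy: extensions refused outright (assumed list, not exhaustive).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".zip", ".docm", ".xlsm"}
# Leading bytes that identify content we refuse regardless of the filename.
BLOCKED_MAGIC = {
    b"MZ": "windows executable",
    b"PK\x03\x04": "zip archive",
}


def classify_attachment(filename, data):
    """Return None if the attachment is allowed, otherwise a reason string."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    for magic, label in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return f"content looks like a {label} despite name {name!r}"
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, reason)] for every
    attachment the policy refuses. An empty list means the message is clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        reason = classify_attachment(part.get_filename(), part.get_content())
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_sample_message():
    """Constructed message: a harmless PDF, an executable disguised as .txt,
    and a zip archive. The payloads are a few stand-in bytes, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Constructed sample with three attachments"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"quarantine {filename}: {reason}")
```

A real gateway would go on to open archives and inspect their contents, since a zip is usually just a wrapper around the file types already on the list; the point of the example is that filename and content are checked independently, and that the same function can be applied to outbound mail before it leaves your domain.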
Network infrastructure
Your email hosting instance likely resides on shared IT infrastructure supporting other business technology needs. As a result, there are many networking infrastructure components that need to be correctly configured to accommodate mail hosting, including:
- NAT (Network Address Translation): If a mail host sits behind a firewall, inbound traffic arriving at your public IP address must be forwarded to the mail host’s internal address.
- Network isolation: Email hosting instances should not be capable of freely communicating with other components of an internal network. This is necessary because email hosting is typically a web-facing service which presents a huge attack surface. Isolation can be accomplished by many means, including placing email hosting instances within a DMZ or a lower-trust subnet with firewall rules dictating strict egress and ingress permissions. This ensures that the rest of the internal network will remain safe in the event that an email host is ever compromised through a bug or exploit.
- Intrusion and DDoS Protection: Email hosts are subject to being attacked over the Internet. Most business-grade firewalls provide built-in intrusion prevention controls. Rudimentary options include blocking IP ranges belonging to countries that your organization does not conduct business with in order to narrow your attack surface. More complex controls include using proprietary intrusion detection/prevention systems, or employing a reverse proxy as the point of entry for all mail traffic.
Backup & Disaster Recovery
Business-critical services, including email hosting, require backups in order to avoid permanent data loss. Backup systems can be as primitive as a rotation of external hard drives or as complex as third-party backup appliances and services featuring replication and disaster recovery capabilities.
High-availability
If your business requires as close to 100% uptime as possible, your email hosting needs to be configured in a high-availability configuration. This typically involves the use of 2 or more servers, virtual machines or containers located on different physical hardware, ideally in different geographic locations, configured and tested in a manner where failure of one will not result in a loss of service or data.
Where does the Cloud come in?
As mentioned in my original article, the Cloud is just somebody else’s computer. In a vacuum, using somebody else’s computer provides no intrinsic benefit over using your own machine; a well-designed on-premise email hosting solution is functionally equivalent to the same hosted in the Cloud.
On that note, following over a decade of market maturation, there has been an ongoing mass migration toward Cloud-hosted email solutions by companies of all sizes. Budget-oriented options include Rackspace, Zoho, mxroute, and many more. Premium options include Microsoft 365 and Google Workspace.
The benefits these options have over on-premise solutions include:
- Easy-to-use web-based interfaces for the creation and management of mailboxes
- No on-premise infrastructure required
- No capital expenditures or other steep up-front costs, save for any third-party support needed for setup/migration
- Easy-to-forecast monthly costs; billing is typically handled on a per-mailbox and per-month basis with discounts for yearly commitments
- No/limited maintenance required; “back-end” functionality is entirely managed by the cloud email host
Despite these benefits, there are some disadvantages to using Cloud email hosting over on-premise solutions, including:
- Limited economies of scale: The cost to use Cloud-hosted email scales linearly with total user/mailbox count; while it might be possible to negotiate better rates for large enterprises, this is not guaranteed. On the other hand, on-premise email hosting solutions generally experience shrinking marginal cost per mailbox as the environment grows, because costs are a product of infrastructure investment rather than mailbox count.
- Control: When email is hosted on-premise, the controlling company can dictate functions such as the timing of maintenance and outage windows. When email is hosted in the Cloud, customers are at the mercy of the Cloud provider’s quality of service.
- Privacy: If an organization is bound by laws or ethical rules disallowing the storage or transmission of data on third-party servers, using a Cloud solution for email may be a non-starter.
What solution should I use?
If your organization:
- Is small or mid-sized (less than 1500 mailboxes) OR is non-profit
- Cannot tolerate email downtime greater than ~0.1%
- Is not bound by laws prohibiting third-parties from storing your data
Then there is no question; you should absolutely use a Cloud-hosted email solution.
Cloud-hosted email solutions typically cost between $1/mo (Zoho Mail Lite) and $6/mo (Google Workspace Business Starter) per mailbox. For an organization with 1500 mailboxes, this puts the yearly cost between $18,000 and $106,000. Even at the high end of this range, Cloud-hosted email is more cost-effective than an equivalent on-premise email solution.
Many IT specialists and system administrators will disagree with me. Let’s address some of their points:
E3 Licenses cost $36/mo per mailbox! Cloud-hosted email is expensive!
An Exchange Online (Plan 1) license for Microsoft 365 costs $4/mo per mailbox. Premium options such as Microsoft’s E3 and E5 licenses provide additional features beyond email, including but not limited to productivity software, identity management, Cloud storage, and advanced integrations with other software. In future articles I’ll be covering these features and dissecting their potential value. For now, we’re going to stick to discussing email.
It costs almost nothing to host email on-premise!
Even if you already have the prerequisite infrastructure, time is not free. At the scale of 1500 mailboxes, maintaining all of the underlying components related to hosting production-grade email on-premise can easily become a full-time job which will quickly eat into any perceived savings.
You’re exaggerating! Managing our mail environment takes almost no time!
Are you routinely checking RSS feeds for CVEs related to your mail hosting software? Are you doing the same for your firewall? Are you scheduling maintenance windows to conduct patching? Are you routinely testing your anti-spam and anti-virus capabilities? Are you conducting fail-over tests between HA mail server nodes? Do you have 99.9%+ uptime? Are you testing the integrity of your backups and publishing RPO/RTO estimates? Are you documenting all of this work and creating continuation plans to hedge against technical debt? Do you have at least two engineers on payroll who could rebuild your mail environment from scratch at a moment’s notice?
We don’t need all of that! Everything is working fine!
Computers break. Even if an important service has never broken before, it is statistically inevitable that something will go wrong. Since organizations rely on computers, the risk of IT services breaking must be mitigated to reduce the fiscal impact that breakage imposes on the organization.
Email is a vital service for most organizations. When email breaks for a few hours, we start to experience chaos. When email breaks for days, the impact becomes catastrophic. In a worst-case scenario where an email host is compromised by a malevolent actor resulting in leaked data, the impact can be completely ruinous.
When a relatively small IT department provides on-premise email hosting, the service is provided to employees of the parent organization. When email breaks or is compromised, it is up to this small IT department and any contracted vendors to fix the issue. The maximum risk exposure of the IT department’s employees includes potential termination of employment, especially if it comes to light that the on-premise mail hosting environment has been mismanaged. If you have contracted vendors such as an MSP supporting your on-premise email, they risk losing your business if the support they provide is inadequate during a crisis; however, they hedge against the risk of losing your organization as a customer by supporting a pool of other customers with diverse IT infrastructure, insulated from the fallout of your organization’s outage.
When a Cloud provider hosts email, the service is provided to a very large number of customers. Correspondingly, when a Cloud provider is compromised or experiences an outage impacting your organization, the problem likely unilaterally impacts thousands, if not millions, of individual mailboxes belonging to many different organizations. The maximum risk exposure to Cloud providers includes millions or billions of dollars in lost revenue if lost confidence causes customers to flee to other, more reliable and secure Cloud providers, which is compounded by Cloud email hosting being an extremely saturated and competitive market. Cloud email hosts may likewise face class-action litigation if customer data is leaked.
While your IT staff probably don’t want to lose their jobs, the risk they face when things go sideways pales in comparison to the cumulative risk Cloud email hosts face in the same scenario, making Cloud email hosting an overall better hedge against risk. Cloud providers do frequently experience service outages; however, on average their uptime generally exceeds 99.9%. As far as security is concerned, Cloud email hosts must run very tight ships in order to maintain market confidence.
Small to mid-sized organizations unequivocally benefit from Cloud-hosted email. Dollar-for-dollar, Cloud hosts provide better reliability and a safer risk profile than on-premise email hosting at this scale.
What if I need more than 1500 mailboxes?
As an organization grows and meets most standard definitions of a “large” company, the economics of scale slowly start to favor self-hosted email. This is especially true if your organization already has sizable on-premise infrastructure and has a talented internal IT department. Regardless, you need to evaluate and compare your options before committing to a specific solution. Many large organizations decide to use Cloud-hosted email despite having far greater than 1500 mailboxes.
Hybrid Cloud
Whether you host email in the Cloud or on-premise, both paradigms can coexist and complement each other to fulfill your business needs.
Maintaining geographically separate backups is a core component of a 3-2-1 or 3-2-2 backup and disaster recovery strategy. If your email hosting resides in the Cloud, you can achieve geographic redundancy by maintaining an on-premise copy of your mail data. The reverse is also true; an on-premise email environment can be backed up to a public Cloud provider. This principle extends to high-availability systems; resiliency can be added to on-premise email hosting by maintaining a standby environment through a public Cloud.
On-premise email hosting can also benefit from leveraging Cloud-based antivirus and spam filtering solutions, which may seem more attractive now given recent reports of Barracuda Networks experiencing a breach involving their on-premise ESG appliances.
VPS
Virtual Private Servers (VPS) provide an interesting avenue for extremely low-cost email hosting that combines components of Cloud and on-premise hosting techniques. A VPS is essentially a Cloud-hosted virtual server which can be used for a variety of purposes. While they are typically used for web hosting, it is possible to install and run email hosting software which would typically be installed on-premise.
Using a VPS for email hosting provides a combination of on-premise and Cloud benefits:
- No on-premise infrastructure or capital expenditures required, save for any support needed for setup/migration
- Low monthly cost: Billing is handled based on the “size” of the VPS rather than mailbox count, with the lowest-cost options typically starting at around $6/mo. Costs increase as absolute storage, compute, RAM and networking requirements rise
- Greater degree of control versus dedicated Cloud email hosts
While this might seem like an extremely attractive option, there are a handful of problems associated with VPS email hosting:
- Many VPS providers do not permit traffic over port 25
- Many VPS providers’ IP addresses are blacklisted by other mail hosts
- Storage space provided is often limited and not suitable for heavy use or persistent long-term storage of email
- Not a fully-managed solution; the VPS provider is only providing virtual hardware, leaving you fully responsible for maintenance of the email hosting software.
This combination of attributes makes VPS-hosted email suitable for niche applications involving non-critical workloads with examples including rudimentary email-based alert collection, light internal communications, lab or development use, or any other low-volume activity.
The elimination of seat-based billing combined with the absence of customer-managed hardware makes VPS-hosted email unbeatable in terms of cost, so long as the downsides are not a non-starter for your intended use case.
A note on Microsoft Exchange Server
In early 2021, it was revealed that all versions of on-premise Microsoft Exchange Server were subject to multiple vulnerabilities which were being actively exploited to compromise networks and steal data, impacting an estimated 250,000 mail servers.
While officials like to place politically charged blame on foreign actors, the reality is that Microsoft wrote and shipped unsafe code. They failed to discover a critical vulnerability in their software that had likely existed for over a decade and only reacted when a lot of damage was already done to their customers.
This is compounded further by Microsoft’s use of an archaic and cumbersome method of issuing patches for Microsoft Exchange Server via “Cumulative Updates”. These are issued quarterly and in my experience can take up to 3 hours to complete, during which time mail services will be down. These updates are extremely temperamental and are prone to failure, requiring a restore from backup. Many small to mid-sized businesses impacted by this exploit never installed Cumulative Updates until this fiasco and quickly discovered that having a recent CU installed was a requisite step for Microsoft’s emergency patches.
If you are somehow still using Microsoft Exchange Server in 2023, you need to stop. It doesn’t matter if you have 150 or 15,000 mailboxes; Microsoft Exchange Server is deader than Elvis. If your organization does not have or does not care to employ the resources, knowledge or support to deploy a Linux-based on-premise email solution, your path is the Cloud. I would suggest shopping around and picking the option that best suits your organization’s needs, however if you’re trapped in Microsoft’s ecosystem, Microsoft 365 is the clearest escape route, which leads us to our final topic…
A note on third-party Cloud resellers
Microsoft 365 is a great product when used effectively. In the context of email hosting, it provides a (mostly) intuitive and overall low-maintenance experience which integrates very well with Microsoft’s other Cloud and on-premise offerings.
If your organization has decided to move to M365 for email hosting, it is important to understand that there are two different ways M365 can be purchased.
The primary method of purchasing M365 is to obtain it directly through Microsoft. This approach grants your organization’s administrators full control and access over your Cloud tenant. Access can be provided to support vendors or your MSP by providing them with an administrative account, or by linking your tenant to their Partner Portal.
The secondary method of purchasing M365 is to buy licensing through a third-party reseller. This approach grants the third-party full access and control over your Cloud tenant.
Unless you have an extremely good reason for using a third-party reseller, by default you should purchase your licensing directly through Microsoft. While third-party resellers may bundle support with their agreements, and while they might be able to leverage their Partner status with Microsoft to offer reduced rates for licensing, this approach will invariably work to benefit the reseller at your expense, including the introduction of a degree of “stickiness” between your organization and the vendor which can make switching vendors or solutions in the future more difficult. Any honest MSP or other service provider will not demand that you purchase licensing through them as a condition of a support agreement. Maintaining sovereignty over your own tenant ensures greater flexibility when managing your environment and when deciding to switch IT support vendors.
There is also a risk factor to consider when using a reseller. While Microsoft 365 customers were not impacted by the 2021 Exchange Server incident, as recently as 2020 there was a high-profile incident where some Microsoft Cloud customers had their Cloud tenants breached due to a reseller account being compromised. While this type of incident is always possible with reseller-provided M365, a similar incident can also occur with self-purchased M365 if your organization consents to being added to a Microsoft Partner Portal belonging to an MSP or other support vendor. Principle of Least Privilege applies to Cloud services just as much as it does on-premise and it is important to be extremely selective and careful about who you grant administrative tenant-level access to.
Conclusion
Email hosting is largely a solved problem. While there is still a place for self-hosted email in large organizations or for niche applications, small to mid-sized businesses stand to strongly benefit by adopting Cloud-hosted email.