What are the limits of gateway-based protection?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Every security team eventually hits the same uncomfortable truth: your email gateway is not a force field. It's a filter. And like any filter, it has gaps you need to plan around, not hope away.
Here's where email security gateways genuinely struggle:
Zero-day threats. Gateways work from known signatures and patterns. A brand-new attack, one that no one has seen before, has no signature. It walks right through. By the time the signature database catches up, the damage may already be done.
Sophisticated phishing with no technical red flags. Imagine an email from a real domain, with valid SPF and DKIM, written in clean prose, containing only a link to a legitimate-looking login page. The gateway sees nothing wrong. Neither do most humans on first glance. These are the attacks that actually work.
Evasion techniques. Attackers know how gateways scan. They use things like delayed redirects (the link is clean at delivery, then swaps to a malicious page hours later) or multi-step payloads that only activate after a human interaction. This is called delayed weaponization, and it's specifically designed to beat delivery-time analysis.
Scope blind spots. A gateway protects the perimeter. It sees what comes in from outside. It doesn't see an already-compromised internal account sending malicious emails to colleagues. It doesn't protect someone accessing corporate email on a personal phone. It can't catch a threat that arrives through Slack, Teams, or a shared document link instead of email.
URL rewriting (where the gateway rewrites every link so it can scan on click) helps with delayed weaponization. But it adds friction for users, occasionally breaks links, and still only works if the click happens while the scanner is still watching. (Which it isn't always.)
The honest expectation is that some percentage of threats will get through. That's not a failure of your gateway vendor. It's physics. Defense-in-depth means accepting that and layering your protection accordingly: endpoint detection, security awareness training, conditional access policies, and clear incident response playbooks for when something slips through anyway.
Now if you're trying to map your actual gaps, our SOS hotline is free and we'll walk through what a realistic layered approach looks like for your setup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.