Email security gateways sit between the internet and your organisation's mail server, filtering inbound threats and enforcing outbound policy. For organisations operating dedicated email infrastructure, the gateway choice has direct implications for deliverability: gateways that rewrite messages, modify headers, or strip DKIM signatures introduce authentication failures that damage sender reputation for outbound mail. This comparison covers the four leading enterprise gateways from the deliverability operations perspective — not just the security features.
How Gateways Affect Outbound Deliverability
Email security gateways can degrade outbound deliverability in three ways that are invisible without careful monitoring. Understanding each mechanism is the prerequisite for configuring your gateway correctly.
DKIM signature breaking: When a gateway re-processes an outbound message — scanning it, modifying headers, or adding disclaimers — it can invalidate the DKIM signature that was applied before the message entered the gateway. The receiving server then sees a DKIM failure for a message that was correctly signed at origin. This is particularly common with disclaimer injection (adding a footer to all outbound messages) which modifies the message body, breaking DKIM body hash validation.
SPF alignment shift: Gateways that relay outbound mail change the envelope sender path. If the gateway's IP is not included in your domain's SPF record, outbound messages will fail SPF — even though your sending infrastructure is legitimate. The fix is to add the gateway's outbound relay IPs to your SPF record, which is documented in the gateway's admin documentation but frequently missed during initial setup.
DMARC failure on forwarded inbound: For inbound mail forwarded to external addresses, gateways that do not implement ARC sealing will forward messages that fail DMARC at the destination. ARC is the correct solution — see the ARC email authentication guide for implementation details.
Enterprise Gateway Comparison — 2025
| Gateway | ARC support | DKIM preservation | Outbound DLP | DMARC reporting | Deployment |
|---|---|---|---|---|---|
| Proofpoint Email Security | Yes — since 2022 | Manual config required | Full DLP suite | Detailed DMARC dashboard | Cloud / on-prem / hybrid |
| Mimecast Email Security | Yes — since 2023 | Enable in policy | Full DLP | DMARC Analyzer included | Cloud only |
| Microsoft Defender for Office 365 | Native EOP — automatic | Preserved by default | Basic DLP (E3+) | Via Postmaster Tools only | Cloud only (M365) |
| Barracuda Email Security Gateway | Partial — check firmware | Depends on version | Basic DLP | Limited reporting | Hardware / cloud / virtual |
| Cisco Secure Email (IronPort) | Not yet supported | Manual signing config | Full DLP suite | Via third-party integration | Cloud / on-prem |
Proofpoint — Deliverability Configuration
Proofpoint is the most widely deployed enterprise gateway and has the most mature deliverability feature set. ARC sealing must be explicitly enabled — it is not on by default. Navigate to Email Protection → Authentication → ARC to enable outbound ARC sealing. You also need to configure the DKIM signing domain in Proofpoint's signing configuration to match your From: domain, not Proofpoint's relay domain, for DMARC alignment.
Proofpoint's Smart Search and Message Trace features provide excellent visibility into outbound delivery disposition — you can see whether a message was accepted, deferred, or rejected by a downstream server, including the SMTP response code. This is genuinely useful for diagnosing deliverability issues at specific recipients without needing to dig through MTA logs.
Mimecast — Deliverability Configuration
Mimecast added ARC sealing support in 2023, available in the Enterprise tier. It is disabled by default — enable it in Administration → Gateway → Policies → ARC Signing. Mimecast's DMARC Analyzer product (included in higher tiers) provides aggregate DMARC report processing and a useful dashboard for monitoring alignment failures across your sending domains.
The most common deliverability issue with Mimecast is disclaimer injection. Mimecast's default configuration appends an email disclaimer to all outbound messages, which breaks DKIM body hashes. Reconfigure disclaimers to use header injection instead of body modification, or configure DKIM to use relaxed/relaxed canonicalization which tolerates minor whitespace changes but not full footer additions.
Gateway Deliverability Configuration Checklist
▶ Post-deployment deliverability audit for any email gateway
Issue: After deploying Proofpoint, outbound deliverability to Gmail dropped from 96% to 71% over 2 weeks. Gmail Postmaster Tools showed authentication rate falling from 99% to 84%.
Diagnosis: DKIM was being broken by Proofpoint's compliance footer injection. The footer was appending to all outbound messages, invalidating the DKIM body hash applied by the on-premises Exchange server before messages reached Proofpoint.
Fix: Reconfigured Proofpoint to use relaxed canonicalization for DKIM re-signing, and moved the compliance footer to a header field (X-Compliance-Notice) rather than the message body. Also enabled ARC sealing for forwarded mail flows.
Outcome: Authentication rate returned to 99% within 48 hours. Inbox placement recovered to 95% within 2 weeks as Gmail domain reputation normalised.