Email Security - API - Choosing Email Security Deployment Option (MX Record-Based or API-Based Deployment)

Choosing Your Email Security Deployment Method

This page provides an overview of the differences between Email Security - MX-Based Deployment and Email Security - API-Based Deployment, and things to consider when deciding which of the two deployment options is most suitable for your business needs. 

Overview

Mimecast Email Security supports two deployment methods that provide the same comprehensive threat protection but integrate with your email infrastructure differently:

• MX-based (Cloud Gateway): Email flows through Mimecast's infrastructure, acting as a pre-delivery quarantine before reaching Microsoft 365.
• API-Based Email Security: Microsoft 365 delivers email to the mailbox first, then Mimecast scans and remediates threats post-delivery.

Both deployment methods deliver identical protection against sophisticated email threats, including business email compromise, credential theft, phishing attacks, malicious URLs, and weaponized attachments. Your choice depends on your infrastructure complexity and operational preferences rather than security feature differences.

Deployment Method Comparison

MX-Based (Cloud Gateway)

How it works: 

Inbound email is routed to Mimecast by changing your domain's MX records. Mimecast scans messages before delivering clean emails to Microsoft 365.

Best suited for organizations that require:

Compatibility with any email platform beyond Microsoft 365, advanced routing capabilities for complex mail flow scenarios, granular configurable policies across multiple email security layers, pre-delivery protection that inspects messages before they reach mailboxes, hold queue management for administrative review, or comprehensive content examination of all email.

Additional capabilities available with MX-Based Email Security are:

• Brand Protection
• Data Governance and Compliance
• Collaboration Threat Protection
• Large File Send

• Secure Messaging

   

• Insider Risk Management, Email Continuity with backup and restore

API-Based Email Security

How it works: 

Microsoft 365 delivers email to the mailbox normally. Mimecast connects via Microsoft Graph API to scan messages post-delivery and automatically remediates detected threats by moving them to quarantine.

Best suited for organizations that have:

• Investment in native Microsoft 365 security, and are seeking enhanced post-delivery protection.
• A preference for minimal infrastructure changes, priorities around rapid deployment with typical completion in under 30 minutes, or requirements to avoid MX record modifications.

Additional capabilities available:

• Email Authentication
• Brand Protection
• Data Governance and Compliance
• Collaboration Threat Protection
• Insider Risk Management

Current limitations:

Business continuity features, including backup, restore, Large File Send, and Secure Messaging, are not currently available.

Making Your Decision

Select MX-based (Cloud Gateway) when...

Your infrastructure supports DNS and MX changes, and you need business continuity capabilities, pre-delivery email inspection, compatibility with multiple email platforms, or complex email routing requirements.

Select API-Based Email Security when...

You've invested in Microsoft 365 native security but need stronger post-delivery protection against sophisticated threats like BEC, credential theft, and impersonation. This method avoids infrastructure changes like MX record updates and prioritizes deployment speed and simplicity.

Deployment method is irreversible: Once you select your deployment type during onboarding, you cannot switch methods. Changing deployment methods requires creating a new Mimecast account.

Feature parity: Both methods provide identical threat detection capabilities. The primary differences are the integration approach and the availability of business continuity features.

Infrastructure complexity assessment: Base your decision on your current infrastructure and change management processes, not on organization size or user count.

Getting Started

Ready to deploy? Follow the appropriate guide for your chosen method:

• Getting Started with API-Based Email Security 
• Getting Started with MX-Based (Cloud Gateway) 

See Also...

• Troubleshooting Installation
• Per Policy Detection Engines

Need help deciding? Contact your Mimecast representative or submit a Support Request for guidance on selecting the right deployment method for your environment.