Review: E-Mail Outsourcing Services

Outsourcing your e-mail can streamline IT operations and cut costs. We sent an RFI to hosted e-mail providers on behalf of our fictional engineering services firm. The highest marks went

June 24, 2006


The world sends more than 44 billion e-mails a day--not counting spam--according to The Radicati Group. That's more legitimate e-mail in three days than the number of hamburgers sold by McDonald's since it opened in 1955.

Some businesses are streamlining IT operations by outsourcing e-mail management to third parties. This lets small and midsize enterprises reduce costs and complexity without sacrificing productivity, reliability or security. In fact, outsourced, hosted e-mail accounts will grow from 856 million to 1.5 billion by 2009, The Radicati Group predicts. But midsize companies (500 to 5,000 employees) cite concerns regarding security, archiving and compliance, the researcher says.

This forecast--and the worries--are logical. Businesses have had to increase their archiving, privacy and security efforts. Why would it get easier any time soon? Identity theft, corporate fraud and electronic surveillance are all hot issues right now, and the government's solution is regulation and legislation.

By outsourcing e-mail, companies don't have to purchase and maintain hardware or software, keep track of licenses, upgrades and backups or worry about scaling for growth. Of course, there are pitfalls. Companies must consider performance, data retention, governmental compliance, security and the vendor's ability to deliver.

You're moving a critical communications medium out of your domain and into the hands of a third party. A breach in privacy or security will most likely reflect poorly on your company and may expose you to legal action.

E-Mail Outsourcing Service Features

We set out to evaluate the hosted e-mail market by crafting a 60-question RFI for McDonald and Siefert Engineering, a fictitious company. MSE is a publicly traded, vertically integrated engineering services firm, offering consulting, engineering and scientific investigations, laboratory analysis, construction management, and contract operations and maintenance services in water resources, wastewater management and environmental services. MSE has more than 800 employees working in 25 states and six countries. The company, with headquarters and a data center in Pepper Pike, Ohio, has offices in North America and Europe, with plans to expand into Asia and the Pacific Rim by next year. MSE needs a hosted e-mail service that meets regulatory and data-retention requirements, offers Web mail for remote users, supports languages other than English and guarantees a minimum of 99.9 percent uptime.

We sent invitations to 21 companies. Apptix, Electric Mail, Elephant Outlook, EnterGroup and Mi8 all accepted. Products from BlueTie, Google, MailStreet (a division of Apptix), Microsoft, Responsys, RightNow Technologies, Skylist, Yahoo and Yesmail didn't fit requirements or were focused on e-mail marketing. Cavion, Intermedia.Net, ManageTec.Net, 1&1, Oracle and Premiere Global Services never replied to our letter. USA.net declined, indicating it didn't want to provide the proprietary information required to complete the RFI.

Each product we evaluated lets users take advantage of their existing and familiar e-mail clients, use a Web-mail system or a hybrid of the two. Familiar clients, antispam, antivirus scanning and high availability enhance the user's e-mail productivity.

Address Worries

MSE's biggest concerns are message archival and spam mitigation. Many in-house mail servers have spam filters, but the message must be transmitted before it can be scanned, eating bandwidth and server space. You can outsource just the antispam service, which will help with bandwidth, but you must still deal with high availability, server management, storage and regulatory needs if you retain in-house e-mail.

A few of the vendors disclosed which products they use for spam filtering. Mi8 uses Postini, while Apptix uses MX Logic's EMail Defense Service. All the vendors support whitelists, blacklists and autodeletion. We liked Electric Mail's highly detailed spam quarantine response: Messages flagged as suspicious are placed in a quarantine area for up to 14 days; daily or weekly e-mail notifications are sent to the user; and the user connects to a Web-based administration site to delete or release a message.

McDonald and Siefert Vital Stats

Attachments also can be problematic for organizations. Viruses, executables and excessively large files can wreak havoc on security and bandwidth. MSE wants protection against these problems and still wants to be able to send a file of any size. Many businesses limit the size of both incoming and outgoing attachments. Just because MSE can send a 2-GB attachment doesn't mean everyone on the Internet can receive it. Apptix doesn't allow executables and limits attachments to 20 MB. Mi8 limits attachments to 25 MB from the Internet, but doesn't limit intradomain mail.

Although we prefer having the option to attach files of any size, we like the Mi8 semi-unlimited model over Apptix's product. Elephant also blocks executables and limits attachments to 25 MB. Only EnterGroup and Electric Mail allow for any attached file, though admins can selectively block executables or other file extensions. EnterGroup has a default limit of 2 MB, but that can be increased (at an additional cost). Electric Mail has no size limit for attachments, but the Webmail client only allows for up to 10 MB.


MSE wants a two-pronged antivirus solution: The first line of defense should be the e-mail gateway; the second line, a desktop antivirus engine. All the vendors offer similar viral-scanning services. Elephant claims to use at least seven viral engines. The only company that falls short is Mi8; it does only perimeter antivirus scanning. If an e-mail virus--such as a blended attack that is initially transmitted through removable media, a Web browser or an instant messenger exploit--gets past the perimeter, it could spread within the organization quickly.

A vendor should clearly explain how it meets state, federal or international regulations. Find out about its data-retention policy. Does it encrypt backup tapes? How are the backup tapes destroyed or initialized after the retention period? The vendor should meet any governmental and corporate requirements. Each vendor in our RFI claimed to meet regulatory standards. Only Elephant listed the standards it meets, including HIPAA and SOX, though compliance with these regulations is not as simple as just saying you meet them. You still must vet the vendors to ensure they're meeting your requirements.

Apptix claims to hold backups for three years. Mi8 cites 30 days in a media vault, though it can hold messages longer for regulatory purposes if necessary. Elephant claims to meet the SEC's three-year requirement and will adhere to other regulatory backup policies. Electric Mail keeps data backup tapes for several weeks, then recycles or destroys them, but also will adhere to an organization's retention period. EnterGroup uses redundant systems for live replication instead of backing up, but also complies with EU and U.S. data-storage requirements.

MSE wants to keep Active Directory and doesn't want to deal with a separate network and an e-mail account system. Apptix's integration with an existing Active Directory or LDAP system impressed us the most. Electric Mail can extract user data, but not passwords. EnterGroup offers automatic provisioning, but didn't go into details on how this worked, significantly weakening its proposal. Elephant has no integration, claiming this independence means more security. Although MSE is concerned about security, Elephant's explanation smacks of "turn a negative into a positive" marketing speak. Mi8 also offers no directory integration. It did propose a detailed migration timeline, though we didn't ask for one.

Who's Minding the Store?

The vendor should be able to describe its security procedures. It should maintain an audit log and offer sufficient physical security. Inquire about employee background security checks and the procedure following a security breach. See if your contract has any legal remedy or protection for your company if the vendor is negligent. Some vendors may not want to disclose this information publicly or without an NDA in place. If you have to sign an NDA, go for it. If the vendor doesn't want to reveal detailed information at all, walk away.

We asked vendors about their security practices and how they protect MSE's e-mails from espionage, snooping and hacking. Apptix initially didn't reply to this section, but once we asked if this was intentional, it quickly sent a detailed description of its security policies. EnterGroup wrote one sentence that didn't give any specifics, and Elephant didn't want to disclose this information publicly without an NDA. Although some security data is on its Web site, we find that not being able to give 750 words about one's security without an NDA is cowardly. With responses like these, a savvy IT manager would throw the Elephant and EnterGroup proposals into the recycling bin. Electric Mail and Mi8 went into great detail about their facilities and physical security. Electric Mail requires a visual identity check and access cards to get into its data center and audits systems access. Mi8 uses biometrics, audits server access and performs third-party security audits and employee security screenings.

Can They Take the Heat?

When looking to outsource, consider how well a vendor can deliver on its promises. Read the SLA (service-level agreement) carefully. How is uptime calculated? How much scheduled maintenance will occur in a month, and at what times? Many vendors will not count scheduled maintenance as downtime. If you are a global company, keep in mind that scheduled downtime from 2 a.m. to 4 a.m. Pacific Time will result in a lost morning in Europe. When the SLA isn't met, do you get a partial or full refund for that month? Are you locked into a yearly contract, and what are the outs?

Apptix and Mi8 both offer 99.9 percent reliability, the minimum required by MSE. This equates to approximately 45 minutes a month of downtime, not including scheduled maintenance. All vendors give themselves an out with sliding scheduled maintenance windows as long as advance notice is given. Elephant allocates two hours semimonthly for maintenance, for example, but during any other time period, it considers a 24-hour notice to be scheduled. MSE is a global company, which means any hour could be a business hour, so we liked Electric Mail and EnterGroup's claim of 99.99 percent reliability, or downtime of less than five minutes per month. Elephant checked off the 99.999999 percent uptime in our RFI, though its marketing brochures claim 100 percent uptime, not including scheduled maintenance.
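The SLA questions above, worked through in Python as an added example that is not part of the original review. It assumes a 30-day month, a 9-to-5 weekday business day, fixed summer UTC offsets, a constructed maintenance date, and that a vendor uses its full maintenance allocation; the function names and office offsets are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from fractions import Fraction

MONTH_MINUTES = 30 * 24 * 60  # assumption: 30-day billing month


def downtime_budget_minutes(uptime_percent, period_minutes=MONTH_MINUTES):
    """Unscheduled downtime an SLA percentage permits per period."""
    # Fraction(str(...)) keeps figures such as 99.999999 exact.
    allowed = (100 - Fraction(str(uptime_percent))) / 100
    return float(period_minutes * allowed)


def effective_availability(uptime_percent, maintenance_minutes,
                           period_minutes=MONTH_MINUTES):
    """Availability users actually see when scheduled maintenance is
    excluded from the SLA and both allowances are used in full."""
    down = (downtime_budget_minutes(uptime_percent, period_minutes)
            + maintenance_minutes)
    return 100 * (1 - down / period_minutes)


def business_minutes_lost(window_start, duration, office_utc_offset,
                          open_hour=9, close_hour=17):
    """Minutes of a maintenance window that fall inside an office's
    weekday business hours, given the office's UTC offset in hours."""
    tz = timezone(timedelta(hours=office_utc_offset))
    start = window_start.astimezone(tz)
    end = start + duration
    lost = timedelta()
    # Walk every local calendar day the window touches.
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:  # Monday to Friday
            overlap = (min(end, day + timedelta(hours=close_hour))
                       - max(start, day + timedelta(hours=open_hour)))
            if overlap > timedelta(0):
                lost += overlap
        day += timedelta(days=1)
    return int(lost.total_seconds() // 60)


# Constructed sample: a 2 a.m. to 4 a.m. Pacific (UTC-7 in summer) window
# on Tuesday 27 June 2006. Office offsets are assumptions for illustration.
PACIFIC = timezone(timedelta(hours=-7))
WINDOW_START = datetime(2006, 6, 27, 2, 0, tzinfo=PACIFIC)
WINDOW_LENGTH = timedelta(hours=2)
OFFICES = {
    "Pepper Pike, Ohio (UTC-4)": -4,
    "European office (UTC+2, assumed)": 2,
    "Planned Asia office (UTC+8, assumed)": 8,
}


def lost_by_office():
    """Business minutes lost per office for the sample window."""
    return {name: business_minutes_lost(WINDOW_START, WINDOW_LENGTH, offset)
            for name, offset in OFFICES.items()}


if __name__ == "__main__":
    for pct in ("99.9", "99.99", "99.999999"):
        print(f"{pct}% uptime -> {downtime_budget_minutes(pct):.4f} "
              "minutes of unscheduled downtime per month")
    # Two hours semimonthly, as one vendor allocates: 240 minutes a month.
    for pct in ("99.9", "99.999999"):
        print(f"{pct}% SLA plus 240 maintenance minutes -> "
              f"{effective_availability(pct, 240):.3f}% seen by users")
    for office, minutes in lost_by_office().items():
        print(f"{office}: {minutes} business minutes lost")
```

Once a maintenance allowance of 240 minutes a month is counted, the gap between a 99.9 percent and a 99.999999 percent SLA shrinks to about a tenth of a percentage point, which is why the maintenance terms deserve as much scrutiny as the headline figure.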

Remediation is also important: A company should stand behind its SLA financially. It's better to drop reliability slightly for a better financial remedy. Apptix and Mi8 offer partial monthly credit. Electric Mail didn't disclose its crediting policy. Elephant claims to offer an account credit, but didn't provide details. EnterGroup will waive the entire monthly fee, which, combined with its claim of 99.99 percent uptime, makes MSE very happy.

Pricing varied greatly from product to product. Exchange users may be charged more per month than IMAP mail systems, and BlackBerry access increases prices. The vendors all offer 100 MB per user as a base price. EnterGroup and Mi8 came in with the lowest prices, while Electric Mail and Apptix have the most-expensive services. Archiving, additional storage space, antivirus protection and higher uptime guarantees affect the price. Apptix charges $21,786 per month for its premium service, but drop uptime down to 99.9 percent and remove BlackBerry support, and its service would cost $14,855. EnterGroup's service was the lowest, at $640 per month. However, that price only includes 100 MB of space per user. Electric Mail and Mi8 also quote prices for additional storage. We looked at the cost for the itemized components, but focused on the bottom-line pricing we requested.

The vendors are all at least five years old, and most have been in business for over a decade. However, there are a lot of minor league hosted Microsoft Exchange operators. These vendors usually offer a less-extensive SLA and less-expensive services. Companies considering a start-up e-mail hosting company should be cautious. If they go bankrupt, your e-mail stops, and transitioning can take time--assuming you can recover your data.

In the end, we gave the Editor's Choice to Electric Mail. It offers a greater number of features for spam and attachment control, archiving options, security assurances and platform support. We were also happy to see that it offers a 99.99 percent uptime, though the penalties for failing to meet it are handled on a case-by-case basis. Mi8 and Apptix also offer excellent products. EnterGroup and Elephant both scored on the low end of our evaluation. Their RFI responses were shorter than the other vendors', offering up less detail on the system and its features.

Michael J. DeMaria is a technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].

Executive Summary

Companies may turn to e-mail outsourcing to streamline operations and reduce the complexity and capital investment in their current systems without losing functionality.

We considered services from some of the best players in the market, including Apptix, Electric Mail, Elephant Outlook, EnterGroup and Mi8. We sent them an RFI that covered the operations of a fictional engineering services firm called McDonald and Siefert Engineering (MSE), then evaluated their responses based on price, functionality, remote accessibility, spam handling, security, guaranteed uptime and best practices. Although some of the competitors did surprisingly well, there are some huge gaps in the features they offer vendors.

To help you select an e-mail service provider, we highlight what your organization should look for when considering such a move. Even if your company isn't looking to change its e-mail scheme, e-mail outsourcing is viable and growing, and could be just right for some overburdened IT shops.

Electric Mail Hosted Exchange 2003
Among the hosted e-mail services we looked at for midsize enterprises, Electric Mail impressed us the most--from its detailed and thorough proposal to its extensive system support, features, security and management capabilities. It supports all the major OSs, Blackberry, Palm, as well as all the browsers, e-mail clients and mail protocols listed on our RFI. It was also the only vendor that supported POP3, IMAP, MAPI, POP3S and IMAPS.

MI-8 and Apptix, the other top vendors in this review, only support IMAP and POP3. Electric Mail's security procedures, archiving options and messaging compliance capabilities put it at the top of the heap. However, it didn't provide much information relating to migration from the old system to the hosted environment, explaining that this would vary on a case-by-case basis and more information would be needed. This was disappointing, considering the excellent sample timeline provided by MI-8.

Electric Mail's user account control offered a range of capabilities: A web-based provisioning tool, for example, allows administrators to create users, set global preferences and create mailing lists. The company also offers a way to extract user data from LDAP directories for proliferating accounts. Multiple mailboxes, shared calendaring and mailboxes, forwarded mailboxes and access control can all be set in the provisioning tool as well.

On the downside, however, it cannot extract e-mail passwords--a weakness that means users will need to have an additional work password. We would have preferred a way to authenticate against the corporate systems directory, as Apptix provides. This is one capability that nearly every hosted e-mail provider--with the exception of Apptix--still needs to implement.

As for collaboration options, Electric Mail's calendaring feature allows users to create multiple work and personal calendars from inside the Webmail client. In addition, group calendars, permission-based sharing and meeting planning are available. Users can synchronize with Outlook, as well as access a global address book, distribution lists, contact information and a corporate address book. We would have liked instant messaging integration, or a hosted IM solution, but vendors lack these features.

End users can use their existing e-mail client, the Electric Mail Web client or a combination of the two for day-to-day work. Support for POP, IMAP and MAPI allows for wide flexibility in supported clients. MAPI-only support, which is what Elephant offers, limits your e-mail clients to Outlook. Users log into the Web system to address quarantined spam and set e-mail filters.

Electric Mail stores e-mail on a RAID device; they claim to replicate the e-mail to another RAID device every six hours and back up to tape nightly. It was encouraging that they placed such emphasis on redundancy and backup. They claim to recycle or destroy tapes after the retention period. Electric Mail can also perform random e-mail samplings, archive attachments and track conversations based on keywords--useful for ensuring your employees are adhering to your e-mail usage policy, privacy concerns aside. E-mail for Exchange users is stored encrypted on the Electric Mail server, but the e-mail of non-Exchange users is unencrypted. TLS (Transport Layer Security), HTTPS, IMAPS and POPS are all offered for encrypted channels. Of all the vendors we looked at, Electric Mail is the most "enterprise ready," and has the better overall package, though MI-8 and Apptix proved to be close competition.

Antivirus features are about what we'd expect and require in an enterprise e-mail system. Electric Mail states that they are vendor agnostic and, as such, can switch virus scanning engines if a better one becomes available. This flexible approach is preferred compared with being locked into one engine. Infected e-mails can be cleansed or deleted, and notifications can also be sent to senders, recipients or both.

MI-8 Hosted Microsoft Exchange System
MI-8 offered a well-rounded solution, though we would have liked to have seen additional improvement with regard to user management and collaboration features. The price was slightly cheaper than the other top competitors--though availability was only 99.9%. EnterGroup was the only vendor to have a lower price, but it isn't as "enterprise ready" as MI-8.

MI-8's platform support scores were boosted by its support for any standard IMAP or POP client, all the major Web browsers, Blackberry and Palm. Calendaring support is available through the usual Microsoft Exchange/Outlook shared calendars, and is compatible with third-party calendaring applications. Support for Microsoft Live Communications Server and Sharepoint Services is planned for Q3 2006. Support for global address books, corporate address books (including outside e-mail addresses) and distribution lists is also available--typical features found in an enterprise e-mail system.

MI-8 provided an impressive timeline when it responded to how users would migrate from the old implementation to the new service, something none of the other vendors did. The project--from planning to full implementation--was estimated to last at least three months. Planning was scheduled for six weeks, pilot deployment five weeks, then migration of 800 users, in batches, would be determined based on the results of the planning and testing. This timeframe seemed reasonable to us, neither slow nor overly aggressive. Migration is a big issue, especially for a highly entrenched e-mail system such as that laid out by our RFI.

We had greater confidence in MI-8's ability to migrate the users than with any other vendor, simply because it laid out the best case, starting with drafting a plan, discovering applications that integrate with e-mail, finding mailboxes, testing migration methods and then engaging in the actual migration.

Data is backed up nightly to disk, and after three days is transferred to tape. The tapes are rotated offsite every week, and held for a month, then wiped and reused. However, our scenario company was also concerned with archiving for government compliance regulations, which require extensive archiving and message retention. MI-8 partners with Frontbridge, Global Relay, Zantaz and Iron Mountain for archiving and compliance purposes. This is an added cost, and requires working with another vendor. However, when it comes to compliance, we'd rather work with an outside vendor who knows exactly what is necessary, than a first party vendor that doesn't.

Our biggest gripe with MI-8 is related to its anti-virus support: only perimeter scanning is performed. Intra-domain mail passes through. MI-8 recommends that you use a desktop AV solution. That may be a good interim solution, but it's unacceptable for an otherwise excellent service. Blended attacks can enter from a mechanism outside e-mail, then forward themselves through e-mail to everyone in the company. The RFI cites that a fix for this is coming this year. In the event that a mass e-mail virus breaks out, MI-8 says it can use the content filtering to scan for a pattern and block or quarantine it. MI-8 also receives alerts if an unusually high number of messages occurs.

Apptix Hosted Exchange
Apptix offers two versions of their product: basic and premium. The basic is just a POP service that's insufficient for a midsize enterprise. The premium solution, which we evaluated, is a hosted Exchange server with better e-mail content filtering, backup, archiving, collaboration and a higher SLA than the basic version.

Like Electric Mail and MI-8, Apptix also offers a competitive product for the midsize enterprise, offered through subdivisions and channel partners. Our sample company of 800 users would typically be serviced through a channel partner. None of the other vendors showed as much diversity in catering to different markets.

Apptix's system support came up a bit short. It only supports IE under Windows and Mac for Webmail, while Outlook is the only officially supported e-mail client. EnterGroup and Elephant, the least "enterprise ready" of all the vendors, support multiple browsers. Apptix offers POP3 and IMAP protocol, so theoretically other clients should work. BlackBerry and Palm are supported for mobile messaging.

There are three options offered for migration from an existing Exchange setup: self, assisted and custom. Self involves exporting all the e-mail to a local file from Outlook, and then uploading this file to the new environment, one user at a time. Apptix acknowledges that this isn't time-efficient, but it is simple and inexpensive. Assisted, which would work better for MSE, comes at an extra cost depending on size and complexity. Apptix creates the user accounts automatically. Then the customer would batch up existing users' e-mail and upload it. This allows for a rollout deployment over time, keeping both systems running until everyone has switched over. Custom migration involves greater participation on the part of the professional services team when moving users in complex and multi-site environments, as well as reintegrating the new e-mail server into existing business applications.

Apptix claims to authenticate against an Active Directory or LDAP server for unified username/password management, a feature none of the other vendors offered. This solution is superior to the hybrid model other vendors employ, as it's one less directory store to maintain, and it reduces the need for the help desk to retrieve forgotten e-mail passwords. A hosted Sharepoint service is also available, but IM integration is not. None of the other vendors in this review offer hosted or integrated IM. Apptix says it plans to offer this by the end of the year. Users can enjoy Microsoft Exchange calendaring features and create global address books and distribution lists. These features--offered by Electric Mail and MI-8--are to be expected in an enterprise-class offering.

Apptix utilizes a three-level escalation when it comes to disk usage. The default space is 100 MB per user. At 80 percent of quota, the user is issued an e-mail warning; at 100 percent, the user cannot send mail; at 120 percent, the user stops receiving e-mails. While the warn, prohibit send and prohibit receive functions are useful as an enforcement mechanism, we don't agree that quota violations should prohibit e-mail from being received. We'd prefer a setup where the user doesn't receive new e-mail in his/her inbox, but incoming messages are queued and stored. None of the vendors offer a queue-and-store model for over-quota limits.

EnterGroup Fidelity Mail
We found EnterGroup's proposal lacked detail compared with its competitors; specifically, very little information was provided on user management, collaboration and archiving.

Interestingly, EnterGroup doesn't offer any calendaring features, despite the fact that Microsoft Exchange's growing popularity in the enterprise has been in part due to integrated calendaring. Calendaring and online address books need to be supported for a midsize or small enterprise. However, with its less-expensive price tag, EnterGroup would probably be a fine solution for a smaller private enterprise, especially those that don't need to worry about compliance issues.

EnterGroup claims that by not focusing on calendaring, it allows them to focus on offering an e-mail service. In an enterprise the size of our scenario company, offering integrated calendaring is strongly desired. We were also annoyed that the product didn't offer any online address book capabilities, though every other vendor did. Even smaller enterprises would want this feature, let alone an 800-user system, but users are free to create and maintain their own address books through a local mail client. If EnterGroup included these features, it would greatly enhance its ability to compete.

EnterGroup also claims that it meets all regulatory standards set by the European Union and, as such, its solution should have no compliance problems in either the EU or U.S. markets. Our scenario company has U.S. and European offices, so meeting EU standards was important. The EU is generally considered to have stricter data privacy laws than the US.

We also wanted to see better backup support. EnterGroup's service runs on redundant servers, but EnterGroup doesn't offer inbox tape backups. This may limit them from select U.S. markets that need to retain all messages for compliance purposes. Electric Mail, MI-8 and Apptix all offer archiving support. E-mail is stored in encrypted format on the servers--a good move. HTTPS access is available for an additional cost, but POP3S is not offered.

Migrating from the old e-mail system to a new one involved both manual and automatic tools. Administrators can automatically create accounts for existing e-mail users, though EnterGroup says that the process of moving existing mailboxes and e-mail messages depends on the data format currently used. This short response is along the same lines as Electric Mail's, but we would have liked more information, similar to what MI-8 provided.

On a positive note, EnterGroup blew everyone away on price. The system costs just $9.61 per mailbox per year, with 100MB of storage--much less expensive compared with other vendors' fees. The odd part about their pricing is that attachments are limited to 2MB. After that, it costs an extra $1 per megabyte. EnterGroup's proposal would be a hard sell for our midsize public company. We see underlying potential, but we would recommend that the quality of attachment control, collaboration and user management be raised to the level delivered by top vendors like Electric Mail.

Elephant Outlook Exchange Hosting
Elephant submitted an extremely brief RFI; in fact, it provided no detail in some places. As our evaluation and grades were based on the RFI responses, this cost the company in both grade and rank. For example, when asked for up to 250 words on what online address book capabilities exist, the response was a simple "yes." Marketing brochures submitted along with the RFI mention central employee directory and distribution lists, typical with an Exchange server.

Elephant offers support for almost every Web browser, OS or language we listed on our RFI. However, the only mail protocol supported is MAPI; there's no support for POP or IMAP. All the other vendors support POP, and all but EnterGroup support IMAP. Non-Outlook users will need to use Webmail, not an ideal solution, especially for remote and disconnected Mac and Linux users. However, the extensive browser/OS support helps. Standard MS Exchange calendaring support is available with Outlook, and Elephant supports the iCal standard.

Administrators can allow or deny attachments by file type, or size, and Elephant claims to use at least seven antivirus engines, which update every five minutes. This is impressive, and no other vendor indicated such thorough AV scrubbing. The most detailed response to the RFI came in the question on regulatory compliance: Elephant claims to meet SEC, HIPAA, SOX and other government regulations. This made our scenario company feel a little better, though the lack of response on Elephant's corporate security measures and procedures was disappointing. E-mail can be stored on the server, encrypted using S/MIME. We see a potential for sufficient regulatory and security needs for MSE, but would need more information on security practices to feel comfortable recommending it for public enterprises.

Information on migration was also sparse, only stating that migration and customized importing tools are provided along with a setup wizard for the end user to export and import data.

Elephant's pricing was close to that of Electric Mail and Apptix, but both offer more enterprise functionality.
