The Case for an On-Premises Email Filter, or "Don't You Touch My Junk!"
Outsourcing your spam filtering has advantages, but requires you to trust all your email to an unknown third party. Do you really want to do that?
Think about the kinds of things that are in your organization's email: personal details of you and your employees, details of your customers and your business with them, and sensitive financial information about the company. This is, of course, all information you need to keep confidential.
And yet it is increasingly common for organizations to outsource spam/junk filtering to a service. This function necessarily involves examining both the content and the header information for messages.
Who are these people you are entrusting with information so valuable, and who are they to say what is and is not junk to you?
Even after we climb back down off of Mt. Paranoia and recognize that these filtering services aren't out to get you, it doesn't change the fact that you are entrusting them with enormous amounts of confidential information. This is information which it is your responsibility to protect.
The compromise of email processors is not a big story in computer security, but perhaps it should be. An attacker with access to the traffic of an email processor could sit back and monitor for a few specific, valuable things like Excel spreadsheets, usernames and passwords sent from IT, or reports from Human Resources. Does this sort of thing happen in the real world? Probably it has happened. There's no way to know if it's at all common, but it's a possibility you have to consider.
If you keep all your email processing in-house, that is one point of vulnerability that has been eliminated. Yes, your own systems can be compromised and you need to be vigilant and aggressive in protecting them, but that can happen whether you are using an outside service or not. The outside service increases what security analysts call your "attack surface," meaning the number of openings through which attackers can get to you.
It's worth noting that spam filtering pays at least as much attention to the headers as to the actual content of the email. Headers are the address and routing information for the email message, including the 'From:' and 'To:' information but also the list of all the servers through which the message passed on its way to you and when it passed. Even if the attacker had no access to the actual body of the messages, they could learn a lot from the headers, including who is sending email to you, to whom you are sending, and when.
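To make the header exposure described above concrete, here is an added example (not part of the original article) that reads only the header block of a message and recovers who wrote to whom, when, and through which servers. The sample message, host names and addresses are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: header block only, no body. All hosts and addresses are made up.
SAMPLE_HEADERS = """\
Received: from filter.example.net (filter.example.net [192.0.2.10])
\tby mail.example.com with ESMTP id 2; Mon, 03 Mar 2025 09:15:07 +0000
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
\tby filter.example.net with ESMTP id 1; Mon, 03 Mar 2025 09:15:02 +0000
From: "Pat Example" <cfo@partner.example>
To: ar@example.com, "Controller" <controller@example.com>
Date: Mon, 03 Mar 2025 09:15:00 +0000
Message-ID: <constructed-1@partner.example>

"""


def _word_after(words, key):
    """Return the token following `key` in a Received line, or None."""
    i = words.index(key) if key in words else -1
    return words[i + 1] if 0 <= i < len(words) - 1 else None


def _parse_time(text):
    """Parse an RFC 5322 date; return None if it is missing or malformed."""
    try:
        return parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None


def header_metadata(raw):
    """Summarise who wrote to whom, when, and via which servers, from headers alone."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so reverse them to get travel order.
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = value.rpartition(";")
        words = route.split()
        hops.append({"from": _word_after(words, "from"),
                     "by": _word_after(words, "by"),
                     "time": _parse_time(stamp)})
    people = lambda *names: [addr for name in names
                             for _, addr in getaddresses(msg.get_all(name, []))]
    return {"senders": people("From"), "recipients": people("To", "Cc"),
            "sent": _parse_time(msg["Date"] or ""), "hops": hops}
```

Running `header_metadata` over a mailbox export of your own traffic shows how much of this correspondence graph any processor in the delivery path sees, even one that never reads a message body.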
Apart from the direct value of the information, such email is the perfect tool for an attacker to construct a successful spear phish attack. A spear phish is a highly-targeted fake message which attempts to give the attacker access to very sensitive information. It might look like an actual email from your CFO asking for the access information to this or that account. It might be very hard for you to tell it was not legit.
This is not the only argument for an in-house solution for email filtering. There is the potential for performance and reliability benefits from removing an outside service from your email processing. If you do it all in-house then you only have to rely on your ISP and you have to do that anyway. This is not nothing, but it's not as important as the trust problem.
In the long term, in-house solutions can also be cheaper. Services charge you a recurring fee per month for each user or email, but once you've paid for your in-house solution, that's probably all you need to spend. Depending on your growth, you may need to upgrade the hardware it runs on in the future.
Finally, a good in-house filtering solution may also do archiving. On top of preserving your records, a good archiving system also lets you search back through the history of your email, well past the limits imposed by outside services.
Perhaps not everyone needs to care so much about the security and confidentiality of their email. If you do, it may be worth bringing junk mail filtering in-house.