Zix wins 5-vendor email encryption shootout
Email encryption has come a long way since our last review.

- HPE/Voltage: Need an upgrade jolt
- Inky writes an end-to-end story
- Symantec Email Security.cloud with Advanced Policy-Based Encryption option
- Virtru Pro: Set it and forget it
- Zix Gateway: Frictionless encryption
Email encryption products have made major strides since we last looked at them nearly two years ago. They have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements, and are at the point where encryption can almost be called effortless on the part of the end user.
Our biggest criticism in 2015 was that the products couldn’t cover multiple use cases, such as when a user switches from reading emails on their smartphone to moving to a webmailer to composing messages on their Outlook desktop client. Fortunately, the products are all doing a better job handling multi-modal email.
In this review, we looked at five email encryption products, four of which employ encryption gateways and one that’s end-to-end. The gateways usually rely on plug-ins to Outlook and browsers so you can continue using your existing email clients. The end-to-end product requires new clients for all encrypted message traffic.
The five vendors include two that we reviewed in 2015: HPE/Voltage Secure Email and Virtru Pro. The other three are Inky (the end-to-end product), Zix Gateway, and Symantec Email Security.cloud.
Winners and losers
The overall winner is Zix. It was easy to install and manage, well-documented, and the encryption features were numerous and solid. The only drawback was that Zix lacks a separate mobile client to compose messages, but having a very responsive mobile web app made up for most of this issue.
If you want a separate end-to-end product, you should look at Inky, which offers its own clients to support S/MIME encryption.
Voltage, Symantec and Virtru are also solid products, but are still behind Zix in terms of the flexibility of various encryption protocols used, along with DLP features that are built-in along with a simple and single pricing structure -- all things that Zix excels.
All of these encryption products will cost you a few dollars a month per user. While that doesn’t sound like much, if you have an installation of several thousand users, the price tag could add up. However, the alternative is having your email stream available to anyone with a simple collection of tools that even teens can master.
Trends and bright spots
In 2015, we said that gateways may have fallen out of favor, but that trend has been reversed from what we could see from the current state of the art with these products. The gateways have gotten more capable for three reasons: they can better manage and eliminate any message residue that could be left on a local storage device, they make it easier for enterprises to manage message processing rules for compliance purposes, and they have auto-sensing mechanisms to deliver the best-effort encryption between the sender and recipient, so users don’t have to figure this out on their own.
The biggest overall improvement in these products has been in better encryption key management. The difficulty associated with key management was made infamous last year with a Motherboard story where the reporter tried to get the inventor of Pretty Good Privacy (PGP), Phil Zimmerman, to exchange encrypted messages. Zimmerman sheepishly revealed that he was no longer using his own protocols, due to difficulties in getting a Mac client operational.
Since then, ProtonMail has improved its single-user free encryption tool (adding a Tor-capable version to further hide your email traffic) and Lavabit has relaunched its service (after closing its doors rather than give up its keys to law enforcement as part of the Snowden debacle.)
While these personal encryption products are improvements, there are also steps forward for the enterprise encryption email user. Some products, such as Zix, hide the encryption key process entirely from the user, so well that you might not even know that an encrypted message has passed from sender to recipient.
Others, such as Virtru and HPE/Voltage, use identity-based encryption management to verify a new recipient in their systems. Once a user new to these products clicks on a confirmation email, they are forever allowed access, their emails are automatically decrypted, and there is no need for any further effort to keep track of or to prove who you are.
That is the way all encrypted email products should operate if they are going to get used more often.
The second biggest improvement is the data loss prevention system (DLP) integration that Zix, Symantec and Virtru have as part of their products. Voltage also offers an extra-cost DLP option on top of the basic package. What this means is that all of these systems detect when sensitive information is about to be transmitted via email, and take steps to encrypt or otherwise protect the message in transit and how it will ultimately be consumed on the receiving end.
DLP has gone from something “nice to have” to more essential as part of business compliance and data leak hacks, both of which have increased its importance. Having this integration can be a big selling point of making the move to an encrypted email vendor, and we are glad to see this feature getting easier to use and to manage in these products.
A third improvement is the use of cloud-based services. All of the products tested offer cloud installations in their products, which make setup a breeze. Inky, Zix and Voltage also have on-premises servers, if that is more comfortable. Most of the products could be installed in about an hour, some even in minutes. This is a big change from earlier products that required lots of help from support staff to get up and running.
These are all great strides forward. But there are still a few issues, including the lack of support for Mac and Linux desktops. Most of the products offer a web-based alternative to reading and sending encrypted email on these endpoints, but only a few offer native clients or plug-ins for browsers or Outlook running on anything other than Windows.
There are other potential gotchas contained in the fine print, such as limits on attachment size (shown in our summary table) or subtle configuration parameters that will require a call to the vendor’s support line to complete the setup. We discuss those items in the individual reviews.
Frictionless encryption
In the past, encryption was frankly a pain in the neck. Users hated it, either because they had to manage their own encryption key stores or had to go through additional steps to encrypt and decrypt their message traffic.
If a recipient wasn’t using the same encryption provider, it was another painful process, which could quickly be multiplied by the number of different systems employed. We can see those days coming to an end, where encryption is almost completely frictionless.
So will that be enough to convince users to start using encryption for normal everyday emailing? We hope so. As the number of attacks and malware infections increase, enterprises need all the protection that they can muster and encrypting emails is a great place to start.
ScoreCard
HPE/Voltage: Need an upgrade jolt
Voltage has been around for more than a decade and has 75 million mailboxes at some very large installations. It was purchased a few years ago by HP, now called HPE, and the product has been made more appealing for smaller businesses. It comes in two versions: one for the cloud and one as an on-premises server. The cloud version doesn’t store any message traffic offsite.
There are two plug-ins: one for Windows Outlook/Office versions only and one for Office 365. If you are going to deploy Voltage, you will need to study the specific OS and Office requirements, because they are numerous and picky.
For example, you’ll need to apply SP2 if you are running Office 2010 and be running Windows 7 with SP1. It supports Outlook across Office 2010, 2013 and 2016. There are also mobile versions for at least iOS v5.1, Android 2.3 and even Blackberry from v5 and later.
There is a web-based client that Voltage pioneered several years ago that anyone can use: a message contains a HTML link that will self-register new users, similar to what its competitors now do.
When a new recipient receives an encrypted message, they are directed to download the mobile app (if they are reading it on their phones) or to click on the HTML attachment where they are taken to the web portal to read the message. This is not as effortless as we’d like nor as easy as what Symantec or Zix offers.
With the mobile versions, I had trouble with the iOS app but the Android app worked fine. Voltage has a bit of a clunky method for its mobile apps: once they are installed, you still click on the attachment icon in your usual email client, then the app takes over and decrypts and displays the contents.
When you want to send a message from within Outlook, there is a special button above the normal Outlook “send” button that will encrypt your message. That is pretty simple. For any other Office app, you have a special Voltage menu that will get things going: you can add users, specify the access rights (editor, viewer or owner of the message) and press encrypt and off it goes. It is all rather plain and somewhat unimpressive, compared to its more feature-rich competitors.
Voltage, like other gateways, puts a limit on encrypted file attachments. You can get around this by using a separate utility program. This is part of the plug-in installation, and adds the ability to send files encrypted by just right-clicking on them in Windows Explorer. It will share addresses with your Outlook address book. The file sending feature is part of the trial version of software, but this is typically an extra-cost option.
Unlike the other products, Voltage’s web management portal is pretty bare-bones. You can download the plug-ins, connect to the webmail pickup portal, or manage your end user licenses.
Voltage doesn’t have any built-in DLP features, but does support integration with a third-party tool from Digital Guardian. Another limitation is that Voltage only supports Google/Gmail POP connections and not IMAP, like some of its competitors. There is also a confusing set of error or warning messages about certificate expiration.
The conflict is between the Windows-based Voltage client and what you see on its online management portal. This is because the desktop certificate is only valid for a week, but it is automatically renewed. Most of your users probably will never venture into these screens anyway, so this is mostly a non-issue.
Voltage is sold either on a per-seat or per-enterprise installation with pricing starting at $99 per user per year. This per-seat price drops for larger installations. There are free trials for up to five users and 14 days.
Overall, Voltage is showing its age and hasn’t kept up with the competitors: its screens are rather plain and while it covers a solid collection of encryption use cases, it is time for a major UI overhaul to bring it into the modern era.
Inky writes an end-to-end story
Inky was the sole end-to-end product in this review. It has five components: a separate desktop or mobile client that accesses various cloud-based servers running in AWS: a profile server (that provides encryption features), an identity server (which contains the private key database and certificate authority), a public key server, and the email verification server that replies with the encrypted email traffic.
All of those servers are operating outside of any user’s view: the only thing that is relevant is their endpoint client. Inky has assembled a solid encryption infrastructure -- but more importantly, it is an infrastructure that you don’t have to worry about, because your messages are protected end-to-end as they traverse the internet. They have a white paper that goes into the details of their cryptographic prowess (PDF) that convinced me that they know what they are doing. The product is based on S/MIME standards, and they have designed it without having to fuss about encryption certificates that have long hobbled its use in the past.
The way Inky works is that the client rides on top of your standard email account. So you can still make use of this account and whatever existing client (Outlook, webmailer, etc.) you have -- you just don’t get any encryption benefits from using your old client. For that, you will need to sign into the Inky client. On the desktop, this is somewhat inconvenient, because you are trading off the feature-rich things you are used to if you use Outlook, et al.
On a mobile device, it is somewhat at parity with the Google and Apple email clients, and here you can think of Inky as a better mobile device management tool when it comes to protecting your emails than what these vendors offer. Setting up your account is fairly painless: Inky has built-in routines to configure itself for Google, Microsoft Exchange, Office 365, Live and Outlook online, Yahoo, AOL, and iCloud email systems.