I am trying to convince management to subscribe to a well known antispam hosted service, instead of doing it inhouse on our servers, and would need advice/arguments on this issue.
They are concerned about the confidentiality of the documents being sent/received with their clients by email. Their argument is that they do not want somebody or a service to have possible access to the emails/documents when they are sent between the client email server and ours.
The arguments I was planning to give them, which I would like to verify with you here, would be the following:
1) Internet email is presently unsecured email, unless you apply some sort of encryption to its contents.
2) The path taken by an email sent from a client email server to ours is not "direct". It will have to go through a certain number of hops (routers and servers) in order to reach us. (ex: tracert gives 14 hops to go from our server to a @yahoo.com email server).
3) The antispam service we would be subscribing to is simply one additionnal hop in the series of hops followed by the message.
4) Traffic "sniffing", in theory, could be done in any of the locations which manage one of the routers/networks involved in the hop along the route, by someone with wrong intentions and proper access to the equipement/network environement.
5) If previous argument (4) is true, and confidentiality is really important on some documents, then encryption should be applied to these.
Are these arguments valid ?
Thanks for your help and comments.