A new approach to cybersecurity
For Business → ProtectionGrid For Large Corporates → ProtectionGrid For Law Enforcement → Intelligence For Governments → Intelligence
Home / ProtectionGrid / HybridMail
HybridMail · Part of ProtectionGrid

Some mailboxes belong in the cloud.
Others don't.

HybridMail lets you distribute mailboxes flexibly between cloud services and your own infrastructure — under one domain, one identity, one policy. Sovereignty where it matters. Convenience everywhere else.

See pricing See the architecture →
The dilemma

Cloud or on-premise? Both. Without compromise.

Most providers force a binary choice. Either everything moves to Microsoft 365 or Google Workspace, or you keep running your own mail servers. Neither is right for most businesses.

Pure Cloud

Convenient. But not for everyone.

Microsoft 365 and Google Workspace work brilliantly for the majority of users — easy admin, mobile-first, integrated calendars. But for some mailboxes, the cloud isn't the right answer.

  • Sensitive data subject to US jurisdiction (CLOUD Act)
  • Limited control over storage location and processing
  • Compliance gaps for regulated industries (DORA, finance, public sector)
  • Vendor lock-in once everything depends on one provider
Pure On-Premise

Sovereign. But operationally heavy.

Running your own mail infrastructure gives you full control — physical, legal, technical. But for mailboxes that don't actually need that level of sovereignty, it's a costly overhead.

  • High operational burden — patching, monitoring, scaling
  • Mobile and remote work harder to support
  • Modern collaboration features missing or expensive to add
  • Costs disproportionate for non-sensitive mailboxes

HybridMail is the third option.

One domain. Some mailboxes in the cloud, others on your own infrastructure. Same address book, same policies, same identiqa portal. The user can't even tell where their mailbox lives.

How it works

One domain. Two destinations.

HybridMail acts as an intelligent mail router. Every inbound message hits one address — we route it to the right destination based on policy. Outbound mail looks unified to the world.

@yourcompany.com
Inbound mail
identiqa
HybridMail Router

Powered by Aura AI · Spam, phishing & DLP filtering applied to every message before routing

if user.dept = "Legal" → on-prem if user.role = "C-Level" → on-prem else → cloud
Routed by policy
Cloud
Microsoft 365 / Google Workspace

Standard mailboxes for the majority of users — convenience, mobile, collaboration.

sales@yourcompany.comCloud
marketing@yourcompany.comCloud
support@yourcompany.comCloud
On-Premise
Your own infrastructure

Sensitive mailboxes that must remain under your direct control — sovereignty, jurisdiction, compliance.

ceo@yourcompany.comOn-prem
legal@yourcompany.comOn-prem
research@yourcompany.comOn-prem
Who needs HybridMail

Where the cloud isn't enough.

Most businesses have at least some mailboxes that shouldn't sit in a US-controlled cloud. Here's where HybridMail makes the biggest difference.

Regulated industries

Financial services & insurance

DORA, MaRisk, BaFin, BAIT — financial regulators require demonstrable control over sensitive communications. Keep partner correspondence and customer data on-prem, while regular operations run in the cloud.

Typical split 15–25% on-prem
Critical infrastructure

Public sector & KRITIS

Federal agencies, energy operators, healthcare providers, water utilities — NIS2 and national rules require European data sovereignty for critical communications. HybridMail keeps sensitive mailboxes under jurisdiction.

Typical split 40–60% on-prem
IP-sensitive sectors

Research & manufacturing

R&D, pharma, defense, advanced manufacturing — communications around patents, IP, and trade secrets shouldn't transit foreign clouds. Keep R&D and exec mailboxes on-prem, sales and support in the cloud.

Typical split 10–20% on-prem
HybridMail features

Hybrid by design. Simple by promise.

1

Policy-based routing

Define rules by department, role, security clearance, or individual mailbox. The router decides per message where it lives — invisible to senders and recipients.

2

One identity, two locations

Users keep one address, one calendar, one address book. Whether the mailbox is in M365 or on your own server, the experience is identical. No second login, no separate client.

3

MailShield always in front

Every message — to cloud or on-prem — is filtered by Aura AI for spam, phishing, malware and DLP before delivery. Same protection, same dashboard, same evidence trail across both worlds.

Pricing

Pay for what you actually need to host.

HybridMail pricing scales with the mailboxes you keep on-premise — cloud-resident mailboxes are covered by your existing M365/Workspace license. Includes MailShield protection across both worlds.

Core
€59/mo
Up to 10 on-premise mailboxes. Ideal for small teams keeping just leadership communications sovereign.
Get started
  • Up to 10 on-prem mailboxes
  • Unlimited cloud mailboxes
  • Policy-based routing engine
  • MailShield protection (Core tier)
  • Microsoft 365 + Google Workspace support
Most popular
Pro
€129/mo
Up to 50 on-premise mailboxes. For mid-market businesses with whole departments staying sovereign.
Get started
  • Up to 50 on-prem mailboxes
  • Unlimited cloud mailboxes
  • Advanced routing rules (department, role, geo)
  • MailShield Pro (DLP + Aura AI)
  • Quarantine management across cloud and on-prem
  • Migration support for existing servers
Premium
On request
Unlimited on-premise scale. For regulated industries and large corporates with full sovereignty requirements.
Book a consultation
  • Unlimited on-prem mailboxes
  • Multi-region routing (EU + UK + UAE)
  • MailShield Premium (SIEM integration)
  • Custom routing logic via API
  • SLA with guaranteed response time
  • Dedicated migration team
FAQ

Good to know. Before you decide.

Do my users notice which mailbox lives where?
No. HybridMail is designed so that users see one unified email address, one calendar, one address book. Mailboxes can move between cloud and on-prem without the user being aware — the routing happens at the infrastructure layer. For users with on-prem mailboxes, normal modern clients (Outlook, Apple Mail, Thunderbird, mobile apps) work without modification.
What does "on-premise" mean in practice — do I need to run my own server?
You have three options. (1) Run your existing on-prem mail server (Exchange, Postfix, Zimbra, Kerio etc.) and let HybridMail route to it. (2) Use identiqa-hosted sovereign mailboxes in EU data centres under your control — we operate the infrastructure but the data stays in your jurisdiction. (3) Hybrid setup with both. Most customers start with option 2 because it removes operational burden while preserving sovereignty.
How is HybridMail different from Microsoft 365 hybrid mode?
Microsoft's "hybrid" connects on-prem Exchange to Exchange Online — but the on-prem side has to be Exchange, and Microsoft sees all traffic. HybridMail is provider-agnostic: you can mix M365 with Postfix, Google Workspace with Zimbra, or any combination. The router and filtering layer is independent — your on-prem mail never transits Microsoft or Google infrastructure.
Can I migrate gradually, or does it require a big-bang switch?
Gradual migration is the norm. Most customers start by routing all mail through HybridMail (one MX change), keeping every mailbox where it currently lives. Then they move individual mailboxes between cloud and on-prem as needed — using the routing engine to flip them with no downtime. There's no need to migrate everything at once.
How does this affect compliance — DORA, NIS2, GDPR?
HybridMail is specifically designed for regulated environments. On-prem mailboxes give you demonstrable control over storage location, processing jurisdiction, and access — meeting requirements that pure-cloud setups struggle with (especially DORA's third-party risk requirements and CLOUD Act exposure). Audit logs cover both the routing layer and individual mailbox access. We work directly with your compliance team during onboarding.
Where are identiqa-hosted on-prem mailboxes located?
We operate sovereign infrastructure in our own data centres in Germany, Ireland, Portugal and Cyprus — fully under EU jurisdiction. Customers can choose specific regions, and high-security customers can opt for single-tenant deployments. The infrastructure runs on our own hardware in colocation, never on third-party cloud platforms (no AWS, no Azure, no GCP).
Does HybridMail include MailShield, or do I need both?
MailShield protection is included in every HybridMail tier — Core includes MailShield Core, Pro includes MailShield Pro (with DLP and Aura AI), Premium includes MailShield Premium (with SIEM integration). You don't need a separate MailShield subscription if you're on HybridMail.
Modular protection

Cybersecurity isn't a single product. It's a system.

Combine the modules that fit your IT landscape. Existing customers automatically receive additional discounts.

MailShield
AI-powered email security — included in every HybridMail tier, also available standalone.
From €79/mo
SecureDomain
AI-powered protection for your domains and DNS records — including email signing.
From €7/mo
WebShield
The firewall for your websites and online shops.
From €79/mo
AppShield
Makes your internal applications invisible on the internet — access only for authorized users.
From €49/mo
WebAuth
Secures your employees' logins against the most common attack vector.
From €9/mo
All modules
See the complete ProtectionGrid: six modules, one platform, one login.
View all →
Free consultation

Talk through your architecture.

HybridMail rollouts are highly individual — what should stay sovereign, what can move to the cloud, how to migrate without disruption. Leave your details and our architecture team will get back to you within 2 hours for a real conversation about your specific setup.

500+
customers worldwide
< 2h
response time

Get in touch

By submitting this form, you agree to our privacy policy. We'll get back to you within 2 hours during business hours.

500+
customers
CISO as a Service
Cybersecurity is a CEO topic. But not your full-time job.
Your dedicated CISO takes over: strategy, implementation, ongoing oversight. You focus on your business — we secure it.
Request CISO → See services