Who Actually Pays for Email Security? Across a Million Domains, Just 5.2% Run a Dedicated Gateway

Update — 2026-06-29: Refreshed against LLMSE's current index, now 1,052,674 domains with an identified mail provider (up from ~452,000 at first publication). The original post ranked enterprise email-security adoption across 26 industries (Law & Government 20.5% at the top, Gambling 2.6% at the bottom) and named the leading vendor in each sector. That per-industry ranking has been dropped: mail-provider indices are keyed by bare domain, while LLMSE's category indices are keyed by URL, so the two cannot be intersected read-only — the per-industry and provider-by-industry figures are not reproducible and several were artifacts of the smaller early sample. What remains fully reproducible is reframed here as the spine: overall gateway adoption (now 5.2%, down from a headline 8.1% as the denominator broadened) and the Proofpoint / Mimecast / Barracuda concentration (now 67% of the security tier). External DMARC-adoption and FBI Business Email Compromise loss data carry the threat context. The thesis is unchanged and sharper: a dedicated email-security layer is a small-minority product, not a web-wide default.

In 2024, Americans reported a record $16.6 billion in losses to the FBI's Internet Crime Complaint Center across 859,532 complaints — a 33% jump from the year before (2024 IC3 Annual Report). The single most expensive enterprise threat in that report arrives by email: Business Email Compromise accounted for roughly $2.77 billion of the total, the second-costliest crime category by dollar loss. Email is where the money leaves the building.

The defensive picture is thinner than the threat. Almost every domain on the web inherits whatever spam filtering its mail platform happens to ship with — Google Workspace and Microsoft 365 each include baseline filtering, hosting and registrar mailboxes include very little, and consumer webmail includes whatever the provider runs centrally. A dedicated email-security gateway — the layer that adds advanced threat protection, attachment sandboxing, impersonation detection, and URL rewriting on top of the mailbox — is a separate product, separately bought. The question this post answers is how many domains actually buy it.

We classified 1,052,674 domains in LLMSE's index by their mail provider, detected from MX (mail-exchanger) records, and grouped the providers into tiers by what they primarily do: managed business email, hosting/registrar mail, dedicated security gateways, transactional relays, and privacy-focused mailboxes. Provider market shares are aggregate cardinalities from the live index — no individual domain is identified.

Only 5.2% of domains route mail through a dedicated email-security gateway. The other 94.8% rely on the built-in filtering of a business, hosting, or consumer provider. And the gateway tier that does exist is highly concentrated: three vendors — Proofpoint, Mimecast, and Barracuda — hold 67% of it. The web's dedicated email defenses are not just sparse; they are owned by a handful of companies and bought by a well-resourced minority.

The Data

Every domain with a resolvable MX record is assigned to one mail provider, and providers are grouped into five tiers. The table is the full landscape across the 1.05 million domains with an identified provider.

Tier What it is Domains Share
Business email Google Workspace, Microsoft 365, Zoho Mail, Titan, Open-Xchange 606,027 57.6%
Hosting / registrar / other IONOS, OVH, GoDaddy, Namecheap, regional ISPs, consumer webmail, forwarding 361,786 34.4%
Enterprise security gateway Proofpoint, Mimecast, Barracuda, Cisco, Trend Micro, and 7 more 54,698 5.2%
Transactional / relay Amazon SES, Mailgun, MailChannels, SendGrid 16,368 1.6%
Privacy-focused ProtonMail, Fastmail, Tutanota, Mailbox.org 13,795 1.3%
Total 1,052,674 100%

Two structural facts shape everything below. First, business email is a near-duopoly: Google Workspace (299,017 domains) and Microsoft 365 (273,516) together account for 572,533 domains — 54.4% of every domain with an identified mail provider, split almost evenly (a 1.09-to-1 ratio in Google's favour). The broader provider market is covered in The Email Provider Duopoly. Second, the dedicated-security tier is the smallest tier that matters: at 5.2% it is larger than the privacy and transactional niches but an order of magnitude below the platforms whose filtering most domains silently depend on.

A domain landing in the business-email or hosting tier is not necessarily unprotected — Microsoft 365 and Google Workspace both ship competent default filtering, and Microsoft was named a Leader in the 2025 Gartner Magic Quadrant for Email Security on the strength of Defender for Office 365. But it has no dedicated gateway, and the MX record cannot tell us whether security add-ons sit behind the platform. The 5.2% figure measures the domains that route mail through a security product as their visible mail path, not the full population running some form of protection.

Methodology

This post makes quantitative claims about provider market structure, so the definitions and limits matter.

  • Detection. Mail providers are identified by matching a domain's MX records against a library of provider patterns. Each domain is attributed to a single provider; that provider's tier follows from the classification below.
  • Tier definitions. Enterprise security gateway = the twelve providers whose core product is inbound email threat protection: Proofpoint, Mimecast, Barracuda, SpamExperts, Hornetsecurity, MailProtect, Trend Micro, Cisco Secure Email, Sophos, Symantec Email Security, Forcepoint, and Fortinet. Business email = managed business-mailbox suites (Google Workspace, Microsoft 365, Zoho Mail, Titan, Open-Xchange). Privacy-focused = encrypted/privacy mailboxes (ProtonMail, Fastmail, Tutanota, Mailbox.org, and peers). Transactional / relay = bulk and API send services (Amazon SES, Mailgun, MailChannels, SendGrid, and peers). Hosting / registrar / other is the remainder: web hosts, registrars, regional ISPs, consumer webmail, and forwarding services.
  • Adoption rate. "Gateway adoption" = the security-gateway tier as a share of all 1,052,674 domains with an identified provider. "Vendor share" = a vendor's domain count as a share of the 54,698-domain gateway tier. All are ratios of live Redis cardinalities (ZCARD).
  • Keyspace — and why the per-industry ranking is gone. Mail-provider indices in LLMSE are keyed by bare domain (example.com), whereas category, grade, and server indices are keyed by URL. A set intersection (ZINTERCARD) between a mail-provider index and a category index therefore returns zero — the keys never match — so adoption by industry and vendor share by industry cannot be reproduced from the read-only index. The original post's per-industry table (Law & Government 20.5%, Health 14.1%, Gambling 2.6%) and its provider-by-sector claims depended on a one-time join that no longer reproduces; rather than carry forward numbers we cannot verify, we have dropped them. Provider market share (a pure cardinality ratio) is unaffected and fully reproducible.
  • Why these numbers differ from the original. The original matched 452,000 domains (those it could also tie to a website category) and reported an 8.1% security-gateway share. The current figure is computed over all 1,052,674 domains with an identified provider — a population that now includes far more hosting, registrar, regional-ISP, and consumer-webmail domains that almost never buy a gateway. That broader denominator pulls the rate down to 5.2% even though the absolute count of gateway domains rose from 36,598 to 54,698. The vendor mix shifted too: Proofpoint's within-tier share eased from 38.0% to 33.3% as detection of Mimecast, Barracuda, and the long tail improved.
  • Known limits. (1) An MX record names the mail path, not the security configuration — a Microsoft 365 domain may run a third-party add-on invisible to MX detection, so the gateway tier undercounts total protection. (2) Organisations that self-host or use custom routing may not map to a recognised provider. (3) The total is a sum of provider-tagged domains; a domain with MX records matching more than one provider can be counted more than once, so tier shares describe provider tags, not strictly unique domains. (4) Each domain counts once regardless of organisation size — a 50,000-employee enterprise and a one-person shop weigh equally.

The Scorecard

Plotting the five tiers against each other shows how lopsided the landscape is: managed business email and the hosting/registrar long tail account for 92% of all domains, and the dedicated-security layer is a sliver beside them.

Mail-provider tiers across 1.05M domains. Business email holds 57.6% and hosting/registrar 34.4%, while the dedicated enterprise security-gateway tier is just 5.2% — with transactional and privacy providers smaller still.

At 5.2%, dedicated email security is the exception, not the baseline. The shape is the headline: nine of ten domains live in the two tiers (business email, hosting) whose protection is whatever the platform includes by default, and only one in nineteen adds a purpose-built gateway in front of the mailbox. This is consistent with email security being sold as an enterprise line item — a budget, a procurement cycle, a compliance driver — rather than a default that ships with a domain. The sections below take apart the two findings that follow: who owns that thin security tier, and how the same scarcity shows up in the email-authentication records every domain could publish for free.

The Vendor Landscape: Three Names Own Two-Thirds of the Gateway Market

Inside the 54,698-domain security tier, the market is concentrated to a degree the broader web rarely is. The twelve gateway vendors, ranked by their share of the tier:

Vendor Domains Share of gateway tier
Proofpoint 18,197 33.3%
Mimecast 11,883 21.7%
Barracuda 6,638 12.1%
SpamExperts 4,082 7.5%
Hornetsecurity 3,739 6.8%
MailProtect 2,797 5.1%
Trend Micro 2,439 4.5%
Cisco Secure Email 2,281 4.2%
Sophos 1,529 2.8%
Symantec Email Security 625 1.1%
Forcepoint 303 0.6%
Fortinet 185 0.3%

Email-security gateway vendor share. Proofpoint leads the 54,698-domain tier at 33.3%, with Mimecast at 21.7% and Barracuda at 12.1% — the top three together holding 67% of the market.

Proofpoint, Mimecast, and Barracuda together hold 67.1% of every domain running a dedicated gateway (36,718 of 54,698). Proofpoint alone holds a third of the tier. The concentration is corroborated externally: in the 2025 Gartner Magic Quadrant for Email Security (published 1 December 2025, evaluating 14 vendors), Proofpoint was named a Leader and placed highest for Ability to Execute, while Microsoft — whose Defender sits inside the business-email tier, not the gateway tier — was also named a Leader. LLMSE's deployment data and the analyst view point the same way: a small group of incumbents anchors the dedicated-gateway market.

The long tail tells the second half of the story. Below the top three, no vendor exceeds 8% of the tier, and the bottom four (Symantec, Forcepoint, Fortinet, and Sophos) together account for under 5%. This is a market where deployment footprint is heavily front-loaded onto a few brands — a structural feature worth weighing against the resilience case, since three vendors' product, pricing, and platform decisions shape the email security posture of two-thirds of the protected web. The same concentration dynamic, measured across DNS, hosting, and mail layers, is quantified in the Infrastructure Concentration Index.

The Authentication Gap: A Lock on the Door, Rarely Turned

A dedicated gateway is one defence against email impersonation; email authentication is the other, and it is free. SPF, DKIM, and DMARC are DNS records that let receiving servers verify a message genuinely came from the domain it claims — the standards designed precisely to blunt the Business Email Compromise and spoofing attacks that drove the IC3's $2.77 billion BEC tally. Publishing them costs nothing but configuration time. Almost no one turns the lock.

DMARC deployment across 73.3M domains in December 2025. 83.9% have no DMARC record, 14.9% publish a policy, and only 2.5% enforce the strict p=reject policy that actually blocks spoofing.

Across 73.3 million domains analysed by Red Sift in December 2025, 83.9% had no DMARC record at all, just 14.9% published any policy, and only 2.5% — roughly 1.8 million domains — enforced the strict p=reject policy that actually blocks spoofed mail. A published p=none policy only monitors; it stops nothing. The enforcement gap is the point: of the minority that publish DMARC, most never advance to a policy that rejects forged messages. The same pattern appears in EasyDMARC's 2025 adoption report, which likewise finds enforcement-grade policies on a small fraction of domains.

The 2.5% authentication-enforcement figure and the 5.2% gateway-adoption figure are not the same measurement, but they rhyme: the web's two principal email defences — one paid, one free — are each deployed by a small minority, and the free one is enforced even more rarely than the paid one is bought. The one bright spot is directional rather than absolute. Red Sift attributes a recent uptick in DMARC adoption to the bulk-sender requirements Google, Yahoo, and Microsoft began enforcing in 2024, which made authentication a precondition for reliable inbox delivery. Where deliverability — not security — created the incentive, domains responded. That is the lever the next section returns to.

The Threat the Gap Leaves Open

The defensive scarcity sits opposite a threat the FBI describes in record terms. The 2024 IC3 report logged the highest annual losses in its 25-year history — $16.6 billion, up 33% year over year, with an average reported loss of $19,372 across the 256,256 complaints that carried a financial loss. Business Email Compromise, at roughly $2.77 billion, was the second-costliest category, and over the past decade BEC losses reported to IC3 total more than $17 billion. These are not phishing nuisances; they are wire-transfer and invoice-fraud losses that land on finance teams, and they arrive through exactly the channel most domains defend with platform defaults.

The structural mismatch is the story. A threat measured in tens of billions of dollars a year is met, on most of the web, by inherited filtering and an unconfigured DNS record. The 5.2% of domains that buy a gateway and the 2.5% that enforce DMARC are disproportionately the regulated, well-resourced organisations with security budgets and compliance mandates — the same profile that dominates the business-email and gateway tiers above. The exposure concentrates on everyone else: the hosting-and-registrar long tail, where neither a dedicated gateway nor an enforced authentication policy is the norm.

What's at Stake

  • A $16.6 billion threat met by default settings — most domains route mail through platforms whose filtering they never chose and cannot tune, against an attack class (BEC) the FBI puts at $2.77 billion a year. The mismatch between threat scale and dedicated defence is the core exposure.
  • Spoofing stays cheap while enforcement stays rare — with only 2.5% of domains enforcing DMARC p=reject, the vast majority remain trivially spoofable, so impersonation and BEC keep working on technically preventable vectors.
  • Concentration cuts both ways — three vendors holding 67% of the gateway tier means hardened, well-resourced defences for those who buy in, but also that a pricing change, an acquisition, or an outage at one incumbent ripples across most of the protected web. Barracuda's and Proofpoint's own histories of disclosed product vulnerabilities show the dedicated tier is not immune.
  • The protection gap is a long-tail problem — gateways and enforced authentication concentrate among regulated enterprises, leaving small businesses, hosting customers, and registrar mailboxes as the soft targets, precisely where security budgets and in-house expertise are thinnest.
  • Deliverability moves the needle where security alone did not — the one measurable uptick in DMARC came from Google/Yahoo/Microsoft bulk-sender mandates, evidence that authentication adoption responds to delivery incentives faster than to security warnings.

What Would Help

  1. Domain owners: publish and enforce DMARC before buying anything. SPF, DKIM, and a DMARC record advanced to p=reject cost nothing but configuration and are the highest-leverage step a small organisation can take — they close the spoofing vector that 83.9% of domains leave wide open. Start at monitoring (p=none), confirm legitimate mail passes, then escalate to enforcement.
  2. Small businesses and hosting customers: know that "we use Microsoft 365" is not a security posture. Platform defaults filter spam, not targeted BEC. If your domain handles invoices or payment instructions, evaluate either a dedicated gateway or your platform's paid threat-protection add-on — and verify it is actually enabled, not just licensed.
  3. Security and IT teams: separate the mailbox decision from the protection decision. The MX record shows most domains never made a deliberate protection choice. Treat email threat protection as its own line item with its own owner, rather than assuming the mail platform covers it.
  4. Platform and gateway vendors: make enforcement the default, not the upsell. The DMARC uptick from bulk-sender mandates shows defaults and preconditions move adoption where advice does not. Shipping authentication and basic threat protection as on-by-default — for the long tail, not just enterprise SKUs — would shrink the gap faster than any campaign.
  5. Researchers and journalists: use the open provider data, and mind the keyspace. Mail-provider market shares are reproducible from LLMSE's index as cardinality ratios; per-industry cross-references are not, because mail keys are bare-domain-keyed and category keys are URL-keyed. Build claims on what the index can actually intersect. The email provider market-share and infrastructure concentration analyses provide the broader context.

Explore the Data

Browse providers on LLMSE's mail provider index, or check the detected mail provider for any domain on its detail page. Advanced search supports filtering by provider — for example, mail:Proofpoint returns the domains in the gateway tier above. The REST API exposes the same classification data programmatically.


This analysis was conducted using LLMSE, which has classified over 3.4 million websites across SEO, EEAT, AEO, WCAG accessibility, readability, GARM brand safety, and privacy dimensions. Mail-provider figures reflect 1,052,674 domains with an identified provider in the index as of June 2026; external email-authentication and loss figures are sourced from Red Sift, EasyDMARC, Gartner, and the FBI IC3 as cited. To analyze your own site, visit llmse.ai/classify.