I resolved the public MX records for 2,584 SEC EDGAR-linked entities in CipherCue's database and matched each MX hostname against a vendor rule dictionary. The Microsoft 365 share was unsurprising. The gateway market was not.
Among the 1,877 entities with an identified MX vendor, the secure email gateway category (the layer that sits in front of a mailbox provider) is dominated by two companies. Of the 888 non-mailbox MX matches in the data, Proofpoint and Mimecast account for 812 of them, or 91.4%. If you narrow further to the three largest pure secure email gateway vendors (Proofpoint, Mimecast, Cisco), the figure is 92.4%.
91.4% of secure-email-gateway MX matches across SEC-linked companies are Proofpoint or Mimecast (812 of 888 non-mailbox MX matches; 92.4% if narrowed to the three largest pure gateway vendors)
Microsoft is the biggest single vendor at the MX layer (43.6% of identified entities), which is what you would expect. The interesting finding is what the data shows about the choice not to depend on your mailbox vendor for filtering. In the SEC-linked cohort, that choice resolves to one of two companies more than nine times out of ten.
How the matching works
The matching is intentionally simple: suffix rules over MX hostnames. For example, *.mail.protection.outlook.com maps to Microsoft 365 and *.pphosted.com maps to Proofpoint. This avoids guessing from opaque signals, but it also means the counts are conservative: anything hidden behind a gateway or not in the rule dictionary is not attributed.
The cohort is 2,584 SEC EDGAR entities in CipherCue's database with a CIK and an associated apex domain. Of those, 1,877 (72.6%) have at least one MX hostname matching a vendor in the dictionary. The remaining 707 either returned no resolvable MX records, had MX records pointing to vendors not in the dictionary, or have not been resolved in the current observation window (2026-05-03 to 2026-06-09).
The matcher considers every MX hostname returned for the apex, not only the lowest-priority record. So when a domain lists more than one vendor on its MX, each is counted. 21 entities (1.1% of the identified set) match more than one vendor, which is why share columns sum to slightly over 100%. The deduplicated entity-level top-three share is 86.2%.
The full vendor distribution
818
Microsoft
43.6%
mailbox
523
Proofpoint
27.9%
gateway
289
Mimecast
15.4%
gateway
44
Barracuda
2.3%
security
Mailbox platforms Proofpoint & Mimecast Other email security
| Vendor | Category | Entities | Share of identified | Cumulative |
|---|---|---|---|---|
| Microsoft | Mailbox platform | 818 | 43.6% | 43.6% |
| Proofpoint | Gateway | 523 | 27.9% | 71.4% |
| Mimecast | Gateway | 289 | 15.4% | 86.8% |
| Mailbox platform | 149 | 7.9% | 94.8% | |
| Cisco | Gateway | 67 | 3.6% | 98.3% |
| Barracuda | Email security | 44 | 2.3% | 100.7% |
| Fortinet | Email security | 3 | 0.2% | 100.9% |
| Sophos | Email security | 3 | 0.2% | 101.0% |
| Trellix | Email security | 3 | 0.2% | 101.2% |
Isolating the gateway market
The headline Microsoft share doesn't tell you much. Microsoft 365 has been the default mailbox platform for large US organisations for years, and a dominant mailbox vendor isn't a surprising finding. What's more interesting is what the data shows when you remove the mailbox platforms entirely and look only at the layer designed to sit in front of them.
Two of the top six vendors are mailbox platforms: Microsoft 365 and Google Workspace. The other four are email-security or gateway vendors: Proofpoint, Mimecast, Cisco, and Barracuda. Below the top six, the residual long tail (Fortinet, Sophos, Trellix) totals nine entities across the whole cohort.
If you take all non-mailbox MX matches as the denominator (Proofpoint 523, Mimecast 289, Cisco 67, Barracuda 44, plus Fortinet, Sophos, and Trellix at 3 each, totalling 932) then Proofpoint and Mimecast account for 812, or 87.1%. If you exclude Barracuda (which is closer to a mailbox-included email security product than a pure gateway) and the long-tail Others, the denominator narrows to 879, and the combined Proofpoint + Mimecast share rises to 92.4%.
| Denominator definition | Vendors included | Total matches | Proofpoint + Mimecast | Share |
|---|---|---|---|---|
| All non-mailbox MX matches | Proofpoint, Mimecast, Cisco, Barracuda, Others | 932 | 812 | 87.1% |
| Non-mailbox excluding Barracuda | Proofpoint, Mimecast, Cisco, Others | 888 | 812 | 91.4% |
| Three largest pure gateway vendors | Proofpoint, Mimecast, Cisco | 879 | 812 | 92.4% |
The duopoly framing holds regardless of where you draw the category boundary. The buyer who chooses an MX-visible secure email gateway in this cohort is making a choice between two products around nine times out of ten.
The gateway market looks different from the rest of the internet
The same MX measurement applied to CipherCue's broader tracked population of 7,566 entities, which skews towards SMB and private companies, produces a noticeably different distribution.
| Vendor | SEC-linked cohort | Broader tracked population |
|---|---|---|
| Microsoft | 43.6% | 59.5% |
| Proofpoint | 27.9% | 13.7% |
| Mimecast | 15.4% | 8.9% |
| 7.9% | 11.5% | |
| Barracuda | 2.3% | 5.2% |
| Cisco | 3.6% | 1.6% |
Proofpoint's share roughly doubles in the SEC-linked cohort. Mimecast's roughly doubles. Microsoft drops by about a third. Google and Barracuda shrink. The gateway duopoly is concentrated in larger, more regulated organisations, not the whole internet.
This is a directional comparison: the broader tracked population is not a random sample of internet domains, so it shouldn't be read as a global market measurement. But the direction is consistent with the way Proofpoint and Mimecast actually sell. Both have been enterprise-priced products with public-company-style buying motions for over a decade. The data shows where they have ended up.
What it means in practice
For a security or IT team at an SEC-linked organisation, the takeaway is concrete: at the public MX layer, your peer group's "independent email security" choice is heavily concentrated in two vendors. Buying a secure email gateway is, at a market-structure level, a binary decision.
That has two practical implications.
First, vendor incidents in this category are not idiosyncratic. When an incident affects Proofpoint or Mimecast, it affects a large share of US public-company email at the same time. Three reference points from the public record:
Mimecast · January 2021
A sophisticated threat actor, later linked to the SolarWinds intrusion, compromised a certificate used by some customers to authenticate the Mimecast Sync and Recover product to Microsoft 365 tenants. Documented in Mimecast's own incident updates.
Proofpoint · 2024
Misconfigurations in Proofpoint's hosted email relay were abused to send large volumes of spoofed messages from customer domains. Reported by Guardio Labs as EchoSpoofing.
Microsoft · January 2024
Microsoft disclosed that Midnight Blizzard had compromised senior leadership email accounts in its corporate tenant. CISA subsequently issued Emergency Directive 24-02. Included for completeness on the mailbox side.
The mechanics and customer impact were different in each case. None is evidence that any of the three vendors is uniquely insecure. The point is structural: when the market is this concentrated, the vendor layer is a shared dependency, and an incident at one of the top two gateway vendors is a US-public-company event by default.
Second, the layer below the gateway is also concentrated. The Microsoft mailbox share is at least 43.6% (the figure visible at MX), and is likely higher because Microsoft can sit behind a Proofpoint or Mimecast gateway invisibly. So the practical stack for a large share of SEC-linked organisations is "Microsoft mailbox, behind one of Proofpoint or Mimecast." Two vendors at the gateway layer plus one dominant mailbox vendor is a thinner combinatorial space than the size of the email security market would suggest.
Checks you can run on your own domain
If you work in security or IT at one of these organisations, the measurement above takes about 10 minutes to reproduce for your apex domain.
- Pull the MX records (
dig MX example.com) and identify your vendor from the hostname suffix. - If your MX points to Proofpoint or Mimecast, identify the mailbox platform behind the gateway from your internal routing config. The MX layer hides this.
- If your MX points directly to Microsoft but you expected a third-party gateway in front of it, verify the routing path. Either the gateway has been removed or it is not visible from public DNS.
- Pull the DMARC record (
dig TXT _dmarc.example.com) and the SPF record. Compare therua=destination and SPF includes against your MX vendor. If monitoring, outbound sending, and inbound filtering all terminate at the same vendor, that is a shared dependency worth documenting. - Map your vendor's last five years of public incidents against your configuration as it stands today. The question is not "is this vendor secure?" but "which of these incidents would have reached us?"
What sits above the MX layer
The DMARC reporting destination (the rua= address in a DMARC TXT record) and the SPF include list show a different vendor concentration: who handles deliverability, monitoring, and outbound mail authorisation. These vendors do not appear on MX records.
| Vendor | SEC entities observed (SPF or DMARC layer) |
|---|---|
| Salesforce | 382 |
| Amazon (SES) | 180 |
| dmarcian | 158 |
| DMARC Analyzer | 156 |
| Mailchimp | 154 |
| Twilio (SendGrid) | 127 |
| Fortra (PhishLabs / Agari) | 36 |
The DMARC monitoring layer is split mainly between dmarcian and DMARC Analyzer. The transactional / outbound layer is dominated by Salesforce Marketing Cloud, Amazon SES, Mailchimp, and SendGrid. These are different vendors from the MX-layer concentration, and the concentration is materially weaker.
Method note
Cohort: 2,584 entities tagged with a SEC EDGAR CIK and an associated apex domain in CipherCue's database as of 2026-06-09. CIK assignment alone does not prove the entity is a currently listed US operating company; SEC EDGAR includes a broader set of filers including former issuers, investment vehicles, and non-US issuers that file with the SEC. The cohort skews toward public-company and SEC-reporting infrastructure, but should not be read as a complete census of currently listed US operating companies unless additional listing filters are applied.
MX vendor matching: Each entity's apex domain MX hostnames were resolved using public DNS. Each MX hostname returned was matched against CipherCue's vendor rule dictionary (suffix rules over MX hostnames, for example *.mail.protection.outlook.com for Microsoft 365, *.pphosted.com for Proofpoint). The matcher considers all MX hostnames returned for the apex, not only the lowest-priority record, so when a domain lists multiple vendors on its MX, each is counted. An entity is counted once per matched vendor. 21 entities (1.1% of the identified set) match more than one vendor, which is why share columns sum to slightly over 100%. The rule dictionary approach is deliberately auditable: each vendor attribution should be explainable by a hostname suffix match rather than a model inference.
Coverage: 1,877 of 2,584 SEC-linked entities (72.6%) have at least one MX hostname matching a vendor in the dictionary. The remaining 707 either returned no MX, had MX records pointing to vendors not in the dictionary, or have not been resolved in the current window. This is a snapshot, not a longitudinal aggregate.
Snapshot window: MX observations between 2026-05-03 and 2026-06-09.
What this measurement does and does not capture: An MX match identifies the vendor at the MX layer only. It does not identify integrated cloud email security (ICES) layers that sit in front of a mailbox (for example, Abnormal, Sublime, Material), nor does it identify the mailbox product behind a third-party gateway. The share figures should be read as the floor of vendor concentration at the public MX layer, not a measurement of the full email security stack.
Gateway calculation: The 91.4% figure uses all non-mailbox MX matches except Barracuda: Proofpoint (523) + Mimecast (289) + Cisco (67) + Fortinet (3) + Sophos (3) + Trellix (3) = 888. 812 of 888 = 91.4%. The 87.1% figure includes Barracuda in the denominator: 932 total, 812 / 932 = 87.1%. The 92.4% figure narrows to the three largest pure secure email gateway vendors visible in the MX data: Proofpoint (523) + Mimecast (289) + Cisco (67) = 879. 812 of 879 = 92.4%. Barracuda's classification is the judgement call: it sells a hosted mailbox product alongside its email security product, so reasonable analysts would put it in either bucket.
Comparative population: The "Broader tracked population" column draws on all CipherCue entities with an identified MX vendor (7,566 entities) as of the same snapshot window. This population is not a random sample; it is the entities CipherCue tracks, which skews towards companies that have appeared in a public signal (breach filing, KEV-affected stack, SEC 8-K, ICO action). It should be treated as directional, not a global market measurement.
External references: CISA Emergency Directive 24-02 (April 2024), Mimecast incident disclosures (January 2021), Guardio Labs report on EchoSpoofing / Proofpoint relay abuse (July 2024). Cited as named-vendor incidents with public primary sources, not as proof of any specific systemic risk.
Reproducibility: The SEC EDGAR CIK list is public (the EDGAR company facts dataset). MX records are public. Any researcher with access to the EDGAR company list and a DNS resolver can replicate the cohort and the vendor counts.
Applying this to another cohort
CipherCue tracks MX, SPF, DMARC, TLS, headers, breach filings, and other external observations across tracked entities. The same method can be applied to a portfolio, sector list, supplier list, or competitor set.
To apply this analysis to a specific cohort, request a demo.