When you email a mid-market company on Google Workspace, your message meets Gmail's filter. When you email a bank, a hospital network, or a Fortune-scale manufacturer, it usually meets something else first: a secure email gateway (SEG) that sits in front of the mailbox provider entirely. The gateway's job is to assume you are an attacker until proven otherwise — and cold email looks a lot like the things it was built to stop.
This layer is growing fast. As of the 2026-07-05 snapshot of our daily Tranco top-1M scan, Proofpoint is the primary MX for 1.91% of domains with MX, up from 0.86% in 2022 — more than doubling in four years. Mimecast grew from 1.03% to 1.53% over the same period. Small percentages of a million domains, but these are not random domains: they skew heavily toward exactly the large, regulated organisations enterprise sellers target.
The gateway build-out, charted
The trend matters more than the level: enterprises are consolidating their inbound perimeter onto dedicated security vendors rather than relying on Microsoft's or Google's built-in filtering alone. Our analysis of the enterprise perimeter shift covers the market side; here we focus on what it does to your sequences.
How a gateway judges your cold email
1. Reputation scoring before content
Gateways maintain their own sender-reputation graphs across their whole customer base. A domain that suddenly appears and emails forty of a vendor's customers in one morning gets flagged network-wide — something no single-tenant filter can see. Young domains, freshly rotated IPs, and burst-pattern volume are all scored before a single word of your copy is read.
2. URL rewriting and sandboxing
Every link in your email is rewritten to pass through the vendor's click-time scanner (Proofpoint URL Defense, Mimecast URL Protect). Consequences for you: the scanner "clicks" your links to inspect the destination, so your sequencer records phantom clicks; and redirect-chain trackers — the standard open/click machinery of every outreach tool — look exactly like the obfuscation phishers use, which costs you score.
3. Attachment detonation
Attachments are opened in a sandbox before delivery. Even clean PDFs add latency and risk quarantine. On a first touch to a gateway-fronted domain, attachments are pure downside — link to a hosted page instead, or better, send nothing but text.
Spotting a gateway before you send
The gateway announces itself in DNS. One lookup:
$ dig +short MX enterprise-prospect.com
10 mxa-00123456.gslb.pphosted.com.
10 mxb-00123456.gslb.pphosted.com.pphosted.com is Proofpoint; *.mimecast.com is Mimecast. Other patterns in our 310+ MX classification rules cover Barracuda, Cisco, Fortinet and more — the full provider breakdown is in the daily email infrastructure report. Tag these domains in your CRM as a distinct segment; they need different treatment and different expectations. The general MX-checking workflow is in our pre-send MX guide.
The gateway playbook
- Send from an aged, consistent domain. Gateway reputation is cross-customer and slow-moving. A domain with months of clean, steady sending beats any copywriting trick.
- Strip the tracking. No open pixel, no click-redirect wrappers, ideally no links at all on the first touch. If you must link, link once, to your root domain, in plain text.
- No attachments on touch one. Ever.
- Throttle per organisation. Gateways see all mail to all their customers. Hitting one company's whole buying committee in an hour is a pattern; three people over a week is a conversation.
- Measure replies, not opens. Scanner activity inflates clicks and pixel-blocking kills opens. For gateway segments, reply rate is the only trustworthy metric.
A gateway rarely bounces cold email — it quarantines. Your sequencer shows "delivered," the prospect sees nothing, and you conclude your copy is bad. Before rewriting a sequence that underperforms at enterprise domains, verify placement: run a test against seed mailboxes behind real filtering stacks and see which folder — if any — your email actually reaches.