You can tell a lot about an organisation's security posture from one DNS query. When dig MX company.com returns a hostname under pphosted.com or mimecast.com, it means the company has inserted a commercial secure email gateway (SEG) in front of its mailboxes: every inbound message is accepted, scanned, sandboxed, and scored by the gateway before Microsoft 365, Google Workspace, or an on-premises server ever sees it. Our daily email infrastructure report tracks exactly this signal across the Tranco top-1M, and the trend since 2022 is unambiguous: the gateway layer is consolidating, fast.
The numbers: gateways outgrowing the market
As of the 2026-07-05 snapshot, Proofpoint sits in the MX of 1.91% of top-1M domains that publish MX records, up from 0.86% in 2022 — the share has roughly doubled, a gain of just over a percentage point in four years. Mimecast grew from 1.03% to 1.53% over the same window. Those percentages sound small until you remember the denominator: the scan covers 664,715 MX-publishing domains, and each percentage point is thousands of organisations — skewed, by the nature of the product, toward exactly the large enterprises attackers most want to reach.
For context, this growth is happening while the mailbox layer itself consolidates behind Google and Microsoft — a dynamic we cover in our analysis of Microsoft's enterprise pull. The two trends are related: as enterprises standardise on Microsoft 365, many simultaneously decide that the built-in filtering is not enough for their threat model and layer a dedicated gateway on top. The MX record shows the gateway; the mailbox platform behind it becomes invisible to DNS.
What a gateway in the MX actually changes
Architecturally, a SEG deployment rewires the inbound path. The MX points at the vendor's infrastructure; the gateway terminates the SMTP session, applies its full inspection stack, and only then relays accepted mail onward to the real mailbox provider. In practice that means:
- The gateway's verdict comes first and is often final. Reputation scoring of the sending IP and domain, authentication evaluation, content analysis, attachment detonation, and URL rewriting or sandboxing all happen before mailbox-level filtering. Mail rejected here never appears in any user-visible spam folder.
- Policy is centralised and administrator-owned. Unlike consumer-grade filtering that adapts to individual user behaviour, gateway policy is organisation-wide: blocklists, allowlists, impersonation rules, and quarantine handling are set by the security team.
- The perimeter is now a third party. Availability, filtering quality, and incident response for your inbound mail depend on the vendor. That is mostly the point — but it also means a vendor-side outage, misclassification wave, or breach has an organisation-wide blast radius, multiplied across every customer sharing the platform.
The same MX lookup that tells a defender "this company runs Proofpoint" tells an attacker which filter stack their phishing payload must evade — and tells a sales team which security budget exists. Gateway hostnames in MX are among the loudest infrastructure signals in public DNS, and they cannot be hidden.
What consolidation means for administrators
If you are on the defending side, the growth curve carries a few practical implications:
- Monoculture risk is real but usually acceptable. When a large share of enterprise mail flows through two vendors, a filtering blind spot or parsing vulnerability in one of them is simultaneously exploitable across thousands of organisations. Layered controls behind the gateway — mailbox-level detection, user reporting, post-delivery retraction — stop being optional.
- Your DMARC programme still matters. A gateway protects inbound mail; it does nothing to stop others spoofing your domain toward third parties. Gateway customers still need enforcement-grade outbound authentication — see the p=none problem that affects half the DMARC-publishing top million.
- Audit the bypass paths. The classic SEG failure mode is not the filter — it is mail that reaches the mailbox provider directly, skipping the gateway, because the provider's inbound endpoints were never locked down to accept mail only from the gateway. The MX advertises the front door; make sure the side door is closed.
And for legitimate senders
For anyone sending to enterprises — vendors, SaaS notification streams, sales teams — the growing gateway share changes the deliverability calculus. Gateways weight sender reputation and authentication heavily, evaluate URLs aggressively, and give you no feedback loop: there is no "spam folder" signal, just silence or a bounce. We cover the sender-side playbook in our guide to selling into gateway-protected enterprises. The short version: pristine authentication, consistent sending infrastructure, and conservative content are not best practices here — they are the entry ticket.
We publish the Proofpoint and Mimecast MX shares daily, alongside every other provider we classify, in the machine-readable daily dataset. If the perimeter keeps consolidating, the curve will keep showing it.