Email Security Adoption by Industry: Who Uses Enterprise-Grade Mail Protection?
The FBI reported $2.77 billion in Business Email Compromise losses in 2024. Over 82% of phishing emails now contain AI-generated content. Yet only 4% of the world's top 10 million domains enforce DMARC at the strictest level, and the email security market remains fragmented across providers, tiers, and industries.
We cross-referenced 451,952 domains from LLMSE's mail provider database against website category classifications to answer a question nobody has answered at this scale: which industries actually use enterprise-grade email security — and which ones don't?
The headline finding: only 8.1% of domains use enterprise email security products like Proofpoint, Mimecast, or Barracuda. Law and government leads adoption at 20.5%. Gambling trails at 2.6%. The 8x gap between the most and least protected industries reveals exactly where email-borne threats find their easiest targets.
The Data
We analyzed 475,529 domains with identified mail providers, matching 451,952 (95.0%) to LLMSE website categories. Mail providers were classified into five tiers:
| Tier | Examples | Domains | Share |
|---|---|---|---|
| Business Standard | Google Workspace, Microsoft 365, Zoho Mail | 309,941 | 68.6% |
| Budget/Hosting | GoDaddy, Namecheap, Hostinger, OVH, IONOS | 52,910 | 11.7% |
| Other | Regional providers, forwarding services, etc. | 39,978 | 8.8% |
| Enterprise Security | Proofpoint, Mimecast, Barracuda, Cisco, Trend Micro | 36,598 | 8.1% |
| Transactional | Amazon SES, Mailgun, SendGrid | 7,062 | 1.6% |
| Privacy-Focused | ProtonMail, Fastmail, Tutanota | 5,463 | 1.2% |
Three numbers stand out immediately:
- 68.6% of domains rely on Business Standard email — Google Workspace and Microsoft 365 provide baseline spam filtering but no dedicated threat protection layer.
- Only 8.1% use enterprise security email, which includes advanced threat protection, sandboxing, impersonation detection, and URL rewriting.
- 11.7% use budget hosting email with minimal security capabilities — these are the most exposed domains on the web.
Enterprise Security Adoption by Industry
The 8.1% average masks dramatic variation across industries. Here's how 26 categories rank on enterprise email security adoption:
| Rank | Category | Domains | EntSec | Rate |
|---|---|---|---|---|
| 1 | Law and Government | 6,286 | 1,291 | 20.5% |
| 2 | Health | 16,478 | 2,321 | 14.1% |
| 3 | Finance | 5,779 | 797 | 13.8% |
| 4 | Automotive | 12,742 | 1,387 | 10.9% |
| 5 | Business and Industry | 132,427 | 13,066 | 9.9% |
| 6 | Food and Drink | 13,678 | 1,330 | 9.7% |
| 7 | Attractions | 6,438 | 628 | 9.8% |
| 8 | Travel | 7,562 | 690 | 9.1% |
| 9 | Education | 21,439 | 1,741 | 8.1% |
| 10 | Sports | 7,201 | 568 | 7.9% |
| 11 | News and Media | 15,501 | 1,213 | 7.8% |
| 12 | Events | 8,299 | 606 | 7.3% |
| 13 | Shopping | 17,626 | 1,150 | 6.5% |
| 14 | Entertainment | 24,867 | 1,521 | 6.1% |
| 15 | Internet and Telecom | 5,889 | 352 | 6.0% |
| — | Average | — | — | 8.1% |
| 16 | Beauty and Fitness | 12,005 | 809 | 6.7% |
| 17 | Arts and Entertainment | 23,437 | 1,323 | 5.6% |
| 18 | Style and Fashion | 4,726 | 246 | 5.2% |
| 19 | Music | 3,921 | 165 | 4.2% |
| 20 | Computer and Electronics | 29,466 | 899 | 3.1% |
| 21 | Games | 6,518 | 193 | 3.0% |
| 22 | Gambling | 10,206 | 263 | 2.6% |
The pattern is clear: regulated industries with compliance obligations lead adoption; consumer-facing and creative industries trail. Law and government, health, and finance — all sectors subject to data protection mandates, breach notification requirements, and regulatory oversight — occupy the top three positions. Gambling, despite handling financial transactions, sits at the bottom.
The Top Three: Why They Lead
Law and Government (20.5%)
Government domains deploy enterprise email security at 2.5x the web average. The subcategory breakdown reveals why:
| Subcategory | Domains | EntSec Rate |
|---|---|---|
| Government | 2,202 | 30.8% |
| Law Firms | 320 | 29.7% |
| Personal Injury Law | 374 | 22.5% |
| Legal Services | 597 | 15.1% |
| Law | 1,569 | 13.8% |
Government agencies lead at 30.8% — nearly one in three government domains uses enterprise email protection. Barracuda leads in government (216 domains), reflecting its historically strong public sector presence through FedRAMP authorization and government-specific product offerings. Proofpoint follows closely (213 domains), with Mimecast third (114 domains).
Law firms match government at 29.7%, driven by client confidentiality obligations and professional liability exposure. Mimecast dominates in law firms (64 domains) — its archiving and compliance features align with legal industry requirements for email retention and e-discovery.
Health (14.1%)
Healthcare's 14.1% enterprise security adoption rate is nearly double the web average — but still alarmingly low given the sensitivity of the data at stake.
| Subcategory | Domains | EntSec Rate |
|---|---|---|
| Healthcare Industry | 9,565 | 17.8% |
| Conditions and Diseases | 119 | 15.1% |
| Infectious Diseases | 52 | 15.4% |
| Substance Abuse | 194 | 10.8% |
| Health Products | 1,568 | 9.7% |
| Mental Health | 1,396 | 8.0% |
| Health Education | 1,679 | 5.9% |
Healthcare Industry organizations (hospitals, health systems, medical practices) lead at 17.8% — but this means over 82% of healthcare industry domains lack enterprise email protection. Given that 74% of healthcare organizations breached via email in 2025 lacked effective DMARC (according to Paubox), and email-related breaches accounted for 170 incidents reported to HHS OCR in 2025, this protection gap has measurable consequences.
Proofpoint dominates healthcare with 948 domains (40.8% of healthcare enterprise security), reflecting its strong position in HIPAA-regulated organizations. Mimecast follows with 639 domains (27.5%).
Mental health and health education trail at 8.0% and 5.9% respectively — smaller organizations with fewer compliance resources and lower budgets for dedicated security solutions.
Finance (13.8%)
Finance's overall 13.8% rate masks extreme variation across subcategories:
| Subcategory | Domains | EntSec Rate |
|---|---|---|
| Banking | 1,055 | 30.8% |
| Insurance | 123 | 27.6% |
| Loans and Mortgages | 195 | 20.5% |
| Financial Planning | 363 | 11.8% |
| Investing | 1,744 | 7.9% |
| Financial Management | 1,778 | 8.4% |
Banking leads at 30.8% — identical to the government rate, and consistent with the regulatory pressure banks face under PCI DSS 4.0 (which mandated DMARC at quarantine or reject by March 2025, with non-compliance penalties of $5,000–$100,000 per month). Proofpoint leads in banking with 148 domains, followed by Mimecast (83) and Cisco Secure Email (35). Cisco's presence in banking is notably stronger than in other sectors, reflecting its established enterprise networking relationships with financial institutions.
Investing and financial management trail at 7.9–8.4% — below the web average. These are largely content and advisory sites rather than transaction-processing institutions, so they face less direct regulatory pressure on email infrastructure despite handling sensitive financial information.
The Bottom Three: Why They Trail
Computer and Electronics (3.1%)
The technology sector's 3.1% rate is counterintuitive — these are organizations that build and sell security products. The explanation: tech companies disproportionately rely on Google Workspace (37.6%) and self-hosted solutions. Many technology organizations manage their own email security stacks rather than outsourcing to enterprise providers, making them invisible to our MX-record-based detection. This is undercounting, not underprotection.
Games (3.0%)
Gaming companies are predominantly small studios, indie developers, and content sites using budget hosting or basic business email. The 39.4% Google Workspace rate (highest after Music) and 13.2% Microsoft 365 rate (lowest of any category) reflect a tech-forward, cost-conscious industry where email security is not a regulatory requirement.
Gambling (2.6%)
Gambling's last-place finish is the most consequential finding. At 2.6%, gambling domains are 8x less likely than government domains and 5.4x less likely than healthcare domains to use enterprise email security. Only 263 out of 10,206 gambling domains with mail data use enterprise protection — despite the industry processing billions in financial transactions.
The explanation lies in gambling's unique structure: 46.5% of gambling domains use business standard email (lowest of any major category), while 20.2% use budget hosting providers — the highest budget/hosting share of any category. This reflects the prevalence of affiliate sites, offshore operators, and smaller gambling platforms that prioritize operating costs over security infrastructure.
Enterprise Security Provider Market Share
Among the 36,598 domains using enterprise email security, three vendors control 78.2% of the market:
| Provider | Domains | Market Share |
|---|---|---|
| Proofpoint | 13,894 | 38.0% |
| Mimecast | 9,918 | 27.1% |
| Barracuda | 4,779 | 13.1% |
| Cisco Secure Email | 1,991 | 5.4% |
| Trend Micro | 1,562 | 4.3% |
| Hornetsecurity | 1,410 | 3.9% |
| Sophos | 937 | 2.6% |
| SpamExperts | 773 | 2.1% |
| MailProtect | 526 | 1.4% |
| Symantec Email Security | 445 | 1.2% |
| Forcepoint | 225 | 0.6% |
| Fortinet | 139 | 0.4% |
Proofpoint's 38.0% share aligns with its position as the highest-ranked vendor in the 2025 Gartner Magic Quadrant for Email Security. Proofpoint claims to serve 90% of the Fortune 500 and stop 95 million BEC attacks per year. In our data, Proofpoint leads in 19 of 26 categories — with Travel being the only major category where Mimecast surpasses it (220 vs. 193 domains).
Mimecast's 27.1% reflects its strength in compliance-heavy industries. Mimecast leads Proofpoint in law firms (64 vs. 13 domains) and is competitive in government (114 vs. 213). Its 2024 pivot toward "Human Risk Management" through three acquisitions (Elevate Security, Aware, Code42) signals a strategic shift beyond pure email security.
Barracuda's 13.1% is concentrated in education (445 domains, where it rivals Proofpoint) and government (216 domains, where it actually leads). Barracuda's cloud-first, MSP-friendly model resonates with organizations that prefer managed solutions — particularly K-12 school districts and local government agencies.
Provider Dominance by Industry
The leading enterprise security provider varies by sector:
| Category | #1 Provider | #2 Provider | Notes |
|---|---|---|---|
| Business and Industry | Proofpoint (5,042) | Mimecast (4,046) | Proofpoint leads 1.25:1 |
| Healthcare | Proofpoint (948) | Mimecast (639) | Proofpoint leads 1.48:1 |
| Education | Proofpoint (541) | Barracuda (445) | Barracuda nearly ties — strong K-12 |
| Government | Barracuda (216) | Proofpoint (213) | Barracuda leads by 3 domains |
| Law Firms | Mimecast (64) | Proofpoint (13) | Mimecast leads 4.9:1 |
| Banking | Proofpoint (148) | Mimecast (83) | Cisco #3 with 35 — unusually strong |
| Travel | Mimecast (220) | Proofpoint (193) | Mimecast leads by 14% |
Google Workspace vs. Microsoft 365: The Platform Split
Beyond enterprise security, the business standard tier reveals a geographic and sectoral split between the two dominant email platforms:
| Category | Google Rate | M365 Rate | Ratio |
|---|---|---|---|
| Games | 39.4% | 13.2% | 3.0:1 |
| Computer and Electronics | 37.6% | 13.9% | 2.7:1 |
| Gambling | 29.7% | 12.3% | 2.4:1 |
| Music | 43.2% | 19.8% | 2.2:1 |
| — | — | — | — |
| Average | 37.2% | 28.7% | 1.3:1 |
| — | — | — | — |
| Health | 29.3% | 36.5% | 0.8:1 |
| Automotive | 30.1% | 34.4% | 0.9:1 |
| Law and Government | 25.1% | 40.0% | 0.6:1 |
| Attractions | 20.1% | 50.4% | 0.4:1 |
Google Workspace dominates tech-forward, creative, and digital-native industries — Games (3.0:1), Computer and Electronics (2.7:1), and Music (2.2:1). These sectors value Google's collaboration tools, API ecosystem, and startup-friendly pricing.
Microsoft 365 dominates regulated, traditional, and institutional sectors — Attractions (likely museums, cultural institutions; 0.4:1 in Google's favor), Law and Government (0.6:1), Health (0.8:1), and Automotive (0.9:1). These industries have deeper Microsoft enterprise agreements, Active Directory dependencies, and compliance requirements that favor the Microsoft ecosystem.
The M365 dominance in regulated sectors has security implications: Microsoft was named a Gartner Magic Quadrant Leader for Email Security for the first time in 2025, but 98% of organizations using Exchange Online Protection still consider third-party security solutions important. The industries most dependent on M365 are precisely those that most need supplemental email protection.
The Regulatory Gap
Our data reveals a disconnect between regulatory pressure and actual enterprise security adoption:
| Industry | EntSec Rate | Key Regulation | Regulatory Pressure |
|---|---|---|---|
| Banking | 30.8% | PCI DSS 4.0 (Mar 2025) | High — $5K–$100K/month fines |
| Government | 30.8% | Various federal mandates | High — CISA directives |
| Insurance | 27.6% | State insurance regulations | Medium-High |
| Healthcare Industry | 17.8% | HIPAA | High — but enforcement lag |
| Education (College) | 11.1% | FERPA | Low — weak enforcement |
| Investing | 7.9% | SEC/FINRA | Medium — content advisory focus |
Banking and government have responded to direct, enforceable mandates with measurable penalties. The PCI DSS 4.0 DMARC requirement (effective March 2025, fines of $5,000–$100,000 per month) appears to have driven banking adoption to 30.8%.
Healthcare lags despite HIPAA — at 17.8%, the healthcare industry has the widest gap between regulatory obligation and actual protection. The 74% of healthcare organizations breached via email in 2025 that lacked effective DMARC illustrates the consequences. Healthcare organizations face resource constraints, fragmented IT environments, and a prioritization of clinical systems over email infrastructure.
Education is most exposed — at 8.1% overall and just 11.1% even for college education (which includes well-resourced universities), education faces the worst combination of high targeting and low protection. Only 3.3% of .edu domains globally enforce DMARC at the reject level. With FERPA providing weaker enforcement mechanisms than HIPAA or PCI DSS, education lacks the regulatory pressure that drives adoption in other sectors.
Key Findings
1. Only 8.1% of the web uses enterprise email security
The vast majority of domains — 91.9% — rely on business standard email (Google Workspace, Microsoft 365), budget hosting providers, or other non-security-focused mail solutions. Enterprise email security remains a product for regulated enterprises and large organizations, not the general web.
2. Law, health, and finance lead — but even they leave gaps
The top three industries average 16.1% adoption. Banking and government reach 30.8% — meaning nearly 70% of domains in even the best-protected subcategories lack enterprise email security. For healthcare industry organizations at 17.8%, over four in five domains are unprotected.
3. Gambling is the most exposed industry handling financial transactions
At 2.6%, gambling's enterprise security rate is 5.4x below healthcare and 11.8x below banking — despite processing billions in transactions. The 20.2% budget hosting email rate (highest of any major category) compounds the risk. With 34 U.S. jurisdictions imposing ad content restrictions and regulators increasing scrutiny, gambling's email security posture is a compliance liability.
4. Proofpoint, Mimecast, and Barracuda own 78.2% of the enterprise market
The enterprise email security market is highly concentrated. Proofpoint alone holds 38.0%, consistent with its $2B+ ARR and position as the 2025 Gartner MQ Leader for Email Security. But market concentration also means three vendor decisions — on pricing, features, or platform direction — affect the email security posture of most protected organizations.
5. The platform split predicts the security gap
Industries that favor Microsoft 365 (law, government, health, automotive) have higher enterprise security adoption rates. Industries that favor Google Workspace (tech, games, music) have lower rates. This correlation suggests that Microsoft's enterprise sales channels and compliance positioning create organizational awareness of email security needs that Google's self-service model does not.
6. AI-powered threats are outpacing adoption
With 82.6% of phishing emails now containing AI-generated content and AI phishing achieving 4x higher click-through rates than human-crafted attacks, the 8.1% enterprise security adoption rate represents a structural vulnerability. The regulatory convergence of PCI DSS 4.0, Google/Yahoo sender requirements, and EU NIS2 is pushing adoption — but the threat landscape is evolving faster than organizational response.
Methodology
This analysis cross-referenced LLMSE's mail provider database (475,529 domains with identified mail providers via MX record resolution) against website category classifications. Of these, 451,952 (95.0%) were matched to category data in the LLMSE classification database as of February 26, 2026.
Mail providers were identified through MX record pattern matching against 187 providers (370 patterns). Providers were classified into tiers: Enterprise Security (12 providers specializing in email threat protection — Proofpoint, Mimecast, Barracuda, Hornetsecurity, SpamExperts, Cisco Secure Email, Trend Micro, Sophos, Symantec Email Security, MailProtect, Forcepoint, Fortinet), Business Standard (5 providers — Google Workspace, Microsoft 365, Zoho Mail, Open-Xchange, Titan Email), Privacy-Focused (5 providers), Budget/Hosting (11 providers), and Transactional (5 providers).
Limitations: (1) MX records identify the mail provider but not the specific security configuration — a Google Workspace domain may have third-party security add-ons not visible in MX data. (2) Technology companies frequently self-host email or use custom configurations that don't map to recognized providers. (3) The "enterprise security" tier captures organizations routing mail through dedicated security platforms; it underestimates organizations using integrated security features within M365 Defender or Google Workspace security add-ons. (4) Domain-level analysis counts each domain equally regardless of organization size — a 50,000-employee hospital and a solo medical practice each count as one domain.
External statistics on BEC losses, DMARC adoption rates, and AI-powered threats are sourced from FBI IC3 reports, Verizon DBIR, EasyDMARC, Gartner, and other cited sources. These provide industry context but were not generated from LLMSE data.
Explore the Data
Browse mail providers on LLMSE's mail provider index. Check mail provider detection for any domain using the domain detail page. Filter sites by mail provider using advanced search — for example, search for mail:Proofpoint to explore all Proofpoint-protected domains. The REST API provides programmatic access to all classification data.
This analysis was conducted using LLMSE, which has classified over 1.4 million websites across SEO, EEAT, WCAG accessibility, readability, and GARM brand safety dimensions. All data reflects the database as of February 2026. To analyze your own site, visit llmse.ai/classify.