Who really sends, receives and, most importantly perhaps, stores your business’ email? Most likely Google and Microsoft, unless you live in China or Russia. And the market share for these two companies keeps growing.
That’s the conclusion reached by a group of computer scientists at the University of California San Diego, who studied the email service providers used by hundreds of thousands of Internet domains between 2017 and 2021.
“Our research team empirically showed the extent to which email has been outsourced and concentrated to a small number of providers and service providers,” said Stefan Savage, a professor in the UC San Diego Department of Computer Science and Engineering and one of the paper’s senior authors.
The team presented their findings at the Internet Measurement Conference 2021, which took place virtually Nov. 2 to 4, 2021.
This concentration has several consequences: it increases the impact of service failures and data breaches, and it exposes companies and users outside the United States to potential subpoenas from U.S. government agencies.
A quick explainer of the difference between domains and service providers: The second half of your email address is your company or agency’s domain. For example, ucsd.edu is the domain for the University of California San Diego. The email service provider is the company that, behind the scenes, provides the infrastructure that allows you to send and receive email and stores your messages. So ucsd.edu’s email service is provided by a combination of Google and Microsoft mail services.
As of June 2021, Google and Microsoft are the dominant providers among popular domains, with 28.5% and 10.8% market share, respectively. In comparison, GoDaddy leads the market for smaller domains, with a 29% market share. The authors also observed a higher level of concentration over time: Google and Microsoft’s market share increased by 2.3% and 2.9%, respectively, since June 2017.
Some of the growth comes from smaller domains that used to host their own emails. “While self-hosted domains switched to providers across all categories, more than a quarter of them changed their mail provider to Google and Microsoft,” said Alex Liu, a UC San Diego computer science Ph.D. student and the paper’s lead author.
More affected during outages, data breaches
Concentration of email service providers has led to much bigger service outages. In August and December 2020, global outages affected Gmail and Drive; Gmail alone has an estimated 1.5 billion users. Outlook most recently suffered an outage in October 2021; an estimated 400 million people use the service.
The concentration of email service providers also puts more people at risk in the event of a data breach. One often-cited example is the Yahoo data breach that exposed at least 500 million user accounts. Recently, a flaw in a Microsoft Exchange protocol has been shown to have leaked hundreds of thousands of credentials.
Google and Microsoft, the two dominant US-based email service providers, appear to be in wide use by organizations outside the United States — particularly across Europe, North America, South America, large parts of Asia and, to a lesser extent, Russia. For example, 65% of Brazilian domains in the researchers’ dataset host email with Google or Microsoft. But they are not used in China.
However, outsourcing email service to US companies can also have legal implications. Under the 2018 CLOUD Act, US-based providers can be legally compelled to provide stored customer data, including email, to US law enforcement agencies, regardless of the location of the data, or of the nationality or residency of the customer using the data.
Perhaps as a result, Tencent has an overwhelming market share in China, with 41%, as does Yandex in Russia, with 32%. Both countries have shown that they prefer to keep control over data access.
In addition, an increasing number of email domains contract with email security providers, such as Proofpoint and Mimecast. These companies can operate as a third-party filter for inbound emails, removing the need to manage security locally. These companies have almost a 7% market share for large commercial companies and a 17.5% market share for .gov domains.