Concentration of email service providers increases impact of service failures and data breaches
Who really sends, receives and, most importantly perhaps, stores your business’ email? Most likely Google and Microsoft, unless you live in China or Russia. And the market share for these two companies keeps growing.
That’s the conclusion reached by a group of computer scientists at the University of California San Diego, who studied the email service providers used by hundreds of thousands of Internet domains between 2017 and 2021.
"Our research team empirically showed the extent to which email has been outsourced and concentrated to a small number of providers and service providers," said Stefan Savage, a professor in the UC San Diego Department of Computer Science and Engineering and one of the paper’s senior authors.
The team presented their findings at the Internet Measurement Conference 2021, which took place virtually Nov. 2 to 4, 2021.
This concentration has several consequences: it increases the impact of service failures and data breaches; and it exposes companies and users outside the United States to potential subpoenas from U.S. government agencies.
A quick explainer of the difference between domains and service providers: The second half of your email address is your company or agency’s domain; for example, ucsd.edu is the domain for the University of California San Diego. The email service provider is the company that, behind the scenes, provides the infrastructure that allows you to send and receive email and stores your messages. So ucsd.edu’s email service is provided by a combination of Google and Microsoft mail services.
As of June 2021, Google and Microsoft are the dominant providers among popular domains, with 28.5% and 10.8% market share, respectively. In comparison, GoDaddy leads the market of providing services for smaller domains, with a 29% market share. The authors also observed a higher level of concentration over time: Google and Microsoft’s market share increased by 2.3% and 2.9%, respectively, since June 2017.
Some of the growth comes from smaller domains that used to host their own emails. "While self-hosted domains switched to providers across all categories, more than a quarter of them changed their mail provider to Google and Microsoft," said Alex Liu, a UC San Diego computer science Ph.D. candidate and the paper’s lead author.
Google and Microsoft, the two dominant US-based email service providers, appear to be in wide use by organizations outside the United States — particularly across Europe, North America, South America, large parts of Asia and, to a lesser extent, Russia. For example, 65% of Brazilian domains in the researchers’ dataset host email with Google or Microsoft. But they are not used in China.
However, outsourcing email service to US companies can also have legal implications. Under the 2018 CLOUD Act, US-based providers can be legally compelled to provide stored customer data, including e-mail, to US law enforcement agencies, regardless of the location of the data, or of the nationality or residency of the customer using the data.
Perhaps as a result, Tencent has an overwhelming market share in China, with 41%, as does Yandex in Russia, with 32%. Both countries have shown that they prefer to keep control over data access.
In addition, an increasing number of email domains contract with email security providers, such as ProofPoint and Mimecast. These companies can operate as a third-party filter for inbound emails, removing the need to manage security locally. These companies have almost a 7% market share for large commercial companies; and a 17.5% market share for .gov domains.