Who sends, receives and, perhaps most importantly, stores your company’s email? Most likely Google and Microsoft unless you live in China or Russia. And the market share for these two companies continues to grow.
That’s the conclusion of a group of computer scientists at the University of California San Diego who studied the email service providers used by hundreds of thousands of Internet domains between 2017 and 2021.
“Our research team has empirically demonstrated the extent to which email is outsourced and concentrated to a small number of carriers and service providers,” said Stefan Savage, a professor in the UC San Diego Department of Computer Science and Engineering and one of the senior authors of the paper.
The team presented their findings at the Internet Measurement Conference 2021, which took place virtually from November 2-4, 2021.
This concentration has several consequences: it increases the impact of service errors and data breaches; and it exposes businesses and users outside of the United States to potential subpoenas from U.S. government agencies.
A brief explanation of the difference between domains and service providers: The second half of your email address is the domain of your company or agency; for example, ucsd.edu is the domain for the University of California San Diego. The email service provider is the behind-the-scenes company that provides the infrastructure that allows you to send and receive email and store your messages, so ucsd.edu’s email service is provided by a combination of Google and Microsoft email services.
As of June 2021, Google and Microsoft were the dominant providers among popular domains, with 28.5% and 10.8% market share respectively. By comparison, GoDaddy leads the market in providing services for smaller domains, with a market share of 29%. The authors also found a higher level of concentration over time: Google and Microsoft’s market share increased by 2.3% and 2.9% respectively since June 2017.
Some of the growth is coming from smaller domains that used to host their own emails. “As self-hosted domains switched to providers across all categories, more than a quarter of them switched their email providers to Google and Microsoft,” said Alex Liu, a UC San Diego computer science Ph.D. student and the lead author of the article.
More affected during outages, data breaches
Concentration of email service providers has resulted in much larger service outages. In August and December 2020, global outages impacted Gmail and Drive: Gmail alone has an estimated 1.5 billion users. Outlook last experienced a disruption in October 2021, with an estimated 400 million people using the service.
The concentration of email service providers also puts more people at risk in the event of a data breach. An oft-cited example is the Yahoo data breach that exposed at least 500 million user accounts. Recently, a flaw in a Microsoft Exchange protocol has been shown to have leaked hundreds of thousands of credentials.
Google and Microsoft, the two dominant US-based email service providers, appear to be widely used by organizations outside the United States, particularly in Europe, North America, South America, much of Asia and, to a lesser extent, Russia. For example, 65% of Brazilian domains in the researchers’ dataset host email with Google or Microsoft. But they are not used in China.
However, outsourcing email services to US companies can also have legal consequences. Under the CLOUD Act of 2018, U.S.-based providers may be required by law to provide stored customer data, including email, to U.S. law enforcement agencies, regardless of the location of the data or the nationality or residence of the customer using the data.
Perhaps as a result, Tencent has an overwhelming market share in China at 41%, as does Yandex in Russia at 32%. Both countries have shown that they prefer to maintain control over access to data.
In addition, more and more email domains are contracting email security providers, such as ProofPoint and Mimecast. These companies can act as a third-party filter for incoming emails, eliminating the need to manage security locally. They have nearly 7% market share for large commercial companies and a 17.5% market share for .gov domains.
The research was funded by the National Science Foundation, the University of California San Diego, the EU H2020 CONCORDIA project and Google.
The research is published in Proceedings of the 21st ACM Internet Measurement Conference.