Microsoft vs Proofpoint: 2026 Fortune 500 Email Security Update
Back in 2019, I started running DNS recon against the Fortune 500 to track email security vendor market share. I've done it every year or two since then. This is the 2026 update.
The script I use is Daniel Streefkerk's Invoke-EmailRecon.ps1, piped against the same list of 455 Fortune 500 domains:
get-content fortune_500_emails.txt | .\Invoke-EmailRecon.ps1 | Export-Csv 2026.csv
The Numbers: 2023, 2025, 2026
| Provider | 2023 | 2025 | 2026 | Change ('23→'26) |
|---|---|---|---|---|
| Proofpoint (MX) | 202 | 203 | 204 | +2 |
| Microsoft EXO (MX direct) | 112 | 136 | 148 | +36 (+32%) |
| Cisco IronPort | 33 | 29 | 24 | -9 |
| Mimecast (US) | 26 | 22 | 22 | -4 |
| Self-Hosted | 27 | 20 | 17 | -10 |
| Other/Undetermined | 27 | 24 | 20 | -7 |
Source: Public DNS MX records, June 2026. n=454 (prudential.com timed out).
Proofpoint's MX count looks flat at 204, but that number hides something interesting. 101 of those companies are running Proofpoint in front of Exchange Online — meaning Microsoft is the mailbox platform and Proofpoint is just the filter. In 2025 that number was 97. So Proofpoint's "growth" is mostly companies that haven't finished consolidating yet.
Exchange Online Tenancy
MX records tell you who handles inbound filtering. The EXO tenancy check tells you where the mailboxes actually live.
| EXO Status | 2023 | 2025 | 2026 |
|---|---|---|---|
| Yes | 260 | 279 | 293 |
| Possibly | 126 | 108 | 99 |
| No | 69 | 68 | 62 |
293 of 454 Fortune 500 companies are confirmed Exchange Online tenants — 64.5%, up from 57% in 2023. Microsoft is the underlying mail platform for nearly two-thirds of the Fortune 500 whether or not their MX points directly to Microsoft.
DMARC, DKIM, MTA-STS
DMARC (2026):
- REJECT: 258 (56.7%)
- QUARANTINE: 57 (12.5%)
- NONE: 60 (13.2%)
- No DMARC record: 71 (15.6%)
DMARC REJECT is up from 230 in 2025. That said, 131 Fortune 500 companies still have no enforcement. BEC is the top threat vector for large enterprises and enforcement is the whole point of DMARC — "none" and no record are not protective.
DKIM: 226 of 293 EXO tenants have DKIM enabled (77%), up from 75% in 2025. 67 large enterprises are running Exchange Online without DKIM, which usually means outbound mail is going through a third-party relay.
MTA-STS: 7 of 454 companies. The protocol has been around since 2018 and adoption is still essentially zero.
DNSSEC: 48 companies (10.6%) have DNSKEY records.
Should You Switch?
At Patriot, we've migrated over 40 companies from Proofpoint and Mimecast to Microsoft Defender for Office 365 in the past 12 months. The average migration takes about 90 days — not because it's hard, but because we map every transport rule, quarantine policy, and allow/block list before cutting over.
If your MX points to Proofpoint but your mailboxes are in Exchange Online, you're paying for a third-party filter that Microsoft's native stack can replace. Microsoft Defender for Office 365 now uses purpose-built LLMs for attacker intent detection — they're reporting 99.995% accuracy and blocking 140,000 BEC attempts per day (source). The integration with Sentinel, Defender XDR, and Entra ID is something a third-party filter simply can't replicate.
Contact us at hello@patriotconsultingtech.com for a free comparison of your current Proofpoint or Mimecast config against Microsoft.