Where the Fortune 500 Actually Live: The DNS, Mail, and CDN Stack Behind America's Biggest Companies

Three days ago, in A State of TXT, we measured email authentication across the whole resolvable Internet and made a point of excluding the obvious shortcut: "The open Internet is not the Fortune 500. When Google and Yahoo turned on their bulk-sender requirements, the entire deliverability industry spent a year insisting adoption had been transformed... We wanted to measure the transformation against the whole population, not the sales funnel." That post deliberately refused to flatter the numbers by looking only at the companies most likely to have done the work.

This post does the opposite, on purpose. It points the same instrument — a full-corpus, typed DNS crawl from early May 2026 — at exactly the population the deliverability industry loves to cite: the Fortune 500. Not to celebrate them, but to map them. Every company that big has, somewhere in its DNS, a public declaration of who runs its nameservers, who receives its mail, who terminates its TLS, and how seriously it defends its own name in the From: header. None of that is private. All of it is queryable. And almost nobody has counted it across the whole list from the records themselves rather than from a vendor's customer slide.

The conventional picture of enterprise infrastructure comes from market-share decks and self-reported surveys: "80% of the Fortune 500 use Microsoft 365," "Akamai leads the CDN market," "DMARC adoption is surging." Those numbers are real, but they are seat counts and revenue estimates, not a census of what the domains actually point at in production. A survey says a company bought Microsoft 365. The MX record says whether mail to its primary domain enters through Microsoft, Proofpoint, or a box in its own data center. Those are different facts, and only one of them is visible to an attacker doing reconnaissance.

We took the 500 primary corporate domains of the Fortune 500 and resolved each across four layers of the stack — authoritative DNS (NS), inbound mail (MX), the web edge (A/CNAME), and the email-authentication TXT family (SPF, DMARC, MTA-STS, BIMI) — then classified every provider from the answer data. Where our counts can be triangulated against external market data, we say so.

The headline: there is no single "Fortune 500 stack." Authoritative DNS is genuinely fragmented — 140 of 500 companies (28%) run their own nameservers, and no third-party DNS provider exceeds 16% of the list. Inbound mail is the opposite story: a third-party secure email gateway sits in front of 60% of all mail-enabled F500 domains, with Proofpoint alone guarding 48%, while the mailbox layer (overwhelmingly Microsoft 365) hides behind it. The web edge is a near-monopoly of two — Akamai (32%) and Cloudflare (19%) carry just over half of it, and 90% of the F500 sit behind some CDN. And on email authentication the F500 are six times better than the open Internet — 73% enforce DMARC versus 11.7% globally — yet still abandon transport security almost entirely: MTA-STS reaches 2.3%. America's biggest companies have hardened the front door of email and left the loading dock open.

The Data

DomainsProject runs full-corpus, typed DNS measurement passes against its master hostname dataset. The early-May-2026 pass produced separate result archives per record type and per synthetic prefix; this post draws on all of the layers a corporate stack lives in. The universe is the 500 primary corporate domains enumerated by the public Fortune 500 domains dataset (one canonical apex per company), resolved against the May 2026 crawl.

| Layer | Record set | Query target | What it reveals |
| --- | --- | --- | --- |
| DNS hosting | NS / SOA | <apex> nameservers | Who operates authoritative DNS |
| Inbound mail | MX | <apex> mail exchangers | Where mail enters (gateway / mailbox) |
| Web edge | A / CNAME | <apex> and www.<apex> | CDN / TLS termination |
| Email auth | TXT (apex) | <apex> SPF | Sender policy at the apex |
| Email auth | DMARC | _dmarc.<apex> | Spoofing policy + enforcement |
| Email auth | MTA-STS | _mta-sts.<apex> | SMTP transport security |
| Email auth | BIMI | default._bimi.<apex> | Brand logo / verified mark |

Every company resolved to a usable NS answer (directly or via the SOA in the authority section). 438 of 500 publish a working MX record; 498 publish a resolvable web endpoint. The classification, the borderline cases, and the things this crawl genuinely cannot see are spelled out next.

Methodology

Universe and constituency. The 500 domains are the primary corporate domains of the Fortune 500 as enumerated by the gigasheet Fortune 500 dataset, which provides one verified canonical apex per company and is built on the 2022 ranking. This is a deliberate choice, and the caveat that comes with it deserves to be stated plainly: the constituents are the 2022 Fortune 500, measured against a May 2026 crawl — read this post as "the 2022 Fortune 500, where their infrastructure points four years later," not as a live 2026 membership roster. We evaluated refreshing to the 2025 list and rejected it on data-integrity grounds: there is no freely available, machine-readable 2025 (or 2026) Fortune 500 roster with verified per-company domains. The one "all-500" source we found was contaminated — fabricated and garbled company names, companies that have since gone bankrupt or private, non-US firms that belong to the Global 500, duplicate entries for the same company, and revenue figures that do not match reality. Substituting that for a clean 2022 list would inject more error than the constituency drift it removes.

The reason this caveat is acceptable rather than fatal is structural: roughly 5–7% of the Fortune 500 turns over each year, but the provider-share findings are properties of the segment — very large US enterprises — not of any particular constituent. Akamai's enterprise-edge dominance, the gateway-in-front-of-mailbox pattern, and double-digit DMARC enforcement are characteristics of how big American companies build infrastructure; swapping fifty tail constituents for fifty others of the same size and vintage moves the percentages by less than the rounding. A reader who wants "the exact 2025 roster" will not get it here; a reader who wants "how the largest US companies build their DNS, mail, and web stack" gets an answer that a one-year membership refresh would not change. Subdomain-style entries in the source (e.g. corporate.exxonmobil.com) were reduced to their registrable apex; Russian-territorial TLDs are excluded per project policy (none appear here).

Provider classification. Each provider is identified from the answer data, not inferred:

  • DNS hosting is read from the apex's NS records (or, where the apex NS query was not in the corpus, the SOA MNAME returned in the authority section). A nameserver host is matched to a provider by its registrable domain (awsdns-* → AWS Route 53, *.ns.cloudflare.com → Cloudflare, *.ultradns.* → Vercara, *.cscdns.net → CSC, and so on). Two self-operation cases are distinguished and then combined into Self-operated: same-domain (nameservers under the apex itself, e.g. a.ns.apple.com) and vanity (nameservers under a different domain the company clearly owns, e.g. boeing.com served from dns.boeing.net). The vanity case is detected with a shared-infrastructure heuristic: an unrecognized nameserver domain used by exactly one F500 company is treated as self-operated; one shared across several companies is treated as a provider and surfaced.
  • Inbound mail is the primary MX (lowest preference value). The MX host names the gateway mail enters through — *.pphosted.com → Proofpoint, *.mail.protection.outlook.com → Microsoft 365, *.mimecast.com → Mimecast, *.iphmx.com → Cisco. "Secure email gateway" means a third-party inbound filtering service in front of the mailbox; it does not imply the mailbox itself is insecure (Microsoft 365 and Google Workspace include their own native filtering). "No MX" means the apex publishes no mail exchanger — a brand or web-only domain whose mail, if any, lives elsewhere.
  • Web edge is classified from www.<apex> where present (falling back to the apex), following the CNAME chain to its terminal target, and — for endpoints served by bare A records — matching the IP against published CDN ranges (Cloudflare, Fastly, AWS CloudFront, Google, and Akamai's common production ranges). "Direct / self-hosted" means no CDN signature was found in either the CNAME chain or the IP.
  • Email authentication is counted only on an exact version-tag match in the answer: v=spf1 at the apex, v=DMARC1 at _dmarc, v=STSv1 at _mta-sts, v=BIMI1 at default._bimi. The prefixed queries return a domain's wildcard SPF noise constantly; those are discarded. DMARC enforcement means p=quarantine or p=reject; BIMI with VMC means the record carries an a=https://… verified-mark certificate.
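The DNS and MX rules above, sketched as an added example (not DomainsProject's own classifier). All hostnames are constructed; the two-label registrable() helper stands in for a Public Suffix List lookup, and using one representative nameserver per apex is an assumption.

```python
from collections import defaultdict

def registrable(host):
    # Assumption: the last two labels approximate the registrable domain.
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def known_dns_provider(ns_host):
    """Match the nameserver patterns quoted in the methodology."""
    host = ns_host.rstrip(".").lower()
    labels = host.split(".")
    if any(label.startswith("awsdns-") for label in labels):
        return "AWS Route 53"
    if host.endswith(".ns.cloudflare.com"):
        return "Cloudflare"
    if "ultradns" in labels:
        return "UltraDNS (Vercara)"
    if host.endswith(".cscdns.net"):
        return "CSC"
    return None

def classify_dns(ns_by_apex):
    """Pass 1: direct matches. Pass 2: the shared-infrastructure heuristic."""
    result, pending = {}, {}
    users = defaultdict(set)      # unrecognized NS domain -> apexes served by it
    for apex, ns_hosts in ns_by_apex.items():
        ns = sorted(ns_hosts)[0]  # assumption: one representative nameserver
        provider = known_dns_provider(ns)
        if provider:
            result[apex] = provider
        elif registrable(ns) == registrable(apex):
            result[apex] = "Self-operated (same-domain)"
        else:
            pending[apex] = registrable(ns)
            users[pending[apex]].add(apex)
    for apex, ns_domain in pending.items():
        # Used by exactly one company: vanity domain. Shared: surface as a provider.
        if len(users[ns_domain]) == 1:
            result[apex] = "Self-operated (vanity)"
        else:
            result[apex] = f"Provider: {ns_domain}"
    return result

MX_SUFFIXES = [
    (".pphosted.com", "Proofpoint"),
    (".mail.protection.outlook.com", "Microsoft 365"),
    (".mimecast.com", "Mimecast"),
    (".iphmx.com", "Cisco"),
]

def classify_mx(mx_records):
    """mx_records is a list of (preference, host); the lowest preference wins."""
    if not mx_records:
        return "No MX"
    _, primary = min(mx_records, key=lambda rec: rec[0])
    host = primary.rstrip(".").lower()
    for suffix, name in MX_SUFFIXES:
        if host.endswith(suffix):
            return name
    return "Unclassified"

# Constructed sample answers, not crawl data.
SAMPLE_NS = {
    "alpha.example": ["a.ns.alpha.example", "b.ns.alpha.example"],
    "bravo.example": ["ns1.bravo-dns.example"],
    "charlie.example": ["ns1.managed-dns.example"],
    "delta.example": ["ns2.managed-dns.example", "ns1.managed-dns.example"],
    "echo.example": ["ns-12.awsdns-03.org"],
}
SAMPLE_MX = [(20, "alpha-example.mail.protection.outlook.com"),
             (10, "mx0a-001.pphosted.com")]
```

In the MX sample the Microsoft 365 host is present but is not the primary exchanger, so the domain counts under Proofpoint, which is the gateway-in-front-of-mailbox effect the mail figures describe.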

Denominators. Provider shares for mail are computed against the 438 mail-enabled companies (those with a real MX); web-edge shares against the 498 web-enabled; DNS against all 500. Where a percentage uses a different base, it is stated inline.

Known limitations. Four, stated plainly. (1) No IPv6. This crawl carried no AAAA query set, so IPv6 readiness — a question worth asking of the F500 — is simply not measurable here and is omitted rather than guessed. (2) Apex-only SPF. We read SPF at the organizational apex. A company that sends mail from subdomains with their own SPF, but publishes none at the bare apex, counts as "no apex SPF" — so the SPF figure is a floor for apex-origin mail, not a verdict on the company's entire sending program. (3) Edge is CNAME/IP-based. Akamai and others also serve via bare A records; our curated CDN ranges catch the common cases but not every prefix, so "Direct / self-hosted" is an upper bound and CDN share a lower bound. (4) Snapshot, not longitudinal. This is one measurement pass; we make no growth claims from it. Reproduction inputs — the 500-domain list, per-apex master table, and classifiers — are archived alongside the crawl.

The Scorecard

Four layers, one table each. The pattern that matters is not any single number but how differently each layer concentrates.

| Layer | Most common answer | Share | Runner-up | Concentration |
| --- | --- | --- | --- | --- |
| DNS hosting | Self-operated (in-house) | 28.0% | Akamai 15.4% | Fragmented — top vendor <16% |
| Inbound mail | Proofpoint (gateway) | 48.4%¹ | Microsoft 365 30%¹ | Gateway-dominated |
| Web edge | Akamai | 31.9%² | Cloudflare 19.3%² | Duopoly — top two = 51% |
| DMARC enforcement | Enforced (quarantine/reject) | 72.8%¹ | | 6× the open Internet |

¹ of 438 mail-enabled companies. ² of 498 web-enabled companies.

The four layers do not concentrate the same way, and that is the finding. Authoritative DNS is the most competitive layer in enterprise infrastructure — a plurality run it themselves and the rest is split among a dozen providers. Mail is the most concentrated at the control layer, where a single security vendor screens nearly half of all inbound. The web edge is a clean duopoly. And email authentication is the one layer where being a Fortune 500 company actually predicts the outcome: these firms enforce DMARC at a rate the open Internet does not approach. Each layer is a different market with a different power structure, and a security team that assumes "our vendors" look the same across all four is wrong on three of them.

DNS Hosting: The Layer Nobody Won

140 of the 500 — 28% — run their own authoritative DNS, the single largest category on the list. Splitting the self-operated group reveals two distinct corporate habits: 87 companies serve DNS from nameservers under their own primary domain (Apple's *.ns.apple.com, 3M, Allstate, Amgen, American Electric Power), and another 53 use a vanity DNS domain they own — Boeing answers for boeing.com from boeing.net, Bank of America from ns-bac.org, AbbVie from abbviedns.com, Albertsons from safeway.com. Both are the same strategic choice: keep the most critical control plane in DNS under direct operational control.

| DNS operator | Companies | Share of 500 |
| --- | --- | --- |
| Self-operated (in-house) | 140 | 28.0% |
| Akamai (Edge DNS) | 77 | 15.4% |
| Cloudflare | 49 | 9.8% |
| UltraDNS (Vercara) | 40 | 8.0% |
| CSC | 38 | 7.6% |
| AWS Route 53 | 31 | 6.2% |
| Azure DNS | 25 | 5.0% |
| NS1 (IBM) | 21 | 4.2% |
| MarkMonitor | 14 | 2.8% |
| AT&T Managed DNS | 12 | 2.4% |
| DNS Made Easy | 10 | 2.0% |
| GoDaddy / Network Solutions | 12 | 2.4% |
| Google Cloud DNS | 6 | 1.2% |
| Other / niche | 25 | 5.0% |

No third-party DNS provider reaches one company in six, and the provider mix looks nothing like the consumer Internet. Cloudflare, which dominates DNS for the long tail of the web, is only the third most common operator here behind self-hosting and Akamai — consistent with industry mapping that has Cloudflare, AWS, Google, Vercara, and Akamai all competing for the managed-DNS enterprise without any one running away with it. Two categories that barely register on the open Internet are conspicuous here: brand-protection registrars — CSC (38) and MarkMonitor (14) — together run DNS for 52 companies (10.4%), a signature of legal-department-driven domain management you essentially never see outside large enterprises. And an AT&T managed-DNS cluster (12 companies, all on els-gms.att.net) — Archer Daniels Midland, Boston Scientific, New York Life, Crown Holdings — marks a generation of telco-managed enterprise DNS contracts that the cloud era has not fully displaced. The takeaway for the layer is simple: DNS hosting is where the Fortune 500 are least consolidated, and where "what does everyone use" has no answer.

Inbound Mail: The Gateway in Front of the Mailbox

A third-party secure email gateway sits in front of 60% of all mail-enabled F500 domains — and Proofpoint alone is the primary MX for 212 of them, 48% of the mail-enabled list. This is the single most concentrated control point we found anywhere in the stack, and it is invisible to the usual "who uses Microsoft 365" framing, because the gateway is what answers the MX query while the mailbox sits silently behind it.

| Inbound MX | Companies | Share of mail-enabled (438) |
| --- | --- | --- |
| Proofpoint | 212 | 48.4% |
| Microsoft 365 (direct) | 131 | 29.9% |
| Cisco (IronPort) | 28 | 6.4% |
| In-house mail | 27 | 6.2% |
| Mimecast | 20 | 4.6% |
| Google Workspace (direct) | 13 | 3.0% |
| Other gateway / vendor | 7 | 1.6% |
| (No MX — brand/parked) | 62 | — (of 500) |

Read this against the survey number and the two facts reconcile into one story. External research consistently finds around four in five Fortune 500 companies use Microsoft 365, and our data does not contradict it — it explains where that mailbox lives in DNS. Only 131 companies point their MX directly at Microsoft; the rest of the M365 footprint is hidden behind Proofpoint, Cisco, and Mimecast, which screen inbound mail before forwarding it to the cloud mailbox. The MX record therefore measures the security layer, not the mailbox layer, and at the security layer the Fortune 500 are remarkably consolidated: combine Proofpoint, Cisco, Mimecast and the other gateways and 263 companies (60%) put a dedicated third-party filter in front of their mail, versus 144 that go straight to a cloud provider's native filtering. Two structural notes worth flagging: 62 of the 500 publish no MX at all — brand, redirect, or web-only domains (amazon.com among them) whose mail lives on a different name — and the heavy gateway concentration means a single Proofpoint outage degrades inbound mail for nearly half the Fortune 500 simultaneously, a correlated-failure surface that the "everyone's on M365" narrative completely hides.

The Web Edge: A Duopoly With a Long Tail

Akamai still owns the Fortune 500's front door — it serves the web edge for 159 companies (32%), and together with Cloudflare (96, 19%) the two carry just over half of the entire list. Ninety percent of the Fortune 500 sit behind some CDN; only 51 companies serve their primary site directly with no edge signature at all.

| Web edge / CDN | Companies | Share of web-enabled (498) |
| --- | --- | --- |
| Akamai | 159 | 31.9% |
| Cloudflare | 96 | 19.3% |
| AWS CloudFront | 32 | 6.4% |
| Fastly | 32 | 6.4% |
| Imperva | 29 | 5.8% |
| Microsoft / Azure | 24 | 4.8% |
| WP Engine | 13 | 2.6% |
| Other CDN (Vercel, F5, Edgio…) | 62 | 12.4% |
| Direct / self-hosted | 51 | 10.2% |

The edge is where the F500's choices diverge most sharply from the rest of the web — toward the incumbent, not away from it. On the open Internet, Cloudflare's free tier makes it the default front end for a plurality of all sites; among the Fortune 500 it runs second to Akamai by a wide margin, which tracks with market analysis showing Akamai still leading enterprise CDN on revenue (~$4.2B) and deep enterprise relationships even as its overall share compresses under CloudFront and Cloudflare growth. Our 32% Akamai figure sits squarely inside the 30–40% enterprise-CDN range that market researchers assign it. The split below the top two is instructive: Imperva (29) and a meaningful Fastly presence (32) show that a slice of the F500 buys the edge primarily for security (Imperva) or for developer-grade performance (Fastly), and the 62-company "other CDN" tail — Vercel, F5 Distributed Cloud, WP Engine, investor-relations specialists like Equisolve — is where modern and legacy approaches coexist. The duopoly is real, but unlike mail it is a duopoly of performance and security edge, where the second source is a genuine competitor rather than a filter in front of a hidden incumbent.

Email Authentication: Hardened at the Top, Hollow Below

This is the layer where being a Fortune 500 company changes the answer. In A State of TXT we measured the whole mail-capable Internet and found 71.3% publishing SPF, 34.1% publishing DMARC, and only 11.7% enforcing it. The Fortune 500, measured the same way against the same crawl, look like a different species — for the policies they bother with.

| Control | F500 (of 438 mail-enabled) | Open Internet¹ |
| --- | --- | --- |
| SPF at apex | 54.1% | 71.3% |
| DMARC published | 91.6% | 34.1% |
| DMARC enforced (quarantine/reject) | 72.8% | 11.7% |
| DMARC p=reject (strictest) | 57.8% | |
| MTA-STS | 2.3% | 0.14% |
| BIMI | 17.4% | 0.08% |
| BIMI with VMC | 13.9% | |

¹ Mail-capable apexes, same May 2026 crawl, from A State of TXT.

The Fortune 500 enforce DMARC at 72.8% — more than six times the open-Internet rate, and well above the ~42% enforcement that Valimail's 2026 report finds across its broader commercial sample — which is consistent with Valimail also reporting that large enterprises in its customer base maintain p=reject at far higher rates than the market. The publish-versus-enforce gap that defines the open Internet largely closes here: where two-thirds of all Internet DMARC records sit uselessly at p=none, a clear majority of the F500 (57.8%) run the strictest p=reject. This is the deliverability industry's success story, and on this metric it is earned.

Two caveats keep it honest, and one finding undercuts the celebration. First, apex SPF (54%) is actually lower than the open-Internet rate, which looks paradoxical until you remember the measurement: we read SPF at the bare organizational apex, and many large companies — Microsoft's own microsoft.com among them — publish no SPF at the apex while running rigorous SPF on the subdomains they actually send from. Apex SPF is a floor, not a verdict. Second, DMARC at the apex is partly a compliance artifact of the Google/Yahoo bulk-sender mandate — necessary, but a checkbox these firms had the resources to tick. The finding that undercuts the story is MTA-STS at 2.3% and BIMI's verified-mark layer at 13.9%: the same companies that hardened the content of email against spoofing have almost entirely ignored the transport layer that protects mail in transit between servers. America's best-resourced security organizations enforce who can write their name and then ship that mail over opportunistic, downgradeable TLS. The top of the stack is hardened; the bottom is hollow.

What's at Stake

  • Correlated mail failure — with a third-party gateway in front of 60% of mail-enabled F500 inboxes and Proofpoint alone screening 48%, a single gateway provider's outage degrades inbound mail across a large fraction of the Fortune 500 at once; the "everyone runs Microsoft 365" framing hides this concentration entirely.
  • The web edge is a two-vendor dependency — Akamai and Cloudflare jointly front 51% of F500 sites, so an edge-provider incident is a Fortune-500-scale event, as recent CDN outages have repeatedly demonstrated.
  • DNS is the resilient layer precisely because it is fragmented — 28% self-operation plus a dozen providers means no single DNS failure takes down a large share of the list; it is the one layer where the F500's diversity is a structural strength rather than an accident.
  • Transport security is the open flank — MTA-STS at 2.3% means the overwhelming majority of the Fortune 500 accept downgradeable SMTP, leaving server-to-server mail exposed to interception and DNS-spoofing-based downgrade attacks that DMARC does nothing to stop.
  • The apex SPF gap is a reconnaissance tell — domains that enforce DMARC but publish no apex SPF advertise a specific configuration posture; defenders and attackers read the same records, and the gap between published policy and complete policy is itself information.

What Would Help

  1. Security teams: inventory your own stack from the outside, the way an attacker does. Every fact in this post came from public DNS in seconds. Resolve your NS, MX, www, _dmarc, _mta-sts, and default._bimi and confirm they say what you think they say — the gap between the architecture diagram and the records is where incidents start. Use the stats dashboard and dataset to benchmark against peers.
  2. Email administrators: close the transport gap. If you have already reached p=reject — and 58% of the F500 have — MTA-STS is the cheapest remaining win in email security: a static policy file and one TXT record that stops opportunistic-TLS downgrade. At 2.3% adoption it is the highest-leverage, lowest-effort control the Fortune 500 are collectively ignoring.
  3. CISOs: treat gateway and edge concentration as a board-level dependency, not a procurement detail. If your inbound mail and your web edge both run through the same one or two vendors as half your peer set, you share their failure modes. Document the correlated-outage exposure and decide deliberately whether a second source is worth it — don't inherit the concentration by default.
  4. Registrars and managed-DNS providers: the enterprise DNS market is still genuinely open. No third-party operator holds even 16% of the Fortune 500, and 28% self-operate. That is a contestable market, and the brand-protection (CSC, MarkMonitor) and telco-managed (AT&T) footholds show enterprises will pay for operational control and legal alignment, not just anycast performance.
  5. Researchers and journalists: this is a repeatable annual benchmark. Provider shares across DNS, mail, edge, and email-authentication, measured from records rather than surveys, form a "State of the Fortune 500 Stack" that can be re-run each year to track real migration — Akamai-versus-Cloudflare at the edge, gateway consolidation in mail, and whether MTA-STS ever leaves the basement.
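An added example (not code from this post or the crawl) of the outside-in check in items 1 and 2, applying the exact version-tag rule from the Methodology section: it discards wildcard SPF noise returned at _dmarc, grades DMARC enforcement, and checks an MTA-STS policy against the domain's MX hosts. The record strings, policy text and function names are constructed for illustration.

```python
# Added example; every record string below is a constructed sample.

def pick_record(txt_answers, version_tag):
    """Return the one TXT answer whose first tag is exactly version_tag, else None."""
    hits = []
    for txt in txt_answers:
        first = txt.split(";", 1)[0].split(None, 1)
        if first and first[0] == version_tag:
            hits.append(txt)
    # Zero matches means unpublished; several matches is treated as invalid.
    return hits[0] if len(hits) == 1 else None

def tags(record):
    """Parse 'k=v; k=v' into a dict with lowercased keys."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def dmarc_posture(txt_answers):
    rec = pick_record(txt_answers, "v=DMARC1")
    if rec is None:
        return "not published"
    policy = tags(rec).get("p", "").lower()
    return "enforced" if policy in ("quarantine", "reject") else "published, not enforced"

def mx_covered(mx_host, pattern):
    """RFC 8461 matching: a leading '*.' stands for exactly one leftmost label."""
    host, pattern = mx_host.rstrip(".").lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def mta_sts_findings(txt_answers, policy_text, mx_hosts):
    """Return a list of problems; an empty list means the transport policy holds."""
    if pick_record(txt_answers, "v=STSv1") is None:
        return ["no v=STSv1 record at _mta-sts"]
    mode, patterns = None, []
    # policy_text is the body served at https://mta-sts.<apex>/.well-known/mta-sts.txt
    for line in policy_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            mode = value.strip()
        elif key.strip() == "mx":
            patterns.append(value.strip())
    findings = []
    if mode != "enforce":
        findings.append(f"policy mode is {mode!r}, not 'enforce'")
    for mx in mx_hosts:
        if not any(mx_covered(mx, p) for p in patterns):
            findings.append(f"MX {mx} not listed in policy")
    return findings

# Constructed answers for a hypothetical corp.example.
DMARC_ANSWERS = ["v=spf1 -all",   # wildcard SPF noise returned at _dmarc
                 "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"]
STS_ANSWERS = ["v=STSv1; id=20260501T000000"]
POLICY = "version: STSv1\nmode: testing\nmx: *.gateway.example\nmax_age: 604800\n"
MX_HOSTS = ["mx1.gateway.example", "mx2.backup.corp.example"]
```

The sample domain passes the DMARC check yet produces two MTA-STS findings: the policy is still in testing mode and one MX host falls outside the listed patterns.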

Methodology: 500 primary corporate domains of the Fortune 500 (2022 constituents, via the public gigasheet Fortune 500 dataset), resolved across NS/SOA, MX, A/CNAME, apex TXT, _dmarc, _mta-sts, and default._bimi against a DomainsProject full-corpus typed DNS crawl from early May 2026. Providers classified from answer data; self-operation detected via a shared-infrastructure heuristic; web edge via CNAME chains and published CDN IP ranges. IPv6/AAAA was not in this crawl and is not reported. Russian-territorial TLDs excluded per project policy. This is a single snapshot; no growth claims are drawn from it. Explore the broader dataset at /dataset and per-TLD statistics at /stats/.