Skip to content
VAMP

The 2026 Cost and Operational Burden of Spam on Email Operators

Executive summary

Section titled “Executive summary”

Four findings stand out.

  1. Spam remains industrial in scale. Radicati forecasts 392.5 billion emails/day worldwide in 2026. Kaspersky measured 44.99% of all emails in 2025 as spam. If that spam share held roughly steady into 2026, the world would be dealing with about 176.6 billion spam emails/day; applying the same share to Radicati’s 2025 traffic estimate yields about 169.3 billion spam emails/day. That 2026 figure is a scenario estimate, not a direct 2026 measurement, but it is directionally useful.12

  2. The burden has not disappeared; it has professionalized and centralized. Gmail says it blocks nearly 15 billion unwanted emails/day and stops more than 99.9% of spam, phishing, and malware before inbox delivery. Microsoft says it processes 100 trillion security signals/day and screens 5 billion emails/day for malware and phishing. Cloudflare says 5.6% of the emails analyzed by its email-security stack in 2025 were malicious. In plain English: operators are running enormous filtering, classification, telemetry, and remediation systems just to keep legacy email usable.345

  3. Visible enterprise spend is already material. In March 2026 list pricing, Microsoft Defender for Office 365 Plan 1 and Plan 2 cost $2/user/month and $5/user/month. That is $24–$60/user/year, or roughly $240,000–$600,000/year for a 10,000-seat organization just for the add-on security layer. Office 365 E3 is $23/user/month, or about $2.76 million/year at 10,000 seats; Office 365 E3 plus Defender Plan 2 is about $3.36 million/year. Google’s published Business tiers are $7/$14/$22 user/month for plans capped at 300 users; enterprise pricing is not public. These are not pure “spam-only” numbers, but they are the visible recurring costs organizations pay to run defended mail environments.678

  4. Filtering is effective but not decisive. Operators have reduced bulk junk dramatically, but high-consequence misses still matter. The FBI’s IC3 logged 193,407 phishing/spoofing complaints and 21,442 BEC complaints in 2024; BEC alone accounted for $2.77 billion in reported losses, while total reported cyber-enabled losses reached $16.6 billion. Microsoft reports that BEC represented only 2% of total threats observed, yet 21% of attack outcomes, and that identity-based attacks rose 32% in the first half of 2025. This is the modern email problem in one sentence: the easy junk is often caught, but the remaining misses are expensive.49

Scope, definitions, and method

Section titled “Scope, definitions, and method”

This write-up focuses on the burden borne by entities that operate or administer email systems in 2026: hyperscale mailbox providers, managed email platforms, specialized email-security vendors, and enterprise administrators running Microsoft 365, Google Workspace, hybrid Exchange, or layered secure-email gateways. In 2026, many organizations no longer run a classic self-hosted MTA end-to-end, but they still bear the cost of email operations through licensing, deliverability engineering, policy tuning, quarantine handling, user support, incident response, and fraud recovery.

Methodologically, I prioritized official provider disclosures (Google, Microsoft, Yahoo), government incident statistics (FBI IC3), large-scale security telemetry (Cloudflare, Kaspersky), an industry traffic forecast (Radicati), and one peer-reviewed 2025 paper to frame benchmarking limitations in malicious-email detection. Because vendors measure different things—spam share, malicious share, bulk/graymail, post-delivery remediation, complaint rates—this memo treats “spam burden” broadly as the cost of unwanted, malicious, complaint-generating, and operationally disruptive email.12345910

A final caveat: public cost data are much better than public failure-rate data. Providers publish list prices, platform requirements, and some scale disclosures; they do not publish a standardized, apples-to-apples cross-provider false-positive/false-negative benchmark. The academic literature still notes the lack of a unified, current, open benchmark dataset for malicious-email detection. That means cost estimation can be reasonably grounded, while “failure rate” must be inferred from provider telemetry, remediation workflows, and realized fraud outcomes rather than a single clean benchmark.10

1. The current threat load is still enormous

Section titled “1. The current threat load is still enormous”

Email volume is still growing. Radicati’s 2024–2028 executive summary forecasts 392.5 billion emails/day in 2026, up from 376.4 billion/day in 2025. Kaspersky’s 2025 annual spam/phishing report says 44.99% of all emails sent worldwide in 2025 were spam, and that its systems blocked 144,722,674 malicious email attachments and 554,002,207 phishing-link click attempts. On those two inputs, a reasonable scenario estimate is that the ecosystem is processing on the order of 170–177 billion spam emails/day around the 2025–2026 boundary.12

At hyperscale, the operators’ telemetry is blunt about the workload. Google says Gmail blocks nearly 15 billion unwanted emails every day and stops more than 99.9% of spam, phishing, and malware from reaching inboxes. Microsoft says it screens 5 billion emails/day and processes 100 trillion security signals/day. Cloudflare says 5.6% of the messages analyzed by Cloudflare Email Security in 2025 were malicious. These are not “annoyance” numbers; they describe permanent industrial infrastructure devoted to classifying and containing hostile traffic.345

The composition of that hostile traffic matters. Cloudflare reports that in 2025, deceptive links appeared in 52% of malicious email messages it analyzed, identity deception in 38%, and brand impersonation in 32%. Kaspersky’s 2025 report also documents heavy phishing and BEC activity and highlights campaigns built around government portals, messaging apps, and fabricated business correspondence. The important operator takeaway is that the burden is not just classic bulk junk; it is increasingly about low-volume, identity-driven, socially engineered mail that forces operators to maintain layered detection and post-delivery remediation.25

2. The burden on operators falls into four major cost buckets

Section titled “2. The burden on operators falls into four major cost buckets”

2.1 Filtering, telemetry, and machine-learning infrastructure

Section titled “2.1 Filtering, telemetry, and machine-learning infrastructure”

The first burden is raw infrastructure. Radicati notes that anti-spam technology is “highly effective,” but that vendors must continually update those systems and are investing heavily in machine learning to handle both spam and graymail. Google’s and Microsoft’s daily screening numbers, plus Cloudflare’s malicious-share data, imply not only bandwidth and storage cost but persistent model maintenance, feature engineering, reputation feeds, sandboxing, URL analysis, sender clustering, and post-delivery clean-up. Even when the majority of junk is successfully blocked, the operator still pays for ingest, classification, and policy enforcement.1345

This burden is also getting harder, not easier. Verizon’s 2025 DBIR says the human element remained involved in roughly 60% of breaches, and synthetically generated text in malicious emails had doubled over the prior two years in one partner data set cited by Verizon. Microsoft’s 2025 Digital Defense Report says identity-based attacks rose 32% in the first half of 2025. Those trends matter because they push operators away from cheap static rules and toward more expensive, behavior- and identity-aware detection stacks.411

2.2 Deliverability engineering and sender hygiene

Section titled “2.2 Deliverability engineering and sender hygiene”

The second burden is not inbox defense but mail hygiene and deliverability operations. Modern email operators are now expected to maintain standards compliance, sender reputation, and complaint thresholds just to remain deliverable at major providers.

For bulk senders to Gmail, Google currently requires authentication, low complaint rates, aligned identities, valid forward and reverse DNS, TLS for SMTP connections, RFC-compliant message formatting, DMARC, and one-click unsubscribe for marketing mail. Google says enforcement began in February 2024 and that starting in November 2025 it ramped enforcement on non-compliant traffic to include temporary and permanent rejections. Google also says bulk senders should keep user-reported spam rates below 0.1% and prevent them from reaching 0.3% or higher. Google even added a dedicated compliance status dashboard to Postmaster Tools, which tells you something important by implication: compliance itself is now an operational discipline.12

Yahoo imposes parallel requirements: at minimum SPF or DKIM for all senders, complaint rates below 0.3%, valid forward and reverse DNS, and RFC 5321/5322 compliance; for bulk senders, Yahoo wants SPF and DKIM, a DMARC record, easy unsubscribe, and fast honoring of unsubscribes. This is not merely “best practice.” It is day-to-day work for anyone responsible for keeping a mail domain deliverable.13

In practical cost terms, this means outbound mail operations now require DNS engineering, policy monitoring, sender-reputation monitoring, complaint-loop analysis, unsubscribe processing, TLS posture management, and troubleshooting around provider-specific rejection/error codes. These tasks are easy to undercount because they are often distributed across messaging, security, marketing-ops, and IT teams. The core point is simple: even before spam reaches the inbox, the current ecosystem already taxes legitimate senders with a growing compliance burden because the base protocol model is weak.1213

2.3 Admin workflows: tuning, triage, quarantine, and remediation

Section titled “2.3 Admin workflows: tuning, triage, quarantine, and remediation”

The third burden is human operations. Microsoft’s Defender documentation is revealing here because it openly documents the recurring workflows needed when filtering is imperfect. Microsoft exposes bulk complaint level (BCL) thresholds for bulk/graymail, with defaults of 7 in the default anti-spam policy, 6 in the Standard preset policy, and 5 in Strict. Messages at or above threshold are sent to Junk or Quarantine depending on policy. This is not an abstract control—it is something administrators are expected to tune and review in reporting and insights tools.14

Microsoft also documents dedicated runbooks for false negatives and false positives. Its false-negative guide explicitly describes end-user reporting, admin triage, submission for Microsoft analysis, temporary block entries, quarantine review, and verdict review to understand why the message was allowed and how policy should be improved. Microsoft’s own guide says the basic false-negative workflow takes 5–10 minutes and requires appropriate administrative permissions. That is an unusually concrete illustration of operational burden: when malicious mail gets through, there is a documented labor cost attached to every incident.15

The post-delivery problem is not hypothetical. In Microsoft’s March 2026 benchmark post, the company says Defender removed an average of 70.8% of malicious email post-delivery. That figure is useful not because it proves Microsoft is uniquely better, but because it shows how modern mail operations actually work: operators do not just block bad mail before delivery; they also run continuous post-delivery cleanup because some threats will inevitably reach user mailboxes.16

2.4 Procurement and recurring platform spend

Section titled “2.4 Procurement and recurring platform spend”

The fourth burden is commercial. Some of this spend is unavoidable base-platform cost, and some is incremental email-security spend. Both matter.

At current Microsoft list prices, Defender for Office 365 Plan 1 costs $2/user/month and Plan 2 costs $5/user/month. That is $24–$60 per user per year. For a 10,000-seat organization, the visible incremental cost is about $240,000–$600,000/year just for the Defender add-on layer.6

Base suite pricing is higher still. Office 365 E3 is $23/user/month and Office 365 E5 is $38/user/month. At 10,000 seats, that is about $2.76 million/year for E3 and $4.56 million/year for E5. Office 365 E3 plus Defender Plan 2 is about $3.36 million/year. These are not “spam-only” expenditures—those suites cover collaboration and productivity broadly—but they are the visible recurring cost of running a modern enterprise mail environment that includes defended inboxes, identity, policy, and admin tooling.7

Google’s public pricing is more opaque at large scale. Its Business tiers are $7/$14/$22 per user per month, but those published plans are capped at 300 users; enterprise pricing is custom. For a 300-user organization, the annualized visible cost of those tiers is about $25,200, $50,400, and $79,200 respectively. For larger Google environments, public enterprise list pricing is not available, which itself is analytically important: the market does not expose anti-spam cost transparently because it is increasingly bundled into broader collaboration and security contracts.8

The market for layered security on top of the base suite is also large. Proofpoint says customers include more than half of the Fortune 1000. Mimecast says more than 42,000 businesses worldwide use its platform. In Microsoft’s own March 2026 benchmark, layering integrated cloud email security (ICES) on top of Defender improved marketing and bulk email filtering by 13.7% on average, but only 0.29% for spam and 0.24% for malicious messages, while overlapping detections remained common. Because that benchmark is Microsoft-authored, it should be treated cautiously; still, it points to a very plausible economic reality: many organizations pay for overlapping defenses to capture small incremental gains in the hardest categories.161718

3. Failure rates: what can be said rigorously in 2026

Section titled “3. Failure rates: what can be said rigorously in 2026”

The honest answer is that public, comparable failure-rate data remain poor. A 2025 peer-reviewed paper in Cybersecurity argues that malicious-email research still suffers from inconsistent and outdated datasets and a lack of a unified open standard for evaluation. Providers publish useful telemetry, but not a common benchmark that lets buyers compare Gmail, Microsoft 365, Proofpoint, Mimecast, and others on the same open dataset with the same definitions.10

What can be said rigorously is this:

  • Gmail claims its AI defenses stop more than 99.9% of spam, phishing, and malware before inbox delivery.3
  • Cloudflare still found 5.6% of the messages analyzed by its email-security system to be malicious in 2025.5
  • Microsoft’s March 2026 benchmark says post-delivery remediation removed 70.8% of malicious mail that reached inboxes, which implies meaningful residual miss volume after initial filtering.16
  • Microsoft documents formal false-negative and false-positive workflows, which means misses and misclassifications are not edge cases; they are routine enough to require published operational playbooks.15

The practical conclusion is that bulk spam filtering is often very good, but the email-security problem that remains in 2026 is increasingly about identity compromise, social engineering, thread hijacking, brand impersonation, and BEC. Microsoft says BEC was only 2% of total threats observed but 21% of attack outcomes, and that attackers often start with phishing or password spraying, then pivot to inbox rule manipulation, internal phishing, and thread hijacking. The FBI’s IC3 reported $2.77 billion in BEC losses in 2024. The modern burden on operators is therefore not simply maximizing spam catch rate; it is managing the residual, high-impact misses that exploit trust.49

4. What this means for mail operators in 2026

Section titled “4. What this means for mail operators in 2026”

The current email ecosystem imposes cost in at least five distinct ways.

First, it imposes compute and tooling cost on providers and vendors at industrial scale. The filtering problem is not shrinking; it is being fought with larger ML, telemetry, and remediation systems. Google’s and Microsoft’s daily screening figures alone make that plain.34

Second, it imposes recurring subscription cost on enterprises. Even if an organization outsources mail to Microsoft 365 or Google Workspace, the burden persists as licensing, policy administration, add-on security plans, and often third-party layered defenses. At enterprise scale, visible recurring spend is easily high six figures and often low-to-mid seven figures annually, before labor and fraud losses are counted.678

Third, it imposes deliverability engineering cost. Modern mail operators are expected to maintain SPF/DKIM/DMARC, TLS, reverse DNS, complaint monitoring, unsubscribe handling, and postmaster tooling just to maintain deliverability with Gmail and Yahoo. Those are operational obligations created by the weakness of the underlying trust model.1213

Fourth, it imposes human-operational cost. Quarantine review, false-negative triage, user reporting, policy tuning, and post-delivery clean-up are part of the normal operating model. The receiver still pays in analyst time, helpdesk time, admin time, and user productivity loss.141516

Fifth, it leaves behind residual fraud cost. Even after all that spend and all that filtering, the U.S. still reported $16.6 billion in cyber-enabled losses in 2024, with $2.77 billion from BEC alone. Those are not purely “mail operator” costs, but they are the clearest evidence that today’s receiver-heavy defense model remains structurally expensive.9

Conclusion

Section titled “Conclusion”

The most defensible conclusion is not that current anti-spam systems are failing. They are working hard and often working well. The defensible conclusion is that they are compensating for a protocol and ecosystem that still make abuse too cheap for senders and too costly for receivers. That cost is now visible as hyperscale filtering infrastructure, deliverability engineering, recurring platform and security spend, admin remediation workflows, and large residual fraud losses.3459671516

In 2026, the burden of spam is therefore best understood as a permanent operating expense of the email ecosystem, not as a nuisance variable. Large providers bear it as compute, telemetry, and anti-abuse engineering. Enterprises bear it as subscription spend, configuration burden, false-negative handling, user training, and incident response. The world has become better at filtering bad mail; it has not solved the underlying economic asymmetry that makes bad mail cheap to send and expensive to defend against.123459

That is the market reality any successor model has to beat.

References

Section titled “References”

Footnotes

Section titled “Footnotes”

  1. The Radicati Group. Email Statistics Report, 2024–2028 Executive Summary. https://www.radicati.com/wp/wp-content/uploads/2024/10/Email-Statistics-Report-2024-2028-Executive-Summary.pdf 2 3 4 5

  2. Kaspersky Securelist. Spam and phishing in 2025. https://securelist.com/spam-and-phishing-report-2025/118785/ 2 3 4 5

  3. Google. Gmail introduces new requirements to fight spam. https://blog.google/products-and-platforms/products/gmail/gmail-security-authentication-spam-protection/ 2 3 4 5 6 7 8

  4. Microsoft. Microsoft Digital Defense Report 2025 – Safeguarding Trust in the AI Era (PDF). https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf 2 3 4 5 6 7 8 9 10

  5. Cloudflare. Cloudflare Radar 2025 Year in Review. https://radar.cloudflare.com/year-in-review/2025 2 3 4 5 6 7 8

  6. Microsoft. Microsoft Defender for Office 365. https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-office-365 2 3 4

  7. Microsoft. Compare Office 365 Enterprise Plans and Pricing. https://www.microsoft.com/en-us/microsoft-365/enterprise/office-365-plans-and-pricing 2 3 4

  8. Google Workspace. Compare Flexible Pricing Plan Options. https://workspace.google.com/pricing 2 3

  9. FBI Internet Crime Complaint Center (IC3). 2024 IC3 Annual Report (PDF). https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf 2 3 4 5 6

  10. Zhang et al. A combined feature selection approach for malicious email detection with benchmark dataset. Cybersecurity (Springer). https://link.springer.com/article/10.1186/s42400-024-00309-6 2 3

  11. Verizon. 2025 Data Breach Investigations Report – Executive Summary (PDF). https://www.verizon.com/business/resources/reports/2025-dbir-executive-summary.pdf

  12. Google Workspace Admin Help. Email sender guidelines FAQ. https://support.google.com/a/answer/14229414?hl=en 2 3

  13. Yahoo Sender Hub. Sender Best Practices. https://senders.yahooinc.com/best-practices/ 2 3

  14. Microsoft Learn. Bulk complaint level values – Microsoft Defender for Office 365. https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about 2

  15. Microsoft Learn. How to handle malicious emails that are delivered to recipients (false negatives) using Microsoft Defender for Office 365. https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365 2 3 4

  16. Microsoft Security Blog. From transparency to action: What the latest Microsoft email security benchmark reveals. https://www.microsoft.com/en-us/security/blog/2026/03/12/from-transparency-to-action-what-the-latest-microsoft-email-security-benchmark-reveals/ 2 3 4 5

  17. Proofpoint. Company Overview. https://www.proofpoint.com/us/company/about

  18. Mimecast. Company Overview. https://www.mimecast.com/company/