How does Talos Intelligence monitor global email volume trends?
Michael Ko
Co-founder & CEO, Suped
Published 26 Jul 2025
Updated 15 Aug 2025
Understanding how major threat intelligence organizations monitor global email volume is crucial for anyone involved in email deliverability or security. These organizations, like Talos Intelligence, possess immense visibility into email traffic worldwide, providing insights that go far beyond what individual senders can observe. Their data helps shape industry best practices and influence how mailbox providers filter incoming mail.
Such global monitoring helps to identify emerging threats, detect spam campaigns, and understand overall email ecosystem health. It allows for a macro-level view of email trends, including shifts in legitimate traffic versus malicious volumes. This deep understanding is vital for maintaining a robust email infrastructure and ensuring messages reach their intended recipients.
The foundation of Talos monitoring
Talos Intelligence, operated by Cisco, leverages a vast network infrastructure to gather data. Their ability to monitor global email volume trends stems from their unparalleled visibility, which comes from a combination of proprietary technologies and strategic data collection points across the internet. This comprehensive approach gives them a unique vantage point on the email landscape.
The core of their monitoring capabilities is built on what was formerly known as SenderBase, now integrated into the larger Talos threat intelligence platform. This platform does not rely only on Cisco's email security appliances, such as IronPort, acting as the Mail Exchanger (MX) for the domains they protect. Instead, it aggregates data from various sources to compute email volume.
Their monitoring extends beyond merely counting messages. They analyze patterns, identify anomalies, and uncover new threats as part of a 24-hour global traffic view. This continuous analysis helps them understand the constantly evolving threat landscape and its impact on overall email volume and traffic trends.
Data collection methodologies
Talos utilizes a diverse set of signals to determine email volume across the board. One key component involves DNS query-based analysis. As email servers query DNS records, such as MX records, to route mail, Talos can observe these queries, providing insights into sender activity even if the mail isn't directly flowing through their network security products.
This DNS-based monitoring can, however, be affected by factors like the increasing adoption of DNSSEC (Domain Name System Security Extensions), which adds a layer of security to DNS but might alter traditional observation methods. Beyond DNS, Talos also monitors traffic on Cisco-branded routers used across internet backbones, providing a direct view of network traffic patterns and anomalies.
For specific email threats, Talos Email Filtering technology also plays a role by inspecting various elements of emails, including URLs, file hashes of attachments, and leveraging multiple scanning engines. This multi-layered security approach contributes to their overall understanding of email volume, especially when analyzing trends related to spam, malware, and phishing attacks.
Understanding the log scale
When Talos reports on email volume magnitude, they typically use a log scale with a base of 10. This means that a small increment on their scale represents a large increase in actual email volume. For example, moving from a magnitude of 2 to 3 means the volume has increased tenfold. This logarithmic representation helps to visualize vast differences in scale, making it easier to track significant shifts in global email traffic, from everyday communication to large-scale spam campaigns or denial-of-service attacks.
Understanding this scale is critical when interpreting their data, as a seemingly minor change on their charts can indicate a substantial real-world impact. For instance, a decrease from a magnitude of 5 to 4 suggests that the monitored email volume has dropped by 90%, which is a massive shift. This logarithmic approach allows them to present data on phenomena ranging from typical email flow to massive spam bursts, which can reach hundreds of billions of messages daily.
Interpreting volume data
A value of 1 on the Talos volume magnitude scale represents 10 messages, 2 represents 100 messages, 3 represents 1,000 messages, and so on. This approach highlights the exponential nature of changes in email traffic. Therefore, a graph showing what appears to be a slight dip might actually indicate a dramatic reduction in the absolute number of emails observed.
For more detailed information on their volume magnitude calculations, you can refer to the official Talos Reputation Center documentation. Their reports often include comprehensive analyses of various threats, such as phishing attacks and business email compromise, providing insights into how these trends impact overall email volume.
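The scale described above can be checked mechanically. The following is an added example, not code from Talos or from this article: it converts magnitude readings to approximate message counts and flags days whose real volume moved sharply against a rolling baseline, extending the whole-number steps in the text to fractional magnitudes. The function names, the three-day median baseline, the 50% threshold, and the sample readings are all assumptions made for illustration.

```python
from statistics import median

def magnitude_to_volume(magnitude):
    """Base-10 log scale: magnitude 1 -> 10 messages, 2 -> 100, 3 -> 1,000."""
    return 10 ** magnitude

def percent_change(old_mag, new_mag):
    """Real-volume change, in percent, implied by a move between two magnitudes."""
    return (10 ** (new_mag - old_mag) - 1) * 100

def flag_shifts(readings, window=3, threshold_pct=50.0):
    """Flag readings whose real volume differs from the baseline by >= threshold.

    readings: list of (date, magnitude) tuples in chronological order.
    The baseline is the median magnitude of the previous `window` readings,
    so a single earlier spike does not distort the comparison.
    """
    alerts = []
    for i in range(window, len(readings)):
        baseline = median(m for _, m in readings[i - window:i])
        day, mag = readings[i]
        change = percent_change(baseline, mag)
        if abs(change) >= threshold_pct:
            alerts.append((day, baseline, mag, round(change, 1)))
    return alerts

# Constructed sample: daily volume magnitudes for one sending IP (not real data).
SAMPLE = [
    ("2025-08-01", 4.00),
    ("2025-08-02", 4.02),
    ("2025-08-03", 3.98),
    ("2025-08-04", 4.01),
    ("2025-08-05", 4.30),  # looks like a small bump on a chart
    ("2025-08-06", 4.00),
    ("2025-08-07", 3.60),  # looks like a modest dip on a chart
]

if __name__ == "__main__":
    for day, base, mag, change in flag_shifts(SAMPLE):
        print(f"{day}: magnitude {base:.2f} -> {mag:.2f} "
              f"(~{magnitude_to_volume(mag):,.0f} msgs, {change:+.1f}% real volume)")
```

On this sample, a rise of 0.29 on the chart is close to a doubling of real volume, and a fall of 0.41 is a loss of roughly three fifths of it.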
Factors influencing reported trends
Talos's global threat intelligence capabilities are influenced by several factors that might lead to shifts in their reported email volumes. For example, if more and more Email Service Providers (ESPs) are establishing direct peering agreements, it could mean less email traffic flows through third-party networks, including parts of Cisco's infrastructure. This could potentially alter the volume observed by Talos without necessarily indicating a decrease in overall global email traffic.
Another factor could be a decrease in the number of organizations using Cisco's IronPort appliances as their primary MX gateway. While Talos's monitoring isn't solely dependent on this, a shift in market share could impact their direct observation points.
Changes in global spam volumes and the effectiveness of spam filtering technologies also influence reported trends. If spam filters become more efficient at blocking malicious email at earlier stages, it might appear as a decrease in the volume reaching inboxes or being detected by certain systems. It's a complex interplay of infrastructure, filtering, and evolving threat tactics that shapes the data.
Importance for email deliverability
Monitoring email volume and trends is essential for email marketers and deliverability professionals. Fluctuations in email volume can directly impact sender reputation and deliverability. A sudden, unexplained increase might indicate a compromised account or a spam trap hit, while a decrease could suggest issues with infrastructure or changes in recipient behavior.
Staying informed about general trends reported by organizations like Talos can help benchmark your own performance and identify broader shifts in the email ecosystem. For instance, if global spam rates are declining, but your personal spam rates are increasing, it signals a specific issue with your sending practices that needs addressing.
Furthermore, understanding the mechanisms by which large intelligence groups gather their data sheds light on the complexity of email security. This knowledge can inform your strategies for avoiding email blocklists (or blacklists) and improving overall email deliverability. Leveraging comprehensive monitoring tools is crucial for both security and marketing.
Views from the trenches
Best practices
Maintain strong authentication protocols like SPF, DKIM, and DMARC to validate your sending domain and mitigate spoofing attempts.
Regularly monitor your sending reputation and IP health, proactively addressing any issues before they escalate into blocklist (or blacklist) listings.
Segment your audience and tailor content to improve engagement, reducing bounce rates and spam complaints.
Warm up new IPs gradually, increasing email volume over time to build a positive sending history.
Common pitfalls
Ignoring sudden drops or spikes in reported email volume without investigating the underlying causes.
Misinterpreting logarithmic scales for email volume data, leading to underestimation or overestimation of changes.
Assuming direct network peering or changes in MX records are the sole reasons for perceived volume shifts in intelligence reports.
Failing to adapt email sending strategies based on global threat intelligence trends, such as increased phishing campaigns.
Expert tips
Utilize DNS query logs to gain insights into how external systems interact with your domain, which can indirectly reflect email activity.
Collaborate with your ESP to understand their network peering and traffic routing strategies, as these can influence how global monitors see your volume.
Diversify your data sources for email volume trends, consulting multiple threat intelligence reports to get a more complete picture.
Marketer view
Marketer from Email Geeks says they agree that a massive decrease in global email volume showing on Talos seems not right and wonders if more ESPs are doing peering, not going through Cisco infrastructure.
2021-03-08 - Email Geeks
Expert view
Expert from Email Geeks says that even without peering, ESPs have no reason to go through Cisco's network unless Cisco is managing their MX.
2021-03-09 - Email Geeks
Key takeaways on email volume monitoring
Talos Intelligence plays a significant role in providing a macro view of email traffic and threat intelligence. Their advanced methodologies, encompassing DNS analysis, network monitoring, and email content filtering, enable them to identify global trends and anomalies.
While internal factors like peering agreements or the adoption of new MX solutions can influence their reported data, the underlying insights into email volume, spam, and malicious activity remain invaluable. For deliverability professionals, understanding how these global monitors operate is key to ensuring email program health and navigating the complex email ecosystem.