We Analyzed 229,000 U.S. Micro-Nonprofits. The Infrastructure Gap Is Worse Than the Security Gap.

There are 229,829 active nonprofits in the United States that file IRS Form 990-N — the e-Postcard. These are organizations with gross receipts under $50,000 a year. Youth baseball leagues. Church food pantries. Volunteer fire company auxiliaries. Animal rescues running on donations and weekend labor.

We pulled the full IRS bulk data file, extracted every domain associated with an active 990-N filer from the last five tax years, and ran DNS enrichment across 208,078 unique domains — MX lookups, DMARC checks, DKIM checks, provider classification.

The results reframe the "nonprofits need better cybersecurity" conversation entirely. The problem isn't that these organizations are ignoring security. The problem is that a third of them don't have email infrastructure to secure.

---

30.7% Have No Email Infrastructure at All

63,790 domains returned no MX record. No mail server. No inbox. These domains exist — they're registered, some have websites — but they do not receive email.

That number needs context. A youth soccer league with a .org domain and a WordPress site built by a board member's nephew is not "neglecting email security." They never set up email in the first place. The treasurer uses a personal Gmail account. The domain is a sign, not a system.

This is a capacity gap, not a negligence problem.

Google Workspace Owns This Segment

Of the 208,078 domains we checked, 27.1% (56,362) run Google Workspace. Office 365 sits at 11.2% (23,261). The remaining 31% is fragmented across hundreds of providers — secureserver.net, IONOS, Hostinger, Zoho, and a long tail of hosting-bundled mail.

Google's dominance here isn't surprising. Google for Nonprofits offers Workspace at no cost to eligible 501(c)(3) organizations. For an org running on under $50K a year, "free" and "the same Gmail interface everyone already knows" is the entire buying decision.

What's notable is how stable this is. We broke down provider share by tax year:

Year	Google Workspace	Office 365
2020	25.9%	11.0%
2021	27.8%	10.4%
2022	29.9%	11.0%
2023	28.7%	13.0%
2024	26.4%	12.3%
2025	27.1%	11.0%

Google has held steady around 27% for five years. Office 365 around 11%. No migration wave in either direction. The platform decisions these orgs made years ago are the platform decisions they're living with now.

84,000 Chapter and Affiliate Structures

84,417 of the 229,829 organizations were flagged as chapter or affiliate structures — their mailing address differs from their principal address, indicating they operate under a parent organization but maintain independent filings.

This matters for infrastructure conversations. A local Rotary chapter, a regional Habitat for Humanity affiliate, a state-level chapter of a national veterans organization — these entities often:

• Register their own domains independently
• Have no central IT governance from the parent org
• Make their own platform decisions (or don't make them at all)
• Are not covered by the parent organization's security policies

If you've worked in enterprise IT, this pattern looks familiar. It's the subsidiary problem. Decentralized operations, no shared infrastructure, no unified security posture. Except here, the "subsidiary" is staffed by volunteers and funded by bake sales.

What Didn't Change

The year-over-year stability is the quiet finding. Google's share didn't climb. Office 365 didn't gain ground. The "no MX" segment didn't shrink.

These organizations aren't migrating. They aren't adopting new platforms. The infrastructure decisions — or non-decisions — made in 2020 are largely unchanged in 2025. That tells us something about how technology adoption works at this scale: it doesn't, unless something forces it.

Google's free tier locked in 27% of this market years ago. Nothing has moved the needle since. For the 30.7% with no email infrastructure, five years of digital transformation discourse changed nothing.

A Minimum Viable Security Stack

Telling a volunteer-run animal rescue to "implement DMARC with a reject policy and monitor aggregate reports" is not a serious recommendation. Here's what is:

For orgs with no email infrastructure (30.7%): If you have a domain but no email, add a DMARC record with p=reject and a null MX record. This tells the world "nobody sends email from this domain." It costs nothing, takes five minutes in your registrar's DNS panel, and prevents anyone from spoofing your domain.

For orgs with email but no DMARC (56.2% of email-capable): Start with p=none and a free monitoring service. You'll see who's sending email as your domain within a week. Graduate to p=quarantine once you confirm your legitimate mail flows are authenticated.

For chapter/affiliate structures: The parent organization should publish a DNS template. One page. "Here are the three TXT records every chapter domain needs." Most chapters would add them if someone just told them what to paste.

The Bigger Picture

Micro-nonprofits operate with enterprise-level risk exposure — they handle donor PII, process financial transactions, manage community data — but without enterprise resources. The 229,829 organizations in this dataset collectively serve millions of communities. Their infrastructure fragility is a public interest problem, not just a technical one.

The data doesn't support "nonprofits are failing at cybersecurity." It supports something more specific: the smallest organizations in the nonprofit sector were never equipped to participate in email security infrastructure in the first place. A third of them don't even have email. The rest are split between a dominant free platform and a fragmented long tail of hosting providers.

If you're building tools for this segment — or advising organizations in it — start with infrastructure presence, not security compliance. You can't secure what doesn't exist.

---

Data: IRS Form 990-N (e-Postcard) bulk data download, DNS-enriched March 2026. 229,829 active filers, 208,078 unique domains.