VCF renewals ▲ 31.4% YoY· Symantec EDR true ups ▲ 18%· Carbon Black avg quote uplift +22%· Mainframe MIPS capacity squeezes ▲· Audit notices ▲ 47% QoQ· Our last 10 deals avg 41% off quote· VCF renewals ▲ 31.4% YoY· Symantec EDR true ups ▲ 18%· Carbon Black avg quote uplift +22%· Mainframe MIPS capacity squeezes ▲· Audit notices ▲ 47% QoQ· Our last 10 deals avg 41% off quote
Wednesday · 27 May · MMXXVIIssue II
Independent · Buyer SideLive
Broadcom Negotiations
VMware · Symantec · CA · Carbon Black · Mainframe · Brocade The buyer's report on Broadcom contract economics. Not affiliated with Broadcom.
Symantec · Trap

The Symantec Email Security renewal clause that locks you into 2027 capacity.

A capacity baseline clause buried in the 2026 Email Security renewal looks like a measurement methodology note. It quietly fixes the buyer's 2027 minimum at the peak of the 2026 mailbox count.
By The Negotiation Desk · Symantec · Archetype: The Trap
Published 10 Nov 2025

The Desk has read seven Symantec Email Security renewal drafts in the last six months. Five of them contain a clause that did not appear in the 2024 template. The clause is short. It runs in most variants to a single paragraph. It looks at first reading like a measurement methodology clarification, the kind of language that procurement teams approve without comment because it does not appear to do anything to the cover page numbers. The clause does specific work. It binds the 2027 renewal minimum to the peak mailbox count observed across the 2026 contract term, and it does so without giving the buyer an opportunity to reset the baseline before the next renewal opens.

Most Email Security customers' mailbox counts fluctuate across a year. Seasonal hiring, acquisitions, integration of an acquired entity's mail estate, the temporary inclusion of contractor mailboxes for a project, all produce short term peaks that exceed the long term average. Under the prior template, those peaks were transient. They affected the current year's true up but did not reset the next year's baseline. Under the new clause, the peak becomes the floor. A buyer who closes 2026 with an average of 18,400 mailboxes but had a transient peak of 23,100 during a third quarter acquisition integration will open the 2027 renewal with a minimum of 23,100 mailboxes priced into the floor. The 4,700 mailbox difference is not negotiable. It is contractually fixed.

How the clause is written

The clause is usually placed in the capacity measurement section or in an appended schedule. It describes itself as a baseline determination methodology and uses language about ensuring measurement consistency across the contract term. It defines the renewal baseline as the higher of the contracted commitment or the highest sustained mailbox count observed for more than a defined window during the contract term. The defined window varies between fourteen and thirty days across the template variants we have seen. The shorter window is more aggressive because it captures more short term peaks. The longer window is less aggressive but still captures most acquisitions and any sustained hiring surge.

The clause also defines who measures. In every variant we have read, the measurement authority is the seller's mail platform telemetry rather than the buyer's directory or HR systems. This matters because the seller's telemetry counts active mailboxes including ones that the buyer's HR system has already marked for deprovisioning but that have not yet been removed from the platform. The seller measures the high water mark from their own infrastructure, and the buyer is bound to it.

"A retail group integrated an acquired regional chain for ninety days during the third quarter. The peak mailbox count became the next year's floor. The integration ended. The mailboxes were removed. The floor stayed."Symantec Practice Lead, The Desk

Why the clause matters more for Email Security than for other Symantec products

Email Security pricing is per mailbox, and the per mailbox rate compounds. A baseline that ratchets up by 4,700 mailboxes against a $24 per mailbox per year rate adds roughly $113,000 to the floor before any other price movement. Across a three year renewal, that is roughly $340,000 of locked in cost that the buyer never used. Across a five year commit, it is $565,000. None of this shows up on the cover page of the 2026 renewal. It surfaces in the 2027 renewal as a floor the buyer cannot move without paying for the privilege of moving it.

The clause matters more for Email Security than for endpoint or for DLP because the underlying entity, the mailbox, is more transient than an endpoint or a sensitive data location. Endpoint counts move with hardware lifecycle, which is slow. DLP locations move with policy scope, which is deliberate. Mailbox counts move with hiring, with M&A, with contractor onboarding, all of which are operational and frequent. The clause turns operational volatility into contractual permanence.

What buyers can negotiate

Three positions work in our experience. The first is to redefine the baseline as a rolling twelve month average rather than a peak. This converts the clause from a ratchet into an average, which preserves the seller's interest in protecting against under provisioning while removing the operational volatility problem. Most deal desks will accept this on accounts with material spend because it does not change the long term yield, only the short term spike capture.

The second position is to define exclusions for specific events. Mailbox counts attributable to a defined acquisition or to a defined integration project should be excluded from the baseline if removed within a stated period. This requires the buyer to flag the events at the time they occur, which means the procurement function and the security function have to talk to each other on a cadence that most enterprises do not maintain. The clause exclusion is the forcing function for the cadence.

The third position is to allow buyer measurement to be authoritative for the baseline determination. The seller's measurement remains authoritative for the current year true up, which is the seller's actual revenue exposure. The baseline determination, which is the buyer's future exposure, runs from the buyer's directory or HR system. This split usually produces resistance but is achievable on accounts that have material leverage from a credible alternative scenario.

The numbers

Email Security drafts in our sample containing the clause5 of 7
Typical peak to average mailbox count spread8% to 24%
Per mailbox rate range observed (enterprise tier)$19 to $34 per year
Floor inflation on a typical 18,000 mailbox account$72K to $190K per year
Five year locked in cost on a single acquisition spike$310K to $620K
Negotiable on a careful renewalrolling average, exclusions, buyer measurement

What we have seen on live deals

A global insurer renewed Email Security in late 2025 with the clause in the draft. The procurement team approved the renewal. The buyer's mailbox count peaked at 31,200 during a fourth quarter acquisition integration that closed in February. The integration's mailboxes were removed by April. The 2026 contract billed on the peak. The 2027 renewal opens with a floor of 31,200, even though the operational mailbox count is back to 24,800. The buyer is locked into the difference.

A regional bank in EMEA caught the clause before signing in early 2026. We helped them negotiate the rolling twelve month average baseline and explicit exclusions for any acquisition related mailbox additions removed within ninety days. The deal desk accepted both positions in exchange for an extra year on the commit. The 2027 floor will reflect the actual operational baseline rather than a transient peak. The work was in the clause language. No cover page numbers changed.

The takeaway

  • The new Symantec Email Security baseline clause is in roughly seventy percent of 2026 renewal drafts we have reviewed. It binds the next renewal floor to the peak mailbox count observed during the contract term, with seller telemetry as the authoritative measurement.
  • Email Security is more exposed to this clause than other Symantec products because mailbox counts fluctuate with hiring, with acquisitions and with contractor onboarding. The clause turns operational volatility into contractual permanence.
  • Three positions are negotiable. A rolling twelve month average baseline rather than a peak. Defined exclusions for acquisitions and project surges removed within a stated period. Buyer measurement as authoritative for baseline determination. Each is achievable on accounts with material spend or with a credible alternative scenario.
Reading a Symantec Email Security draft and unsure which clauses are new? Write to the Desk → Two analyst calls, no pitch.

Three related articles

Symantec · The Tell
Three signs your Symantec endpoint renewal is overpriced
Symantec · The Exit
What Cloud SWG migration economics look like against Zscaler
Outcomes · Case
A retail conglomerate cut its Symantec DLP renewal by 52 percent
Cross references. Service: Renewal Negotiation. Practice: Symantec Cloud SWG and Email Security. Calculator: Audit exposure estimator.
Correspondence Invited

Write before the quote becomes a position.

Two analyst calls. No pitch. We tell you what we would do, what the leverage actually is, and whether we are the right firm. If we are not, we will say so.
Who we work for. Buyer side only. No reseller relationship with Broadcom. No partnership of any kind. We do not earn anything from products sold or renewed. Only from outcomes delivered against the contract.