The Independent Email Industry Roundup
In This Issue
Gmail's AI Inbox is about to change the rules
NCSC retiring Mail Check — March 31 deadline
Microsoft Basic Auth phase-out has begun
SFMC security fallout isn't over
Gmail killing Gmailify & POP fetching in 2026
Security & Auth: DMARCbis, iOS 26, SmarterMail, more
Infrastructure: Postmark Bulk API, Mailjet MCP, KumoMTA, more
Platforms: Mautic crisis, Klaviyo, Mailchimp, SendGrid, more
Regulatory: EU AI Act, US state privacy laws, GDPR trends
Gmail is about to rethink what "reaching the inbox" actually means. The UK's NCSC is pulling the plug on free email security monitoring. Microsoft is finally killing Basic Auth. Salesforce Marketing Cloud customers are still cleaning up January's security disaster. And the biggest revision to the DMARC spec since DMARC is quietly approaching the finish line.
It's a lot. Let's get into it.
Gmail's AI Inbox Is About to Change the Rules
Google's Gemini-powered "AI Inbox" — announced in January — is in beta with Trusted Testers and expected to roll out broadly across the US in Q2. This isn't a filter tweak. It's a fundamental shift from rule-based to meaning-based inbox ranking.
Here's the number that should get your attention: Folderly reports that up to 40% of emails reaching Gmail inboxes are being deprioritized by AI filtering. Not blocked. Not bounced. Just quietly buried. "VIP Sender" status is now dynamic — earned and lost based on engagement signals the AI interprets in real time.
Meanwhile, previously premium-only features like Help Me Write and AI summaries are now available to all personal Gmail users. Google is betting the entire inbox experience on Gemini. If you send email for a living, this is the story to watch this quarter.
Folderly • Google Blog • TechCrunch
Events
Building Self-Hosted Email Infrastructure from the Ground Up
I'm joining Mike Hillyer on KumoMTA Office Hours to talk about taking an MTA in-house — the decisions, the migration, and the reality of running email infrastructure at scale. Live Q&A, free to attend. Wednesday, March 18 at 12:00 PM ET.
NCSC Retiring Mail Check & Web Check — March 31 Deadline
The UK's National Cyber Security Centre is shutting down its free Mail Check and Web Check services on March 31. These tools have monitored SPF, DKIM, and DMARC compliance for UK organizations since 2017. Thousands of public-sector and enterprise domains relied on them.
If you're affected, the migration path is to a commercial EASM (External Attack Surface Management) platform. Sendmarc and Redsift both have migration guides linked below. The deadline is three weeks away — don't wait on this one.
NCSC Blog • Sendmarc • Redsift
Microsoft Basic Auth Phase-Out Has Begun
SMTP AUTH Basic Authentication rejections started March 1, ramping to 100% by April 30. If you have legacy integrations sending via Exchange Online with username/password auth — the clock is ticking.
There's a wrinkle, though. Microsoft has pushed full retirement to December 2026 for existing tenants — the result of significant pushback from enterprises that weren't ready. New tenants from January 2027 won't have the option at all. The April ramp-up will start breaking things for anyone who hasn't migrated to OAuth.
Microsoft Tech Community
The SFMC Security Fallout Isn't Over
January's Salesforce Marketing Cloud security disaster (CVE-2026-22582/83/86) continues to ripple through the industry. The forced migration to AES-GCM encryption doubled URL lengths to roughly 580 characters — which broke DKIM signatures on Microsoft servers and caused an estimated 25% deliverability drop for four days.
Worse: all legacy tracking links were expired overnight, and broken unsubscribe links remain unresolved for many senders. When your security patch breaks people's ability to unsubscribe, you've traded one compliance problem for another.
Email Expert • Validity
Gmail Killing Gmailify & POP Fetching in 2026
Google is deprecating Gmailify (linking non-Google accounts to Gmail) and desktop POP "Check mail from other accounts." New users have been blocked since Q1 2026; existing users will lose access later in the year. All previously synced messages remain, but new emails won't fetch.
Users are directed to set up forwarding at the source or use IMAP via Gmail's mobile apps. If you run a mail server and a meaningful chunk of your users access mail through Gmail's POP fetch, start communicating alternatives now.
Google Support • 9to5Google • TidBITS
Security & Authentication
DMARCbis Is Almost Here
Draft 41 of DMARCbis is nearing Proposed Standard status, and this is the biggest revision to DMARC since DMARC. The headline change: the Public Suffix List is gone, replaced by a DNS tree walk for organizational domain discovery. The spec is splitting into three separate RFCs.
New tags to know: np for non-existent subdomain policy, psd for public suffix domains, and t=y replaces the old percentage-based testing. The pct, rf, and ri tags are removed. Records still start with v=DMARC1 — no breaking change at the syntax level. Sendmarc published a fireside chat with co-editor Todd Herr that's worth your time.
IETF Draft-41 • Sendmarc / Todd Herr • DMARCwise
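As an added illustration (not code from this newsletter or from the IETF draft), the Python below audits existing DMARC records against the tag changes listed in this item. The sample records, the `.example` domains and the `audit` helper are constructed for the example, and it relies only on the tag facts stated above.

```python
# Added example: audit DMARC records against the tag changes listed in this item.
REMOVED_TAGS = {"pct", "rf", "ri"}  # listed above as removed in DMARCbis
NEW_TAGS = {"np", "psd", "t"}       # listed above as new in DMARCbis

# Constructed sample records (hypothetical domains), not real DNS data.
SAMPLES = {
    "legacy.example": "v=DMARC1; p=quarantine; pct=25; rf=afrf; ri=86400; "
                      "rua=mailto:dmarc@legacy.example",
    "updated.example": "v=DMARC1; p=reject; np=reject; t=y; "
                       "rua=mailto:dmarc@updated.example;",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate trailing or doubled semicolons
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        # Lower-casing tag names is a leniency choice made by this example.
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def audit(record):
    """Return which removed and new tags a record uses, plus migration notes."""
    pairs = parse_dmarc(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: it must start with v=DMARC1")
    tags = dict(pairs)
    notes = []
    pct = tags.get("pct")
    if pct is not None and pct != "100" and "t" not in tags:
        notes.append(f"pct={pct} asks for partial enforcement; pct is removed "
                     "and t=y is the testing replacement")
    return {"removed": sorted(REMOVED_TAGS & tags.keys()),
            "new": sorted(NEW_TAGS & tags.keys()),
            "notes": notes}


if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, audit(record))
```
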
iOS 26 Expands Link Tracking Protection to Mail
Apple's next privacy move: iOS 26 will strip gclid, fbclid, and dclid from URLs clicked in Mail. Advanced Fingerprinting Protection is now on by default in Safari.
The important nuance: standard UTM parameters are not stripped. Apple is targeting cross-site tracking identifiers specifically, not campaign attribution broadly. If your measurement strategy already relies on UTMs rather than platform-specific click IDs, you're in good shape.
Email Expert • Within
Also Noteworthy
SmarterMail critical vulns under active exploitation — ransomware groups deploying Warlock via auth bypass. Patch immediately.
The Hacker News →
Microsoft domain spoofing warning — phishing actors exploiting misconfigured MX/routing to spoof sender domains, linked to Tycoon2FA PhaaS.
Microsoft Security Blog →
"Dual-channel" BEC attacks — combining email with phone/SMS/WhatsApp follow-up. 5,000+ attacks in 2025, callback phishing more than doubled.
Computer Weekly →
Coremail CACTER AI email gateway — "AI vs AI" defense architecture using LLMs and multimodal analysis to combat AI-generated phishing.
Thailand Business News →
Spamhaus updates — new CSS troubleshooting tool; March stats show Poland with 400% increase in botnet C&Cs, Chinamobile 784% increase in exploited IPs. Oracle network users need config changes before April 8.
Spamhaus →
Infrastructure & MTAs
Postmark Launches Bulk API
Postmark — long known as the "we only do transactional" provider — launched a Bulk API on March 5. Send the same message to thousands of recipients with a single API call, with personalization via template variables and Cc/Bcc support. All bulk sends go through dedicated broadcast IPs, keeping transactional and bulk traffic separate. It's a measured expansion that stays true to their reputation-first approach.
Postmark • Blog deep dive
Mailjet Open-Sources an MCP Server
Mailjet released an open-source MCP (Model Context Protocol) server that lets AI assistants like Claude query email data conversationally. Read-only by default, free, and self-hostable via Node.js. This is the kind of AI integration that actually makes sense — giving your tools a structured way to talk to your email data without building custom API glue.
Mailjet Blog • GitHub
Also Noteworthy
KumoMTA "Sweet Sixteen" release (Mar 4) plus their published 2026 State of MailOps Report.
GreenArrow Engine v4.357.0 — improved monitoring, queue handling, and bounce management.
Halon Engage 17 — abuse prevention and security updates; also published their 2026 email trends blog.
Halon Blog →
Stalwart Mail Server (Rust, open-source) approaching 1.0 — gave a FOSDEM talk on scaling to a 1,024-node cluster.
Platforms & Marketing
Mautic Facing $50K Budget Shortfall
The open-source marketing automation project has cut its Project Lead hours by 40%, cancelled a developer hire, and is fundraising with an end-of-March deadline. Their $140K annual budget is the bare minimum to keep the project alive. A Hacker News discussion drew significant attention to the crisis.
If you use Mautic — or rely on it as a self-hosted alternative to the big platforms — this is worth paying attention to. Open-source projects don't survive on goodwill alone.
Mautic Blog • HN Discussion
Also Noteworthy
Klaviyo — $500M share repurchase plus Google strategic partnership for "autonomous customer experiences." Stock up 8%.
BusinessWire →
Mailchimp — major ecommerce upgrades (site tracking pixel, Yotpo/Judge.me integrations, SMS across Europe, omnichannel dashboard). Published "Art of the Opt-In" report: only 8% of marketers see opt-in rates above 20%.
Mailchimp →