Editor's Note

Authentication is dominating the conversation right now. DKIM2 is moving faster than anyone expected, Microsoft's SMTP AUTH deadline hits in two days, and double-header bugs are causing real-world rejections at Microsoft that slide past Gmail untouched. Plenty here for both infrastructure teams and practitioners.

A note from John: I'll be at Twilio SIGNAL next week (May 6-7) in San Francisco. If you're a TWIE subscriber and want to grab coffee or say hi between sessions, hit reply on this email and we'll find time. Always good to put faces to inboxes.

In This Issue

  • DKIM2 reaches critical mass — the IETF successor to DKIM is coming faster than you think

  • Microsoft SMTP AUTH Basic Auth deadline: April 30 — two days to migrate or break

  • Duplicate headers killing DKIM at Microsoft — a tricky bug Gmail quietly hides

  • MTA-STS: 96.8% of Canadian domains still exposed — low-effort, high-impact fix

  • Opens don't work in spam folders — and that's actually useful data

  • VIPRE Q1 2026: 1.8B emails analyzed — PDF + QR is the new phishing vector

  • Sublime Security: thread hijacking now 28.1% of all BEC

  • BEC legal exposure is growing — Foley Hoag's practitioner breakdown

  • GreenArrow 4.357.0 released

  • Postmark delivery incident, April 2

  • Stalwart Rust mail server: FOSDEM talk on Gmail-scale open source

  • Sinch Mailgun: 18% of emails never reach the inbox

  • Constant Contact acquires GURU Conference

  • Gmail's Gemini AI Inbox is here — subject lines may matter less than you think

  • Open rate reliability continues to erode

  • Lululemon fined A$702,900 for missing unsubscribe links

  • EU AI disclosure requirements coming August 2026

  • M3AAWG restructures with new committee model

  • Adobe hiring email deliverability consultant

  • Upcoming: Twilio SIGNAL (I'll be there!), Inbox Expo, M3AAWG Montréal (I’ll be there too!), BIMI webinar

Top Stories

DKIM2: The Next-Generation Email Authentication Protocol Is Gaining Serious Momentum

Both Spam Resource and Word to the Wise published separate deep-dives on DKIM2 this week — a clear signal this has crossed from "draft document" territory into active practitioner concern. DKIM2 is the IETF successor to DKIM, currently at draft-ietf-dkim-dkim2-spec-01, with deployment expected by end of 2026 — faster than most anticipated.

What does it fix? Three longstanding problems. First: signature breakage when mailing lists, security appliances, or forwarders modify a message in transit. DKIM2 has each intermediary record the changes it made and re-sign, so the recipient can undo those modifications and verify the original signature. Second: replay, where a spammer takes a legitimately signed message and re-injects it to recipients the signer never addressed. DKIM2 binds envelope sender and recipient data into the signature, so a signed message is only valid for the path it was actually sent on. Third: delayed bounces. Because the signed chain identifies who really injected the message, mailbox providers can bounce spam back to the originating ESP rather than to a forgeable envelope address, which has implications for inbound volume handling at the ESP layer.

Al Iverson notes that keys aren't changing (at least not in the current draft), so the sender side may require less rework than you'd expect. Word to the Wise flags that ESPs should start thinking about expanded capacity to handle increased inbound bounce volume. The draft expires October 22, 2026, and is still subject to change.

Microsoft SMTP AUTH Basic Auth Retirement: The Deadline Is Thursday

Microsoft's phased retirement of Basic Authentication for SMTP AUTH hits its final enforcement point on April 30, 2026, this Thursday. Applications and devices that haven't migrated to OAuth 2.0 (SASL XOAUTH2 over the same SMTP AUTH submission path) will fail to authenticate. This catches scan-to-email devices (MFPs), legacy SMTP relay configs, and older marketing tools that assumed Basic Auth would always be there.

The nuance worth knowing: Microsoft has separately delayed a complete shutdown for existing tenants to December 2026, at which point Basic Auth becomes disabled-by-default but still re-enableable by admins. So April 30 is a hard cutoff for new enforcement, not necessarily a permanent brick wall — but any team that hasn't migrated should treat this as urgent. This is exactly the kind of thing that becomes a Monday morning crisis call.
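Added example (mine, not the newsletter's and not Microsoft's code): the SMTP side of that migration using only Python's standard library. Token acquisition is left out; it assumes you already hold a bearer access token for the SMTP submission permission (Microsoft's SMTP.Send delegated scope or the SMTP.SendAsApp application permission, normally obtained with MSAL; take the exact scope URI from Microsoft's current documentation). The host name is Microsoft's public client-submission endpoint; the mailbox, token and recipient values are placeholders.

```python
import base64
import json
import smtplib
from typing import Optional, Union

SMTP_HOST = "smtp.office365.com"   # Microsoft 365 client-submission endpoint
SMTP_PORT = 587                    # STARTTLS


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response, before base64:
    'user=<mailbox>\\x01auth=Bearer <token>\\x01\\x01'."""
    for field in (user, access_token):
        if any(ch in field for ch in "\x01\r\n"):
            raise ValueError("control characters are not allowed in XOAUTH2 fields")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_wire(user: str, access_token: str) -> str:
    """The token that actually follows 'AUTH XOAUTH2 ' on the wire."""
    raw = xoauth2_initial_response(user, access_token).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def xoauth2_unwire(wire: str) -> str:
    """Reverse of xoauth2_wire, handy when reading a capture of a failing client."""
    return base64.b64decode(wire).decode("ascii")


class XOAuth2Auth:
    """authobject for smtplib.SMTP.auth; smtplib base64-encodes whatever we return.
    It calls us with challenge=None for the initial response. If the server rejects
    the token it answers 334 with a base64 JSON status, smtplib decodes that and
    calls us again, and the mechanism requires an empty response to finish."""

    def __init__(self, user: str, access_token: str):
        self.user, self.access_token = user, access_token
        self.server_error: Union[dict, bytes, None] = None

    def __call__(self, challenge: Optional[bytes] = None) -> str:
        if challenge is None:
            return xoauth2_initial_response(self.user, self.access_token)
        try:
            self.server_error = json.loads(challenge.decode("utf-8", "replace"))
        except ValueError:
            self.server_error = challenge
        return ""


def send_with_oauth(user: str, access_token: str, rcpt: str, message: bytes) -> dict:
    """Submit one message over STARTTLS using XOAUTH2 instead of Basic Auth."""
    auth = XOAuth2Auth(user, access_token)
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        try:
            smtp.auth("XOAUTH2", auth)
        except smtplib.SMTPAuthenticationError as exc:
            raise RuntimeError(
                f"XOAUTH2 rejected ({exc.smtp_error!r}); server detail: {auth.server_error!r}"
            ) from exc
        return smtp.sendmail(user, [rcpt], message)


if __name__ == "__main__":
    # Placeholder values: no network call is made here.
    print(xoauth2_wire("user@example.com", "eyJ.placeholder.token"))
```

Two things bite teams here. The mechanism is still SMTP AUTH, only the SASL method changes, so the mailbox-level SMTP AUTH switch still has to be enabled (Set-CASMailbox -SmtpClientAuthenticationDisabled $false) even though Basic Auth itself goes away. And servers implementing XOAUTH2 answer a bad token with a 334 carrying a base64 JSON status before the final 535; the class above keeps that JSON so the failure tells you whether the token was expired, for the wrong scope, or for the wrong mailbox.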

Microsoft DKIM Failures Traced to Duplicate Headers

A practical troubleshooting post from Spam Resource documents a subtle bug: messages pass DKIM at Gmail but fail at Microsoft. The cause is duplicated header fields (a second Subject or From, say), which RFC 5322 permits only once per message. Gmail silently corrects the duplication before running its authentication checks; Microsoft enforces stricter RFC compliance and rejects the message.

The fix is straightforward: audit the raw headers to find and remove the duplicated fields. The discovery process can be frustrating, though, when your DKIM signature is technically valid and Gmail happily delivers your mail. This is a post-enforcement-era behavior shift: what once produced a soft failure is now a hard rejection. A related post from April 9 covers a similar trap with excessive header lengths.
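As an added example (mine, not Spam Resource's code), a small Python audit of a raw message that does the check described above and a little more: it flags header fields that RFC 5322 section 3.6 permits at most once but that appear more than once, flags raw lines over the 998-octet limit of RFC 5322 section 2.1.1, and derives an oversigned DKIM h= list (each signed field listed one more time than it occurs, the technique in RFC 6376 section 8.15) so that any duplicate added after signing invalidates the signature instead of slipping through. The message is constructed for the example.

```python
from collections import Counter

# Header fields RFC 5322 section 3.6 limits to at most one occurrence.
SINGLETON_FIELDS = {
    "date", "from", "sender", "reply-to", "to", "cc", "bcc",
    "message-id", "in-reply-to", "references", "subject",
}
MAX_LINE_OCTETS = 998  # RFC 5322 section 2.1.1, excluding CRLF

# Constructed sample: a second Subject header and an over-long X- header.
SAMPLE = (
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby mail.example.org with ESMTPS; Tue, 28 Apr 2026 09:00:00 +0000\r\n"
    b"Subject: Your April invoice\r\n"
    b"From: Billing <billing@example.org>\r\n"
    b"To: customer@example.net\r\n"
    b"Date: Tue, 28 Apr 2026 09:00:00 +0000\r\n"
    b"Message-ID: <20260428090000.1@example.org>\r\n"
    b"Subject: Your April invoice\r\n"
    b"X-Campaign-Params: " + b"a" * 1000 + b"\r\n"
    b"\r\n"
    b"Your invoice is attached.\r\n"
)


def header_lines(raw: bytes) -> list:
    """Return the raw header block as a list of lines (folded lines kept separate)."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    return raw.split(sep, 1)[0].splitlines()


def unfold(lines: list) -> list:
    """Join folded continuation lines; return (lowercased name, value) pairs in order."""
    fields = []
    for line in lines:
        text = line.decode("utf-8", errors="replace")
        if text[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + text.strip()
        else:
            name, _, value = text.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return [(name, value) for name, value in fields]


def audit_headers(raw: bytes) -> dict:
    """Report duplicated singleton fields and raw lines longer than 998 octets."""
    lines = header_lines(raw)
    fields = unfold(lines)
    counts = Counter(name for name, _ in fields)
    return {
        "fields": fields,
        "duplicates": {n: c for n, c in counts.items() if c > 1 and n in SINGLETON_FIELDS},
        "long_lines": [i for i, line in enumerate(lines, start=1) if len(line) > MAX_LINE_OCTETS],
    }


def oversigned_h_tag(fields, names=("from", "subject", "date", "to", "message-id")) -> str:
    """DKIM h= value listing each field one more time than it occurs. The verifier
    hashes the missing instance as the empty string, so a header added later
    changes the hash and the signature fails (RFC 6376 sections 5.4.2 and 8.15)."""
    counts = Counter(name for name, _ in fields)
    return ":".join(n for name in names for n in [name] * (counts.get(name, 0) + 1))


if __name__ == "__main__":
    report = audit_headers(SAMPLE)
    print("duplicate singleton fields:", report["duplicates"])
    print("lines over 998 octets:", report["long_lines"])
    print("suggested h=", oversigned_h_tag(report["fields"]))
```

Run it against the raw source of a message as Microsoft received it (not the copy your ESP shows you, since intermediaries can add fields): the duplicate list is what to remove, and the h= suggestion is what to feed your signer so the next appliance that prepends a Subject breaks the signature loudly rather than passing at one provider and failing at another.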

Deliverability & Authentication

MTA-STS Explainer — and Why 96.8% of Canadian Domains Don't Have It

Spam Resource published a DELIVTERMS entry on MTA-STS this week, timed well alongside a PowerDMARC report showing that 96.8% of Canadian domains have an MTA-STS gap. MTA-STS lets a receiving domain publish, through a DNS TXT record and a small policy file served over HTTPS, that sending MTAs must reach its MX hosts over TLS with a valid certificate; in enforce mode a sender that cannot negotiate that must not deliver over cleartext. It's not glamorous, but for most organizations the gap is closeable with a low-effort deployment: one DNS record and one static file.
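Added example (mine, not from the DELIVTERMS entry or the PowerDMARC report): a Python validator for the two MTA-STS artifacts, the `_mta-sts.<domain>` TXT record and the `/.well-known/mta-sts.txt` policy, checked against the domain's published MX hosts. It parses the policy per RFC 8461, implements the single-label wildcard rule for `mx:` patterns, and reports the gaps that leave a domain "deployed but not protected". The record, policy and MX list are constructed; the live DNS and HTTPS fetches are left out so it runs offline.

```python
import re

STS_ID = re.compile(r"^[A-Za-z0-9]{1,32}$")
MAX_AGE_LIMIT = 31_557_600   # RFC 8461 section 3.2: max_age is at most one year
MODES = {"testing", "enforce", "none"}

# Constructed sample of a half-deployed domain: policy published, still in testing,
# with one MX host the policy does not cover.
TXT_RECORD = "v=STSv1; id=20260428T120000;"
POLICY_FILE = """version: STSv1
mode: testing
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""
DNS_MX_HOSTS = ["mail.example.com", "backup.example.net", "old-mx.example.org"]


def parse_sts_txt(record: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record (v=STSv1; id=<policy version>)."""
    fields = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    if not STS_ID.match(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> dict:
    """Parse and validate the mta-sts.txt policy body."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in policy:
            raise ValueError(f"duplicate key {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in MODES:
        raise ValueError("mode must be testing, enforce or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.net"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return pattern == host


def assess(txt_record: str, policy_text: str, dns_mx_hosts: list) -> list:
    """Return human-readable findings; an empty list means the policy is sound."""
    findings = []
    parse_sts_txt(txt_record)
    policy = parse_policy(policy_text)
    if policy["mode"] != "enforce":
        findings.append(f"mode is {policy['mode']}: senders may still fall back to cleartext")
    if policy["max_age"] < 86_400:
        findings.append("max_age is under a day: senders forget the policy almost immediately")
    for host in dns_mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX {host} is not listed in the policy: delivery to it fails under enforce")
    return findings


if __name__ == "__main__":
    for finding in assess(TXT_RECORD, POLICY_FILE, DNS_MX_HOSTS):
        print("-", finding)
```

In the live version the TXT record comes from `_mta-sts.<domain>`, the policy from `https://mta-sts.<domain>/.well-known/mta-sts.txt` (the certificate must be valid for that exact name, which is where a surprising number of deployments fail), and the host list from the domain's MX records. Roll out with `mode: testing` plus a TLS-RPT record (`_smtp._tls.<domain>`, `v=TLSRPTv1; rua=mailto:...`) so senders report failures first, then flip to `enforce` once the reports are clean.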

The PowerDMARC Canada report (based on 555 domains across seven industries) tells a familiar story globally: strong foundational DMARC adoption, near-total failure to reach active enforcement. Only 10.7% of domains worldwide have DMARC at p=reject applied to 100% of mail. 70.9% have no effective DMARC protection at all. IBM data puts the average cost of a Canadian data breach at CA$6.98M, and of a phishing-related breach at CA$7.91M.

No, Images Are Not Pre-Fetched in the Spam Folder

Laura Atkins at Word to the Wise pushed back this week on a claim circulating on LinkedIn: that images are pre-fetched even when email lands in spam, making opens unreliable as a placement signal. This is false. Mailbox providers do not load remote images for messages in the spam folder, as a security measure (a remote image load is a beacon back to the sender, and providers withhold it for mail they have already judged suspicious). Gmail requires users to manually move a message out of spam before images display, so spam-folder messages generate no opens at all.

The practical flip side: because spam-folder placement produces no opens at all, opens can legitimately be used as a rough inbox-versus-spam placement signal. A segment that normally opens going silent at one provider points at spam placement there. Not a perfect measurement (Apple Mail Privacy Protection fires opens without a human, and a quiet subscriber looks the same as a spam-foldered one), but a useful one.

Security & Anti-Abuse

VIPRE Q1 2026: PDF + QR Is the New Phishing Vector

VIPRE's Q1 2026 Email Threat Trends Report covers 1.8 billion emails processed in Q1 2026. The headline finding: PDF attachments now account for 63% of malicious attachments, increasingly carrying QR codes so that the lure URL lives in an image rather than in text a scanner can read. Open redirects account for more than 89% of phishing URLs: the link points at a legitimate, reputable domain whose redirect endpoint forwards the click to the phishing page, so reputation checks only ever see the trusted host.
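Added example (mine, not VIPRE's detection logic): a Python check for the open-redirect pattern described above, run over constructed sample links. It looks for a second absolute URL hidden in a query parameter (plain, percent-encoded, double-encoded, or base64), in a protocol-relative form, or embedded in the path (including the `https:/host` shape left behind when a proxy collapses `//`), and flags the link when that inner host differs from the host the link appears to point at. Domains in the samples are reserved documentation names.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

ABS_URL = re.compile(r"^(?:https?:)?//", re.IGNORECASE)
PATH_URL = re.compile(r"https?:/{1,2}([^/?#\s]+)", re.IGNORECASE)

# Constructed sample links (documentation names only).
SAMPLE_LINKS = [
    "https://login.example.com/redirect?returnUrl=https%3A%2F%2Fevil.example%2Fsignin",
    "https://trusted.example.net/go?u=aHR0cHM6Ly9ldmlsLmV4YW1wbGUvcGF5",   # base64 target
    "https://cdn.example.org/r/https:/evil.example/doc.pdf",              # target in path, '//' collapsed
    "https://a.example.com/?next=//evil.example/",                       # protocol-relative
    "https://shop.example.com/products?id=42&next=/account",            # benign relative next=
]


def _candidates(value: str):
    """Yield plausible decodings of a parameter value: as-is, percent-decoded
    (twice, for double encoding) and base64 / urlsafe-base64."""
    yield value
    yield unquote(value)
    yield unquote(unquote(value))
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def _host_of(candidate: str) -> Optional[str]:
    if candidate.startswith("//"):
        candidate = "https:" + candidate
    return urlsplit(candidate).hostname


def find_open_redirect(url: str) -> Optional[dict]:
    """Return where the link really goes if it carries a redirect to another host,
    else None. Keys: landing (host in the link), target (host it forwards to),
    param (query parameter carrying it, or None when it sits in the path)."""
    parts = urlsplit(url)
    landing = (parts.hostname or "").lower()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for cand in _candidates(value):
            if ABS_URL.match(cand):
                target = (_host_of(cand) or "").lower()
                if target and target != landing:
                    return {"landing": landing, "param": key, "target": target}
    m = PATH_URL.search(unquote(parts.path))
    if m:
        target = m.group(1).lower()
        if target != landing:
            return {"landing": landing, "param": None, "target": target}
    return None


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(find_open_redirect(link), "<-", link)
```

The comparison is on exact hostnames, so a redirect from `login.example.com` to `shop.example.com` is flagged too; in a gateway you would allow-list your own registrable domains and treat the rest as worth a detonation or a safe-browsing lookup on the inner target, which is the host the reputation feeds never saw.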

Attackers are also pivoting away from Newly Registered Domains (NRDs) as detection improves, leaning instead on trusted established infrastructure: Microsoft, Cloudflare, TestFlight. Commercial spam represents 46% of all spam volume, delivered mostly through compromised accounts (33%) and free email services (32%). CEO impersonation is down from 73% of BEC in Q1 2025 to 54% now. Swedish emerged as the second-most common BEC language — a notable surge in Nordic targeting.

Sublime Security 2026: Thread Hijacking Now Bigger Than Traditional BEC Email

Sublime Security's 2026 Email Threat Research Report (covering 2025 threat data) finds that BEC represents 32% of all email threats by volume — and within that, thread hijacking and fake threads account for 28.1%, surpassing traditional BEC email as the dominant attack pattern. Attackers are inserting themselves into legitimate conversations, making it harder to spot even with trained eyes.

Other key findings: 34.7% of attacks used two or more evasion techniques in the same campaign; 32.8% leveraged emerging platforms (Jotform, Typeform, Notion, WeTransfer, Airtable) rather than well-known phishing infrastructure. AI is accelerating both volume and iteration pace.

BEC Legal Exposure Is Growing: Foley Hoag's Practitioner Breakdown

Law firm Foley Hoag published an April 2026 analysis of BEC legal trends worth reading if you handle financial communications. Context: 63% of treasury practitioners surveyed by AFP named BEC as the #1 avenue for payment fraud attempts in 2025. Thread hijacking — attackers inserting themselves into real email conversations to redirect wire transfers or payment instructions — is now the dominant vector. Understanding the legal risk and response framework is increasingly part of the CISO and CFO brief.

Infrastructure & MTAs

GreenArrow Engine v4.357.0 Released

GreenArrow released v4.357.0 of its email engine this week, with updates focused on monitoring, queue handling, and bounce management for high-volume senders. The company was also a Platinum Sponsor of the Deliverability Summit 2026 in Barcelona (April 20-22), which just concluded.

Postmark Delivery Incident — April 2, 2026

Worth noting for teams with dependencies on Postmark for time-sensitive transactional email: Postmark experienced a delivery delay incident starting around 7:00 PM UTC on April 2, caused by an infrastructure configuration change that disrupted internal mail routing. Service was restored April 3 at approximately 4:20 AM UTC — roughly nine hours of degraded delivery.

Stalwart: Can Open Source Do Gmail-Scale Email?

Stalwart, the open-source Rust-based mail server with full JMAP/IMAP/SMTP support, presented at FOSDEM 2026 on the question of whether open source can scale to Gmail-level email volumes — exploring a 1,024-node cluster architecture. Version 1.0 is approaching feature completion; webmail development is planned for later in 2026. Worth watching if you're tracking the self-hosted/open-source mail infrastructure space.

Email Marketing & Platforms

Sinch Mailgun: 18% of Emails Never Reach the Inbox

The Sinch Mailgun Email Impact Report 2026 (1,234 respondents across US, UK, France, Germany, Spain) leads with a number that should be uncomfortable for any email program owner: 18% of emails fail to reach the inbox. That's up to one-fifth of your email ROI evaporating before a subscriber even sees the message.

78% of respondents say email is critical to business success. AI is widely adopted, but almost entirely for basic content generation — optimization, segmentation, and deliverability applications remain significantly underutilized. Organizations using AI more strategically report meaningfully better outcomes.

Constant Contact Acquires GURU Conference

Constant Contact acquired select assets from GURU Media Hub in January 2026, including GURU Conference (29,000+ annual attendees), SubjectLine.com, and the Certified GURU marketing certification program. Founder Jay Schwedelson becomes a Constant Contact Brand Ambassador while retaining creative control. GURU 2026 is scheduled for November 12-13, 2026 — free and virtual.

Adobe Is Hiring an Email Deliverability Consultant

Spam Resource flagged that Adobe is actively recruiting for an email deliverability consultant role, requiring 2-4 years of experience. Worth passing along if you know someone looking, or worth a look if you are looking yourself.

AI & Email

Gmail's Gemini AI Inbox: Subject Lines May Matter Less Than You Think

Google rolled out AI Inbox and AI Overviews to Gmail in January 2026, powered by Gemini 3. AI Overviews summarizes email threads in natural language — available free to all users. AI Inbox restructures the inbox around briefing-style summaries, topics, and to-dos rather than a chronological message list.

The deliverability implication practitioners are still working out: if subscribers regularly see an AI-generated summary instead of your actual subject line and preheader, the content strategy and design decisions built around first-impression hook copy shift significantly. Opens triggered by AI-summarized inbox views may not reflect genuine engagement. Watch this space.

The Open Rate Reliability Problem Is Accelerating

Apple Mail Privacy Protection now accounts for approximately 49% of email opens — pre-loading pixels regardless of whether a human actually opened the message. Litmus estimates roughly half of all reported opens in 2026 are artificially inflated. Add Gmail's AI Inbox (subscribers may consume content via summary without triggering a pixel load) and the signal degrades further.

Practitioners are shifting toward clicks, conversions, and audience retention as primary engagement signals. Opens still have diagnostic value — particularly for inbox vs. spam placement detection — but treating reported open rate as a reliable measure of engagement is increasingly hard to defend.

Regulatory & Compliance

Lululemon Fined A$702,900 for Sending 370,000 Emails Without Unsubscribe Links

Australia's ACMA fined Lululemon A$702,900 in March 2026 for sending over 370,000 commercial emails without unsubscribe mechanisms between December 2024 and January 2025. Lululemon classified the messages as "service emails" — shipping updates, order confirmations — but because they contained promotional content and direct links to sales, Australian law treated them as commercial messages requiring opt-out capability.

Lululemon entered a court-enforceable compliance undertaking with an independent review requirement. The lesson: any message that mixes transactional information with promotional links is legally commercial in many jurisdictions. Unsubscribe is not optional, and "it's a service email" is not a defense once you put a sale link in it.

EU AI Disclosure Requirements for Email: August 2026

Multiple compliance sources are flagging that by August 2026, AI-generated emails sent to EU recipients may need to carry machine-readable markers identifying them as AI-generated, include human-readable disclosures, and be technically detectable as AI-produced content. The requirements are still emerging and not fully codified, but brands using AI content generation at scale should start tracking this now.

Industry Organizations

M3AAWG Restructures with New Priority Committees

M3AAWG announced a significant organizational refresh in February 2026, replacing its previous working group structure with four core Priorities and newly aligned Committees. Worth noting for anyone involved in anti-abuse work or industry standards participation — the engagement model has changed.

Upcoming meetings: 67th General Meeting, June 8-11, 2026, Montréal (Le Centre Sheraton); 68th General Meeting, October 26-29, 2026, Paris.

Events & Community

  • Twilio SIGNAL 2026 — May 6-7, San Francisco. Twilio's annual customer and developer conference covering CPaaS, customer engagement, AI, and messaging infrastructure. I'll be there both days — TWIE subscribers, hit reply if you want to meet up.

  • Inbox Expo 2026 — May 26-28, Atlanta, GA. Practitioner-focused email and CRM conference at the Omni Atlanta at Centennial Park. Deliverability, authentication, automation, lifecycle marketing, inbox trends. Early bird from ~$560 for brand-side attendees.

  • M3AAWG 67th General Meeting — June 8-11, Montréal, Canada (Le Centre Sheraton). 300-500 participants from the global anti-abuse community. Registration opens approximately 4-6 weeks prior.

  • BIMI Webinar: "When Email Deliverability Isn't Enough" — Date TBD. Al Iverson and partners on BIMI and turning deliverability trust into brand impact.

  • Deliverability Summit Barcelona — Just concluded (April 20-22). Practitioner-led no-vendor-pitch technical summit at La Pedrera. Recap content is emerging now on the emailexpert hub and LinkedIn.

  • GURU Conference 2026 — November 12-13, virtual, free. Now under Constant Contact ownership with Jay Schwedelson retaining creative control.

This Week In Email — thisweekin.email