In This Issue

  • AI-powered phishing bypasses MFA at industrial scale

  • DKIM2 — the biggest change to email auth since DMARC

  • Gmail AI Inbox rolls out to $250/mo Ultra subscribers

  • Apple enters business email; Amazon WorkMail winding down

  • Washington amends anti-spam law — damages cut, knowledge required

  • Deliverability: Spamhaus deadline, Outlook enforcement, Gmail glitch analysis

  • Security: BEC legal liability shifting, Gmail privacy concerns

  • Infrastructure: Classic Outlook fix, New Outlook delayed to 2027

  • Events: Unspam, Deliverability Summit, Inbox Expo, M3AAWG

AI-Powered Phishing Bypasses MFA at Industrial Scale

Security — Featured

Microsoft Defender Security Research just published a detailed analysis of what might be the most sophisticated phishing campaign we've seen yet. Since March 15, 10–15 distinct campaigns have been launching every 24 hours, compromising hundreds of organizations daily. The technique: generative AI crafts role-specific phishing emails — RFPs, invoices, manufacturing workflows — then routes victims through automated redirects on trusted serverless platforms like Railway, Cloudflare Workers, and AWS Lambda.

The key innovation is timing. Device codes are generated only when the victim clicks, which bypasses the 15-minute expiration window that was supposed to make device code auth safe. The campaign aligns with the EvilTokens PhaaS toolkit and effectively bypasses MFA entirely by abusing OAuth's legitimate device code flow. Microsoft's recommendation: disable device code flow wherever possible.
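One defender-side response to the campaign above is to review sign-in logs for the device code flow itself. The following is an added example, not part of Microsoft's analysis or this newsletter: it assumes an Entra ID sign-in export in the Microsoft Graph signIn shape (the `authenticationProtocol` field, whose `deviceCode` value marks this flow) and flags successful device-code sign-ins, noting whether the source IP has been seen in the user's other successful sign-ins.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (Graph signIn field names, only the
# fields this check uses). Not real log data.
SAMPLE_LOG = """
{"createdDateTime":"2026-04-07T09:12:00Z","userPrincipalName":"a.user@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T09:40:00Z","userPrincipalName":"a.user@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-04-07T10:02:00Z","userPrincipalName":"b.user@example.com","ipAddress":"198.51.100.8","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2026-04-07T10:15:00Z","userPrincipalName":"c.user@example.com","ipAddress":"203.0.113.9","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""


def parse_records(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(records):
    """Return one alert per successful device-code sign-in.

    new_ip is True when the source IP never appeared in any of that user's
    other successful (non-device-code) sign-ins, which is the case worth
    triaging first if device code flow is still enabled in the tenant.
    """
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])

    alerts = []
    for r in records:
        # Failed device-code attempts (non-zero errorCode) are not alerts here.
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        alerts.append({
            "user": user,
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "new_ip": r["ipAddress"] not in known_ips[user],
        })
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(parse_records(SAMPLE_LOG)):
        print(alert)
```

Any hit at all is the signal if the tenant has already disabled device code flow, since a successful device-code sign-in then means the policy is not being applied.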

DKIM2: The Biggest Change to Email Authentication Since DMARC

Authentication

I published a deep dive this week on DKIM2, the proposed successor to DKIM currently under IETF draft. If you work in email infrastructure, this is the spec to start tracking now. DKIM2 addresses the problems we've been working around for years: forwarding breakage, header ambiguity, and key management complexity that makes rotation feel like defusing a bomb.

The headline improvements: standardized header signing, expanded reporting and feedback loops, simplified key rotation, and — critically — better compatibility with intermediary mail servers that currently break DKIM signatures. Google and Yahoo are backing this. It won't land tomorrow, but when it does, it'll be the most significant change to the authentication stack since DMARC.

Gmail AI Inbox Rolls Out to $250/mo Ultra Subscribers

AI & Email

Google officially launched Gmail's AI Inbox feature to AI Ultra subscribers ($249.99/mo) in the US. Powered by Gemini 3, it's a "productivity-focused interface" that scans unread messages and generates prioritized summaries with direct email links. Two-section layout: prioritized highlights and actionable summaries. Optional, can be disabled, and US-only for now.

The $250/mo price tag limits adoption today, but expansion to lower tiers is expected. For email marketers, the bigger question isn't who has it now — it's what happens when AI summarization becomes the default way most Gmail users interact with their inbox. If your emails can't survive being reduced to a bullet point, that's a problem.

Sources: 9to5Google · Ubergizmo · gHacks

Apple Enters Business Email; Amazon WorkMail Winding Down

Platforms

Apple Business launches April 14 with business email, calendar, and directory services using custom domains — a direct play against Google Workspace and Microsoft 365. Free tier, up to 500 users per org, 5GB iCloud storage per account. Apple is betting that organizations already deep in the Apple ecosystem want an integrated solution without paying for someone else's.

Meanwhile, Amazon WorkMail is shutting down. No new customers after April 30, 2026, with complete shutdown — web client, APIs, IMAP/SMTP endpoints, everything — on March 31, 2027. AWS recommends Kopano Cloud as an alternative. One major player entering the business email market, another exiting. The landscape is shifting.

Washington Rewrites Its Anti-Spam Law — Big Relief for Senders

Regulatory

Governor Ferguson signed HB 2274, amending Washington's Commercial Electronic Mail Act (CEMA). Two changes that matter: statutory damages drop from $500 to $100 per violation, and plaintiffs now must prove senders "knew or reasonably could have known" that subject lines were false or misleading. Strong bipartisan support — 86-11 in the House, 43-5 in the Senate.

This was prompted by a litigation surge following the April 2025 Brown v. Old Navy ruling. The new law takes effect June 11, but it does not apply retroactively to pending litigation — those cases still face the old $500 standard. And California's $1,000/email penalties remain unchanged. Still, if you're a sender with Washington exposure, this is meaningful relief.

Deliverability & Authentication

Spamhaus Oracle DNS Blocklist Deadline — TOMORROW

Starting April 9, queries to Spamhaus free DNSBLs from Oracle IP space will return error code 127.255.255.254 instead of real blocklist data. If your mail infrastructure queries Spamhaus via Oracle's DNS resolvers, you must migrate to Spamhaus Technology's free Data Query Service (DQS) immediately. Failure to act risks blocking all inbound email.
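The risk in that last sentence comes from how the DNSBL response is interpreted: an MTA or filter that treats any 127.x.x.x answer as "listed" will reject every message once the error code starts coming back. The following is an added example (not from Spamhaus or this newsletter) that builds the reversed-IP query name for zen.spamhaus.org and separates genuine listing codes from the 127.255.255.0/24 error codes; the code table is from Spamhaus's published return codes as I know them, and the resolver is injectable so the logic runs offline against constructed answers.

```python
import ipaddress
import socket

# Spamhaus ZEN listing codes (SBL, CSS, XBL, PBL) and the error codes in
# 127.255.255.0/24. The meaning of .254 for Oracle IP space is from the
# April 9 change described above; the rest are Spamhaus's documented codes.
LISTING_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query refused: open/public resolver or blocked IP space",
    "127.255.255.255": "excessive query volume",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 10.2.0.192.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Map the A records returned for a query to (verdict, detail)."""
    if not answers:
        return ("not_listed", None)
    errors = [a for a in answers if a in ERROR_CODES]
    if errors:
        return ("error", ERROR_CODES[errors[0]])
    lists = sorted({LISTING_CODES[a] for a in answers if a in LISTING_CODES})
    if lists:
        return ("listed", ",".join(lists))
    return ("unknown", ",".join(answers))


def should_reject(answers) -> bool:
    """Reject only on a real listing. Error codes fail open so a broken
    lookup path degrades to 'no blocklist data' instead of blocking all mail;
    they should be alerted on, not acted on as listings."""
    return classify(answers)[0] == "listed"


def system_resolver(name: str):
    """Default resolver: A records via the OS resolver, NXDOMAIN -> no answers."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve=system_resolver):
    """Look up one sender IP and return (verdict, detail)."""
    return classify(resolve(dnsbl_query_name(ip)))
```

Running `check_ip` against a constructed resolver that always returns `["127.255.255.254"]` reproduces the post-deadline behaviour and shows the verdict is "error", not "listed".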

Microsoft Outlook Authentication — April 30 Full Enforcement

Microsoft's authentication enforcement for Outlook, Hotmail, and Microsoft 365 reaches full effect on April 30. After that date, unauthenticated email will be increasingly blocked or throttled. Domains without SPF/DKIM/DMARC alignment will be treated as risky. This completes the trifecta — Google, Yahoo, and now Microsoft all requiring proper authentication.

Gmail Glitch Revealed What Happens Without the Promotions Tab

Al Iverson at Spam Resource analyzed a two-day Gmail glitch from January where the Promotions tab stopped working and all emails landed in Primary. The result: engagement went up slightly, but unsubscribes went up even more. The takeaway is counterintuitive but important — the Promotions tab actually protects marketers by letting users engage on their own terms. Forcing emails into Primary backfires.

Security & Anti-Abuse

Foley Hoag published a legal analysis of BEC trends that's worth your time if you handle financial transactions over email. IBM reports 16% of all 2025 data breaches involved AI-powered attacks, with 37% of those using AI-generated phishing. Courts are increasingly scrutinizing who bears liability — payor vs. payee — when wire transfers are misdirected via email compromise. Vendor Email Compromise (VEC), where attackers target trusted third-party vendor accounts, is a growing vector.

Sources: Foley Hoag · JD Supra

Also noteworthy: Gmail AI privacy controls remain confusing — Google says Workspace content isn't used for AI training, but privacy settings are "buried in two separate locations" and some users report being re-enrolled in features they previously disabled. A trust issue for the email ecosystem. WTOP →

Infrastructure & MTAs

Microsoft Fixes Classic Outlook Email Delivery Bug

Microsoft fixed a bug that prevented Classic Outlook users from sending emails via Outlook.com accounts. Error 0x80070005 was blocking users, particularly when Outlook.com accounts were linked to Exchange. Server-side fix deployed April 3. Affected users previously had to use New Outlook or the web client as workarounds.

Also noteworthy: Microsoft delays New Outlook forced migration to March 2027 — pushed back about a year following continued complaints about missing features and compatibility issues. If you've been dragging your feet on migrating, you just got more time. Office Watch →

Events & Community

This Month

  • Unspam 2026 — April 20–22, Long Beach, CA. Practitioner-only, under 250 attendees. AI, accessibility, deliverability, design, copywriting. reallygoodemails.com

  • Deliverability Summit — April 20–23, Barcelona. Premier event for email infrastructure and compliance. Hybrid with online workshops through May 2.

  • Inbox Expo 2026 — May 26–28, Atlanta. Expanded sessions, deliverability insights. inboxexpo.com

CFPs Open

  • M3AAWG 67th General Meeting — June 8–11, Montreal. Topics include DKIM2 transition, post-quantum cryptography, AI abuse detection. m3aawg.org

Light Moment

  • Spamhaus April Fools: The CBL (Composite Blocking List) was "reborn" as a "Cosmic Blocklist" for interplanetary email. No word on Mars's deliverability reputation. Spamhaus

What to Watch

  • Apr 8–9: Spamhaus Oracle DNS blocklist deadline — migrate to DQS or risk blocking

  • Apr 14: Apple Business launches with free business email

  • Apr 20–23: Unspam (Long Beach) and Deliverability Summit (Barcelona) same week

  • Apr 30: Microsoft Outlook authentication full enforcement

  • Apr 30: Amazon WorkMail stops accepting new customers

  • May 5: Yahoo Mail storage cuts take effect

  • Jun 8–11: M3AAWG 67th General Meeting, Montreal

  • Jun 11: Washington CEMA amendment takes effect

  • Mar 2027: Microsoft New Outlook forced migration (delayed from 2026)

  • Mar 31, 2027: Amazon WorkMail full shutdown

I’ll be at Twilio Signal May 6-7. If you’re going to be there as well, let’s connect and talk email!

As always, I’d love to get your feedback! How can I make this newsletter better? Hit “reply” and tell me! Better yet, hit “forward” and send this to someone you know in the email community! (And if you received this via a forward from someone else, please subscribe at https://thisweekin.email!)

See you next week!

— John
