In This Issue
Microsoft Exchange outage + Outlook.com rate-limiting chaos (March 4–16)
NLP phishing technique uses whitespace padding to evade AI filters
Tycoon 2FA phishing platform dismantled — 330 domains, 500K organizations hit
Google's stricter DKIM validation is now failing previously-passing keys
Google Workspace CLI ships with MCP server for AI agents
Microsoft Defender benchmark removes 70% of malicious email post-delivery
Microsoft had a rough week. Exchange Online went down globally on Sunday, and senders have been dealing with aggressive rate limiting and phantom rejections on Outlook.com for two weeks running. Meanwhile, a global coalition seized 330 domains powering one of the most prolific phishing-as-a-service platforms ever, researchers published a new technique that fools AI email filters with whitespace, and Google quietly tightened DKIM validation in ways that are breaking previously-passing keys. Let's get into it.
FEATURED — Microsoft Exchange Online Outage + Outlook.com Rate-Limiting Crisis
This week delivered a one-two punch of Microsoft emergencies. First: since early March, Outlook.com has been aggressively rate-limiting and rejecting email from legitimate senders — clean IPs hitting 451 4.7.650 and 550 errors, with vague "temporary rate-limited" notices that loop indefinitely. Microsoft's internal reputation engine misfired, flagging legitimate infrastructure as spam sources.
Then on March 16 at 06:42 UTC, Exchange Online suffered a full-scale global outage — complete loss of mailbox and calendar access worldwide. Downdetector showed 32% of Outlook users unable to log in and 21% not receiving messages. Root cause: network infrastructure unable to process traffic efficiently, triggering cascading failures across M365.
Action: Deliverability practitioners should watch Microsoft-domain bounce queues closely and document all 4xx/5xx errors to support mitigation requests.
Sources: The Register · PYMNTS · Microsoft Q&A · Xcitium
New Phishing Technique: "Noise" Obfuscation Targeting AI/NLP Email Defenses
KnowBe4 and Egress published research on a new evasion technique actively exploiting a weakness in NLP-based email security. The method: phishing emails contain malicious content at the top (visible to victims), followed by an average of 157 HTML break lines of whitespace, followed by a large block of benign content (Bank of America signatures, links to legitimate sites) at the bottom. NLP classifiers often operate on probability — if there's enough benign content to "outweigh" the malicious portion, the classifier won't flag with sufficient confidence.
Why it matters: This directly undermines a core assumption in AI-based email security. Defenders running NLP-only solutions should test their vendors against this technique. Scanners that measure intent rather than just content probability are more resilient.
Sources: KnowBe4 · Egress · SC Media · CyberScoop
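The dilution effect described above can be reproduced on a constructed message to test a filter's behaviour. This Python sketch is an added example, not code from KnowBe4 or Egress: the word list, the 40-break threshold and the word-fraction scorer are assumptions standing in for a real classifier. It shows that scoring the whole body hides the lure, while scoring each side of the break run separately does not.

```python
import re
from html import unescape

# A run of <br> tags, allowing whitespace and &nbsp; between them.
BR_RUN = re.compile(r"(?:<br\s*/?>(?:\s|&nbsp;)*)+", re.IGNORECASE)
TAG = re.compile(r"<[^>]+>")
# Toy stand-in for a classifier's vocabulary (assumption, not from the research).
SUSPICIOUS = {"verify", "password", "suspended", "urgent", "login"}

def longest_break_run(html):
    """Return (count, start, end) of the longest consecutive <br> run."""
    best = (0, 0, 0)
    for m in BR_RUN.finditer(html):
        count = len(re.findall(r"<br", m.group(0), re.IGNORECASE))
        if count > best[0]:
            best = (count, m.start(), m.end())
    return best

def text_of(html):
    """Strip tags and decode entities to approximate the visible text."""
    return unescape(TAG.sub(" ", html))

def score(text):
    """Fraction of words that are in the suspicious vocabulary."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(w in SUSPICIOUS for w in words) / len(words) if words else 0.0

def analyse(html, min_breaks=40):
    """Compare a whole-body score with the worst per-segment score."""
    count, start, end = longest_break_run(html)
    whole = score(text_of(html))
    if count < min_breaks:  # threshold is an assumption; tune on your own mail
        return {"padded": False, "breaks": count, "whole": whole, "worst_segment": whole}
    head, tail = html[:start], html[end:]
    worst = max(score(text_of(head)), score(text_of(tail)))
    return {"padded": True, "breaks": count, "whole": whole, "worst_segment": worst}

# Constructed sample: lure text, 157 break lines, then benign filler.
SAMPLE = (
    "<p>Urgent: your account is suspended. Verify your password at the login page.</p>"
    + "<br>\n" * 157
    + "<p>" + "Thank you for banking with us. Visit our help centre for branch hours. " * 20 + "</p>"
)
```

On the sample, the whole-body score falls below 2% while the top segment alone scores above 40%, which is the gap a probability-weighted classifier can miss.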
Tycoon 2FA Phishing-as-a-Service Platform Dismantled
Microsoft, Europol, and 11 security firms seized 330 domains powering Tycoon 2FA — an adversary-in-the-middle PhaaS platform that hit 500,000+ organizations monthly by relaying auth prompts in real-time to capture live session tokens, bypassing all forms of MFA. Proofpoint counted 3M+ messages in February alone. The biggest coordinated takedown of email phishing infrastructure in recent memory — and a strong argument for FIDO2/passkeys over TOTP.
Sources: CyberScoop · The Hacker News · Cloudflare · SecurityWeek
Google's Stricter DKIM Validation Is Failing Previously-Passing Keys
Google has implemented stricter DKIM validation that is causing previously-valid DKIM signatures to fail authentication checks in Gmail. Common failure causes include: DNS TXT record character limits truncating 2048-bit DKIM keys, multiple DKIM signatures causing the authenticating signature to be ignored, misalignment between the DKIM-signed domain and the visible "From" address, and message forwarding that invalidates signatures.
Action: Verify DKIM record status (Litmus, MXToolbox, etc.), confirm the signing domain matches the visible "From" address, and check DNS record length limits.
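One way to check a published key for the truncation cause listed above, as an added Python example that is not Google's validation logic or any vendor's tool. It takes the character-strings of a DKIM TXT record as DNS returned them, flags any string over the 255-octet limit, and compares the length declared in the key's outer DER header with the bytes actually present. The sample key is constructed filler, and alignment and forwarding are not covered.

```python
import base64

def parse_tags(record):
    """Split a DKIM tag-list ("v=DKIM1; k=rsa; p=...") into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def der_expected_len(der):
    """Total length declared by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_key_record(txt_strings):
    """txt_strings: the character-strings of one TXT record, in order."""
    issues = []
    if any(len(s) > 255 for s in txt_strings):
        issues.append("a TXT string exceeds 255 octets")
    tags = parse_tags("".join(txt_strings))   # strings are joined with no separator
    p = tags.get("p", "")
    if not p:
        return issues + ["p= is missing or empty (key absent or revoked)"]
    if len(p) % 4:
        issues.append("p= base64 length is not a multiple of 4")
    try:
        der = base64.b64decode(p[: len(p) // 4 * 4], validate=True)
    except ValueError:
        return issues + ["p= is not valid base64"]
    expected = der_expected_len(der)
    if expected is None:
        issues.append("p= does not start with a DER SEQUENCE")
    elif len(der) < expected:
        issues.append(f"key truncated: {len(der)} of {expected} bytes present")
    return issues

# Constructed input: a DER header declaring 290 content bytes (the size of a
# 2048-bit RSA SubjectPublicKeyInfo body) followed by zero filler, not a real key.
FAKE_P = base64.b64encode(bytes.fromhex("30820122") + bytes(290)).decode()
GOOD = ["v=DKIM1; k=rsa; p=" + FAKE_P[:200], FAKE_P[200:]]
TRUNCATED = [("v=DKIM1; k=rsa; p=" + FAKE_P)[:255]]
```

GOOD models a record correctly split into two strings and returns no issues; TRUNCATED models a record cut at 255 characters by a DNS provider's input field and is reported as truncated.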
Google Ships Workspace CLI with Built-In MCP Server for AI Agents
Google released gws — an open-source CLI written in Rust for the entire Workspace suite (Gmail, Drive, Calendar, Sheets, Docs, Chat, Admin). It includes a built-in MCP (Model Context Protocol) server and 100+ "agent skills" enabling AI agents to interact with Workspace data and actions. The CLI dynamically builds its command surface from Google's Discovery Service and outputs structured JSON, making it ideal for AI agent orchestration.
Why it matters: Google is officially enabling AI agents to access Gmail. Combined with recent AI agent funding trends, this marks a significant shift in how email infrastructure will be consumed. Deliverability and anti-abuse implications are significant.
Sources: VentureBeat · GitHub
Microsoft Publishes Email Security Benchmark
Jeff Pinkston, VP and GM of Microsoft Defender for Office 365, published Microsoft's quarterly email security benchmark. Key stat: Microsoft Defender removes an average of 70.8% of malicious email post-delivery, reducing dwell time when cyberthreats bypass initial filtering. This is the first time Microsoft has published granular post-delivery remediation data at this level of transparency, acknowledging that initial filtering isn't sufficient — a meaningful percentage of threats get through, and post-delivery detection and ZAP (zero-hour auto-purge) are critical.
Source: Microsoft Security Blog
Security & Anti-Abuse
Salesforce Marketing Cloud Security Incident — Link Expiration Fallout
January's forced encryption upgrade broke tracked URLs and expired all legacy links. SFMC customers with pre-January 21 campaigns should audit unsubscribe and preference center links — broken unsub links create compliance risk.
Sources: Email Expert · Validity
LastPass Phishing Campaign — Second Major Attack in Two Months
LastPass disclosed an active phishing campaign targeting customers with emails mimicking forwarded internal messages about unauthorized account access. Attackers use spoofed display names and redirect to verify-lastpass.com to harvest master passwords, generating many URL variants to evade detection.
Sources: LastPass Blog · SecurityWeek
Hornetsecurity March 2026 Threat Report — Fuzzing Evades Email Filters
Hornetsecurity highlights a growing trend: threat actors using dynamic text randomization ("fuzzing") to evade signature-based detection. Campaigns are fragmented across thousands of low-volume variants, staying below detection thresholds.
Source: Hornetsecurity
Global Raid Disrupts Fake Casino and Romance Scam Networks
A significant international enforcement action disrupted criminal operations utilizing deceptive email-based schemes including fake casinos and romance scams. Coordinated global efforts are disrupting networks engaged in financial fraud.
Source: Email Expert
Infrastructure & MTAs
unMTA Launches — Managed Dedicated Email Infrastructure Powered by KumoMTA
unMTA (unmta.com), a new managed email infrastructure service built on the open-source KumoMTA platform, launched this week. CEO Dan Stevens announced it on LinkedIn. The pitch: dedicated MTAs, IPs, and compute per customer at flat-rate pricing — $450/mo (≤5M messages), $800/mo (5–25M), or from $1,150/mo (25M+) — with no per-message fees. It sits between self-hosted open-source deployments and traditional shared-infrastructure ESPs.
Source: unmta.com
Deliverability & Authentication
DMARCbis Fireside Chat — Sendmarc + Co-Editor Todd Herr
Sendmarc published a fireside chat with Todd Herr (Principal Solutions Architect at GreenArrow Email and co-editor of DMARCbis). Key points: DMARCbis introduces a standardized DNS tree walk, removes legacy tags, and adds new tags np, psd, and t. Expected to be published as a Proposed Standard in 2026.
Source: PR Newswire
Litmus: SPF Setup Guide and Sender Reputation Suspension Help
Litmus published a step-by-step SPF implementation guide for improving deliverability and domain protection, plus a troubleshooting guide for senders suspended due to reputation data issues. Both align with ongoing post-2024 authentication enforcement.
Sources: SPF Guide · Suspension Help
Word to the Wise: Upcoming Webinar on Gmail and Inbox Signals
Laura at Word to the Wise announced a free discussion about inboxing trends scheduled for early April, focusing on Gmail and inbox delivery signals for 2026. Should be timely given Gmail's AI Inbox rollout and stricter DKIM enforcement.
Source: Word to the Wise
Platforms & Marketing
Zeta Global Completes Marigold Acquisition — Major ESP Consolidation
Zeta Global completed its acquisition of Marigold's enterprise software business for up to $325 million. Acquired products include Selligent, Sailthru, Liveclicker, Cheetah Digital, and Marigold Loyalty/Grow. This is the largest ESP-adjacent consolidation in recent memory. Practitioners using any of these platforms should expect integration changes and migrations in 2026.
Sources: Zeta Global · MarTech
MediaPost: The 4 Big Hurdles Facing Email Marketers
53% of consumers now suspect legitimate brand emails are fraud — MediaPost covers the four big hurdles facing email marketers, including 376B daily messages and growing trust erosion.
Source: MediaPost
AI & Email
Read AI Launches "Ada" — Email-Based Digital Twin for 5M+ Users
Meeting notetaker Read AI launched Ada ([email protected]), an AI-powered email assistant functioning as a "digital twin." Users cc Ada on email threads, and it can find meeting times on calendars, draft replies, and answer questions using context from meetings, email, files, and CRMs. Deploying free to all 5M+ monthly active users — the largest deployment of a digital twin ever.
Sources: TechCrunch · Read AI
EU AI Act: August 2, 2026 Deadline for AI-Generated Email Disclosure
Under Article 50 of the EU AI Act, transparency obligations take full effect August 2, 2026 (~5 months out). If an AI system generates email content sent to EU recipients and it would not be obvious the content is AI-generated, the sender must disclose this. Fines: up to €35 million or 7% of global annual turnover. Most email marketers haven't built disclosure processes yet.
Sources: Orrick · SecurePrivacy · LegalNodes
Regulatory & Compliance
2026 US State Privacy Laws: 19 States Now Active
19 US states now have comprehensive privacy laws — Indiana, Kentucky, and Rhode Island take effect this year. Connecticut and Oregon now require Universal Opt-Out recognition. Watch for coordinated enforcement from the 10-state Consortium of Privacy Regulators.
Sources: Gunster · Privacy World · MarTech
Events & Community
Festival of Email / Deliverability Summit — Barcelona, April 19–25
Full week of email events. Deliverability Summit (April 20–22 @ La Pedrera) — practitioner-led, no vendor pitches — NOW SOLD OUT. Also: Sender Symposium (April 24), Emailexpert Academy Masterclasses. festivalofemail.com
Unspam 2026 — April 20–22, Long Beach CA
Really Good Emails + Beefree. Under 250 attendees. Unconference format. 9.2/10 would recommend. reallygoodemails.com
Word to the Wise: Gmail & Inbox Signals Webinar — Early April
Free webinar on Gmail inboxing trends and delivery signals for 2026. wordtothewise.com
Inbox Expo 2026 — May 26–28, Atlanta GA
Email Industries' annual conference. Focus: deliverability, authentication, AI, compliance. inboxexpo.com
M3AAWG 67th General Meeting — Montreal, June 8–11
CFPs now open. m3aawg.org
What to Watch
NCSC Mail Check / Web Check shutdown: March 31 — UK public sector orgs need alternatives. Multiple vendors (Valimail, dmarcian, Hexiosec, Sendmarc, Red Sift, Intruder) offering migration paths.
Mautic fundraiser deadline: End of March — The $40K–$60K target is approaching.
Yahoo Mail international storage cuts: May 5 — 15GB for European/UK users. Clean lists now.
Microsoft SMTP AUTH Basic Auth — Extended to December 2026, but migration planning should be underway.
iOS 26 Link Tracking Protection — Apple Mail stripping gclid/fbclid/dclid from clicks. UTM params safe.
That's the week.
Yes, I know the format has changed. If someone at Beehiiv wants to hear me rant about how their HTML snippet in the editor cost me 3 hours this week, and how all this could be solved with a Markdown import tool, …. yeah. I’m calm.
As always, I’d love to get your feedback! How can I make this newsletter better? Hit “reply” and tell me! Better yet, hit “forward” and send this to someone you know in the email community! (And if you received this via a forward from someone else, please subscribe at https://thisweekin.email!)

