In This Issue

  • RSAC 2026: “Agentic” email security has officially arrived

  • Forrester Wave Q1 2026 — Cordial and Zeta named Leaders

  • Lululemon fined $700K for spam violations in Australia

  • Microsoft OAuth abuse weaponizes legitimate redirects for phishing

  • Validity benchmark: 83.1% global inbox placement, Outlook worst

  • Security: dual-channel BEC, SOC workload attacks

  • Infrastructure: KumoMTA Spring release, Stalwart v0.15, State of MailOps

  • AI & Email: Gmail AI Inbox continues rollout

  • Events: Barcelona, Unspam, WttW webinar, M3AAWG

RSAC 2026 happened this week, and one word dominated every email security announcement: agentic. Proofpoint, IRONSCALES, and Darktrace all shipped AI agent-based platforms — and Proofpoint is merging its gateway and API security into one product. Meanwhile, Forrester dropped its new Wave for email marketing, Australia fined Lululemon $700K for spam, and Validity's annual benchmark confirms what we've been hearing: Outlook deliverability is in rough shape.

It's a packed one. Let's get into it.

RSAC 2026: “Agentic” Email Security Has Arrived

If you follow one theme out of RSA Conference this week, it's this: email security vendors are no longer just using AI to filter messages. They're deploying autonomous agents that red-team, triage, simulate, and respond. Three major announcements landed in the same 48-hour window:

Proofpoint announced the biggest architectural shift in its history: on June 30, it will unify its Secure Email Gateway (SEG) and API-based email protection into a single integrated model. SEG handles perimeter (north-south) traffic; API extends to internal (east-west) email — all from one console. They also introduced AI Data Access Governance and intent-based AI Security for monitoring agent behavior. The SEG vs. API debate that's defined email security for years? Proofpoint just declared it over.

IRONSCALES launched three specialized AI agents: a Red Teaming Agent that gathers OSINT and trains defenses against organization-specific attacks, a Phishing SOC Agent that automates triage workflows, and a Phishing Simulation Agent delivering continuous, AI-generated attack simulations tailored per employee. They also debuted “Email Attack of the Day” — a daily threat intelligence series worth bookmarking.

Darktrace launched managed email security for MSSPs, using Self-Learning AI that adapts per-user and per-organization. They also released a concrete data point: analysis of 32 million phishing emails across their fleet shows AI-assisted phishing techniques increased from 32% to 38% year-over-year. Longer, more targeted attacks designed to beat traditional defenses.

This is the biggest thematic shift in email security positioning since “AI-powered” became table stakes three years ago. Expect every vendor in the space to adopt the “agentic” framing by year end.

Forrester Wave Q1 2026: Cordial and Zeta Named Email Marketing Leaders

Forrester published its Q1 2026 Wave for Email Marketing Service Providers, evaluating 12 vendors. Two came out on top: Cordial earned highest possible scores in 10 criteria including identity resolution, dynamic messaging, and pricing transparency (used by Levi's, L.L.Bean, Boot Barn). Zeta Global received the highest Strategy score of any vendor, with perfect 5.0 marks in 11 criteria including AI Approach, Innovation, and Roadmap.

Zeta's positioning reflects its aggressive M&A strategy — the $325M Marigold acquisition we covered previously is clearly paying dividends in the analyst community. Worth watching how this reshapes enterprise ESP selection in 2026.

Lululemon Fined A$702,900 for Spam Violations in Australia

Australia's ACMA fined Lululemon A$702,900 for sending over 370,000 marketing emails without unsubscribe links between December 2024 and January 2025. The violation: Lululemon classified emails containing delivery and order confirmations as “service messages,” but those emails also included sales promotions and direct links to marketing content — making them commercial under Australian spam law.

This is the fifth enforcement action ACMA has taken in 18 months against businesses incorrectly treating promotional emails as non-commercial. The lesson is global, not just Australian: blending marketing content into transactional emails without an unsubscribe mechanism is a compliance risk under CAN-SPAM, GDPR, and CASL too.

Microsoft OAuth Abuse Weaponizes Legitimate Redirects for Phishing

Microsoft published research on a sophisticated phishing technique exploiting OAuth's by-design redirection mechanisms to target government organizations. Attackers craft OAuth authorization requests with deliberately invalid parameters — impossible scopes, silent auth prompts that can't succeed — which causes OAuth to redirect to attacker-controlled infrastructure without stealing tokens.

The email vector is central: phishing emails using e-signature, financial, or political themes link to the OAuth authorization URL. Because the initial link points to legitimate Microsoft infrastructure, it bypasses URL reputation checks entirely. Victims land on frameworks like EvilProxy that intercept credentials and session cookies. Microsoft Entra disabled the observed apps, but related activity persists.

Validity Benchmark: 83.1% Global Inbox Placement — Outlook Worst

Validity released its 2026 Email Deliverability Benchmark Report, backed by trillions of global inbox data points. The global average inbox placement rate sits at 83.1% — meaning roughly 1 in 6 technically “delivered” emails never reach a visible inbox. European B2B senders lead at 89–91% (GDPR-driven list hygiene), North America averages around 85%, and Asia-Pacific trails at 78%.

The standout finding: Microsoft Outlook has the lowest deliverability rate among all major providers, down significantly from last year. That tracks with the rate-limiting and blocking issues we've covered in previous issues. Brands with active list hygiene achieve 8–12% higher inbox placement — a real and measurable edge.

Security & Anti-Abuse

“Dual-Channel” BEC: Email + Phone/SMS Is 2026’s Defining Fraud Technique

The pattern: a fraudulent email demanding an “urgent payment,” followed almost immediately by a phone call or WhatsApp message that “confirms” the request. LevelBlue tallied 5,000+ dual-channel attacks in 2025: 66% moved to SMS, 32% to WhatsApp, 2% to personal email. BEC remains the costliest email threat ($2.7B+ in adjusted FBI IC3 losses for 2024), and this multi-channel approach renders email-only protection effectively useless.

Also Noteworthy

Attackers weaponize SOC workload — deliberately overwhelming security teams with high volumes of low-quality phishing to create noise, then slipping targeted attacks through during the distraction. Exploits analyst fatigue rather than technical defenses. The Hacker News →

Deliverability & Authentication

Word to the Wise: SPF ?all — Steve at WttW explored AOL's shift from ~all (softfail) to ?all (neutral), which tells receivers “we publish SPF but don't want you using it for policy decisions.” SPF can still pass for DMARC alignment, but the signal is weaker. Worth reviewing if you're troubleshooting alignment. Word to the Wise →
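To make the ~all vs. ?all distinction concrete, here is an added illustration (not code from the WttW post, and the records are constructed, not AOL's real ones): a minimal SPF evaluator for ip4/ip6 mechanisms plus the catch-all, and the DMARC rule that only an SPF "pass" with an aligned MAIL FROM domain counts. The organizational-domain helper is a crude last-two-labels approximation and does not consult the Public Suffix List.

```python
import ipaddress
import re

# Constructed sample records: identical except for the qualifier on "all".
SPF_SOFTFAIL = "v=spf1 ip4:192.0.2.0/24 ~all"
SPF_NEUTRAL = "v=spf1 ip4:192.0.2.0/24 ?all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """SPF result for sender_ip against a record using only ip4/ip6 and 'all'.
    Mechanisms needing DNS (include, a, mx, redirect) are not supported here."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            # Only here does ~all vs ?all matter: unlisted senders get
            # 'softfail' under ~all but merely 'neutral' under ?all.
            return QUALIFIERS[qualifier]
        m = re.match(r"(ip4|ip6):(.+)", term, re.I)
        if m and ip in ipaddress.ip_network(m.group(2), strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term present


def org_domain(domain):
    """Crude organizational domain (assumption: no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_spf_aligned(spf_result, mail_from_domain, header_from_domain, mode="r"):
    """DMARC credits SPF only on a 'pass' whose MAIL FROM domain aligns with
    the RFC5322.From domain (mode 'r' relaxed, 's' strict)."""
    if spf_result != "pass":
        return False
    if mode == "s":
        return mail_from_domain.lower() == header_from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(header_from_domain)


if __name__ == "__main__":
    for rec in (SPF_SOFTFAIL, SPF_NEUTRAL):
        for ip in ("192.0.2.10", "198.51.100.1"):
            print(rec, ip, evaluate_spf(rec, ip))
```

A listed IP still yields "pass" under either record, so DMARC alignment is unaffected for legitimate senders; the weaker signal applies only to unlisted sources, which receivers may no longer treat as suspicious.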

Spamhaus: Oracle network users must update DNSBL config before April 8 — if you're running free Spamhaus DNS Blocklist lookups via Public Mirrors on Oracle's network, email may be incorrectly blocked after the deadline. Act now. Spamhaus →

Yahoo Mail storage cuts: May 5 deadline — free storage drops from 1TB to 15–20GB. Accounts over the limit after August 27 lose the ability to send or receive entirely. Expect increased bounce rates from Yahoo/AOL domains as users hit caps. emailexpert → Spam Resource →

Infrastructure & MTAs

KumoMTA Spring 2026 Release — Access Control, Inter-Node Transfers

KumoMTA shipped its sixteenth release with 30+ enhancements. The headline feature: a full Access Control System (authentication, authorization, and accounting) for all API interactions — table stakes for enterprise deployments handling billions of messages. Also new: inter-node message transfer via Lua functions that preserve metadata across cluster nodes, KumoProxy with RFC 1929 auth and Lua scripting, and AWS V4 signature support.

Also Noteworthy

KumoMTA 2026 State of MailOps Report — core finding from real MailOps conversations: “MailOps didn't get more complicated — it got less forgiving.” Provider policy shifts have compressed reaction timelines from weeks to hours. The cost of being slightly wrong increased dramatically. KumoMTA →

Stalwart Mail Server v0.15 — spam classifier redesigned from scratch using a logistic regression classifier trained with the FTRL-Proximal algorithm (Google's approach for large-scale online learning). Search layer rewritten to leverage PostgreSQL/MySQL native full-text search, plus new Meilisearch support. Webmail planned for 2026, built as a Rust SPA. Stalwart Labs →

SendPost joins emailexpert as an Enterprise Member, expanding the community's vendor partnership roster. emailexpert →

AI & Email

Gmail AI Inbox Rollout Continues — Gemini 3 Powers New Features

Gmail's Gemini-powered overhaul — announced in January, described as “the biggest update in 20 years” — continues its Q1 rollout. AI Overviews (thread summaries) and enhanced Help Me Write/Proofread are now live for all personal users. The more consequential feature, AI Inbox — which reorganizes email around summaries, topics, and to-dos rather than individual messages — remains in trusted tester and is expected to roll out broadly soon.

If Gmail moves to a summary-first view, the implications for email marketing metrics (opens, clicks, read time) could be significant. Combined with Google's stricter DKIM enforcement and the Workspace CLI (covered in previous issues), Google is reshaping the entire email experience from both sides.

Events & Community

Happening Now

RSAC 2026 San Francisco (Mar 23–26) — major email security announcements covered above — rsaconference.com

April

Word to the Wise Gmail/Inbox Signals Webinar (early April) — free, focusing on 2026 Gmail delivery trends — wordtothewise.com

Festival of Email Barcelona (Apr 19–25) — Deliverability Summit (Apr 20–22) SOLD OUT — main stage streaming online (Apr 15 – May 2). Sender Symposium (Apr 24). — festivalofemail.com

Unspam 2026 Long Beach, CA (Apr 20–22), under 250 attendees — reallygoodemails.com

CFPs Open

M3AAWG Montreal (Jun 8–11) — m3aawg.org

What to Watch

NCSC Mail Check / Web Check shutdown: March 31 — 5 days away. UK public sector orgs must have alternatives in place. NCSC →

Spamhaus DNSBL + Oracle: April 8 — update config or risk incorrect blocking. Spamhaus →

Yahoo Mail storage cuts: May 5 — 15–20GB for free users. Full block after August 27.

Proofpoint unified SEG+API: June 30 — major architectural change for the email security market.

EU AI Act Article 50: August 2 — disclosure requirements for AI-generated email content to EU recipients. Fines up to €35M or 7% of global turnover.

Microsoft SMTP AUTH Basic Auth: December 2026 — extended retirement date, but migration planning should be underway.

iOS 26 Link Tracking Protection — Apple Mail stripping gclid/fbclid/dclid from clicks. UTM params safe.

As always, I’d love to get your feedback! How can I make this newsletter better? Hit “reply” and tell me! Better yet, hit “forward” and send this to someone you know in the email community! (And if you received this via a forward from someone else, please subscribe at https://thisweekin.email!)

Until next week,

John
