I think we’re aligned on the hard parts here, so let me be precise.

We’re not wide open for abuse nor are we bypassing the hard parts of email reputation. Quite the opposite. We also utilize SES's infrastructure and monitor reputation continuously, but we don’t assume SPF/DKIM/DMARC are sufficient on their own. They’re basics we have implemented, not the entire strategy.

You are correct private IPs per customer make sense once you’re sending meaningful volume (on the order of ~10k+/day per IP). But its inaccurate to say we are sending from a single private IP. IP pools are typically segmented by reputation and traffic profile for customers.

Reputation here is earned at multiple layers: per-IP, per-domain, per-inbox, and over time. We rate-limit, isolate, or revoke bad actors without poisoning unrelated senders. Hopefully this makes sense.