Action required: Microsoft is enforcing new email standards
UPDATE: Microsoft has joined Google and Yahoo in requiring that “domains sending more than 5,000 emails per day” to its consumer email products (outlook.com, live.com, and hotmail.com) have authentication protocols in place. Messages that don’t comply will be rejected, rather than quarantined as first stated. The protocols include Domain-based Message Authentication, Reporting, and Conformance (DMARC) and its related standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
“Microsoft’s update is a strong signal that the email ecosystem is maturing. These new requirements aren’t just about compliance—they’re about customer trust. High-volume senders need to step up and treat deliverability and authentication as core parts of their digital brand strategy, not just IT hygiene.”
“While Microsoft’s new requirements apply to bulk senders, I believe every domain should have SPF, DKIM, and DMARC in place. These aren’t just technical best practices — they’re essential for protecting deliverability and reputation. Microsoft themselves say it best: ‘All senders benefit from these practices.’ It’s time the industry starts moving in that direction.”
Get ahead of the Microsoft DMARC requirements and enhance your business’s deliverability and reputation with Sendmarc. We make DMARC, SPF, and DKIM implementation and management effortless, ensuring stress-free compliance for your business. We’ve even released a guide outlining what’s needed to ensure compliance.
What are the Microsoft DMARC requirements?
The Microsoft DMARC news comes more than a year after the Google and Yahoo announcements on October 3, 2023, but largely mirrors the requirements set by both companies.
From May 5, 2025, Microsoft will begin enforcing stricter email authentication standards for outlook.com. Bulk senders must now implement the following:
1. SPF
SPF helps prevent spammers from sending messages on behalf of your organization’s domain. It does this by specifying which IP addresses are authorized to send email from a domain.
2. DKIM
DKIM allows your business to attach a digital signature to its emails. This signature verifies that the email hasn’t been tampered with in transit and confirms it was authorized by your business’s domain.
3. DMARC
DMARC builds on SPF and DKIM. It allows domain owners to specify how unauthenticated emails should be handled and provides reports that help monitor and improve email security.
The Microsoft DMARC requirements include a published DMARC record and a minimum policy of p=none. Interestingly, they still require your company’s senders to pass either an SPF or a DKIM check, meaning that senders need to be at a level of DMARC compliance that would allow your organization to be on a stricter DMARC policy.
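To make that distinction concrete, the following added example (not Microsoft's or Sendmarc's code) parses a DMARC record and checks whether a message passes through an aligned SPF or DKIM result. The domains and results are constructed, and the organizational-domain lookup is simplified to the last two labels as an assumption; real evaluators use the Public Suffix List.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # constructed sample

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and p= must name a known policy.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("p", "").lower() in VALID_POLICIES else None

def org_domain(domain):
    # Assumption: last two labels. Wrong for suffixes like co.uk; use the PSL in practice.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain): the SPF MAIL FROM domain and the DKIM d= domain."""
    tags = parse_dmarc(record)
    if tags is None:
        return False
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return spf_ok or dkim_ok

if __name__ == "__main__":
    # A third-party platform that passes SPF and DKIM only for its own domain:
    # the record is published with p=none, yet the message still fails DMARC.
    print(dmarc_pass(RECORD, "example.com",
                     ("pass", "mailer.example.net"), ("pass", "example.net")))
    # The same platform after DKIM signing with a subdomain of the From domain.
    print(dmarc_pass(RECORD, "example.com",
                     ("fail", "mailer.example.net"), ("pass", "mail.example.com")))
```

The first case is the gap the paragraph above describes: a published p=none record does not help a sender whose SPF and DKIM passes belong to someone else's domain.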
There are also some email best practice recommendations, but these seem to be general guidelines rather than strict requirements like the Microsoft DMARC ones.
Recommended best practices
Use valid ‘From’ addresses that can accept replies
Provide easy unsubscribe options
Maintain clean email lists by removing invalid recipients
Avoid misleading subject lines and headers
Microsoft DMARC uncertainty
As with the initial Google and Yahoo announcements, there are some areas that aren’t entirely clear. For example, we’re assuming that the 5,000 emails per day are the ones sent to Microsoft infrastructure rather than total sending (which would be impossible for Microsoft to know), but it’s unclear if emails sent to corporate Microsoft 365/Entra accounts would “consume” part of the 5,000.
It’s also unclear whether sending to a mix of Microsoft consumer domain addresses (outlook.com, live.com, and hotmail.com) counts toward a single combined daily total. Plus, do the Microsoft DMARC requirements (like those of Google and Yahoo) treat a domain that sends 5,000 messages in a day once as a large sender from then on?
Even though there’s uncertainty, the message is very clear: Microsoft also believes that DMARC is a core part of solving the problem of impersonation. See how Sendmarc can help your business comply with the new Microsoft DMARC requirements and protect against email-based threats.
Who does the Microsoft DMARC rule affect?
To understand if this affects your business and domain, your company needs to have a good idea of where all email from its domain is going.
Remember, Microsoft (and Google and Yahoo) look at the count of emails coming from a domain, so while your organization might look at, for example, its Google Workspace logs and see a number lower than 5,000, it’ll also need to look at its email marketing platform, its CRM, etc.
The easiest way to build this picture is by using a DMARC product (like Sendmarc’s), which can look at a domain level and show exactly where the email is coming from.
Then, your business needs to ensure that each of those platforms can pass DMARC checks. Microsoft wants all emails that it receives to align with either SPF or DKIM. And again, a platform like Sendmarc’s is perfect for seeing exactly which mechanisms are in place and (maybe more importantly) where the gaps are.
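The domain-level picture described above can be built from DMARC aggregate reports, the XML reports requested by the rua tag. This added example (not Sendmarc's product code) totals volume per sending source and lists the sources where neither SPF nor DKIM passed DMARC evaluation. The report is a constructed sample in the RFC 7489 layout using documentation IP addresses, and it is assumed to cover one day of mail seen by a single receiver.

```python
import xml.etree.ElementTree as ET  # reports come from third parties; consider defusedxml
from collections import defaultdict

# Constructed sample: three sources sending as example.com.
REPORT = """<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>3200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>2100</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>150</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP: total messages and how many passed neither aligned SPF nor DKIM."""
    totals = defaultdict(lambda: {"count": 0, "unauthenticated": 0})
    for record in ET.fromstring(xml_text).iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated holds the DMARC (alignment-aware) results, not the raw ones.
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip]["count"] += count
        if not passed:
            totals[ip]["unauthenticated"] += count
    return dict(totals)

def assess(xml_text, threshold=5000):
    """Compare the domain-wide total with the bulk-sender threshold and list the gaps."""
    per_source = summarize(xml_text)
    total = sum(s["count"] for s in per_source.values())
    gaps = sorted(ip for ip, s in per_source.items() if s["unauthenticated"])
    return {"total": total, "bulk_sender": total > threshold, "gaps": gaps}

if __name__ == "__main__":
    print(assess(REPORT))
```

In this sample no single source exceeds 5,000 messages, but the domain as a whole does, and the second source is the platform that needs SPF or DKIM alignment fixed.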
Why all senders should care about the Microsoft DMARC requirements
DMARC is the best technology standard to secure your business against fraudulent email activity. It thoroughly evaluates the source of an email to ensure that only legitimate emails ever reach an inbox.
The details of implementing Google and Yahoo’s new bulk sender requirements for email authentication may seem overwhelming, but you don’t need to embark on your journey to compliance alone.
Sendmarc is a leader in email security that your business can rely on for fast, seamless, and scalable DMARC implementation for organizations of any size.
If you’d like to see if your domain is vulnerable to impersonation, you can check its score here. Or contact us today to see how we can assist you in meeting the new email authentication requirements in the easiest way possible.
Source: https://sendmarc.com/dmarc/microsoft-dmarc-requirements