Microsoft Enforces SPF, DKIM, DMARC for High-Volume Senders
Microsoft is strengthening its email authentication requirements to be inline with other providers. These changes have been forecast since Google and Yahoo made similar changes in 2024.
Microsoft is now requiring DMARC and its supporting technologies of SPF and DKIM for large senders (5,000 or more emails per day) in their consumer email services outlook.com, hotmail.com and live.com.
Key Authentication Requirements
For domains sending over 5,000 emails per day, Outlook will soon require compliance with SPF, DKIM, DMARC. Non‐compliant messages will first be routed to junk folders. If issues remain unresolved, they may eventually be rejected. Senders will soon start requiring compliance with the following requirements:
- SPF (Sender Policy Framework)
- Must pass for the sending domain.
- Your domain’s DNS record should accurately list authorized IP addresses/hosts.
- DKIM (DomainKeys Identified Mail)
- Must pass to validate email integrity and authenticity.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance)
- At least p=none and align with either SPF or DKIM—preferably both.
Enforcement Timeline
Microsoft encourages all senders, particularly those that send at high volume, to review and update their SPF, DKIM and DMARC records in preparation for enforcement, which begins May 5, 2025.
After May 5, Outlook will begin routing messages from high volume non‐compliant domains to the junk folder, giving senders an opportunity to address any outstanding issues. Additionally, sender whitelists will not be honored if messages fail requirements. Beginning on a future, unannounced date, non-compliant messages will be rejected to further protect users.
Learn how to configure Microsoft 365 to send DMARC-compliant messages.
Additional Best Practices from Microsoft
In addition to the DKIM, SPF and DMARC requirement, Microsoft recommends the following for large senders:
- Use valid “from” or “Reply-To addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies.
- Provide clear unsubscribe links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail.
- Maintain clean mailing lists and manage bounces: Remove invalid addresses regularly to reduce spam complaints, bounces and wasted messages.
- Follow transparent mailing practices: Use accurate subject lines, avoid deceptive headers and ensure your recipients have consented to receive your messages.
Microsoft notes that “Outlook reserves the right to take negative action—including filtering or blocking—against non‐compliant senders, especially for critical breaches of authentication or hygiene.”
Who is affected?
If you send 5,000 messages or more per day to Microsoft’s consumer email addresses (@outlook.com, @live.com, @hotmail.com), your email domain must have DKIM, SPF and DMARC records in your DNS starting May 5, 2025.
These messages must pass DMARC Alignment. This includes messages sent on behalf of your organization by third-party email service providers (ESPs) like Constant Contact and MailChimp that use your email domain.
dmarcian can help
At dmarcian, we know that proper deployment is key—and we offer the superior tooling and expertise you need to get it right the first time. We help organizations of all sizes:
- Deploy DMARC the right way—no guesswork, no disruptions
- Gain full visibility into your email ecosystem
- Stay ahead of evolving email security policies
Don’t let your emails get blocked. Get DMARC done right—fast.
Want to continue the conversation? Head over to the dmarcian Forum.
