Microsoft Outlook to Enforce Stricter Email Authentication Rules for High-Volume Senders

This change will go into effect on May 5, 2025.

Published: Apr 07, 2025

Key Takeaways:

  • Microsoft Outlook will require high-volume senders to implement SPF, DKIM, and DMARC protocols.
  • Emails from domains that don’t meet these requirements will be sent to the Junk folder.
  • Senders should review and update their DNS records.

Microsoft is set to roll out stricter security measures for high-volume email senders in Outlook, targeting domains that send over 5,000 messages daily. The new rules aim to boost email authentication and crack down on spam, spoofing, and phishing threats.

What are the new email security requirements coming to Microsoft Outlook?

Starting on May 5, Microsoft Outlook will enforce a new policy requiring high-volume email senders to comply with three key authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). These protocols help verify that emails are from legitimate sources.

“After May 5th, 2025, Outlook will begin routing messages from high volume non‐compliant domains to the Junk folder, allowing senders to address any outstanding issues. NOTE: that in the future (date to be announced), non-compliant messages will be rejected to further protect users,” the Microsoft Defender for Office 365 team explained.

How to prepare for this change?

Microsoft recommends that high-volume email senders follow good email hygiene practices to maintain quality and trust. This includes using valid sender addresses that can receive replies, offering clear unsubscribe options, and removing invalid contacts from mailing lists. Senders should also use accurate subject lines and transparent messaging to reduce spam complaints, manage bounces, and ensure recipients have given their consent.

The new email security rules will apply to users sending messages through Outlook.com, including consumer domains like hotmail.com, live.com, and outlook.com. These changes are designed to better protect customers from spam and spoofing attacks. It’s important to note that adding a sender to the Safe Senders list will not override these new authentication requirements.

To prepare for this change, Microsoft urges users to review their Domain Name System (DNS) records for SPF, DKIM, and DMARC. This involves making sure each protocol is correctly set up and meets all necessary criteria to ensure emails are properly authenticated.
