DMARC Requirements

New DMARC requirements for Outlook.com

On 2nd April 2025, Microsoft confirmed new DMARC requirements for Outlook.com.  This applies to consumer services at Outlook.com, which also supports hotmail.com and live.com.  The purpose is to strengthen its ecosystem, with measures that cover all email traffic and additional ones aimed at high-volume senders.

Outlook is enhancing its commitment to protecting user inboxes and maintaining trust in the digital ecosystem by introducing new requirements and best practices for email authentication.  Some measures apply to domains sending over 5,000 emails daily and include mandatory SPF, DKIM, and DMARC settings, but ultimately stricter standards will affect all emails.

By enforcing stricter standards, Outlook aims to reduce spoofing, phishing, and spam, thereby offering stronger brand protection and better deliverability for legitimate senders.  Outlook has always prioritized user safety and reliability. It is proud to invest further in solutions that safeguard customers and promote best practices across the industry. By raising the bar for large senders, Outlook hopes to inspire lasting change that benefits everyone.

You can read the full article from the Microsoft.com Tech Community here.

What is required?

For domains sending over 5,000 emails per day, SPF, DKIM and DMARC will be required.  Non‐compliant messages will be marked as Junk, and may eventually be rejected altogether.  Here are the requirements for compliance:

  • SPF (Sender Policy Framework)
    • Must Pass for the sending domain.
    • Your domain’s DNS record should accurately list authorized IP addresses/hosts.
  • DKIM (DomainKeys Identified Mail)
    • Must Pass to validate email integrity and authenticity.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)
    • At least p=none and align with either SPF or DKIM (preferably both).
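
The three requirements above can be checked against a received message's Authentication-Results header. The Python below is an added example, not code from Microsoft or from this article; the sample headers, domains and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real validators consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def auth_results(header, method, prop):
    """Return [(result, domain)] for one method in an Authentication-Results header."""
    pattern = rf"\b{method}=(\w+)[^;]*?{re.escape(prop)}=([^\s;]+)"
    return [(r.lower(), d.split("@")[-1].lower()) for r, d in re.findall(pattern, header)]

def check_message(from_domain, header, dmarc_record):
    tags = parse_tags(dmarc_record)
    spf_ok = [d for r, d in auth_results(header, "spf", "smtp.mailfrom") if r == "pass"]
    dkim_ok = [d for r, d in auth_results(header, "dkim", "header.d") if r == "pass"]
    report = {
        "spf_pass": bool(spf_ok),
        "dkim_pass": bool(dkim_ok),
        "dmarc_policy": tags.get("v") == "DMARC1" and tags.get("p", "").lower() in POLICIES,
        "spf_aligned": any(aligned(from_domain, d, tags.get("aspf", "r")) for d in spf_ok),
        "dkim_aligned": any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_ok),
    }
    report["compliant"] = (report["spf_pass"] and report["dkim_pass"] and report["dmarc_policy"]
                           and (report["spf_aligned"] or report["dkim_aligned"]))
    return report

# Constructed sample headers (not captured from real mail).
OWN_DOMAIN = ("mx.recipient.example; spf=pass (sender IP is 192.0.2.10) "
              "smtp.mailfrom=bounce.mail.example.com; dkim=pass header.d=example.com")
VENDOR_ONLY = ("mx.recipient.example; spf=pass smtp.mailfrom=bounces.vendor.example; "
               "dkim=pass header.d=vendor.example")
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name, hdr in (("own-domain", OWN_DOMAIN), ("vendor-only", VENDOR_ONLY)):
        print(name, check_message("example.com", hdr, DMARC))
```

The vendor-only header shows the common failure: SPF and DKIM both pass, but for the vendor's domain rather than the "From" domain, so neither result aligns and the message is not compliant.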

Recommendations for good email hygiene:

Large senders should also adopt these practices to maintain quality and trust:

  • Compliant P2 (Primary) Sender Addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies. 
  • Functional Unsubscribe Links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail. 
  • List Hygiene & Bounce Management: Remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. 
  • Transparent Mailing Practices: Use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages. 

Outlook reserves the right to take negative action, including filtering or blocking, against non‐compliant senders, especially for critical breaches of authentication or hygiene.

When will these changes happen?

Enforcement begins in May.

All senders should review and update their SPF, DKIM, and DMARC records, especially those that send at high volume.

After May 5th, 2025, Outlook will begin routing messages from high volume non‐compliant domains to the Junk folder.  In future (date to be announced), non-compliant messages will simply be rejected to further protect users.

Take Action:

If you send bulk emails and you are not sure if you are compliant, get in touch with us here at CTO.  We can help you adhere to best practices and advise you accordingly.  Why not book a Teams call with us?

If you’ve put off deploying SPF, DKIM or DMARC for whatever reason – now is the time to get it done.

We spoke about it back in February 2024 here, when Google and Yahoo started being stricter with their consumer services.  It's only a matter of time until most email servers around the world enforce compliance.

Thanks, Faye.

 

Frequently Asked Questions (FAQ)

  1. Why is Outlook requiring these changes specifically for high‐volume senders?
    • Large senders have a broader impact on inbox safety. By focusing on senders of 5,000+ messages a day, we significantly reduce the likelihood of spam and spoofing campaigns reaching our user base. 
  2. How do SPF, DKIM, and DMARC help me as a sender?
    • These authentication protocols verify your emails for recipients. Compliant senders often see improved deliverability, fewer bounce‐backs, and stronger brand credibility.
  3. Do I still need to do this if I send fewer than 5,000 emails/day?
    • While enforcement first targets large senders, all senders benefit from these best practices. Strong authentication protects your reputation.
  4. What exactly is a “functional” unsubscribe link?
    • It’s a link placed in your email that allows recipients to quickly opt out of future mail. It should be easy to find and reliable when clicked.
  5. Will these changes stop all spam?
    • No system eliminates spam entirely, but these measures make it much harder for malicious actors to succeed and give legitimate senders higher trust.
  6. What does “alignment” mean for DMARC?
    • Alignment ensures the “From” domain matches the domain used by SPF and/or DKIM (exactly, or as a subdomain). This prevents bad actors from exploiting your domain name.
  7. My SPF record has multiple include statements—could that cause issues?
    • If you exceed 10 DNS lookups, your SPF check might fail. Tools exist to “flatten” your record or reduce the number of includes.
  8. Why does Outlook recommend ARC for forwarding/mailing lists?
    • Forwarding can break DMARC alignment. ARC preserves the original authentication checks, preventing legitimate forwarded mail from being wrongfully flagged.
  9. How often should I clean my mailing lists?
    • Aim to remove inactive or invalid addresses regularly—monthly or quarterly. This lowers bounce rates, cuts costs, and reduces spam complaints.
  10. If I use a 3rd‐party email vendor, do I still need SPF, DKIM, DMARC records in my domain DNS?
    • Yes. Even if you outsource sending, authentication is tied to your domain. Coordinate with your provider to ensure correct DNS settings.
  11. How does Outlook handle DMARC aggregate (rua) and forensic (ruf) reports?
    • We send RUA to the addresses specified in your DMARC record. You can analyse these to see who is sending on behalf of your domain, spot domain abuse, and confirm alignment. We don’t have plans to send RUF.
  12. Can separate mail systems have unique DKIM selectors?
    • Yes. Managing multiple selectors (e.g., selector1, selector2) helps maintain clarity and isolate reputation concerns across various business units or campaigns. Learn more about how to configure DKIM here.
  13. Does publishing a strict DMARC policy (p=reject) offer better security?
    • Absolutely, once your legitimate sources are aligned, p=reject is the most effective at thwarting domain spoofing. We advise moving gradually (none → quarantine → reject) to avoid unintended mail loss.
  14. If someone regularly reports my emails as spam despite authentication, what can I do?
    • Authentication ensures emails are from you, but user perception still matters. Review your content, frequency, and opt‐out process to ensure recipients remain engaged and not overwhelmed. 
  15. Will adding to safe senders list bypass the new enforcement? 
    • No. Safe Sender list won’t be honoured.
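
The 10-lookup limit from question 7 can be checked before a record is published. The Python below is an added example, not part of the original FAQ; it counts the worst-case DNS-querying terms through nested includes, and the zone data and domain names are constructed so that it runs without touching DNS.

```python
import re

LOOKUP_LIMIT = 10                        # RFC 7208 cap on DNS-querying terms per SPF check
QUERYING = {"a", "mx", "ptr", "exists"}  # ip4, ip6 and all cost no lookup

# Constructed TXT records standing in for live DNS; every name here is made up.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.example "
                   "include:_spf.crm.example include:_spf.helpdesk.example ~all",
    "flat.example.com": "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "ip4:203.0.113.0/24 include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example include:_c.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mailer.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx include:_spf.helpdesk.example ~all",
    "_spf.helpdesk.example": "v=spf1 a:mail.helpdesk.example ~all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms evaluated for `domain`."""
    if domain in path:                                # include/redirect loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:     # skip the v=spf1 version tag
        term = term.lstrip("+-~?").lower()            # drop the qualifier
        mech = re.split(r"[:=/]", term, maxsplit=1)[0]
        if mech in QUERYING:
            total += 1
        elif mech in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            # One lookup for the include itself, plus everything nested under it.
            total += 1 + count_lookups(target, zone, path + (domain,))
    return total

def over_limit(domain, zone):
    """True when evaluation could exceed the limit and end in permerror."""
    return count_lookups(domain, zone) > LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        print(name, count_lookups(name, ZONE), "over limit:", over_limit(name, ZONE))
```

Here `example.com` has only five terms of its own that query DNS, but the nested includes bring the total to 13; the flattened record replaces the mailer include with its IP ranges and drops to 6.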

Any further questions please give us a call.

Many thanks,

Faye
