Microsoft Joins Google and Yahoo in Strengthening Email Sender Requirements

In a significant move to bolster email security and user trust in email, Microsoft has announced new requirements for high-volume senders to Outlook.com, Hotmail.com, and Live.com mailboxes. This initiative aligns with similar measures introduced by Google and Yahoo in 2024 and reflects a broader industry trend toward enforced, rather than merely recommended, email authentication standards.

Microsoft’s New Requirements for Outlook.com

Effective May 5, 2025, Microsoft will enforce new requirements for domains sending more than 5,000 emails per day to its consumer addresses, including outlook.com, hotmail.com, and live.com. Only senders with a mailing list of that size are directly affected in May, but smaller businesses should follow the same guidance: it future-proofs them should the thresholds tighten, and it protects their brand by making the domain harder to spoof, keeping deliverability high, and reducing spam complaints. These requirements include:

  • SPF (Sender Policy Framework): Emails must pass SPF checks. SPF is a simple string of text published in a “TXT” record on the domain’s DNS zone that lists the IP addresses (or other domains whose records should be included) authorized to send mail for that domain. The receiving server looks up the record for the envelope sender (Return-Path) domain and checks whether the connecting IP address is listed. For example, if a sender uses Google to send email, their SPF record might look like this: “v=spf1 include:_spf.google.com -all”, where “-all” tells receivers to fail any IP not covered by the include.
  • DKIM (DomainKeys Identified Mail): Emails must pass DKIM validation, which confirms message integrity and the identity of the signing domain. Rather than relying on the source IP address, the sending server hashes the message body and selected headers and signs that hash with a private key; the matching public key is published in DNS under a selector (selector._domainkey.domain). The receiver recomputes the hash and verifies the signature against the published key. If the signed parts of the message are modified in transit, or the message was signed with a key that does not match the domain’s published public key, DKIM verification fails.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Domains must publish a DMARC policy of at least “p=none”. DMARC ties SPF and DKIM to the domain the recipient actually sees in the From header: a message passes DMARC when SPF or DKIM passes and the domain that passed “aligns” with the From domain. Should the message fail, the policy set by the domain admin applies, which will be one of “p=none” (deliver and report only), “p=quarantine” (typically the spam folder), or “p=reject”. The record can also request aggregate reports (the “rua” tag), so the domain owner can see who is sending on the domain’s behalf.
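
To make the relationship between the three records concrete, here is an added example (not code from the original article, nor from Microsoft, Google, or Yahoo) that evaluates SPF for a connecting IP and then applies DMARC alignment and policy. The DNS data is constructed for the example using example.* domains and RFC 5737/RFC 3849 documentation addresses; the provider at example.net and every address below are placeholders. A real evaluator also needs the a/mx/exists/redirect mechanisms, live DNS lookups, actual DKIM signature verification, and the Public Suffix List for relaxed alignment, all of which are omitted here.

```python
import ipaddress

# Constructed DNS TXT data for this example (not real records). example.com
# outsources sending to a hypothetical provider at example.net whose SPF lists
# documentation address ranges.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.example.net -all",
    "bounce.example.com": "v=spf1 include:_spf.example.net -all",
    "example.net": "v=spf1 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate SPF for connecting address `ip` against the envelope-sender
    (Return-Path) `domain`. Handles ip4/ip6/include/all only."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # a v4 address tested against a v6 network (or vice versa) never matches
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # an include matches only when the included record itself yields "pass"
            if check_spf(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' present


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; aspf=r' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment. Real code consults the
    Public Suffix List; this assumes a single-label public suffix."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, ip, mailfrom_domain, dkim_domain=None,
                   dkim_valid=False, dns=DNS_TXT):
    """Apply DMARC to a message whose From-header domain is `from_domain`.
    `dkim_domain` is the signature's d= tag and `dkim_valid` the outcome of
    verifying it (the cryptographic check itself is outside this example)."""
    result = {"spf": check_spf(ip, mailfrom_domain, dns),
              "spf_aligned": False, "dkim_aligned": False}
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:                   # no policy published for the From domain
        result.update(dmarc="none", disposition="none")
        return result
    tags = parse_dmarc(record)
    result["spf_aligned"] = (result["spf"] == "pass" and
                             aligned(mailfrom_domain, from_domain, tags.get("aspf", "r")))
    result["dkim_aligned"] = (dkim_valid and dkim_domain is not None and
                              aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if result["spf_aligned"] or result["dkim_aligned"]:
        result.update(dmarc="pass", disposition="none")
    else:                                # failure: the owner's p= policy applies
        result.update(dmarc="fail", disposition=tags.get("p", "none"))
    return result


if __name__ == "__main__":
    # Legitimate mail: SPF passes for bounce.example.com and aligns (relaxed) with example.com.
    print(evaluate_dmarc("example.com", "192.0.2.10", "bounce.example.com"))
    # Forged From: IP not in SPF, and a signature for the attacker's own domain does not align.
    print(evaluate_dmarc("example.com", "203.0.113.7", "attacker.example.net",
                         dkim_domain="attacker.example.net", dkim_valid=True))
```

The second run in the main block is the case DMARC exists for: the attacker can obtain a perfectly valid DKIM signature and SPF pass for a domain they control, but neither aligns with the forged From domain, so the example.com policy (“p=reject”) applies. Note also that the alignment mode matters: with “adkim=s”, a signature from mail.example.com does not count for example.com.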

Microsoft also recommends best practices such as:

  • Maintaining valid “From” or “Reply-To” addresses
  • Providing one-click unsubscribe options
  • Managing bounce rates
  • Ensuring transparent mailing practices

Google and Yahoo’s 2024 Initiatives

In early 2024, Google and Yahoo implemented similar requirements for bulk email senders (those sending over 5,000 emails per day):

  • Email Authentication: Authentication with SPF and/or DKIM, with a DMARC policy of at least “p=none”.
  • Spam Complaint Rates: Senders to Google addresses must keep their spam complaint rate, as measured in Google Postmaster Tools, below a set threshold.
  • Unsubscribe Mechanisms: All promotional emails must support one-click unsubscribe, implemented with the List-Unsubscribe and List-Unsubscribe-Post headers defined in RFC 8058. Not only does this make it easy to unsubscribe, it lets the mail client handle the unsubscribe for you, so as a user you never need to click a link inside the email body.
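
The following is an added example (not code from the original article or from any of the providers named) showing what the one-click headers look like on an outgoing message and the check a receiving client applies before it is allowed to unsubscribe the user with a single POST. The addresses and the https endpoint are placeholders constructed for the example; a production receiver additionally requires these headers to be covered by a valid DKIM signature, which is not modelled here.

```python
import re
from email.message import EmailMessage

# RFC 8058 fixed token: the client POSTs this string as the request body.
ONE_CLICK_TOKEN = "List-Unsubscribe=One-Click"


def add_one_click_unsubscribe(msg, https_url, mailto=None):
    """Sender side: add RFC 8058 headers. `https_url` must be a per-recipient
    endpoint that accepts an unauthenticated POST carrying ONE_CLICK_TOKEN;
    the URL used here is a hypothetical placeholder."""
    uris = [f"<{https_url}>"]
    if mailto:
        uris.append(f"<mailto:{mailto}>")     # optional fallback for clients without POST
    msg["List-Unsubscribe"] = ", ".join(uris)
    msg["List-Unsubscribe-Post"] = ONE_CLICK_TOKEN
    return msg


def one_click_unsubscribe_url(msg):
    """Receiver side: return the HTTPS URL a client may POST to without user
    interaction, or None if the message does not qualify. RFC 8058 requires an
    https URI in List-Unsubscribe and a List-Unsubscribe-Post header whose
    value is exactly the one-click token."""
    post = msg.get("List-Unsubscribe-Post", "").strip()
    if post != ONE_CLICK_TOKEN:
        return None
    for uri in re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", "")):
        uri = uri.strip()
        if uri.lower().startswith("https://"):
            return uri
    return None                               # mailto-only or http:// does not qualify


def build_sample_message(one_click=True):
    """Constructed sample newsletter; addresses are example.* placeholders."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello from the newsletter.")
    if one_click:
        add_one_click_unsubscribe(msg, "https://example.com/unsub/abc123",
                                  mailto="unsubscribe@example.com")
    else:
        msg["List-Unsubscribe"] = "<mailto:unsubscribe@example.com>"
    return msg


if __name__ == "__main__":
    print(build_sample_message().as_string())
    print(one_click_unsubscribe_url(build_sample_message()))          # https URL
    print(one_click_unsubscribe_url(build_sample_message(False)))     # None
```

The receiver-side function is deliberately strict: a mailto-only List-Unsubscribe, or a POST header with any other value, means the client must fall back to showing the user a link rather than unsubscribing automatically.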

Microsoft, Google, and Yahoo have all implemented similar controls aimed to reduce spam, prevent phishing attacks, and improve overall email deliverability.

Implications for Email Senders

The collective actions by major email providers signify a shift from recommended best practices to enforced standards. This builds on a long process by the internet community to create a secure email infrastructure. Email as we know it is built on a protocol called “SMTP”, which originated in the early 80s. The first specification for SPF was released in 2006, followed shortly by DKIM in 2007, and DMARC a decade ago in 2015.

For a while, adoption of SPF, DKIM, and DMARC was too low for individual companies and mailbox providers to require it, but traction has grown slowly and steadily, and mail providers can now begin to require these authentication protocols. This mirrors the rollout of SSL/TLS certificates: adoption was gradual and optional, but once major players such as search engines and browsers required them, they effectively became mandatory for every company communicating in the market.

Microsoft, Google, and Yahoo’s moves make SPF, DKIM, and DMARC a de facto requirement for sending email at volume. Although these requirements start fairly lax with a simple “p=none” policy, it is likely that in the near future providers will require enforcing policies of “p=quarantine” or “p=reject”. Organizations should promptly assess and update their email practices to align with these standards, keeping deliverability high while ensuring the domain is protected against spoofing.

Organizations must now prioritize:

  • Email authentication (SPF, DKIM, DMARC)
  • Transparent opt-out mechanisms

Failure to comply with these new requirements can lead to emails being marked as spam or rejected outright, impacting communication effectiveness and brand reputation.
