Blog article
- 23 January 2025
- 8 minutes read
- Kieran Frost
- Chief Operating Officer
Microsoft DMARC requirements
On April 2, 2025, Microsoft joined Google and Yahoo in requiring that “domains sending more than 5,000 emails per day” to their consumer email products (outlook.com, live.com, and hotmail.com) will need to have authentication protocols in place or risk having their messages sent to Junk. These include Domain-based Message Authentication, Reporting, and Conformance (DMARC) and its related standards, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).
Experts have begun discussing the Microsoft DMARC requirements, including Nicolas Blank, Microsoft 365/Entra MVP and Founder and Group CEO of NBConsult, who shared his thoughts on the topic, saying,
“Microsoft’s update is a strong signal that the email ecosystem is maturing. These new requirements aren’t just about compliance—they’re about customer trust. High-volume senders need to step up and treat deliverability and authentication as core parts of their digital brand strategy, not just IT hygiene.
Microsoft just raised the floor for email senders. If your authentication and unsubscribe practices aren’t up to standard, you won’t reach the inbox. It’s as simple as that.”
J. Peter Bruzzese, Microsoft MVP and Co-Founder of ClipTraining, also commented on the new Microsoft DMARC requirements, stating,
“While Microsoft’s new requirements apply to bulk senders, I believe every domain should have SPF, DKIM, and DMARC in place. These aren’t just technical best practices — they’re essential for protecting deliverability and reputation. Microsoft themselves say it best: ‘All senders benefit from these practices.’ It’s time the industry starts moving in that direction.”
Get ahead of the Microsoft DMARC requirements and enhance your business’s deliverability and reputation with Sendmarc. We make DMARC, SPF, and DKIM implementation and management effortless, ensuring stress-free compliance for your business. We’ve even released a guide outlining what’s needed to ensure compliance.
What are the Microsoft DMARC requirements?
The Microsoft DMARC news comes more than a year after the Google and Yahoo announcements on October 3, 2023, but largely mirrors the requirements set by both companies.
From May 5, 2025, Microsoft will begin enforcing stricter email authentication standards for outlook.com. Bulk senders must now implement the following:
1. SPF
SPF helps prevent spammers from sending messages on behalf of your organization’s domain. It does this by specifying which IP addresses are authorized to send email from a domain.
2. DKIM
DKIM allows your business to attach a digital signature to its emails. This signature verifies that the email hasn’t been tampered with in transit and confirms it was authorized by your business’s domain.
3. DMARC
DMARC builds on SPF and DKIM. It allows domain owners to specify how unauthenticated emails should be handled and provides reports that help monitor and improve email security.
The Microsoft DMARC requirements include a published DMARC record and a minimum policy of p=none. Interestingly, they still require your company’s senders to pass either an SPF or a DKIM check, meaning that senders need to be at a level of DMARC compliance that would allow your organization to be on a stricter DMARC policy.
There are also some email best practice recommendations, but it seems these are general guidelines rather than strict, like the Microsoft DMARC requirements.
Recommended best practices
- Use valid ‘From’ addresses that can accept replies
- Provide easy unsubscribe options
- Maintain clean email lists by removing invalid recipients
- Avoid misleading subject lines and headers
Microsoft DMARC uncertainty
As with the initial Google and Yahoo announcements, there are some areas that aren’t entirely clear. For example, we’re assuming that the 5 000 emails per day are the ones sent to Microsoft infrastructure instead of total sending (which would be impossible for Microsoft to know), but it’s unclear if emails sent to corporate Microsoft 365/Entra accounts would “consume” part of the 5 000.
It’s also unclear whether sending to a mix of Microsoft consumer domain addresses (outlook.com, live.com, and hotmail.com) counts toward a single combined daily total. Plus, do the Microsoft DMARC requirements (like those of Google and Yahoo) consider a domain that sends 5 000 messages in a day once a large sender always?
Even though there’s uncertainty, the message is very clear: Microsoft also believes that DMARC is a core part of solving the problem of impersonation. See how Sendmarc can help your business comply with the new Microsoft DMARC requirements and protect against email-based threats.
Who does the Microsoft DMARC rule affect?
To understand if this affects your business and domain, your company needs to have a good idea of where all email from its domain is going.
Remember, Microsoft (and Google and Yahoo) look at the count of emails coming from a domain, so while your organization might have a look at its (for example) Google Workspace logs and see a number less than 5 000, it’ll also need to look at its email marketing platform, its CRM, etc..
The easiest way to build this picture is by using a DMARC product (like Sendmarc’s), which can look at a domain level and show exactly where the email is coming from.
Then, your business needs to ensure that each of those platforms can pass DMARC checks. Microsoft wants all emails that it receives to align with either SPF or DKIM. And again, a platform like Sendmarc’s is perfect for seeing exactly which mechanisms are in place and (maybe more importantly) where the gaps are.
Why all senders should care about the Microsoft DMARC requirements
While the Microsoft DMARC rule targets high-volume senders, the reality is that every domain should have SPF, DKIM, and DMARC properly configured – no matter how many emails they send. Without these protocols, your company’s emails are more likely to land in recipients’ Spam or Junk folders, even if its domain isn’t being used maliciously.
DMARC, with a policy of p=none, is often seen as a “safe” starting point, but it doesn’t actually stop fraudulent emails from being delivered. It only monitors and reports. That means if someone’s impersonating your organization’s domain – sending phishing emails that look like they’re from your business – they can still reach inboxes.
To actively protect your company’s domain and its recipients, your organization needs to progress from p=none to stricter enforcement levels like p=quarantine or p=reject. These policies tell email receivers to block or flag unauthenticated messages, significantly reducing the risk of phishing and spoofing attacks.
Implementing all three standards—SPF, DKIM, and DMARC—doesn’t just help with compliance. It improves your business’s email deliverability, protects its brand reputation, and ensures its communications are trusted and secure.
At Sendmarc, we can help your company with this analysis and assist with source configuration so your organization’s emails remain unaffected.
We’re so excited to see the Microsoft DMARC news and the company join the fight against domain impersonation. We’re ready and willing to assist anyone who needs help in navigating the new Microsoft DMARC requirements.
