We knew it was coming eventually.
Valimail previously reported that Microsoft indicated that updated sender requirements were likely to be announced at some point in the future, and that time is now.
Today, Microsoft announced updated email sender requirements, raising the bar to help better protect email inboxes by making email authentication a prerequisite for successful email delivery to Outlook.com.
“Outlook has always prioritized user safety and reliability; we’re proud to further invest in this solution that will keep our customers safe and reinforce the best practices across the industry. We believe that by raising the bar for large senders, we can inspire lasting change that benefits everyone.”
– Microsoft’s announcement
What are Microsoft’s new requirements?
As Microsoft joins the growing number of global mailbox providers requiring strong authentication to protect global email – safeguarding consumers and companies from spam, phishing, and abuse – Valimail takes pride in being a standard bearer of this message for the past decade.
We’ve watched this landscape evolve from when we stood alone championing the need for authentication to be accessible for senders of all sizes to seeing authentication become the law of the land.
Today, email authentication is a requirement for anyone sending email messages at scale, with the three largest mailbox providers (Google, Yahoo, and Microsoft) now agreeing that it should be required across the board for all. Microsoft’s new requirements mirror similar sender mandates previously put forth by Google and Yahoo. Now, more than ever, email authentication (and DMARC) is required for successful email senders.
While the focus today is on consumer mailboxes, it is safe to assume that these requirements could eventually apply to corporate/enterprise mailboxes.
“Microsoft’s commitment to sender requirements – matching what Google and Yahoo have already established – demonstrates that strong authentication isn’t just a best practice anymore, it’s the new law of the land. This has tremendous impact for senders of all sizes, from their security practitioners to marketers and everyone in between. When you authenticate your mail, you get the deliverability you deserve. Without authentication, you get junked.”
– Seth Blank, CTO of Valimail
Anyone sending more than 5,000 email messages per day to these top consumer mailbox providers – Google’s Gmail, Yahoo Mail, and/or Microsoft’s Outlook.com (covering the domains live.com, hotmail.com, and outlook.com) – will need to comply with these sending requirements.
Email authentication (and DMARC) now required
All email messages must pass Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) email authentication checks. Microsoft, along with Yahoo and Google, uses these checks to validate email message integrity and authenticity.
Additionally, sending domains must have a published DMARC policy, with a policy setting of p=none or better, and there must be proper alignment with either SPF or DKIM authentication settings (Microsoft’s guidelines recommend both be aligned whenever possible).
Senders who aren’t able to comply with these SPF, DKIM, and DMARC email authentication requirements will struggle to reach the inbox and are likely to see their email rejected in the near future.
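As an added example (not code from Microsoft or Valimail), the following Python checks one message's authentication results against the requirements described above: SPF and DKIM pass, a published DMARC policy of p=none or stronger, and alignment of the From domain with SPF or DKIM. The function names, domains and record strings are constructed for illustration, no DNS lookups are made, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not DMARC."""
    parts = [p.strip() for p in (txt or "").split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in parts)}
    # RFC 7489: the record must start with the v=DMARC1 tag.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags

def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain.
    # Real checks need the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, otherwise relaxed."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def check_message(from_domain, dmarc_txt, spf, spf_domain, dkim, dkim_domain):
    """Return the list of unmet requirements; an empty list means compliant."""
    problems = []
    if spf != "pass":
        problems.append("SPF did not pass")
    if dkim != "pass":
        problems.append("DKIM did not pass")
    tags = parse_dmarc(dmarc_txt)
    if tags is None or tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("no valid DMARC policy (need p=none or stronger)")
    tags = tags or {}
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if not (spf_ok or dkim_ok):
        problems.append("neither SPF nor DKIM is aligned with the From domain")
    return problems

if __name__ == "__main__":
    # Constructed sample: mail sent through a third party that signs with its own domain.
    print(check_message("example.com", "v=DMARC1; p=reject",
                        "pass", "bounces.example.net", "pass", "example.net"))
```

The constructed sample shows a common failure: SPF and DKIM both pass, but for a third party's domain, so neither result is aligned with the From domain.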
Additional sender requirements
Microsoft additionally requires that the From and/or reply-to addresses be valid and that they must be able to receive replies. Messages must contain functional unsubscribe links as appropriate, making it easy for recipients to opt out of further email communications.
Transparent mailing practices are required. Avoid deception, ensure that you have consent, employ appropriate list hygiene best practices, and process bounces properly.
Enforcement starts in May 2025
Microsoft indicates that enforcement’s first steps begin on May 5, 2025. Initially, they “will begin routing messages from high-volume non‐compliant domains to the Junk folder” and warn that non-compliant senders are likely to face blocking at some point in the future.
How Valimail can help you meet these requirements
As champions of DMARC – and Microsoft’s go-to solution for DMARC and hosted SPF – we could not agree more strongly with the need for DMARC for everyone. This is what Valimail does best. With the best enforcement rates, the best time to enforcement, the most patents and innovation in the space, customers that absolutely love our products, and the #1 market leadership position – you need to do DMARC, and we invite you to do it with us.
We believe that visibility should be free.
Use Valimail Monitor to ensure you’re meeting Microsoft’s requirements and take the first step toward protecting your brand and stopping fraudulent email from being sent on behalf of your domain.