
Microsoft is introducing new technical requirements for sending large volumes of email to Outlook addresses. Starting May 5, 2025, email authentication protocols such as SPF, DKIM, and DMARC will become mandatory for senders who dispatch more than 5,000 emails per day to Outlook.com domains (e.g. @outlook.com, @hotmail.com, @live.com).
Affected senders may include online retailers, banks, insurance companies, telecommunication providers, public authorities, educational institutions, as well as ticketing, monitoring, newsletter, and CRM systems.
The goal of these tightened requirements is to improve the verifiability of sender identity, reduce phishing attacks, and increase the deliverability of legitimate messages.
Without properly configured SPF, DKIM, and DMARC records, emails may face limited deliverability, spam filtering, or even full rejection—resulting in a loss of reach and credibility.
Requirements for SPF, DKIM, and DMARC
Microsoft requires the consistent implementation of three email authentication protocols:
- SPF (Sender Policy Framework): SPF uses a DNS record to define which mail servers are authorized to send emails on behalf of a domain. This allows receiving servers to verify whether an incoming message originates from an approved sender. SPF helps protect against forged sender addresses (spoofing).
- DKIM (DomainKeys Identified Mail): DKIM attaches a cryptographic signature to outgoing emails. This signature can be verified via a public key stored in the domain’s DNS. It ensures that the message has not been altered and that it truly comes from the claimed sender.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): DMARC builds on SPF and DKIM and defines how receiving mail servers should handle messages that fail authentication. Microsoft requires:
  - At minimum: the policy p=none for monitoring only.
  - Recommended: alignment with SPF or DKIM (ideally both).
  - A valid DMARC record is mandatory—otherwise, emails may be marked as suspicious.
Consequences of Non-Compliance
Emails that do not meet the authentication standards mentioned above will, according to Microsoft, no longer be delivered as usual:
- Phase 1: Messages will be delivered to the recipient’s junk/spam folder.
- Phase 2: If non-compliance continues, messages will be fully rejected with the error code: “550 5.7.515 Access denied – message rejected due to sender authentication failure.”
These measures apply specifically to emails sent to Microsoft-owned domains and can have serious consequences for both marketing and transactional messages if no adjustments are made.
Correct Setup of a DMARC Record
A DMARC record is published as a TXT record in the DNS of the sender’s domain. The most important parameters include:
- Policy (p)
  - p=none: Only generate reports, no enforcement.
  - p=quarantine: Treat messages as suspicious and deliver them to the spam folder.
  - p=reject: Reject messages that fail SPF or DKIM checks.
- Failure Reporting Options (fo): Determines when forensic (detailed) failure reports should be sent:
  - fo=0 (default): Only if both SPF and DKIM fail.
  - fo=1: If either SPF or DKIM fails.
  - fo=d: Only for DKIM failures.
  - fo=s: Only for SPF failures.
- Reporting Addresses
  - rua: Address for aggregate DMARC reports (summary statistics).
  - ruf: Address for forensic failure reports (individual failure details).
Example of a DMARC Record:
_dmarc.example.at. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.at; ruf=mailto:dmarc-reports@example.at; fo=1"
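A small offline checker for the parameters described above, given as an added example that is not part of the original article or of any Microsoft tooling. The function names and the sample records are assumptions made for illustration; the rule that fo is ignored when ruf is absent comes from RFC 7489.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)  # "!10m" = size limit

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if part.strip():
            tag, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return a list of findings; an empty list means no problem was found."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["record must start with v=DMARC1"]
    tags, findings = dict(pairs), []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(f"p must be none, quarantine or reject, got {policy!r}")
    for opt in tags.get("fo", "0").split(":"):  # fo may list several options
        if opt.strip() not in FO_OPTIONS:
            findings.append(f"unknown fo option {opt.strip()!r}")
    for tag in ("rua", "ruf"):  # each may hold a comma-separated list of URIs
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not MAILTO.fullmatch(uri.strip()):
                findings.append(f"{tag} is not a mailto: URI: {uri.strip()!r}")
    if "fo" in tags and "ruf" not in tags:  # RFC 7489: fo is ignored without ruf
        findings.append("fo has no effect without ruf")
    if policy == "none" and "rua" not in tags:
        findings.append("p=none without rua collects no report data")
    return findings

if __name__ == "__main__":
    # Constructed sample input; the first record is the example shown above
    for record in ('"v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.at; '
                   'ruf=mailto:dmarc-reports@example.at; fo=1"',
                   "v=DMARC1; p=none", "v=DMARC1; p=monitor; fo=1:x"):
        print(record, "->", check_dmarc(record) or "ok")
```

Pass it the TXT value published at `_dmarc.<your domain>`; the DNS lookup itself is left out so the script runs offline.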
Recommendations for Organizations
- Review SPF, DKIM, and DMARC settings: Use tools such as IKARUS mail.security, dmarcian.com, mxtoolbox.com, or your own DNS-check scripts to validate your configurations.
- Gradually enforce your DMARC policy: Start with p=none to collect data, then move to quarantine or reject once you’re confident in your setup.
- Ensure transparency in email sending: Collaborate across IT, marketing, and external service providers (e.g. mail gateways, CRM platforms) to maintain a clear overview of all senders and a consistent, correct DNS configuration.
Microsoft’s new DMARC requirements represent an important step toward improving email security. They strengthen trust in digital communication, prevent abuse of sender identities, and help ensure that messages reach their recipients reliably and securely.
Source: Microsoft Tech Community – Outlook’s New Requirements for High-Volume Senders