--- title: "Microsoft DMARC Requirements (May 2025): What You Need to Know | DMARC Report" description: "Microsoft began enforcing DMARC, SPF, and DKIM for high-volume senders to Outlook.com, Hotmail.com, and Live.com from May 5, 2025. Non-compliant email is routed to junk, then rejected. Here" image: "https://dmarcreport.com/og/blog/microsoft-outlook-dmarc-requirements-may-2025.png" canonical: "https://dmarcreport.com/blog/microsoft-outlook-dmarc-requirements-may-2025/" --- Quick Answer Microsoft began enforcing DMARC for high-volume senders (5,000+ daily emails to Outlook.com/Hotmail/Live.com) from May 5, 2025\. Requirements: SPF must pass, DKIM must pass, DMARC record with at least p=none, and DMARC alignment with either SPF or DKI Related: [Free DMARC Checker](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fmicrosoft-outlook-dmarc-requirements-may-2025%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Microsoft%20DMARC%20Requirements%20%28May%202025%29%3A%20What%20You%20Need%20to%20Know&url=undefined%2Fblog%2Fmicrosoft-outlook-dmarc-requirements-may-2025%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fmicrosoft-outlook-dmarc-requirements-may-2025%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fmicrosoft-outlook-dmarc-requirements-may-2025%2F&title=Microsoft%20DMARC%20Requirements%20%28May%202025%29%3A%20What%20You%20Need%20to%20Know "Share on Reddit") [ ](mailto:?subject=Microsoft%20DMARC%20Requirements%20%28May%202025%29%3A%20What%20You%20Need%20to%20Know&body=Check out this article: undefined%2Fblog%2Fmicrosoft-outlook-dmarc-requirements-may-2025%2F "Share via Email") ![Microsoft DMARC Requirements (May 2025): What You Need to Kn](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) \*\*Microsoft began enforcing DMARC, SPF, and DKIM for high-volume senders (5,000+ daily emails to Outlook.com, Hotmail.com, and Live.com) from May 5, 2025\. Non-compliant email is initially routed to the Junk folder, with outright rejection following. This matches Google’s and Yahoo’s February 2024 enforcement - the three largest email providers now all require authentication. DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. Per [Microsoft’s official announcement](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/strengthening-email-ecosystem-outlook%E2%80%99s-new-requirements-for-high%E2%80%90volume-senders/4399730), the requirements are: SPF must pass, DKIM must pass, DMARC record published with at least `p=none`, and DMARC alignment with either SPF or DKIM. ## What Are the Specific Requirements? | Requirement | Detail | | --------------------- | ---------------------------------------------------------------------- | | **SPF** | Must pass for the sending domain | | **DKIM** | Must pass with valid signature | | **DMARC** | Record published at \_dmarc.yourdomain.com with at least p=none | | **DMARC alignment** | Either SPF or DKIM must align with the From domain | | **Applies to** | Senders of 5,000+ daily messages to Outlook.com, Hotmail.com, Live.com | | **Enforcement start** | May 5, 2025 | | **Consequence** | Junk folder initially → rejection eventually | As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. ## How to Check Your Compliance 1. [Check your SPF record →](/tools/spf-checker/) \- verify it passes and lists your Microsoft 365 include 2. [Check your DKIM selectors →](/tools/dkim-lookup/) \- verify Microsoft’s selectors are published 3. [Check your DMARC record →](/tools/dmarc-checker/) \- verify it exists with at least `p=none` and `rua=` 4. [Run a full authentication check →](/tools/domain-auth-checker/) \- all 5 protocols at once ## What If You’re Not Compliant? If you’re sending 5,000+ messages/day to Microsoft consumer mailboxes without SPF + DKIM + DMARC: 1. Your email is going to Junk right now 2. It will be rejected entirely once Microsoft tightens enforcement 3. Fix it using the [DMARC setup guide](/blog/how-to-set-up-dmarc-complete-guide-2026/) 4. Monitor your compliance with [DMARC Report](https://app.dmarcreport.com/) ## Who Does This Affect? Microsoft’s enforcement targets **consumer mailboxes** (Outlook.com, Hotmail.com, Live.com) - not Exchange Online/Microsoft 365 business accounts (yet). However, Microsoft has signaled that business account enforcement is coming. > With Google, Yahoo, and now Microsoft all enforcing DMARC, there’s no email provider left that accepts unauthenticated bulk mail, says Brad Slavin, General Manager of DuoCircle. The grace period is over. If your domain doesn’t have SPF + DKIM + DMARC published and passing, your email isn’t reaching inboxes. [Generate your DMARC record →](/tools/dmarc-record-generator/) [Start monitoring with DMARC Report →](https://app.dmarcreport.com/) ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/) ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Microsoft DMARC Requirements (May 2025): What You Need to Know","description":"Microsoft began enforcing DMARC, SPF, and DKIM for high-volume senders to Outlook.com, Hotmail.com, and Live.com from May 5, 2025. Non-compliant email is routed to junk, then rejected. Here's what to fix and how to verify compliance.","url":"https://dmarcreport.com/blog/microsoft-outlook-dmarc-requirements-may-2025/","datePublished":"2026-04-03T00:00:00.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-04-03T00:00:00.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/microsoft-outlook-dmarc-requirements-may-2025/"},"articleSection":"foundational","keywords":"DMARC, email security","wordCount":2500,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"Microsoft DMARC Requirements (May 2025): What You Need to Kn","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Microsoft DMARC Requirements (May 2025): What You Need to Know","item":"https://dmarcreport.com/blog/microsoft-outlook-dmarc-requirements-may-2025/"}]} ```