Microsoft DMARC Requirements (May 2025): What You Need to Know
Quick Answer
Microsoft began enforcing DMARC for high-volume senders (5,000+ daily emails to Outlook.com/Hotmail/Live.com) from May 5, 2025. Requirements: SPF must pass, DKIM must pass, DMARC record with at least p=none, and DMARC alignment with either SPF or DKI
Microsoft began enforcing DMARC, SPF, and DKIM for high-volume senders (5,000+ daily emails to Outlook.com, Hotmail.com, and Live.com) from May 5, 2025. Non-compliant email is initially routed to the Junk folder, with outright rejection following. This matches Google’s and Yahoo’s February 2024 enforcement: the three largest email providers now all require authentication.
DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment: the domain authenticated by SPF (the envelope sender) or by DKIM (the signature’s d= domain) must match the domain in the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users.
Per Microsoft’s official announcement, the requirements are: SPF must pass, DKIM must pass, DMARC record published with at least p=none, and DMARC alignment with either SPF or DKIM.
What Are the Specific Requirements?
| Requirement | Detail |
|---|---|
| SPF | Must pass for the sending domain |
| DKIM | Must pass with valid signature |
| DMARC | Record published at _dmarc.yourdomain.com with at least p=none |
| DMARC alignment | Either SPF or DKIM must align with the From domain |
| Applies to | Senders of 5,000+ daily messages to Outlook.com, Hotmail.com, Live.com |
| Enforcement start | May 5, 2025 |
| Consequence | Junk folder initially → rejection eventually |
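
The sketch below is an added example, not code from Microsoft or from this page. It evaluates the four requirements in the table for a single message and shows why SPF and DKIM can both pass while DMARC alignment still fails. The function names and all domains and records are constructed, and the organizational domain is approximated as the last two labels instead of being derived from the Public Suffix List.

```python
# Added example: constructed sample values throughout (example.com / example.net).

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # v=DMARC1 must be the first tag (RFC 7489)
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # This example requires an explicit, valid p= tag.
    return tags if tags.get("p", "").lower() in ("none", "quarantine", "reject") else None

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A real evaluator derives it from the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' is strict (exact match); anything else is relaxed (same org domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def unmet_requirements(from_domain, dmarc_txt, spf_result, mail_from, dkim_result, dkim_d):
    """Return the requirements from the table that this message does not meet."""
    unmet = []
    if spf_result != "pass":
        unmet.append("SPF")
    if dkim_result != "pass":
        unmet.append("DKIM")
    tags = parse_dmarc(dmarc_txt or "")
    if tags is None:
        unmet.append("DMARC")
        tags = {}  # no record: fall back to the relaxed defaults for the alignment check
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, tags.get("aspf", "r").lower())
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r").lower())
    if not (spf_ok or dkim_ok):
        unmet.append("DMARC alignment")
    return unmet

RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"  # constructed record
# Both checks pass, but for the sending provider's domain: nothing aligns with From.
print(unmet_requirements("example.com", RECORD, "pass", "bounce.example.net", "pass", "example.net"))
# DKIM signed with a subdomain of the From domain: relaxed alignment holds.
print(unmet_requirements("example.com", RECORD, "pass", "bounce.example.net", "pass", "mail.example.com"))
```

The SPF and DKIM results and their domains are the values a receiver records in the Authentication-Results header, so they can be read from a delivered test message.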
As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
How to Check Your Compliance
- Check your SPF record: verify it passes and lists your Microsoft 365 include
- Check your DKIM selectors: verify Microsoft’s selectors are published
- Check your DMARC record: verify it exists with at least p=none and rua=
- Run a full authentication check: all 5 protocols at once
What If You’re Not Compliant?
If you’re sending 5,000+ messages/day to Microsoft consumer mailboxes without SPF + DKIM + DMARC:
- Your email is going to Junk right now
- It will be rejected entirely once Microsoft tightens enforcement
- Fix it using the DMARC setup guide
- Monitor your compliance with DMARC Report
Who Does This Affect?
Microsoft’s enforcement targets consumer mailboxes (Outlook.com, Hotmail.com, Live.com) — not Exchange Online/Microsoft 365 business accounts (yet). However, Microsoft has signaled that business account enforcement is coming.
“With Google, Yahoo, and now Microsoft all enforcing DMARC, there’s no email provider left that accepts unauthenticated bulk mail,” says Brad Slavin, CEO of DuoCircle. The grace period is over. If your domain doesn’t have SPF + DKIM + DMARC published and passing, your email isn’t reaching inboxes.