Microsoft Outlook steps up email security with new policies
Remember the big shift in cybersecurity in 2024? That’s when email giants like Google and Yahoo released major updates to their email policies to tackle email spoofing, phishing, and spam.
In this new policy update, they asked their senders—particularly bulk senders- to verify their sending domain by setting up email authentication tools like SPF, DKIM, and DMARC. The good thing is that this update led to significant improvement in the adoption of these protocols. In fact, over the past year, the number of organizations setting up DMARC has nearly doubled. In 2023, around 55,000 domains were implementing DMARC each month. By the third quarter of 2024, the number jumped to about 110,000 per month.
Certainly, the adoption of email authentication protocols is picking up, and more and more senders are taking email security seriously now, but there is still room for improvement. After all, cyber attackers are also getting smarter by the day. To fill in the gaps and make email security a norm, Microsoft is finally stepping up its game.
Let’s take a closer look at what Outlook’s new rules are and how you can get ready.
Why is Microsoft bringing in these changes now?
The answer is simple: Email threats have come a long way since their inception. These days, fraudulent emails don’t really come with a warning signal; they are clever, sneaky, and hard to spot, even for the most vigilant users. So, now that the cybercriminals are evolving, email companies also need to catch up!
In this vein, Microsoft recognized that email security can no longer be treated as an option; it is a mandatory aspect of maintaining the hygiene of your email ecosystem.
Starting May 5, 2025, Microsoft will begin enforcing stricter policies. So, if your company sends out over 5000 emails per day, you must have proper authentication— with SPF, DKIM, and DMARC correctly configured. If you don’t have these protocols in place, your emails may not reach the inboxes at all. Instead, they might end up in the junk folders—or get blocked altogether.
This is like Microsoft’s shot at pushing their senders to be accountable for their outgoing messages and tightening up their email practices. At the end of the day, it’s all about trust. The ESP wants its users to feel safe while opening or interacting with any email in their inbox.
What are the major updates in Microsoft’s latest email-sending policy?
Microsoft’s update is mostly in line with Google and Yahoo’s sending policies. That’s to say that, from 5 May 2025 onwards, if you send out more than 5,000 messages per day, you’ll be required to have three email authentication mechanisms in place—SPF, DKIM, and DMARC—just like Google and Yahoo already require.
Here’s a breakdown of what each protocol does:
SPF (Sender Policy Framework)
SPF lets you define which servers are allowed to send emails from your domain. Ideally, the list should include it all—from your primary domain to any subdomain that you use to third-party mail services like Mailchimp or a CRM platform.
If the email comes from a server that is not on your list, Outlook might see it as suspicious and either block it or mark it as spam.
DKIM (DomainKeys Identified Mail)
DKIM helps make sure your email hasn’t been changed along the way.
When you send an email, a unique signature is added to it. This signature proves the email really came from you and that nothing in it was changed on the way. The receiving email server checks that signature using a public key from your domain’s settings. If the two match, the email is trusted. If it doesn’t, the email might be blocked or marked as suspicious.
It’s just a way to make sure your message stays the same when it goes from the sender server to the receiver’s.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC picks up from where SPF and DKIM left off. What we mean to say is that it confirms whether the email passes both those checks and then decides what to do if something doesn’t align. Since you are the owner of the domain, you can choose to let them through, send them to spam, or block them. You can do this by setting a DMARC policy for your domain.
DMARC also sends you reports that show what’s happening with your domain. You can see which emails passed the checks, which ones failed, and who sent them. It’s a simple way to know if someone is trying to misuse your domain.
What are the other requirements of Microsoft’s new policy?
- After you have configured SPF, DKIM, and DMARC for your domain, Microsoft wants you to ensure that you’re using the right (and clear) address in both the “From” and “Reply-To” fields. Your recipients should be able to tell at first glance that the email is from you.
- Another thing: while sending bulk or promotional emails, it is important to include a separate unsubscribe link that is easy to locate. Your recipients should be able to decide whether they want to engage with your email or not.
- Finally, keep your email list sorted. That means that if there are any duplicates, inactive, or broken email addresses, you should remove them from your list. Not removing the fluff increases your bounce rate and impacts your sender reputation.
What’s next?
Your next steps should be all about taking proactive action!
5 May 2025 is right around the corner, which means you have no time to waste. If you don’t start now, Microsoft will soon start flagging your emails as suspicious or spam, which we assume is the last thing you want!
Protocols like DMARC not only protect your domain from being misused by attackers, but they tell you what’s going on with your domain!
To know more about how you can meet the new industry standards and leverage DMARC reports to level up your email security game, contact us today!
