--- title: "Microsoft Outlook steps up email security with new policies | DMARC Report" description: "Microsoft Outlook steps up email security with new policies from DMARC Report explains practical steps for email authentication, domain protection." image: "https://dmarcreport.com/og/blog/microsoft-outlook-steps-up-email-security-with-new-policies.png" canonical: "https://dmarcreport.com/blog/microsoft-outlook-steps-up-email-security-with-new-policies/" --- Quick Answer The three core email authentication standards - SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. DMARC Report Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fmicrosoft-outlook-steps-up-email-security-with-new-policies%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Microsoft%20Outlook%20steps%20up%20email%20security%20with%20new%20policies&url=undefined%2Fblog%2Fmicrosoft-outlook-steps-up-email-security-with-new-policies%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fmicrosoft-outlook-steps-up-email-security-with-new-policies%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fmicrosoft-outlook-steps-up-email-security-with-new-policies%2F&title=Microsoft%20Outlook%20steps%20up%20email%20security%20with%20new%20policies "Share on Reddit") [ ](mailto:?subject=Microsoft%20Outlook%20steps%20up%20email%20security%20with%20new%20policies&body=Check out this article: undefined%2Fblog%2Fmicrosoft-outlook-steps-up-email-security-with-new-policies%2F "Share via Email") ![Microsoft Outlook steps up email security with new policies](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) ![Dmarc record 9942 150x150](https://media.mailhop.org/dmarcreport/images/2025/04/dmarc-record-9942-150x150.jpg) > The email authentication landscape changed permanently in 2024, says Brad Slavin, General Manager of DuoCircle. Google, Yahoo, and now Microsoft all require DMARC. What used to be a best practice is now a hard prerequisite for reaching inboxes. Organizations that delayed are now paying the price in deliverability. The three core email authentication standards - SPF ([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)), DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)), and DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. DMARC Report Microsoft Outlook steps up email security with new policies ```

00:00 ``` / ``` 2:03 ``` RSS Feed ``` Share Link Embed ``` /\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-23603” readonly/> ``` ``` Remember the big shift in [cybersecurity](https://dmarcreport.com/blog/how-to-educate-or-train-employees-on-cybersecurity/) in 2024? That’s when email giants like Google and Yahoo released major updates to their \*\*email policies to tackle [email spoofing](https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html), phishing, and spam. In this new policy update, they asked their senders - particularly bulk senders- to verify their sending domain by setting up [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) tools like SPF, DKIM, and DMARC. The good thing is that this update led to significant improvement in the adoption of these protocols. In fact, over the past year, the number of organizations setting up DMARC has nearly doubled. In 2023, around \*\*55,000 domains were implementing DMARC each month. [By the third quarter of 2024, the number jumped to about 110,000 per month. ](https://www.darkreading.com/cybersecurity-operations/time-get-strict-dmarc) Certainly, the adoption of email authentication protocols is picking up, and more and more senders are taking [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) seriously now, but there is still room for improvement. After all, [cyber attackers](https://www.nbcnews.com/tech/security/us-officials-urge-americans-use-encrypted-apps-cyberattack-rcna182694) are also **getting smarter by the day**. To fill in the gaps and make email security a norm, Microsoft is finally stepping up its game. Let’s take a closer look at what \*\*Outlook’s new rules are and how you can get ready. ![Dmarc analyzer](https://media.mailhop.org/dmarcreport/images/2025/04/dmarc-analyzer-7921.jpg) ## Why is Microsoft bringing in these changes now? The answer is simple: [Email threats](https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/email-threat-landscape-report-2023) have come a long way since their inception. These days, [fraudulent emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) don’t really come with a warning signal; they are clever, sneaky, and hard to spot, even for the **most vigilant users**. So, now that the [cybercriminals](https://www.voanews.com/a/alleged-leader-of-cybercriminals-extradited-to-us/7741605.html) are evolving, email companies also need to catch up! As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. In this vein, Microsoft recognized that email security can no longer be treated as an option; it is a mandatory aspect of maintaining the hygiene of your email ecosystem. ![Dmarc office 365](https://media.mailhop.org/dmarcreport/images/2025/04/dmarc-office-365-6654.jpg) Starting May 5, 2025, Microsoft will begin enforcing **stricter policies**. So, if your company sends out over **5000 emails per day**, you must have proper authentication - with [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/), DKIM, and DMARC correctly configured. If you don’t have these protocols in place, your emails may not reach the inboxes at all. Instead, they might end up in the [junk folders](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/) \- or get blocked altogether. _This is like Microsoft’s shot at pushing their senders to be accountable for their outgoing messages and tightening up their email practices_. At the end of the day, it’s all about trust. The [ESP](https://www.activecampaign.com/glossary/email-service-provider) wants its users to feel safe while opening or interacting with any email in their inbox. ![Dmarc report](https://media.mailhop.org/dmarcreport/images/2025/04/dmarc-report-5128.jpg) ## What are the major updates in Microsoft’s latest email-sending policy? Microsoft’s update is mostly in line with [Google and Yahoo’s](https://dmarcreport.com/blog/google-and-yahoos-new-email-authentication-policy-for-2024/) sending policies. That’s to say that, from 5 May 2025 onwards, if you send out more than 5,000 messages per day, you’ll be required to have three email authentication mechanisms in place - SPF, [DKIM](https://dmarcreport.com/what-is-dkim/), and DMARC - just like Google and Yahoo already require. Here’s a breakdown of what each protocol does: ## SPF (Sender Policy Framework) SPF lets you define which servers are allowed to send emails from your domain. Ideally, the list should include it all - from your primary domain to any subdomain that you use to [third-party mail services](https://townemailer.com/what-is-a-third-party-mailing-service/) like Mailchimp or a [CRM platform](https://crm.io/what-is-a-crm-platform). ![What is dmarc](https://media.mailhop.org/dmarcreport/images/2025/04/what-is-dmarc-4589.jpg) If the email comes from a server that is _not_ on your list, Outlook might see it as suspicious and either block it or [mark it as spam](https://pressgazette.co.uk/publishers/digital-journalism/facebook-spam-posts-independent-small-news-publishers/). ## DKIM (DomainKeys Identified Mail) DKIM helps make sure your email hasn’t been changed along the way. When you send an email, a unique signature is added to it. This signature proves the email really came from you and that nothing in it was changed on the way. The receiving [email server](https://www.one.com/en/email/what-is-an-email-server) checks that signature using a [public key](https://www.techtarget.com/searchsecurity/definition/public-key) from your **domain’s settings**. If the two match, the email is trusted. If it doesn’t, the email might be blocked or marked as suspicious. It’s just a way to make sure your message stays the same when it goes from the sender server to the receiver’s. ![Dmarc alignment](https://media.mailhop.org/dmarcreport/images/2025/04/dmarc-alignment-4455.jpg) ## DMARC (Domain-based Message Authentication, Reporting & Conformance) DMARC picks up from where SPF and DKIM left off. What we mean to say is that it confirms whether the \*\*email passes both those checks and then decides what to do if something doesn’t align. Since you are the owner of the domain, you can choose to let them through, send them to spam, or block them. You can do this by setting a [DMARC policy](https://dmarcreport.com/blog/what-is-a-dmarc-policy-and-how-does-it-affect-sending-my-emails/) for your domain. _DMARC also sends you reports that show what’s happening with your domain_. You can see which emails passed the checks, which ones failed, and who sent them. It’s a simple way to know if someone is trying to misuse your domain. ## What are the other requirements of Microsoft’s new policy? - _After you have configured SPF, DKIM, and DMARC for your domain, Microsoft wants you to ensure that you’re using the right (and clear) address in both the “_ **_From” and “Reply-To” fields_**. Your recipients should be able to tell at first glance that the email is from you. - Another thing: while \*\*sending bulk \*\*or [promotional emails](https://stripo.email/glossary/what-is-a-promotional-email/), it is important to include a separate unsubscribe link that is easy to locate. Your recipients should be able to decide whether they want to engage with your email or not. - _Finally, keep your email list sorted. That means that if there are any duplicates, inactive, or broken email addresses, you should remove them from your list._ Not removing the fluff increases your [bounce rate](https://en.wikipedia.org/wiki/Bounce%5Frate) and impacts your [sender reputation](https://www.campaignmonitor.com/resources/knowledge-base/what-is-email-sender-reputation/). ![Dmarc check](https://media.mailhop.org/dmarcreport/images/2025/04/dmarc-check-4217.jpg) ## What’s next? Your next steps should be all about taking proactive action ! _5 May 2025 is right around the corner, which means you have no time to waste. If you don’t start now, Microsoft will soon start flagging your emails as suspicious or spam, which we assume is the last thing you want_! Protocols like [DMARC](https://dmarcreport.com/) not only \*\*protect your domain from being misused by attackers, but they tell you what’s going on with your domain! To know more about how you can meet the \*\*new industry standards and leverage DMARC reports to level up your email security game, contact us today! ## Sources - [RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/) ![Vishal Lamba](https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg) [ Vishal Lamba ](/authors/vishal-lamba/) Content Specialist Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs. [LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Microsoft Outlook steps up email security with new policies","description":"Microsoft Outlook steps up email security with new policies from DMARC Report explains practical steps for email authentication, domain protection.","url":"https://dmarcreport.com/blog/microsoft-outlook-steps-up-email-security-with-new-policies/","datePublished":"2025-04-09T11:09:17.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2025-04-09T11:09:17.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://dmarcreport.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes DMARC Report's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF and DMARC errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/dmarcreport/images/team/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/microsoft-outlook-steps-up-email-security-with-new-policies/"},"articleSection":"foundational","keywords":"dkim, DMARC, email security, SPF","wordCount":1351,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Microsoft Outlook steps up email security with new policies","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Microsoft Outlook steps up email security with new policies","item":"https://dmarcreport.com/blog/microsoft-outlook-steps-up-email-security-with-new-policies/"}]} ```