Microsoft Outlook steps up email security with new policies

The email authentication landscape changed permanently in 2024, says Brad Slavin, General Manager of DuoCircle. Google, Yahoo, and now Microsoft all require DMARC. What used to be a best practice is now a hard prerequisite for reaching inboxes. Organizations that delayed are now paying the price in deliverability.

The three core email authentication standards - SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. DMARC Report

Microsoft Outlook steps up email security with new policies

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-23603">
						<source src="https://media.mailhop.org/dmarcreport/images/2025/04/Microsoft-Outlook-steps-up-email-security-with-new-policies.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M3S">2:03</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-23603" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-23603" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-23603" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-23603" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/microsoft-outlook-steps-up-email-security-with-new-policies/&t=Microsoft Outlook steps up email security with new policies" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/microsoft-outlook-steps-up-email-security-with-new-policies/&url=Microsoft Outlook steps up email security with new policies" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2025/04/Microsoft-Outlook-steps-up-email-security-with-new-policies.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/microsoft-outlook-steps-up-email-security-with-new-policies/" class="input-link input-link-23603" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-23603" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="OjHNZRp9tL"><a href="https://dmarcreport.com/blog/podcast/microsoft-outlook-steps-up-email-security-with-new-policies/">Microsoft Outlook steps up email security with new policies</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/microsoft-outlook-steps-up-email-security-with-new-policies/embed/#?secret=OjHNZRp9tL" width="500" height="350" title=""Microsoft Outlook steps up email security with new policies" - DMARC Report" data-secret="OjHNZRp9tL" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-23603” readonly/>

					<button class="copy-embed copy-embed-23603" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

Remember the big shift in cybersecurity in 2024? That’s when email giants like Google and Yahoo released major updates to their **email policies to tackle email spoofing, phishing, and spam.

In this new policy update, they asked their senders - particularly bulk senders- to verify their sending domain by setting up email authentication tools like SPF, DKIM, and DMARC. The good thing is that this update led to significant improvement in the adoption of these protocols. In fact, over the past year, the number of organizations setting up DMARC has nearly doubled. In 2023, around **55,000 domains were implementing DMARC each month. By the third quarter of 2024, the number jumped to about 110,000 per month.

Certainly, the adoption of email authentication protocols is picking up, and more and more senders are taking email security seriously now,  but there is still room for improvement. After all, cyber attackers are also getting smarter by the day. To fill in the gaps and make email security a norm, Microsoft is finally stepping up its game. 

Let’s take a closer look at what **Outlook’s new rules are and how you can get ready.

Why is Microsoft bringing in these changes now?

The answer is simple: Email threats have come a long way since their inception. These days, fraudulent emails don’t really come with a warning signal; they are clever, sneaky, and hard to spot, even for the most vigilant users. So, now that the cybercriminals are evolving, email companies also need to catch up!

As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

In this vein, Microsoft recognized that email security can no longer be treated as an option; it is a mandatory aspect of maintaining the hygiene of your email ecosystem.

Starting May 5, 2025, Microsoft will begin enforcing stricter policies. So, if your company sends out over 5000 emails per day, you must have proper authentication - with SPF, DKIM, and DMARC correctly configured. If you don’t have these protocols in place, your emails may not reach the inboxes at all. Instead, they might end up in the junk folders - or get blocked altogether.

This is like Microsoft’s shot at pushing their senders to be accountable for their outgoing messages and tightening up their email practices. At the end of the day, it’s all about trust. The ESP wants its users to feel safe while opening or interacting with any email in their inbox.

What are the major updates in Microsoft’s latest email-sending policy?

Microsoft’s update is mostly in line with Google and Yahoo’s sending policies. That’s to say that, from 5 May 2025 onwards, if you send out more than 5,000 messages per day, you’ll be required to have three email authentication mechanisms in place - SPF, DKIM, and DMARC - just like Google and Yahoo already require.

Here’s a breakdown of what each protocol does:

SPF (Sender Policy Framework)

SPF lets you define which servers are allowed to send emails from your domain. Ideally, the list should include it all - from your primary domain to any subdomain that you use to third-party mail services like Mailchimp or a CRM platform.

If the email comes from a server that is not on your list, Outlook might see it as suspicious and either block it or mark it as spam.

DKIM (DomainKeys Identified Mail)

DKIM helps make sure your email hasn’t been changed along the way.

When you send an email, a unique signature is added to it. This signature proves the email really came from you and that nothing in it was changed on the way. The receiving email server checks that signature using a public key from your domain’s settings. If the two match, the email is trusted. If it doesn’t, the email might be blocked or marked as suspicious.

It’s just a way to make sure your message stays the same when it goes from the sender server to the receiver’s.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC picks up from where SPF and DKIM left off. What we mean to say is that it confirms whether the **email passes both those checks and then decides what to do if something doesn’t align. Since you are the owner of the domain, you can choose to let them through, send them to spam, or block them. You can do this by setting a DMARC policy for your domain.

DMARC also sends you reports that show what’s happening with your domain. You can see which emails passed the checks, which ones failed, and who sent them. It’s a simple way to know if someone is trying to misuse your domain.

What are the other requirements of Microsoft’s new policy?

• After you have configured SPF, DKIM, and DMARC for your domain, Microsoft wants you to ensure that you’re using the right (and clear) address in both the “From” and “Reply-To” fields. Your recipients should be able to tell at first glance that the email is from you.

• Another thing: while **sending bulk **or promotional emails, it is important to include a separate unsubscribe link that is easy to locate. Your recipients should be able to decide whether they want to engage with your email or not.

• Finally, keep your email list sorted. That means that if there are any duplicates, inactive, or broken email addresses, you should remove them from your list. Not removing the fluff increases your bounce rate and impacts your sender reputation.

What’s next?

Your next steps should be all about taking proactive action !

5 May 2025 is right around the corner, which means you have no time to waste. If you don’t start now, Microsoft will soon start flagging your emails as suspicious or spam, which we assume is the last thing you want!

Protocols like DMARC not only **protect your domain from being misused by attackers, but they tell you what’s going on with your domain!

To know more about how you can meet the **new industry standards and leverage DMARC reports to level up your email security game, contact us today!

Sources

• RFC 7208 - Sender Policy Framework (SPF)
• RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)