Microsoft to Enforce Bulk Sender Authentication Requirements Starting May 5


Microsoft joins Gmail and Yahoo in expanding their efforts to control the spam and malicious emails that make it into users’ inboxes by enforcing stringent bulk email sender requirements

On April 2, Microsoft announced its plans to step up its commitment to hardening consumer email inboxes against spammers and scammers through stricter email security settings. The company’s plans, which will take effect on May 5, aim to protect Outlook.com accounts (i.e., Microsoft Outlook’s web-based email service) by:

  • targeting domains sending 5,000+ emails per day
  • mandating specific DNS-based email security configurations, and
  • reducing malicious email activities (e.g., spam and phishing-related issues) by enforcing industry email security best practices

So, what precisely do these changes mean for organizations that send out at least that many messages daily? And what additional steps can you take to further strengthen your email security and authentication initiatives?

Let’s hash it out.

An Overview of What’s Happening Starting May 5

Microsoft is mandating new email authentication-related measures to reduce the volume of phishing, spoofing, and spam messages received by users of their @hotmail.com, @live.com, and @outlook.com domains. The measure, which is part of the company’s overarching effort to improve consumer email security, aims to:

  • force sender organizations to move email security toward the top of their list of priorities,
  • push email senders to implement and adhere to industry email security best practices, and
  • reduce the amount of spam that reaches users’ inboxes.

So, who will these changes affect, and what do the specific changes entail?

Who Will Be Impacted by These Changes

Microsoft’s announcement states the new measures are directed toward “domains sending more than 5,000 emails per day” to users with consumer email addresses ending in @hotmail.com, @live.com, and @outlook.com. There’s an important caveat, however: the 5,000-message threshold is counted across a primary domain and its subdomains together, so an organization whose subdomains collectively send 5,000 or more messages per day is also subject to the new bulk sender limits and authentication requirements.

But what about business domains? The author of the Microsoft announcement shared the following response to a reader’s question:

“We don’t plan to expand this to Enterprise yet. Enterprise environments have complex mail flows that can break DMARC. We’ll get there eventually, but not with this release. This is focused only on Microsoft’s consumer services.”

Bulk Senders Must Implement These New DNS-Based Security Measures

If your domain sends at least 5,000 emails per day, you must implement the following email authentication standards to be compliant with the new rule:

  1. Sender Policy Framework (SPF): Your domain’s SPF record must be properly configured and list every hostname (domain) and IP address that is authorized to send mail on its behalf. Send mail only from those authorized hosts or addresses so that the SPF check returns “pass” rather than “neutral,” “fail,” “softfail,” or “none.” NOTE: Keep your SPF record within the limit of 10 DNS lookups; otherwise, SPF checks may fail.
  2. DomainKeys Identified Mail (DKIM): Ensure your DKIM record is properly configured (i.e., your key pair is set up and the public key is published in DNS), and that every authorized outgoing message is signed with the domain’s private key. (Verify that your email server signs all outgoing messages.) These steps, along with enabling TLS on your email server, will help ensure that the DKIM check returns a “pass” result.
  3. Domain-based Message Authentication, Reporting, and Conformance (DMARC): You must publish a DMARC policy of at least p=none, and your messages must align with SPF or DKIM (i.e., pass at least one of the two with a domain that matches the visible From address). (NOTE: The “none” policy [i.e., p=none] tells receiving servers not to apply any special handling to messages that fail, so we’d instead recommend the stricter policy p=reject.)
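To make the three requirements above concrete, here is an added example (not code from the original article or from Microsoft) that parses an SPF record, counts the terms that consume DNS lookups against the limit of 10, parses a DMARC record, and reports the weaknesses a bulk sender would want to fix before May 5. The records are constructed samples for a hypothetical domain; the domain names, addresses, and the `rua=` mailbox are placeholders.

```python
"""Sanity-check the SPF and DMARC records a bulk sender must publish.

Added example (not from the article or from Microsoft). The records below
are constructed samples for a hypothetical domain; swap in the TXT records
published for your own domain and its sending subdomains.
"""

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); receivers stop
# evaluating SPF once more than SPF_MAX_LOOKUPS of them are encountered.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10
DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_spf(record: str) -> list[str]:
    """Split an SPF TXT record into its terms, rejecting non-SPF records."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    return terms[1:]


def spf_lookup_count(record: str) -> int:
    """Count the lookup-incurring terms directly in this record.

    This counts only the first level; a complete audit must recurse into each
    include: target, because nested lookups count against the same limit.
    """
    count = 0
    for term in parse_spf(record):
        term = term.lstrip("+-~?")                      # strip the qualifier
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name.lower() in SPF_LOOKUP_TERMS:
            count += 1
    return count


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record (semicolon-separated tag=value pairs)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 required)")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("DMARC record needs p=none, p=quarantine or p=reject")
    return tags


def check_bulk_sender_records(spf: str, dmarc: str) -> list[str]:
    """Return findings against the requirements described above.

    An empty list means both records parse and carry no flagged weakness.
    """
    findings = []
    lookups = spf_lookup_count(spf)
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(
            f"SPF: {lookups} DNS-lookup terms exceed the limit of {SPF_MAX_LOOKUPS}; "
            "flatten includes or move senders to ip4:/ip6: entries")
    tags = parse_dmarc(dmarc)
    if tags["p"] == "none":
        findings.append(
            "DMARC: p=none satisfies the minimum but applies no handling to "
            "failures; move to p=quarantine and then p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings


# Constructed sample records (documentation address ranges, example domains).
SPF_OK = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SPF_TOO_MANY = ("v=spf1 "
                + " ".join(f"include:spf{i}.example.net" for i in range(11))
                + " ~all")
DMARC_MINIMUM = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("minimum", SPF_TOO_MANY, DMARC_MINIMUM),
                              ("strict", SPF_OK, DMARC_STRICT)):
        print(label, check_bulk_sender_records(spf, dmarc) or ["no findings"])
```

The lookup count is deliberately first-level only: an `include:` that itself contains several `include:` or `mx` terms adds those to the same budget of 10, which is how records that look short on paper end up failing in practice. Run the check against the live TXT records for every subdomain that sends mail, not just the apex.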

Here’s what it looks like in Outlook webmail when you receive a message that’s sent from a domain that passes both the SPF and DKIM checks:

[Image: an example of the SPF and DKIM check results shown in Outlook.com webmail]
Image caption: An example of the SPF and DKIM records that can currently be seen in Outlook Webmail when you right-click a message, select View, and then select View Message Details.
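The message details shown above are the receiver’s stamped authentication results. As an added example (not code from the article or from Microsoft), the script below parses an Authentication-Results header in the standard RFC 8601 format, reads the visible From domain, and applies the DMARC rule from the requirements list: the message passes if SPF or DKIM passed with an aligned domain. The two headers are constructed samples, one for a legitimate newsletter and one for a message that claims a domain it is not authorized for; the `adkim`/`aspf` parameters stand in for the values a sender publishes in its DMARC record.

```python
"""Work out the DMARC verdict from an Authentication-Results header.

Added example (not from the article or from Microsoft). The headers below
are constructed samples in the RFC 8601 format that receiving servers stamp
on inbound mail; Outlook.com's message details show the same spf=/dkim=/
dmarc= results, though the surrounding text may differ.
"""
import re

# Constructed sample: SPF and DKIM both pass for a newsletter message.
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: mx.example.net; "
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com; "
    "dkim=pass (signature was verified) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com"
)
SAMPLE_FROM = "From: Example Corp <newsletter@example.com>"

# Constructed sample: a message claiming to be from example.com that was sent
# through an unrelated domain and carries no DKIM signature.
SPOOF_AUTH_RESULTS = (
    "Authentication-Results: mx.example.net; "
    "spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bulk.example.org; "
    "dkim=none (message not signed)"
)
SPOOF_FROM = "From: Example Support <support@example.com>"


def parse_auth_results(header: str) -> dict[str, dict[str, str]]:
    """Map each method (spf, dkim, dmarc) to its result and properties."""
    body = header.split(":", 1)[1]
    _authserv_id, _, rest = body.partition(";")
    results = {}
    for stanza in rest.split(";"):
        stanza = re.sub(r"\([^)]*\)", "", stanza).strip()   # drop comments
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        props["result"] = result.lower()
        results[method.lower()] = props
    return results


def organizational_domain(domain: str) -> str:
    """Simplified to the last two labels. Real DMARC implementations consult
    the Public Suffix List so that names such as example.co.uk are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_verdict(auth_results: str, from_header: str,
                  adkim: str = "r", aspf: str = "r") -> dict[str, object]:
    """Apply the DMARC rule: pass if SPF or DKIM passed with an aligned
    identifier. adkim/aspf come from the sender's DMARC record (default relaxed)."""
    results = parse_auth_results(auth_results)
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    if not match:
        raise ValueError("no domain found in the From header")
    from_domain = match.group(1)
    spf = results.get("spf", {})
    dkim = results.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(
        spf.get("smtp.mailfrom", ""), from_domain, aspf)
    dkim_ok = dkim.get("result") == "pass" and aligned(
        dkim.get("header.d", ""), from_domain, adkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print(dmarc_verdict(SAMPLE_AUTH_RESULTS, SAMPLE_FROM))
    print(dmarc_verdict(SAMPLE_AUTH_RESULTS, SAMPLE_FROM, adkim="s", aspf="s"))
    print(dmarc_verdict(SPOOF_AUTH_RESULTS, SPOOF_FROM))
```

Note the second call: with strict alignment (`aspf=s`), an SPF pass on a bounce subdomain no longer counts toward DMARC, and only the DKIM signature on the From domain carries the message. That is why a DKIM signature with `d=` set to the From domain is the more robust of the two for bulk mail, which is often relayed through a separate bounce domain.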

How These Changes May Affect Your Organization

If You’re Not an Affected Sender

If you’re an organization that hasn’t sent 5,000+ emails in a single day at least once, then you’ll be happy to know that the changes won’t directly impact you. However, that doesn’t mean that your organization couldn’t benefit from implementing the security measures discussed a few moments ago (SPF, DKIM, and DMARC), so it’s best to implement them anyway.

If You Are an Affected Sender

If you’re part of an organization that does send a minimum of 5,000 emails daily, then these new security rules will definitely apply to you, and you’ll need to implement them before May 5.

Not adhering to these new requirements will impact your organization in several key ways:

  • Non-compliant emails will initially be routed to recipients’ junk folders. Because many recipients never check that folder for legitimate messages that spam filters have flagged, your messages may never be seen at all.
  • At a later (undisclosed) date, non-compliant messages will be rejected outright. Once Microsoft puts this more stringent measure in motion, non-compliant messages won’t reach users’ mailboxes at all.
  • Microsoft may opt to take further action to punish non-compliant domains. The tech giant said it may simply filter emails but reserves the right to go as far as outright blocking offending domains from sending messages to @hotmail.com, @live.com, and @outlook.com email users.

Still have more questions about Microsoft’s May 5 changes to the bulk email sender rules? Be sure to check out the FAQs section in the Microsoft announcement.

Other Ways to Prevent Spoofing & Assure Users Your Emails Are Authentic

So, now that we know what is happening and what you must do before May 5, it’s time to explore other ways that you can improve your email security and authentication measures.

Scammers love to spoof legitimate brands, including Microsoft, which Check Point reports ranked as the most commonly spoofed brand in Q4 2024. The company alone accounted for nearly one-third of all email spoofing attacks analyzed by Check Point researchers in Q4 2024.

So, in a way, it only makes sense for the tech giant to want to fight back against phony mass email senders. As such, the company included several other suggestions, including:

  • Ensuring the “From” and “Reply-To” email addresses are valid, compliant, and able to receive replies.
  • Providing functional unsubscribe links so that users can opt out of future messages.
  • Regularly removing invalid email addresses from your mailing lists to reduce your bounce rate and mitigate spam complaints.
  • Practicing trustworthy and transparent email drafting (e.g., using accurate subject lines and avoiding deceptive headers).

But what else can you do to assure users and email servers that your messages are authentic?

Implement Brand Indicators for Message Identification (BIMI)

[Image: a BIMI logo displayed next to the sender in a Gmail inbox]
Image caption: A screenshot example of how an email signed using a Verified Mark Certificate appears in the Gmail app for iPhone users.

But DKIM, DMARC, and SPF aren’t the “end-all, be-all” of email authentication. Rather, they should be among several layers of email security you implement to prevent your domain(s) from being spoofed and to protect users from being scammed in your name.

The BIMI standard is a way to add visual verification of your organization’s digital identity. Adding BIMI to your domain with a Verified Mark Certificate (VMC) enables you to display your organization’s verified logo in the email sender field of many major email providers. In addition to contributing to your brand’s exposure via email, using BIMI with a Mark Certificate helps give users the confidence to open your emails.
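BIMI is published as one more TXT record, and it only works on top of an enforcing DMARC policy. The added example below (not code from the article or from any BIMI implementation) parses a BIMI assertion record and lists the reasons a mailbox provider would decline to show the logo. The record, the logo and certificate URLs, and the DMARC policy values are constructed placeholders for a hypothetical domain.

```python
"""Check whether a domain meets BIMI's DNS prerequisites.

Added example (not from the article). The BIMI record and DMARC values are
constructed; the logo and certificate URLs are placeholders for a
hypothetical domain.
"""


def parse_bimi(record: str) -> dict[str, str]:
    """Parse a BIMI assertion record, published as a TXT record at
    default._bimi.<domain>."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("not a BIMI record (v=BIMI1 required)")
    if "l" not in tags:
        raise ValueError("BIMI record needs l= with the URL of the SVG logo")
    return tags


def bimi_findings(bimi_record: str, dmarc_policy: str,
                  dmarc_pct: int = 100) -> list[str]:
    """Findings that would keep mailbox providers from showing the logo.

    BIMI builds on DMARC enforcement: the domain's DMARC policy must be
    p=reject, or p=quarantine applied to 100% of mail. Providers such as
    Gmail also require a Mark Certificate, referenced by the a= tag.
    """
    findings = []
    tags = parse_bimi(bimi_record)
    if dmarc_policy == "none" or (dmarc_policy == "quarantine" and dmarc_pct < 100):
        findings.append(
            f"DMARC p={dmarc_policy} (pct={dmarc_pct}) is not an enforcing policy")
    for tag in ("l", "a"):
        if tags.get(tag) and not tags[tag].startswith("https://"):
            findings.append(f"BIMI {tag}= must be an https:// URL")
    if not tags.get("a"):
        findings.append(
            "no a= tag: without a Mark Certificate the logo will not be shown "
            "by providers that require one")
    return findings


# Constructed sample records; the URLs are placeholders.
BIMI_WITH_VMC = ("v=BIMI1; l=https://example.com/brand/logo.svg; "
                 "a=https://example.com/brand/vmc.pem")
BIMI_LOGO_ONLY = "v=BIMI1; l=https://example.com/brand/logo.svg;"

if __name__ == "__main__":
    print(bimi_findings(BIMI_WITH_VMC, "reject"))
    print(bimi_findings(BIMI_LOGO_ONLY, "quarantine", dmarc_pct=50))
```

Feed `dmarc_policy` and `dmarc_pct` from the domain’s actual DMARC record (the `p=` and `pct=` tags); the point of the check is that the p=none minimum Microsoft accepts for bulk senders is not enough for BIMI, which is one more reason to move to p=reject.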

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.