{"id":18528,"date":"2025-04-24T09:52:52","date_gmt":"2025-04-24T13:52:52","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=18528"},"modified":"2025-05-28T11:29:58","modified_gmt":"2025-05-28T15:29:58","slug":"microsoft-bulk-sender-authentication-requirements","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/microsoft-bulk-sender-authentication-requirements\/","title":{"rendered":"Microsoft to Enforce Bulk Sender Authentication Requirements Starting May 5"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Microsoft joins <a href=\"https:\/\/www.thesslstore.com\/blog\/google-yahoo-to-roll-out-new-email-authentication-spam-prevention-requirements-in-february-2024\/\">Gmail and Yahoo<\/a> in expanding their efforts to control the spam and malicious emails that make it into users\u2019 inboxes by enforcing stringent bulk email sender requirements<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On April 2, <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoftdefenderforoffice365blog\/strengthening-email-ecosystem-outlook%E2%80%99s-new-requirements-for-high%E2%80%90volume-senders\/4399730\">Microsoft announced<\/a> its plans to step up its commitment to hardening consumer email inboxes against spammers and scammers through stricter email security settings. The company\u2019s plans, which will take effect on May 5, aim to protect Outlook.com accounts (i.e., Microsoft Outlook\u2019s web-based email service) by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>targeting domains sending 5,000+ emails per day<\/li>\n\n\n\n<li>mandating specific DNS-based email security configurations, and<\/li>\n\n\n\n<li>reducing malicious email activities (e.g., spam and phishing-related issues) by enforcing industry email security best practices<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">So, what precisely do these changes mean for organizations that send out at least that many messages daily? And what additional steps can you take to further strengthen your email security and authentication initiatives?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n<span style=\"--tl-form-height-m:140.667px;--tl-form-height-t:118.1042px;--tl-form-height-d:118.1042px;\" class=\"tl-placeholder-f-type-shortcode_12779 tl-preload-form\"><span><\/span><\/span>\n\n\n<h2 class=\"wp-block-heading\">An Overview of What\u2019s Happening Starting May 5<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft is mandating new email authentication-related measures to reduce the volume of phishing, spoofing, and spam messages received by users of their <strong>@hotmail.com<\/strong>, <strong>@live.com<\/strong>, and <strong>@outlook.com<\/strong> domains. The measure, which is part of the company\u2019s overarching effort to improve consumer email security, aims to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>force sender organizations to move email security toward the top of their list of priorities,<\/li>\n\n\n\n<li>push email senders to implement and adhere to industry <a href=\"https:\/\/www.thesslstore.com\/blog\/6-email-security-best-practices-to-keep-your-business-safe-in-2019\/\">email security best practices<\/a>, and<\/li>\n\n\n\n<li>reduce the amount of spam that reaches users&#8217; inboxes.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">So, who will these changes affect, and what do the specific changes entail?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Who Will Be Impacted by These Changes<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft\u2019s announcement states the new measures are directed toward \u201cdomains sending more than 5,000 emails per day\u201d to users with consumer email addresses ending in @hotmail.com, @live.com, and @outlook.com. However, there\u2019s an important caveat: <strong>these new bulk sender limits and authentication requirements also affect organizations that send a <em>total<\/em> of 5,000 or more messages that come from subdomains as well (not just the primary domains).<\/strong> &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what about business domains? The author of the Microsoft announcement <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/MicrosoftDefenderforOffice365Blog\/strengthening-email-ecosystem-outlook%E2%80%99s-new-requirements-for-high%E2%80%90volume-senders\/4399730#:~:text=We%20don%27t%20plan%20to%20expand%20this%20to%20Enterprise%20yet.%20Enterprise%20environments%20have%20complex%20mail%20flows%20that%20can%20break%20DMARC.%20We%E2%80%99ll%20get%20there%20eventually%2C%20but%20not%20with%20this%20release.%20This%20is%20focused%20only%20on%20Microsoft%27s%20consumer%20services.\">shared the following response<\/a> to a reader&#8217;s question: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">&#8220;We don&#8217;t plan to expand this to Enterprise yet. Enterprise environments have complex mail flows that can break DMARC. We\u2019ll get there eventually, but not with this release. This is focused only on Microsoft&#8217;s consumer services.&#8221;<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Bulk Senders Must Implement These New DNS-Based Security Measures<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As someone who sends at least 5,000 emails, you must implement the following email security standards to be compliant with the new rule:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/email-security-spf\/\"><strong>Sender Policy Framework (SPF)<\/strong><\/a><strong>:<\/strong> Your SPF record must be properly configured and contain a list of all authorized hostnames (domains) and IP addresses. As such, only send emails from one of those specified authorized hostnames or IP addresses to ensure a successful SPF check (i.e., return message \u201cpass\u201d instead of \u201cneutral,\u201d \u201cfail,\u201d \u201csoftfail,\u201d or \u201cnone\u201d). <strong>NOTE:<\/strong> Ensure your SPF isn\u2019t set to exceed 10 DNS lookups; otherwise, the SPF may fail.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/dkim-domainkeys-identified-mail\/\"><strong>DomainKeys Identified Mail (DKIM)<\/strong><\/a><strong>: <\/strong>Ensure your DKIM record is properly configured (i.e., your key pairs are properly set up and the public key is published on the DNS), and ensure all authorized emails are signed using the domain\u2019s private key. (Verify the email server signs all outgoing messages.) These steps, along with ensuring you\u2019ve got TLS enabled on your email server, will help ensure that the DKIM check will return a \u201cpass\u201d result.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/dmarc-reporting-and-email\/\"><strong>Domain-based Message Authentication, Reporting, and Conformance<\/strong><\/a><strong>:<\/strong> This means you must set a minimum policy of <em>p=none<\/em> (as a minimum) and align with one of the other two methods. (<strong>NOTE:<\/strong> Using the \u201cnone\u201d policy [i.e., <em>p=none<\/em>] means you\u2019re telling it not to use any special handling, so we\u2019d instead recommend using the stricter policy <em>p=reject<\/em>.)<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s what it looks like in Outlook webmail when you receive a message that\u2019s sent from a domain that passes both the SPF and DKIM checks:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"929\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/spf-pass-dkim-pass-example-v3.jpg\" alt=\"An example of what SPF and DKIM records check results look like in Outlook.com web mail services\" class=\"wp-image-18530\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/spf-pass-dkim-pass-example-v3.jpg 1600w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/spf-pass-dkim-pass-example-v3-300x174.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/spf-pass-dkim-pass-example-v3-1024x595.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/spf-pass-dkim-pass-example-v3-768x446.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/spf-pass-dkim-pass-example-v3-1536x892.jpg 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: An example of the SPF and DKIM records that can be seen currently in Outlook Webmail when you right-click on a message, select <strong>View<\/strong>, and select <strong>View Message Details<\/strong>.<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How These Changes May Affect Your Organization<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">If You&#8217;re Not an Affected Sender<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re an organization that hasn\u2019t sent 5,000+ emails in a single day at least once, then you\u2019ll be happy to know that the changes won\u2019t directly impact you. However, that doesn\u2019t mean that your organization couldn\u2019t benefit from implementing the security measures discussed a few moments ago (SPF, DKIM, and DMARC), so it&#8217;s best to implement them anyway.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">If You Are an Affected Sender<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re part of an organization that <em>does<\/em> send a minimum of 5,000 emails daily, then these new security rules will definitely apply to you, and you&#8217;ll need to implement them before May 5. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Not adhering to these new requirements will impact your organization in several key ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Non-compliant emails will initially be routed to recipients\u2019 junk folders.<\/strong> This automatic junking of messages means that you\u2019ll never get your messages in front of the eyes of recipients who don\u2019t bother checking that folder for legitimate messages that get flagged by spam filters.<\/li>\n\n\n\n<li><strong>At a later (undisclosed) date, non-compliant messages will be rejected outright.<\/strong> Whenever Microsoft sets this more stringent measure in motion, it means that any non-compliant messages won\u2019t make it to users\u2019 mailboxes at all.<\/li>\n\n\n\n<li><strong>Microsoft may opt to take further action to punish non-compliant domains.<\/strong> The tech giant said it may simply filter emails but reserves the right to go as far as outright blocking offending domains from sending messages to @hotmail.com, @live.com, and @outlook.com email users.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Still have more questions about Microsoft\u2019s May 5 changes to the bulk email sender rules? Be sure to check out the <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoftdefenderforoffice365blog\/strengthening-email-ecosystem-outlook%E2%80%99s-new-requirements-for-high%E2%80%90volume-senders\/4399730#:~:text=Frequently%20Asked%20Questions%20(FAQ)\">FAQs section in the Microsoft announcement<\/a>. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other Ways to Prevent Spoofing &amp; Assure Users Your Emails Are Authentic<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">So, now that we know what is happening and what you must do before May 5, it\u2019s time to explore other ways that you can improve your email security and authentication measures.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Scammers love to spoof legitimate brands, including Microsoft, which <a href=\"https:\/\/blog.checkpoint.com\/research\/exploring-q4-2024-brand-phishing-trends-microsoft-remains-the-top-target-as-linkedin-makes-a-comeback\/\">Check Point reports ranked as the most commonly spoofed brand in Q4 2024<\/a>. The company alone accounted for nearly one-third of all email spoofing attacks analyzed by Check Point researchers in Q4 2024.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, in a way, it only makes sense for the tech magnate to want to fight back against phony mass email senders.&nbsp;As such, the company included several other suggestions, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensuring the \u201cfrom\u201d &nbsp;and \u201creply-to\u201d email addresses are compliant and can receive replies.<\/li>\n\n\n\n<li>Providing functional \u201cunsubscribe links\u201d to enable users to opt out of future messages.<\/li>\n\n\n\n<li>Regularly clearing invalid email addresses from your mail lists to reduce your bounce rate and mitigate spam complaints.<\/li>\n\n\n\n<li>Practice trusted and transparent email drafting practices (e.g., using accurate subject lines and avoiding deceptive headers).<\/li>\n<\/ul>\n\n\n<span style=\"--tl-form-height-m:966.781px;--tl-form-height-t:989px;--tl-form-height-d:989px;\" class=\"tl-placeholder-f-type-shortcode_12768 tl-preload-form\"><span><\/span><\/span>\n\n\n<p class=\"wp-block-paragraph\">But what else can you do to assure users and email servers that your messages are authentic?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Implement Brand Indicators for Message Identification (BIMI)<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"890\" height=\"1024\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/02\/brand-my-mail-bimi-logo-example-chase-890x1024.png\" alt=\"brand-my-mail-chase-bimi-example-gmail-inbox\" class=\"wp-image-15345\" style=\"width:291px;height:auto\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/02\/brand-my-mail-bimi-logo-example-chase-890x1024.png 890w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/02\/brand-my-mail-bimi-logo-example-chase-261x300.png 261w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/02\/brand-my-mail-bimi-logo-example-chase-768x883.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/02\/brand-my-mail-bimi-logo-example-chase.png 1252w\" sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><figcaption class=\"wp-element-caption\">Image caption: A screenshot example of how an email signed using a Verified Mark Certificate appears in the Gmail app for iPhone users.<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">But DKIM, DMARC, and SPF aren\u2019t the \u201cend-all, be-all\u201d of email authentication. Rather, they should be among several layers of email security you implement to prevent your domain(s) from being spoofed and to protect users from being scammed in your name.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The BIMI standard is a way to add visual verification of your organization\u2019s digital identity. Adding BIMI to your domain with a <a href=\"https:\/\/www.thesslstore.com\/digicert\/bimi-verified-mark-certificate.aspx\">Verified Mark Certificate (VMC)<\/a> enables you to display your organization\u2019s verified logo in the email sender field of many major email providers. In addition to contributing to your brand\u2019s exposure via email, using BIMI with a Mark Certificate helps give users the confidence to open your emails.<\/p>\n\n\n\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-central-palette-2-background-color has-text-color has-background wp-element-button\" href=\"https:\/\/www.thesslstore.com\/products\/mark-certificates.aspx\" style=\"border-radius:3px;color:#ffffff\">Shop Mark Certificates<\/a><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Want to Learn More About BIMI? Check Out These Related Resources<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/verified-mark-certificates-the-bimi-standard-show-your-company-logo-in-your-customers-inbox\/\">Verified Mark Certificates &amp; the BIMI Standard: Show Your Company Logo in Your Customer\u2019s Inbox<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/how-can-i-brand-my-mail-use-a-vmc-and-bimi\/\">How Can I Brand My Mail? Use a VMC and BIMI<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/mark-certificates-and-bimi-updates\/\">6 Updates to Know About Mark Certificates and BIMI<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/resources\/how-to-set-up-bimi-for-your-domain-5-steps\/\">How to Set Up BIMI for Your Domain (5 Steps)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-set-up-bimi-and-a-mark-certificate-to-display-your-email-logo\/\">How to Set Up BIMI and a Mark Certificate to Display Your Email Logo<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.thesslstore.com\/blog\/common-mark-certificates-make-it-easier-to-display-your-logo-in-gmail\/\">Common Mark Certificates Make It Easier to Display Your Logo in Gmail<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft joins Gmail and Yahoo in expanding their efforts to control the spam and malicious emails that make it into users\u2019 inboxes by enforcing stringent bulk email sender requirements On&#8230;<\/p>\n","protected":false},"author":17,"featured_media":18531,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,16,10200],"tags":[330,13319,253],"class_list":["post-18528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-hashing-out-cyber-security","category-monthly-digest","tag-authentication","tag-email-sender-authentication","tag-microsoft","post-with-tags"],"views":7935,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2025\/04\/microsoft-bulk-sender-email-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/18528","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=18528"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/18528\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/18531"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=18528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=18528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=18528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}