There was a lot of buzz in security and messaging circles at the end of 2023 when Google, Yahoo and Apple jointly announced that they were going to start enforcing strict email authentication requirements for bulk email senders. Although the implementation that started in the first quarter of 2024 has been slow to fully ramp up, momentum is building. And the overall trend towards mandatory email authentication is quite clear.
With their April 2, 2025 announcement, Microsoft added to the momentum by outlining similar email authentication requirements and outbound email limits for their Outlook consumer domains, which include hotmail.com, live.com and outlook.com.
Per Microsoft’s announcement, Outlook will soon require SPF, DKIM and DMARC compliance for domains sending over 5,000 emails per day to “preserve trust in the digital ecosystem.”
Starting May 5, 2025, messages failing authentication will be routed to the Junk folder and may eventually be rejected altogether if compliance remains unmet.
To be compliant, senders will need to meet the following minimum requirements:
SPF (Sender Policy Framework)
- Must pass for the sending domain.
- The domain's SPF DNS record should accurately list the authorized IP addresses/hosts that send email on behalf of that domain.
DKIM (DomainKeys Identified Mail)
- Must pass to validate email integrity and authenticity.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
- A policy of at least p=none that aligns with either SPF or DKIM (preferably both).
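As an added illustration (not code from Microsoft or Proofpoint), the sketch below checks one message against the three requirements listed above, using the receiver's Authentication-Results header and the sender's published DMARC record. The function names, sample headers and domains are constructed; it assumes a single DKIM signature and approximates relaxed alignment by suffix match rather than a Public Suffix List lookup.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed samples: an aligned sender, and a third-party platform whose
# SPF and DKIM both pass but only for the platform's own domain.
AUTH_ALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.com; "
                "dkim=pass header.d=example.com")
AUTH_ESP = ("mx.example.net; spf=pass smtp.mailfrom=bounce@esp.example; "
            "dkim=pass header.d=esp.example")

def parse_tags(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=none' into a tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def parse_auth_results(header):
    """Return {method: (result, domain)} for spf and dkim from the header."""
    found = {}
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        result = re.search(rf"\b{method}=(\w+)", header)
        ident = re.search(rf"\b{re.escape(prop)}=([^\s;]+)", header)
        domain = ident.group(1).rsplit("@", 1)[-1].lower() if ident else ""
        found[method] = (result.group(1).lower() if result else "none", domain)
    return found

def aligned(from_domain, auth_domain):
    """Approximate relaxed alignment: equal, or one is a subdomain of the other."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_compliance(from_domain, auth_header, dmarc_record):
    """List the requirements above that this message does not meet."""
    problems = []
    results = parse_auth_results(auth_header)
    for method in ("spf", "dkim"):
        if results[method][0] != "pass":
            problems.append(f"{method.upper()} result is {results[method][0]}, not pass")
    tags = parse_tags(dmarc_record or "")
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("no valid DMARC policy published (need at least p=none)")
    if not any(r == "pass" and aligned(from_domain, d) for r, d in results.values()):
        problems.append("neither SPF nor DKIM domain aligns with the From domain")
    return problems
```

The second sample shows the case that most often surprises senders: SPF and DKIM both report pass, yet the message still misses the DMARC requirement because neither authenticated domain matches the From domain.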
Other Microsoft requirements include:
- Functional sender addresses. Valid email addresses in “From” and/or “Reply-To” that include the sending domain and can receive replies.
- Functional unsubscribe mechanisms. Senders must provide an easy and clearly visible way for recipients to opt out of further messages. This particularly applies to marketing or bulk mail.
- List hygiene and bounce management. Senders must remove invalid addresses regularly to reduce spam complaints, bounces and wasted messages.
- Transparent mailing practices. Senders must use accurate subject lines, avoid deceptive headers and ensure their recipients have consented to receive messages.
Figure: Authentication requirements timeline.
While these requirements only apply to high-volume senders, Microsoft did recommend SPF, DKIM and DMARC authentication as a best practice for all senders.
Concerned that you will be impacted? Proofpoint can help
When it comes to email authentication, Proofpoint is an industry leader. Although we work with companies of all sizes, we are proud of the fact that more Fortune 1000 companies rely on Proofpoint for DMARC than our next five closest competitors combined. We have the tools, resources and experience to assess your status. And we can help you close the gap more effectively and efficiently than you would if you tackled this issue on your own.
And it’s not just limited to authentication. In fact, our human-centric cybersecurity platform is the only modern security architecture that takes a comprehensive, adaptive and effective approach to protect your organization’s greatest assets and biggest risks: your people.
Learn more about our Email Fraud Defense solution for email authentication or our human-centric security platform. Or contact us today.