Stricter requirements for mass mailings to Microsoft mailboxes

Stricter requirements are coming for mass mailings to Microsoft-hosted mailboxes, including Outlook.com. The new rules also affect anyone with a Microsoft-managed Inbox.

Any organization (domain name) sending “over 5,000 emails daily” will have to comply with new rules from 5 May 2025.

At the same time, Microsoft is changing how ‘unverified’ emails are handled for anyone with a Microsoft-hosted mailbox, including Outlook.com / Hotmail. We explain those changes in a separate article; see Important changes for your Microsoft and Outlook.com email.

New mass email sender rules

Mass email senders will have to comply with these rules from 5 May 2025 onwards if they want their messages to reach Inboxes.

SPF (Sender Policy Framework)

  • Must Pass for the sending domain.
  • Your domain’s DNS record should accurately list authorized IP addresses/hosts.

DKIM (DomainKeys Identified Mail)

  • Must Pass to validate email integrity and authenticity.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • Policy of at least p=none, aligned with either SPF or DKIM (preferably both).

Any sensible mass email sender should have taken these steps many years ago.  They are similar to requirements from other large email services like Gmail or Yahoo.

Any non-compliant emails will be sent to the user’s Junk Email folder, for now. In the future, they might be deleted automatically!

Even though these options have been available for some years, we still get emails from legitimate businesses that have ‘Unverified’ flags added by Microsoft. That’s a sign that the sender’s mailing system hasn’t been properly maintained and tested.

This change doesn’t just affect large-scale mailings. It affects all emails from any domain that sends thousands of emails. For example, individual emails sent to customers will be treated the same as the bulk emails sent from the same domain.

Unanswered questions

Microsoft is being typically and unnecessarily opaque about this change.

They say that it applies to domains sending ‘over 5,000 emails daily’.

Is that every day or perhaps an average over a week or month?  Presumably, the email count is really the number of messages sent to Microsoft servers.

Any custom domain

In practice, anyone with a custom domain (company, organization, family or individual) should comply with Microsoft’s email requirements, whether they send large-scale emails or not.

SPF, DKIM and DMARC are used by many mail systems to verify legitimate emails. Domains without those settings are more likely to have emails treated as spam.

How can senders ensure their emails comply with Microsoft’s standards?

There are sites that can test SPF, DKIM and DMARC settings, but there seems to be no way to check against Microsoft’s specific requirements.

In Outlook software, messages appear with an ‘unverified’ tag (since 2023).  Do the new high-volume requirements match with what Microsoft’s system considers ‘verified’? 

In other words, if an incoming email does NOT have the ‘unverified’ label does that mean ALL mass email requirements are met?
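
A test message can at least be checked against the three rules as this article states them, by reading the Authentication-Results header (RFC 8601) that the receiving server adds to it. The Python below is an added example, not code from Microsoft or from this article. The sample headers are constructed, and the alignment test is a simplification that treats "same domain or parent/child" as aligned.

```python
import re

def parse_auth_results(header):
    """Return {method: [entries]} from an Authentication-Results header value."""
    value = re.sub(r"\([^)]*\)", "", header)       # drop (comments)
    value = " ".join(value.split())                 # unfold continuation lines
    methods = {}
    for part in value.split(";")[1:]:               # part 0 is the authserv-id
        tokens = [t.split("=", 1) for t in part.split() if "=" in t]
        if not tokens:
            continue
        method, result = tokens[0]                  # e.g. spf=pass
        entry = {k.lower(): v.lower() for k, v in tokens[1:]}
        entry["result"] = result.lower()
        methods.setdefault(method.lower(), []).append(entry)
    return methods

def aligned(auth_domain, from_domain):
    # Assumption: relaxed alignment approximated as "same domain or parent/child".
    # A full check compares organizational domains using the Public Suffix List.
    a, f = auth_domain.rstrip("."), from_domain.rstrip(".")
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def check_rules(header):
    """Apply the article's three rules to one message's recorded results."""
    m = parse_auth_results(header)
    dmarc = m.get("dmarc", [])
    from_dom = next((e["header.from"] for e in dmarc if "header.from" in e), "")
    spf_ok = [e for e in m.get("spf", []) if e["result"] == "pass"]
    dkim_ok = [e for e in m.get("dkim", []) if e["result"] == "pass"]
    report = {
        "spf_pass": bool(spf_ok),
        "dkim_pass": bool(dkim_ok),
        # dmarc=pass implies a published policy (p=none or stricter) was found
        "dmarc_pass": any(e["result"] == "pass" for e in dmarc),
        "aligned": any(aligned(e.get("smtp.mailfrom", "").split("@")[-1], from_dom) for e in spf_ok)
                   or any(aligned(e.get("header.d", ""), from_dom) for e in dkim_ok),
    }
    report["compliant"] = all(report.values())
    return report

# Constructed sample headers (not captured from real mail).
GOOD = ("mx.receiver.example; spf=pass (sender IP is 192.0.2.10) "
        "smtp.mailfrom=bounce.news.example.com;\r\n dkim=pass header.d=example.com;"
        "\r\n dmarc=pass action=none header.from=example.com")
# SPF and DKIM pass for the mailing provider's domain, but neither aligns with From.
UNALIGNED = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces.esp-mailer.example; "
             "dkim=pass header.d=esp-mailer.example; "
             "dmarc=fail action=none header.from=shop.example.org")
```

The second sample shows the common failure for mail sent through a third-party mailing service: SPF and DKIM both pass, but for the service's domain rather than the domain in the From address, so DMARC fails.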

Other suggested practices

At the same time, Microsoft has some suggestions for ‘best practice’ by email senders.  Again, none of these are new. Any reputable email newsletter or sender has been doing this for a long time.

  • Compliant P2 (Primary) Sender Addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies. 
  • Functional Unsubscribe Links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail. 
  • List Hygiene & Bounce Management: Remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. 
  • Transparent Mailing Practices: Use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages. 

Microsoft says that:

“Outlook reserves the right to take negative action, including filtering or blocking—against non‐compliant senders, especially for critical breaches of authentication or hygiene.”

‘Outlook’ in that sentence is presumably intended to mean Microsoft’s cloud email service, not the various Outlook software variations.

The details (such as they are) are announced on a Microsoft blog.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.