Microsoft's New Email Rules for Bulk Senders: SPF, DKIM, DMARC

In an era where email remains one of the most widely used tools for personal and business communications, ensuring the security and authenticity of these communications is paramount. Recently, Microsoft announced new email rules for bulk senders, joining Google and Yahoo in their efforts to combat spam and enhance email security.

These changes, which take effect on May 5, 2025, will significantly impact how high-volume email senders operate.

Who Do the New Rules Apply To?

The new rules apply to bulk senders who send over 5,000 emails per day to Microsoft consumer email addresses, such as @outlook.com, @hotmail.com, and @live.com. Even if you’re sending outreach from multiple addresses, you are still considered a bulk sender if they are from the same primary domain. Agencies are particularly at risk for this, as they often send emails from various addresses under the same domain.

What Microsoft Means by “Same Primary Domain”

It’s easy to qualify as a bulk sender without even realizing it. For example, if you work at a big agency with a domain like @agency.com, and multiple team members send emails within a 24-hour period, you could quickly exceed the 5,000-email threshold.

In this scenario, you’ve sent 5,100 emails from the same domain, @agency.com, so Microsoft sees this as one sender.

What Microsoft Means by “Free Consumer Services”

To clarify, when Microsoft says “free consumer services,” they are referring to:

  • Outlook.com
  • Hotmail.com
  • Live.com addresses

These rules do not apply to business emails, even if they use Microsoft 365/Outlook. However, business emails may be the next in line for these requirements.

When Do the Rules Go Into Effect?

Microsoft has outlined the following timeline for the enforcement of these new rules:

  • May 5, 2025: Microsoft will route any non-compliant emails directly to Junk folders.
  • Future Date (TBA): Microsoft will reject non-compliant emails.

Although the exact date for when Microsoft will begin to reject emails that fail to comply is not yet known, Google took about two months to start rejecting non-compliant emails after announcing their new requirements.

What Are the New Requirements and How to Comply?

Before diving into the requirements, it’s essential to use a free tool to check if you already meet the requirements. Tools like Redsift can help you assess your current email health and compliance status.

1. Authenticate with SPF

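Sender Policy Framework (SPF) lets a domain publish, in a DNS TXT record, the servers that are allowed to send mail on its behalf, which helps receivers authenticate the sender and filter spam. To pass, you must ensure your domain’s SPF record lists the IP address you are sending from.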

How to Set Up SPF:

  • If you use a “Microsoft Online Email Routing Address” (MOERA) domain for email (like @agency.onmicrosoft.com), you already have SPF records set up.
  • If you use a custom domain, like @agency.com, you must set up SPF records. Microsoft further recommends setting up a subdomain when using bulk email services with your custom domain.

2. Authenticate with DKIM

DomainKeys Identified Mail (DKIM) adds a cryptographic signature covering parts of the message (like the From: address) so the receiver can verify that the message wasn’t altered in transit. The requirement is that your messages are authenticated with DKIM.

How to Set Up DKIM:

  • If you use a MOERA domain for email (like @agency.onmicrosoft.com), you already have DKIM set up.
  • If you use a custom domain, like @agency.com, you must set up DKIM records. Microsoft also recommends setting up a subdomain if you use bulk email services with your custom domain.

3. Publish a DMARC Record

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM: the record tells receivers how to handle mail that fails those checks for your domain. Microsoft requires a basic DMARC record (p=none), but for stronger protection, it’s recommended to use p=quarantine or p=reject.

How to Set Up DMARC:

  • If using MOERA for email, you must create the DMARC TXT record.
  • If using custom domains, you must set up a DMARC TXT record.

4. Align “From” Domain with SPF/DKIM

Email providers want to ensure that the person sending the email is allowed to send it on behalf of the sender address.

  • If sending from a subdomain, the SPF/DKIM/DMARC must include the subdomain.
  • If you use a custom mail server, ask your dev team to validate that headers are RFC 5322 compliant.

5. Include an Unsubscribe Link

Microsoft also wants senders to include unsubscribe links within the email message. They recommend header-level unsubscribe support via the “List-Unsubscribe” and “List-Unsubscribe-Post” headers to enable the Unsubscribe button in the UI.
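A pre-send check for the header requirements above, as an added example that is not part of the original article. It verifies the fields RFC 5322 makes mandatory (From and Date) and the one-click unsubscribe headers, whose required value comes from RFC 8058. The function name and the sample messages are constructed for illustration.

```python
# Added example: lint a raw message for required and unsubscribe headers.
import re
from email import message_from_string
from email.utils import parseaddr

ONE_CLICK = "List-Unsubscribe=One-Click"  # value defined by RFC 8058

def lint_bulk_headers(raw):
    """Return a list of header problems in a raw message (empty list = clean)."""
    msg = message_from_string(raw)
    problems = []
    # RFC 5322 requires exactly one From and exactly one Date field.
    for name in ("From", "Date"):
        if len(msg.get_all(name, [])) != 1:
            problems.append(f"expected exactly one {name} header")
    if "@" not in parseaddr(msg.get("From", ""))[1]:
        problems.append("From does not contain a usable address")
    # List-Unsubscribe carries one or more <URI> entries separated by commas.
    uris = re.findall(r"<([^<>\s]+)>", msg.get("List-Unsubscribe", ""))
    if not uris:
        problems.append("missing List-Unsubscribe header")
    elif not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI for one-click")
    if msg.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK:
        problems.append("List-Unsubscribe-Post must be " + ONE_CLICK)
    return problems

# Constructed sample messages (not real traffic).
GOOD = (
    "From: Agency News <news@promo.agency.example>\n"
    "Date: Mon, 05 May 2025 09:00:00 +0000\n"
    "Subject: May update\n"
    "List-Unsubscribe: <mailto:unsub@promo.agency.example>,\n"
    " <https://promo.agency.example/unsub?id=SAMPLE>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\nHello\n"
)
BAD = (
    "From: news@agency.example\n"
    "Date: Mon, 05 May 2025 09:00:00 +0000\n"
    "List-Unsubscribe: <mailto:unsub@agency.example>\n"
    "\nHello\n"
)

if __name__ == "__main__":
    print(lint_bulk_headers(GOOD))
    print(lint_bulk_headers(BAD))
```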

6. Clean Your Email List

Invalid email addresses and high bounce rates will hurt your deliverability. Use a tool like NeverBounce to clean your email lists before sending.

FAQ About Microsoft Email Requirements

  • Who Do These Rules Apply To? Just Free Outlook Addresses? These rules only apply when sending to personal, consumer emails ([email protected], [email protected], [email protected]). These rules don’t apply to emails sent to Microsoft 365 business accounts ([email protected]) or corporate domains hosted on Exchange Online.
  • Do Subdomains Count Toward the 5,000 Bulk Sender Limit? Yes, all messages from subdomains count as sent from the primary domain. For example, it counts as 5,000 emails you’re sending:
    • 2,500 emails from @promo.agency.com
    • 2,500 emails from @agency.com
  • Do “No-Reply” or Unmonitored Addresses Hurt Deliverability? Microsoft requires the From or Reply-To address to be able to receive replies. So, using [email protected] is discouraged.
  • Do I Need Both SPF and DKIM to Pass? Yes, both SPF and DKIM must pass authentication checks. For DMARC to work correctly, only one of SPF or DKIM needs to align.
  • Can I Just Tell Recipients to Add Me to the Safe Sender List? Unfortunately, it’s not as easy as asking recipients to add your bulk emails to a safe sender list. As Microsoft said, it can “be counterproductive… it increases the risk of spoofing.”

Although Google and Yahoo are slightly more strict, the writing is on the wall: email senders need to stop spamming or they risk getting filtered, flagged, or blocked. Their requirements and recommendations, like SPF/DKIM/DMARC, go beyond the technical side. Notice how they also recommend sending to real emails from confirmed addresses. All of the major providers are pushing for transparency.

They recommend personalizing emails and keeping your lists up to date. Gone are the days of spray and pray. To succeed today in link building and PR, you need highly targeted, highly relevant outreach.

Conclusion

The new email rules from Microsoft, Google, and Yahoo represent a significant shift in how high-volume email senders must operate. By ensuring compliance with SPF, DKIM, and DMARC, and adopting best practices for email hygiene, senders can improve their email deliverability and maintain the trust of their recipients. As the digital landscape continues to evolve, staying ahead of these changes is crucial for success in email marketing and outreach.

To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected].

FAQ

  • What are the new email rules for bulk senders? The new email rules for bulk senders require compliance with SPF, DKIM, and DMARC authentication protocols. These rules apply to senders who send over 5,000 emails per day to Microsoft consumer email addresses.
  • Why are these new email rules being implemented? These new email rules are being implemented to combat spam and enhance email security. By enforcing stricter authentication standards, Microsoft aims to reduce spoofing and improve the overall trustworthiness of email communications.
  • How can I ensure compliance with the new email rules? To ensure compliance, you need to authenticate your emails with SPF and DKIM, publish a DMARC record, align your “From” domain with SPF/DKIM, include an unsubscribe link, and clean your email list regularly.
  • When do the new email rules go into effect? The new email rules go into effect on May 5, 2025. Microsoft will route non-compliant emails to Junk folders starting on this date and will reject non-compliant emails in the future.
  • Who do the new email rules apply to? The new email rules apply to bulk senders who send over 5,000 emails per day to Microsoft consumer email addresses, such as @outlook.com, @hotmail.com, and @live.com.

Resources

  • Redsift
  • NeverBounce
  • Microsoft SPF Configuration
  • Microsoft DKIM Configuration
  • Microsoft DMARC Configuration