Microsoft DMARC requirements – What it means and how it impacts Outlook.com users

On 5 May 2025 , Microsoft will be joining Yahoo and Google in mandating compliance with DMARC standards for large volume email senders (domains sending more than 5000 emails per day). This will apply to outlook.com, hotmail.com and live.com.

These senders will need to have the correct authentication protocols in order or risk having their emails going straight to junk folders or even being rejected outright if non-compliance continues.

To avoid having your emails rejected, you as a sender would need to implement and comply with the following:
 

SPF (Sender Policy Framework)

SPF specifies which IP addresses can send emails on behalf of your organisation’s domain.
 

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your emails, verifying that the email was not tampered with during the send and that it was authorised by the organisation’s domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is built upon SPF and DKIM and allows domain owners to dictate how unauthenticated emails are dealt with. It also provides very useful reports that help your organisation to improve your email security safeguards.
Your organisation must have a published DMARC record and must conform to the minimum policy of p=none. 
 

Although this is the requirement, it is highly advisable to still proceed with full "p=reject" protection to avoid cybercriminals using your domain for malicious gain.

What happens after the 5 May deadline?

Organisations with large email send volumes sending to Outlook, Live or Hotmail addresses that remain non-compliant after the deadline will experience significant negative impacts on their email deliverability, open rates and even customer response rates.

Non-compliant senders will initially start seeing their emails landing in junk mail folders, and eventually outright rejection of email sends. 

Marketing communications, mass email newsletters and other large volume email activities will see a big impact.
This obviously has revenue implications for businesses that rely on email and customer responses such as hotel chains, travel agencies, insurance brokers etc.

Should low volume email senders be concerned?

Although this might not directly impact low volume users, it’s still recommended that you comply with DMARC standards and policies. This can only be beneficial as it can boost your email delivery rates and keep you out of spam filters. 

These additional guidelines, shared by Microsoft, are email best practices that will positively impact your delivery rates. 
-    Send from valid ‘From’ addresses that customers can reply to
-    Ensure that you have visible and easy-to-click unsubscribe options in your emails
-    Keep your mailing lists clean by removing duplicates, bouncing recipients, and those who’ve opted out
-    Do not use spammy or misleading email headers or subject lines

What next?

DMARC records alone are insufficient as they only provide the reporting element. It is highly recommended that your organisation is fully protected from email impersonation and interception by working with a company that can implement the strongest authentication policy of p=reject. 

This will maximise email deliverability, secure against spoofing and cybercrime and ensure compliance with governance standards.
 

Logicalis has partnered with Sendmarc to help you test, implement and control your compliance with DMARC, as well as SPF and DKIM

For more information on our DMARC protection solution, please click here