Microsoft Sets New Email Authentication Standards for High-Volume Senders Starting May 2025

Microsoft is introducing stricter security measures for high-volume email senders—those sending over 5,000 emails daily—with enforcement beginning in May 2025.

To combat spam and spoofing threats, Microsoft will require senders to implement three key authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Although these protocols have existed for over a decade, Microsoft’s new enforcement aims to enhance the verification of sender domains and strengthen email security for users.

The requirements will officially be enforced starting May 5, 2025. Initially, non-compliant messages from high-volume domains will be diverted to the Junk folder on Outlook.com (which includes hotmail.com, live.com, and outlook.com addresses). Later, Microsoft plans to move toward outright rejecting non-compliant emails, though a specific date for this phase has not yet been announced.

To support senders in meeting these new standards, Microsoft is recommending additional email best practices, including:

• Valid sender addresses: Ensure "From" and "Reply-To" fields accurately reflect the legitimate sending domain and can accept replies.

• Clear unsubscribe options: Offer visible and functional unsubscribe links, especially for marketing or bulk communications.

• Maintaining list hygiene: Regularly remove invalid email addresses to minimize bounces, spam complaints, and message waste.

• Transparent communication practices: Use honest subject lines, avoid misleading headers, and make sure recipients have explicitly consented to receive messages.

Microsoft is currently notifying customers of these upcoming changes, with plans to release a broader rollout timeline for additional sender groups at a later stage.