It finally happened. Microsoft has announced that SPF, DKIM and DMARC will be required to deliver email successfully to Outlook, Hotmail and Live.com addresses.
This is big news that will affect email deliverability for thousands of businesses. MSPs must remain on top of it to ensure email deliverability and security for their clients. So, what follows is a quick summary of what’s changing and what you need to do about it.
I’ll be assuming some knowledge of what SPF, DKIM and DMARC are here. For a quick outline, see here.
What has Microsoft announced?
As of 5th May 2025, Microsoft will require correct configuration of SPF, DKIM and DMARC for bulk senders to Outlook domains. Bulk senders are defined as any domains sending 5,000 emails in a day.
At first, messages that don’t comply will go into junk folders. In the future, they’ll be rejected at the mail server level. Microsoft doesn’t specify a date for this (you can read the full announcement here).
You may recall similar announcements by Gmail and Yahoo. This turned DMARC from an obscure piece of best practice into an unavoidable need. Now that Microsoft has followed suit, that need is even greater.
What do I need to do?
In the immediate term, these changes affect deliverability. Outlook domains, like Gmail and Yahoo before them, will stop accepting mail from domains that don’t have a DMARC policy.
So, the short answer is that every business needs a DMARC policy, as well as correctly configured SPF and DKIM for every platform that sends mail from the business domain. That’s not just the main email client, but marketing platforms, CRMs and so on.
However, it’s vital to recall why DMARC exists: to protect domain security. If you don’t have correctly configured SPF, DKIM and DMARC, attackers can easily impersonate your domain. Therefore, it’s not enough to set a lenient policy and forget it. The goal must be to work towards a policy of p=reject, which instructs mail servers to reject all illegitimate emails presenting your domain.
How do I get a secure DMARC policy?
The tricky part of this is the balance between deliverability and security. You don’t want bad actors to impersonate your domain, but you also don’t want legitimate emails to fail.
That’s why you don’t start with a strict enforcement policy. Instead, you work towards it through a period of monitoring. It’s a technical, labour-intensive process that I wouldn’t advise anyone to do manually, even on a single domain. So, what about MSPs responsible for deliverability and security on multiple domains?
I’m proud to say that we were ahead of this change at Brigantia. Before Gmail and Yahoo’s changes came into effect, we partnered with Sendmarc, who have developed a brilliant platform to manage DMARC quickly, correctly and securely at scale.
Sendmarc guarantees that it can take a domain to the most secure DMARC policy possible (p=reject) within 90 days maximum. For MSPs, this enables you to guarantee domain security for your entire client base in a scalable way.
I’m not a bulk sender – can I ignore this?
The short answer is no. It would be a very bad idea to do nothing. Granted, the 5,000-email threshold is fairly high. Many businesses never send that volume in a day, even if you add up email marketing, newsletters, bill runs and all other email activities.
However, there are three key points here:
- To qualify as a bulk sender, you simply need to send 5,000 emails in a day once, not often. A single marketing campaign could push you over the threshold permanently.
- It’s highly likely (in fact, practically guaranteed) that these are the early stages of making DMARC a minimum standard for all senders, regardless of volume.
- In response to this general shift, many email platforms are making DMARC a standard part of domain authentication and setup. For instance, Mailchimp won’t send from your domain unless you have a DMARC policy and add DKIM records. That’s one example among countless others. So, you may already use a service that won’t work as you intend without DMARC.
- Most important of all, the best reason to have a DMARC policy is security. Without DMARC, attackers can send emails that appear to be from your domain – they don’t need to hack your account to do this.
Final thoughts
We’ve been saying for some time that DMARC cannot be ignored. Microsoft’s announcement only strengthens this message. Every business needs DMARC for security and deliverability. Meanwhile, every MSP needs to be supporting the effort to standardise best practices. Not only is this a revenue stream – it’s an opportunity to improve email hygiene and security for us all.
Together with Sendmarc, Brigantia can make that possible. I’ll give the final word from Kieran Frost, Sendmarc’s COO, who sent me this quote:
“After just over a year, we're so excited that Microsoft has joined the fight against impersonation with this huge news! The beauty of this announcement is how closely the requirements mirror those of Google and Yahoo - meaning a deepening entrenchment of DMARC as a bedrock of good global cybersecurity practice.
Fortunately, we at Sendmarc have been preparing for this announcement and are geared up to ensure that our clients are ready come 5th May to ensure that their mail continues to land safely in the inbox. For those that are not yet ready, we are here to help.”
If you’re not already making the most of this opportunity, get in touch for a demo.
To find out more on the important Microsoft changes, register for our webinar here: https://www.brigantia.com/webinars-events/microsoft-have-finally-joined-the-dmarc-brigade
