Microsoft strengthens bulk email authentication: DMARC will be mandatory starting May 5

Outlook, Hotmail, and Live.com will block emails without proper authentication to reduce spam and phishing

Microsoft joins global efforts to combat spam and phishing by implementing new authentication requirements for high-volume email senders. Starting on May 5, 2025, all senders who send more than 5,000 emails daily to services like Outlook.com, Hotmail.com, or Live.com must have the SPF, DKIM, and DMARC protocols properly configured. Otherwise, their messages could be diverted to the spam folder or even rejected.

This measure follows the lead of Google and Yahoo, which already tightened their own policies in 2024. The common goal: to increase inbox security and prevent fraud carried out through spoofed or forged sender addresses.

What do Microsoft’s new requirements entail?

Email authentication consists of three complementary technologies:

  • SPF (Sender Policy Framework): Verifies that the server sending the email is authorized by the domain.
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to the message to ensure it has not been modified.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Coordinates SPF and DKIM to prevent spoofed emails, requiring that at least one of them aligns with the sender’s domain.

Starting in May, Microsoft will require at a minimum a DMARC policy with a value of “p=none”, which allows for monitoring without yet applying rejection policies. However, it is expected that in later phases, stricter policies such as “quarantine” or “reject” will be implemented, which would directly block unverified messages.
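The alignment rule and the "p=" policy described above, as an added example (not code from Microsoft or from the original article): a small evaluator that parses a DMARC TXT record and decides the outcome for a message given its SPF and DKIM results. It goes slightly beyond the text by honoring the record's strict/relaxed alignment tags (aspf, adkim); the function names, domains and records are constructed, and the two-label organizational-domain shortcut is an assumption.

```python
# Added example. Domains and records are constructed sample data.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v=DMARC1 tag must come first, and p= must be a known policy.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = dict(pairs)
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels. Assumption for this
    example; real receivers consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ("s") needs an exact match; relaxed (default) compares org domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode.lower() == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf_pass, mail_from_domain, dkim_pass, dkim_d):
    """Return "pass", or on failure the policy the domain owner requested
    ("none", "quarantine", "reject"), or "no-policy" if the record is unusable."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"].lower()

if __name__ == "__main__":
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    # Mail sent through a third party: SPF passes for example.net only.
    print(evaluate(monitor, "example.com", True, "bounces.example.net", True, "mail.example.com"))
    print(evaluate(monitor, "example.com", True, "bounces.example.net", True, "example.net"))
    print(evaluate(strict, "example.com", True, "bounces.example.net", True, "mail.example.com"))
```

The second call shows the case bulk senders most often miss: SPF and DKIM both pass, but for a third party's domain, so DMARC still fails.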

Implementation timeline

| Date | Action | Implementation |
|---|---|---|
| April 2 | Recommended preparation | Check SPF, DKIM, and publish DMARC |
| May 5 | Implementation for spam | Unauthenticated emails will go to spam |
| Coming soon | Total rejection | Emails not in compliance will be blocked |

Who does it affect?

This new standard directly affects businesses, institutions, and bulk senders, such as email marketing platforms, CRMs, newsletters, or electronic invoicing systems, that send more than 5,000 emails daily to Microsoft accounts.

However, Microsoft recommends that all senders, even those with lower volumes, implement these measures to improve deliverability and protect their domain reputation.


Additional recommended best practices

In addition to complying with SPF, DKIM, and DMARC, Microsoft advises:

  • Use valid and active sender addresses.
  • Include clear and functional unsubscribe links.
  • Maintain a clean database, removing bounced or inactive emails.
  • Write honest and concise subject lines, avoiding misleading language.

Tools to facilitate implementation

Configuring these protocols can be technical, but there are accessible and free tools for verification:

It is also recommended to consult the official document from the CCN-CERT on DMARC, which offers a detailed guide for public and private environments in Spain.


A trend that will not stop

With these new rules, Microsoft aligns with an industry-wide trend to strengthen email security, one of the main entry points for cyberattacks. The proper implementation of these technologies not only improves deliverability but also protects the sender’s brand and user privacy.

Businesses, media, universities, and any organization that relies on email as a communication channel should adapt as soon as possible to avoid disruptions in their messaging and maintain the trust of their recipients.


Do you have questions about how to adapt your domain to these new standards? Does your email provider offer DMARC support? These will be some of the key questions that every organization must address before May 5, 2025.

Source: Best security practices for email and PowerDmarc
