Update: Microsoft Outlook now joins the email security bandwagon
If you have been around cybersecurity or email security circles for a while, you’ll recall that back in 2024, major email service providers like Google and Yahoo made big changes to the email security landscape to fight cyber threats like spoofing, phishing, and spam.
In their latest email sending policies, they asked all senders—especially businesses and bulk emailers—to prove who they are by setting up email security protocols like SPF, DKIM, and DMARC. These tools help check if an email really came from who it says it did. And the best part? It worked (for most businesses) as they started implementing these protocols. But there are still many who didn’t, probably because their email service provider (ESP) never made this a norm.
So, there was still a long way to go, until now!
In 2025, Microsoft Outlook is finally stepping up its game, too. Starting May 5, 2025, if your business or organization sends more than 5,000 emails a day, Microsoft will require you to have SPF, DKIM, and DMARC properly set up. If you don’t, your emails might be pushed to people’s junk folders or even blocked completely in the future.
Let us dig deeper to understand what this new update means for Outlook users and how they can brace themselves for this move.
Why new policy updates, though?
The first thought that might cross your mind is, why did Microsoft roll out these changes now?
The answer is pretty simple: Microsoft needs to double down on its efforts to stop harmful and fake emails from reaching its users. Since cyberattackers and their techniques are getting more sophisticated with each passing day, email providers need stronger tools and stricter rules to stay ahead.
For Microsoft, this move isn’t just about protecting its users but also about cultivating a safe and more trustworthy email ecosystem. When stronger authentication protocols become mandatory, email senders are pushed to take responsibility for the messages they send. It ensures that only verified and authorized emails reach recipients, reducing the chances of impersonation, phishing, and spam.
What is Microsoft’s email sending policy about?
Just like Google and Yahoo, Microsoft, too, realized that email authentication protocols such as SPF, DKIM, and DMARC are absolutely essential to ensure a secure and safe email environment, which also extends to critical post-purchase emails like order confirmations and shipping updates.
But if senders don’t deploy them, their outgoing emails might land in the recipient’s spam folder.
Here’s how each of these protocols prevents this and more:
SPF (Sender Policy Framework)
SPF is like the first layer of defense that lets you decide which servers are allowed to send emails on your behalf. Whether it is the primary domain you use, a subdomain, or even a third-party service that you use, you must clearly list them all out.
So, if an email is sent from a server address that’s not on the list, Microsoft Outlook will consider it suspicious and not let it through to the recipient’s mailbox.
DKIM (DomainKeys Identified Mail)
After SPF, there is DKIM, which verifies the authenticity of the email’s content.
When your email is being transferred from one server to another (from sending server to receiving server), its journey is not exactly secure. There is always a risk of cybercriminals intercepting the email along its way and tampering with it—either by modifying the content or inserting malicious links.
DKIM prevents this by adding a digital signature to every email that you send. This signature is generated with a private key on your end, and when the email reaches the recipient’s mail server, that server verifies the signature with a public key listed in your DNS records. If the signature is verified, the message is considered safe to let in. If not, the email can be considered untrustworthy.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties everything together. It checks whether the email passes both SPF and DKIM and then follows the instructions you’ve set.
With DMARC, you can tell receiving servers what to do if an email fails the checks—such as deliver it anyway, send it to spam, or reject it completely. It also gives you reports showing how your domain is being used, including any unauthorized attempts to send emails pretending to be from you.
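An added example (not from the original article) of how a receiver combines SPF and DKIM results into a DMARC verdict; under RFC 7489 a message passes when at least one of the two passes for a domain aligned with the From domain. The record, the domains and the two-label org_domain shortcut are assumptions for illustration.

```python
def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers use the Public Suffix List (e.g. for example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, spf, dkim, record):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, action_requested_by_domain_owner)."""
    policy = parse_dmarc(record)
    if policy is None:
        return ("none", "none")  # no DMARC policy published
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for result, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))  # none / quarantine / reject

# Constructed record and messages (example.com is a placeholder domain).
RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"
# Newsletter sent through a third party: SPF passes for the vendor's bounce
# domain (not aligned), DKIM is signed with d=example.com (aligned).
NEWSLETTER = evaluate_dmarc("example.com", ("pass", "bounce.mailer.example.net"),
                            [("pass", "example.com")], RECORD)
# Forged From header: SPF passes for an unrelated domain, no DKIM signature.
SPOOF = evaluate_dmarc("example.com", ("pass", "mail.example.org"), [], RECORD)
```

The forged message shows why alignment matters: SPF alone reports a pass, but for a domain unrelated to the visible From address, so DMARC fails and the published `p=quarantine` applies.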
What are the additional requirements of Outlook’s new policy update?
Apart from implementing SPF, DKIM, and DMARC, Microsoft Outlook is asking its users to meet other requirements as well.
- First, make sure you’re using valid and clear email addresses in both the “From” and “Reply-To” fields. Your readers should instantly recognize who the email is from. If your address looks suspicious or confusing, it might get flagged.
- If you send bulk marketing emails, make sure to include an easy-to-spot unsubscribe option in your emails. In case someone no longer wants to hear from you, they should be able to opt out with just one click. If you think skipping this step will increase your engagement rate, you’re wrong! It will only hurt your sender reputation and deliverability.
- Lastly, it’s important to keep your email list clean. Make sure that you remove any old, inactive, or invalid email addresses from your list. This helps you reach people who actually want your messages and improves your overall email deliverability.
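One way to pre-check outgoing bulk mail against the first two items above, as an added example rather than Microsoft's or the author's tooling. It assumes one-click unsubscribe is implemented with the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers; the message and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Deliberately simple syntax check: local part, "@", dotted domain with a TLD.
ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def audit_headers(raw):
    """Return a list of findings for a raw message (empty list = clean)."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        addrs = [a for _, a in getaddresses(msg.get_all(header, []))]
        if header == "From" and not addrs:
            findings.append("From has no address")
        for addr in addrs:
            if not ADDR_RE.match(addr):
                findings.append(f"{header} address is not valid: {addr!r}")
    # RFC 8058 one-click needs an https URI plus the List-Unsubscribe-Post header.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if not uris:
        findings.append("missing List-Unsubscribe header")
    elif not any(u.lower().startswith("https://") for u in uris):
        findings.append("List-Unsubscribe has no https URI for one-click")
    elif post != "list-unsubscribe=one-click":
        findings.append("missing List-Unsubscribe-Post: List-Unsubscribe=One-Click")
    return findings

# Constructed bulk message; addresses and URLs are placeholders.
SAMPLE = """\
From: Example Shop <news@example.com>
Reply-To: noreply
Subject: Spring offers
List-Unsubscribe: <mailto:unsub@example.com>

Hello
"""
```

Running `audit_headers(SAMPLE)` reports the malformed Reply-To and the mailto-only unsubscribe header, two problems that are easy to miss when a template is reused across campaigns.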
Moving forward
May 5, 2025, is not too far away! So, if you haven’t already, now is the time to start taking authentication seriously, or else Outlook might start flagging your emails as spam! The first step is to implement SPF, DKIM, and DMARC, and once they’re in place, it’s equally important to monitor them regularly.
If you’re not sure how to go about it all, our team is here to help you! Get in touch with us or book a demo to get started!