The DDMARC Blog

Microsoft 365 Sender Requirements Are Now Enforced — Are You Compliant?

Microsoft now requires SPF, DKIM, and an aligned DMARC record to deliver bulk mail to Outlook.com and Hotmail. Who's affected, how it compares to the Google and Yahoo rules, and a checklist to confirm you pass.

PlatOps Security Team · Deliverability · 5 min read

If you send marketing, billing, or notification email at any volume, the bar to reach an inbox just rose again. Microsoft now enforces authentication requirements for high-volume senders to its consumer mailboxes — Outlook.com, Hotmail, Live, and MSN — closing the gap with the rules Google and Yahoo put in place in 2024. Mail that doesn't meet them no longer lands; it goes to Junk, and eventually it won't be accepted at all.

The good news: if you did the work for Google and Yahoo, you're most of the way there. The catch is that "I have SPF and DKIM" isn't the same as compliant. Here's exactly what Microsoft expects, who it applies to, and how to confirm you pass.

What Microsoft now requires

For high-volume senders to consumer mailboxes, three things are non-negotiable:

  • SPF — your sending IPs must be authorized in your domain's SPF record, and SPF must pass.
  • DKIM — messages must carry a valid DKIM signature that verifies against your domain.
  • DMARC — your domain must publish a DMARC record at a minimum of p=none, and it must align with the visible From: address.

Alongside authentication, Microsoft expects the basics of a legitimate sender: valid reverse DNS (PTR) on your sending IPs, honest From and HELO values that don't impersonate, functional list-unsubscribe for bulk mail, and low spam-complaint rates. None of that is new as best practice — what changed is that it's now enforced for senders at scale.

Who's affected

The requirements target high-volume senders: roughly 5,000 or more messages per day to Microsoft consumer domains, measured per sending domain. If you're under that threshold, treat these as strong best practice — you still benefit from authentication, and crossing the line later is common. At or above it, they're the price of admission.

One clarification worth making: this is about mail you send to Outlook.com and Hotmail recipients. It's not a setting inside your own Microsoft 365 tenant — it's how Microsoft's consumer mail systems judge inbound mail from any sender, including you.

How it compares to the Google and Yahoo rules

If the requirements sound familiar, they should — they mirror what we covered in the Google and Yahoo sender requirements. The shape is the same across all three:

Requirement                 | Google / Yahoo (2024) | Microsoft (now)
SPF                         | Required              | Required
DKIM                        | Required              | Required
DMARC (min p=none, aligned) | Required for bulk     | Required for bulk
One-click unsubscribe       | Required              | Expected
Spam-rate ceiling           | Under 0.3%            | Low complaint rate expected

The convergence is the real story: the major mailbox providers have settled on a shared baseline. Authenticate properly once, and you satisfy all of them. Miss it, and you lose deliverability everywhere at once.

The compliance checklist

Work through these in order:

  1. SPF passes for every system that sends as your domain — and you're under the 10-lookup limit.
  2. DKIM signs on your domain (not just your provider's shared domain), and the signature verifies.
  3. DMARC is published at _dmarc.yourdomain.com, minimum p=none, with a rua= address someone monitors.
  4. DMARC aligns — the SPF or DKIM domain matches your visible From:. This is the step most senders miss; passing SPF on a different domain doesn't count. Our explainer on DMARC alignment covers why.
  5. List-Unsubscribe with one-click is set on bulk mail.
  6. Reverse DNS (PTR) is valid for your sending IPs, and your complaint rate is low.

If you're new to any of this, start with what DMARC is and build up from there.
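
Checklist items 1 and 3 can be checked offline against the TXT records you publish. The sketch below is an added example, not code from this blog or any vendor: it counts the SPF terms that trigger DNS lookups (include, a, mx, ptr, exists, redirect) through nested includes, and flags a DMARC record with no policy or no rua= address. The domains, records, and function names are constructed for illustration.

```python
import re

# Constructed sample records (not real DNS data), keyed by the name queried.
ZONE = {
    "example.test": "v=spf1 include:_spf.mailer.test include:_spf.crm.test mx -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.test": "v=spf1 ip4:198.51.100.0/24 a ~all",
    "_spf.crm.test": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.crm.test ~all",
}
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"

# Terms that cost a DNS lookup toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookups(domain, zone, path=()):
    """Count lookup-triggering SPF terms for domain, following include/redirect."""
    if domain in path:                      # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:          # skip "v=spf1"
        name, arg = (re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1) + [""])[:2]
        name = name.split("/")[0].lower()                  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += spf_lookups(arg, zone, path + (domain,))
    return total

def dmarc_issues(txt):
    """Return a list of problems with a DMARC record (checklist item 3)."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p=")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        issues.append("no rua= reporting address")
    return issues

if __name__ == "__main__":
    print("SPF lookups:", spf_lookups("example.test", ZONE), "(limit 10)")
    print("DMARC issues:", dmarc_issues(DMARC_TXT) or "none")
```

To run it against a live domain, populate the mapping from real TXT answers; the counting logic stays the same.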

How to verify you pass

Don't assume — check. The fastest read is your own DMARC aggregate reports, which show whether your real sending sources authenticate and align as Microsoft and the others now demand. Send a test message to an Outlook.com address and inspect the headers for spf=pass, dkim=pass, and a DMARC result that's aligned, not just passing.
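
The difference between passing and aligned shows up directly in the Authentication-Results header of that test message. The following is an added example, not code from this blog: it parses a header value and reports which mechanisms both pass and align with header.from under relaxed alignment. The header values are constructed samples, and the two-label organizational-domain shortcut is an assumption that a real checker would replace with the Public Suffix List.

```python
import re

# Constructed sample Authentication-Results values for two test messages.
ALIGNED = ("spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.esp.test; "
           "dkim=pass (signature was verified) header.d=mail.example.test; "
           "dmarc=pass action=none header.from=example.test")
UNALIGNED = ("spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.esp.test; "
             "dkim=pass (signature was verified) header.d=esp.test; "
             "dmarc=fail action=none header.from=example.test")

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # This is wrong for suffixes such as co.uk; use the Public Suffix List there.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to its result and properties.
    A message with several DKIM signatures keeps only the last one here."""
    out = {}
    for clause in re.sub(r"\([^)]*\)", "", value).split(";"):   # drop comments
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}
    return out

def aligned_pass(value):
    """Return the mechanisms that pass AND align with header.from (relaxed)."""
    r = parse_auth_results(value)
    from_org = org_domain(r.get("dmarc", {}).get("header.from", ""))
    checks = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    return [m for m, prop in checks.items()
            if from_org and r.get(m, {}).get("result") == "pass"
            and org_domain(r[m].get(prop, "").split("@")[-1]) == from_org]

if __name__ == "__main__":
    for label, hdr in (("aligned", ALIGNED), ("unaligned", UNALIGNED)):
        print(label, "->", aligned_pass(hdr) or "nothing aligns: DMARC fails")
```

In the second sample both spf=pass and dkim=pass appear, yet neither domain matches the From: domain, which is the case checklist step 4 describes.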

You can also check your domain's records in seconds to confirm SPF, DKIM discovery, and your DMARC policy are all in place before the next campaign goes out — rather than finding out from a drop in open rates.

Frequently asked questions

Who has to meet Microsoft's sender requirements?
Any sender delivering roughly 5,000 or more messages a day to Microsoft consumer mailboxes — Outlook.com, Hotmail, Live, and MSN. Below that volume the rules are strong best practice; at or above it they're enforced. The threshold is measured per sending domain, and once you cross it the obligations apply.

What happens if my mail doesn't meet them?
Microsoft first routes non-compliant bulk mail from high-volume senders to the Junk folder, and has signaled that persistent non-compliance moves to outright rejection. In practice, SPF, DKIM, and an aligned DMARC record are now the price of reaching Outlook.com inboxes at scale.


The pattern is clear: every major mailbox provider now demands authenticated, aligned mail from anyone sending at volume. The work is the same work you've been putting off: publish SPF, sign DKIM on your domain, enforce DMARC, and watch your reports. Do it once and you're compliant everywhere. See where your domain stands before the requirements decide for you.
