Service Update
| Availability | April 29th, 2025 |
| Product(s) | Email Security Cloud Gateway |
| Who's affected | All customers sending mail to Microsoft based Outlook.com & Hotmail.com |
Overview
This article has been updated (04/29/2025) due to further changes announced by Microsoft.
Microsoft has recently announced updated sender requirements that will be in effect at the beginning of April 2025. These new requirements are rooted in long-standing Internet standards and best practices.
All senders will need to follow a basic set of requirements; however, additional requirements may come into play depending on mail volume and type of mail (promotional vs. transactional).
Applicable to All Senders
Email Authentication: SPF or DKIM will be REQUIRED.
- SPF (Sender Policy Framework) is an email authentication technology that allows the domain owner to specify which IP addresses are authorized to send email on behalf of that domain. When an email message is received, the recipient's email server checks the SPF record for the sender domain to ensure the message comes from an authorized IP address. If the SPF check fails, the message may be rejected under Microsoft’s new requirements.
- DKIM (DomainKeys Identified Mail) is an email authentication technology that uses cryptographic signatures to verify the authenticity of email messages. When an email message is sent, DKIM adds a digital signature to the message header, which the recipient's email server can verify to ensure that the message has not been tampered with in transit and originated from the claimed sender domain.
Beginning April 2025, these long-established email authentication best practices will become a requirement. Microsoft has updated its initial launch strategy, and a more progressive plan is anticipated as the company collaborates with customers to guarantee the successful delivery of messages that consumers wish to receive while filtering out unwanted communications.
To ensure email validation within Mimecast, customers are required to authorize all sending domains through our platform. Without this authorization, Mimecast will be unable to validate using SPF. For additional details, please refer to Finding DNS Authentication Code.
Ensure Valid Forward and Reverse DNS Records (PTR Records)
Authentication goes beyond SPF and DKIM; having valid forward and reverse DNS records is critical. These records verify that the sending hostname is associated with the sending IP address. Every IP address must be mapped to a hostname in the PTR record. The hostname specified in the PTR record must also have a forward DNS that refers to the sending IP address.
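The forward-confirmed reverse DNS check described above, as an added example that is not part of this article or the Mimecast product. DNS lookups are injected so it runs offline against a constructed zone; in practice the two stub functions would be replaced by real resolver calls.

```python
# Added example: forward-confirmed reverse DNS (PTR -> hostname -> A record -> same IP).
# The PTR and A tables below are constructed sample data, not real records.
import ipaddress

PTR = {"203.0.113.10": "mx1.example.com.", "203.0.113.11": "mx2.example.com."}
A = {"mx1.example.com": ["203.0.113.10"], "mx2.example.com": ["198.51.100.5"]}


def lookup_ptr(ip: str):
    """Stub reverse lookup (assumption: stands in for a real resolver)."""
    return PTR.get(ip)


def lookup_a(name: str):
    """Stub forward lookup (assumption: stands in for a real resolver)."""
    return A.get(name.rstrip("."), [])


def fcrdns(ip: str, ptr=lookup_ptr, a=lookup_a) -> dict:
    """A sending IP passes only when its PTR names a host whose forward (A)
    record includes that same IP, which is the requirement stated above."""
    ipaddress.ip_address(ip)  # raises on malformed input
    host = ptr(ip)
    if not host:
        return {"ip": ip, "ptr": None, "forward_confirmed": False, "reason": "no PTR record"}
    hostname = host.rstrip(".")
    ok = ip in a(host)
    return {
        "ip": ip,
        "ptr": hostname,
        "forward_confirmed": ok,
        "reason": "ok" if ok else f"forward record for {hostname} does not include {ip}",
    }


if __name__ == "__main__":
    for sending_ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(fcrdns(sending_ip))
```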
Maintain Low End-User Complaint (Spam) Rates
Understanding the performance of your mail is a responsibility that should not be overlooked. Regularly monitor your domain’s spam rate in Microsoft’s Postmaster Tools. Aim to keep this spam complaint rate below 0.10%. Complaint rates nearing 0.30% or above, especially for sustained periods, will now lead to deferrals or blocking.
Message Format Compliance (RFC 5322)
Microsoft specifically calls out the need to ensure alignment with the Internet Message Format standards found in RFC 5322. Make sure your company strives to understand and adhere to these standards.
Implement ARC Headers for Forwarded Emails
Addressing the nuances of forwarding emails and implementing ARC (Authenticated Received Chain) headers is essential to ensure the authenticity and integrity of forwarded messages, specifically for mailing lists and inbound gateways.
Additional Requirements for Senders >5,000 Per Day (Bulk)
While Microsoft sidesteps the use of specific numbers to quantify “bulk” sending, it does provide a rough idea of what it is trying to address: bulk sending, according to Microsoft, means a collection of messages, around 5,000 or so per day, all having materially similar subject lines and/or content. It is also important to note that bulk messaging can take place over a period of time and across multiple sends.
Additional requirements are provided and outlined below for those who may fall into this category.
DMARC Policy Enforcement
UPDATE 04/29/2025: MICROSOFT WILL BEGIN REJECTING A PERCENTAGE OF NON-COMPLIANT BULK EMAILS WITH ERRORS FROM APRIL 2025.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication technology that provides policy and reporting mechanisms for DKIM and SPF. DMARC allows the domain owner to specify how email messages that fail DKIM and SPF checks should be handled, and it provides feedback on the results of those checks. DMARC helps to prevent email spoofing and phishing by ensuring that email messages are only accepted if they meet the authentication policies specified by the domain owner.
Mimecast customers sending a larger volume of messages per day to major mailbox providers must have a DMARC policy in their DNS.
DMARC Alignment
For direct mail, the domain in a sender’s From: header must be aligned with the SPF and DKIM domains. DMARC passes or fails a message based on how closely the message From: header matches the sending domain specified by SPF and DKIM. This is called alignment.
Mimecast customers must ensure the domain of the address in the From: header matches the domain authenticated with SPF and DKIM. Beyond this, there is strict and relaxed alignment, and you need to consider several scenarios (including subdomains). Thankfully, Microsoft has an entire blog post explaining those scenarios in great detail, but it is worth mentioning that relaxed alignment is allowed.
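The strict and relaxed alignment scenarios mentioned above, including subdomains, worked through in an added example that is not code from this article, Mimecast or Microsoft. DMARC passes when at least one authenticated identifier (the SPF MAIL FROM domain or the DKIM d= domain) both passed its own check and aligns with the From: domain; the organizational-domain logic here is a simplification, since real evaluators consult the Public Suffix List.

```python
# Added example: DMARC identifier alignment in relaxed and strict mode.
# TWO_LABEL_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. news.example.com -> example.com (simplified PSL logic)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact domain match; relaxed needs the same
    organizational domain, which is what lets a subdomain From: align with a
    parent-domain DKIM signature."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "strict":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
                   aspf="r", adkim="r") -> dict:
    """aspf/adkim are the DMARC record tags: 'r' relaxed (default) or 's' strict."""
    spf_mode = "strict" if aspf == "s" else "relaxed"
    dkim_mode = "strict" if adkim == "s" else "relaxed"
    spf_aligned = bool(spf_pass) and aligned(from_domain, spf_domain, spf_mode)
    dkim_aligned = bool(dkim_pass) and aligned(from_domain, dkim_domain, dkim_mode)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


if __name__ == "__main__":
    # Constructed scenario: mail from a subdomain, DKIM-signed by the parent domain,
    # SPF authenticated only for a third-party sender's bounce domain.
    print(dmarc_evaluate("news.example.com", "bounce.esp-provider.net", True,
                         "example.com", True))             # relaxed: DKIM aligns
    print(dmarc_evaluate("news.example.com", "bounce.esp-provider.net", True,
                         "example.com", True, adkim="s"))  # strict: nothing aligns
```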
One-Click Unsubscribe Option in a List-Unsubscribe
UPDATE 04/29/2025: MICROSOFT HAS DELAYED THIS UNTIL JUNE 2025
Enabling a one-click unsubscribe option in a List-Unsubscribe header is mandated. This empowers recipients to easily opt out, enhancing user experience and compliance. Unsubscribe actions must be taken within two days. It is also suggested (but not mandatory) that an unsubscribe link within the body of the email leading to a preference center be added. Failure of bulk senders to include this functionality may result in mail rejections.
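A check for the headers that make up a one-click unsubscribe option, added here as an example and not taken from the article, Mimecast or Microsoft. One-click unsubscribe is defined by RFC 8058: the List-Unsubscribe header must carry an https URI, and a List-Unsubscribe-Post header with the value List-Unsubscribe=One-Click must be present; the two messages below are constructed samples.

```python
# Added example: does an outbound message meet the RFC 8058 one-click unsubscribe headers?
import re
from email import message_from_string
from email.message import Message


def one_click_unsubscribe_status(msg: Message) -> dict:
    """Report which one-click unsubscribe requirements the message satisfies."""
    lu = msg.get("List-Unsubscribe", "")
    lu_post = msg.get("List-Unsubscribe-Post", "")
    # List-Unsubscribe holds comma-separated <uri> entries; a mailto: entry on
    # its own is a valid List-Unsubscribe header but is not one-click.
    uris = re.findall(r"<([^>]+)>", lu)
    https_uris = [u for u in uris if u.strip().lower().startswith("https://")]
    post_ok = lu_post.strip().lower() == "list-unsubscribe=one-click"
    return {
        "has_list_unsubscribe": bool(uris),
        "has_https_uri": bool(https_uris),
        "has_one_click_post": post_ok,
        "one_click_compliant": bool(https_uris) and post_ok,
    }


def check(raw: str) -> dict:
    return one_click_unsubscribe_status(message_from_string(raw))


# Constructed sample messages: one compliant, one with only a mailto: option.
COMPLIANT = """From: news@example.com
To: user@example.net
Subject: Weekly digest
List-Unsubscribe: <https://example.com/unsub?token=abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Body.
"""

MAILTO_ONLY = """From: news@example.com
To: user@example.net
Subject: Weekly digest
List-Unsubscribe: <mailto:unsub@example.com>

Body.
"""

if __name__ == "__main__":
    print(check(COMPLIANT))
    print(check(MAILTO_ONLY))
```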
Recommended actions
Ensure your DKIM & SPF Policies and Definitions are correctly configured for outbound mail, and align your standards and practices with the requirements outlined in this article for Microsoft's message compliance.
See the following articles for guidance:
- Definition - Configuring DNS Authentication Definition
- Policy - Configuring DNS Authentication Policy
As a result of the upcoming changes made by Microsoft, customers are now allowed to DKIM-sign emails for domains that are not in their list of authorized domains. This can be configured as part of the DNS Outbound Definition.