To all our email marketers out there, we know you’re juggling more than ever: tight KPIs, shrinking attention spans, evolving email privacy regulations… and now, stricter sender requirements from inbox providers.

In a move to improve security and inbox quality, Microsoft Outlook has introduced new sender requirements that officially went into effect on May 5, 2025. If you're sending bulk emails, even legitimate marketing or transactional messages, this is something you need to comply with, or risk having your emails land in the spam folder or get blocked outright.

These new requirements aren’t just a compliance checkbox; they're a signal that inbox providers expect brands to earn their place in the inbox. If you haven’t prioritized authentication in your email program, now’s the time.

What are Microsoft’s new email sender requirements?

Microsoft is following in the footsteps of Gmail by enforcing stronger authentication protocols to ensure senders are legitimate and prevent phishing or spoofing attacks. If you send more than 5,000 emails a day to Microsoft addresses (Outlook.com, Hotmail.com, Live.com, etc.), here's what you now need:

1. SPF (Sender Policy Framework)

This DNS record tells mailbox providers which IP addresses are allowed to send emails on behalf of your domain.

↳ Action: Work with your ESP or IT team to ensure your SPF record includes all authorized sending services and does not exceed the limit of 10 DNS lookups. Use tools like MXToolbox or Dmarcian to validate it.

2. DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your emails to verify the sender and ensure the message hasn’t been altered.

↳ Action: Generate DKIM keys through your email platform or domain provider. Publish the public key in your DNS settings. Make sure your DKIM signing domain aligns with your "From" domain to avoid authentication failures.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC builds on SPF and DKIM by letting you tell mailbox providers what to do if authentication fails (none, quarantine, or reject). Microsoft requires at least a p=none policy.

↳ Action: Start with p=none so you can monitor without affecting deliverability. Use tools like Postmark, Valimail, or DMARC Analyzer to review DMARC reports and plan for future policy upgrades (like quarantine or reject).

Over time, aim to move toward a stricter DMARC policy to boost domain reputation.
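The SPF lookup limit and the DMARC minimum described above can be checked before you publish a record. The following is an added example, not code from Microsoft or from this article's author: the zone data is constructed, a plain dictionary stands in for live DNS, and the function names are hypothetical.

```python
# Constructed sample zone: domain -> SPF TXT record (stands in for live DNS).
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.esp.example include:_spf.crm.example mx -all",
    "_spf.esp.example": "v=spf1 ip4:192.0.2.0/24 include:_spf2.esp.example ~all",
    "_spf2.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:mail.crm.example exists:%{i}.rbl.crm.example ~all",
}

LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
LOOKUP_TERMS = ("a", "mx", "ptr", "exists", "include", "redirect")


def count_spf_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms, following include/redirect recursively."""
    if domain in path:  # include loop: stop descending
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0]  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1  # this term costs one DNS query
        if name in ("include", "redirect"):
            total += count_spf_lookups(target, zone, path + (domain,))
    return total


def spf_within_limit(domain, zone):
    return count_spf_lookups(domain, zone) <= LOOKUP_LIMIT


def parse_dmarc(record):
    """Return the DMARC tags as a dict, or {} if the record is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def dmarc_meets_minimum(record):
    """p=none is the stated minimum; quarantine and reject are stricter."""
    return parse_dmarc(record).get("p", "").lower() in ("none", "quarantine", "reject")
```

Nested includes are what usually push a record over the limit: the sample `example.com` record lists only three lookup terms itself but costs six once its ESP and CRM includes are expanded.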

Why this matters for mobile-focused senders

Mobile devices are where most consumers check their email, and phishing threats are harder to spot on a small screen. That’s why Microsoft’s push for authenticated senders is especially critical for mobile-first brands.

If you're running time-sensitive mobile campaigns, like flash sales, app updates, or password resets, even a slight deliverability issue can hurt engagement and revenue.

Make sure to test deliverability across mobile inbox apps (Outlook mobile, iOS Mail, Gmail app). If your messages are going to spam, start troubleshooting your SPF, DKIM, and DMARC settings immediately.

Compliance checklist for email marketers

Here’s a streamlined checklist to help you get compliant, and stay there:

✅ SPF record is published and accurate

✅ DKIM signing is set up and aligned

✅ DMARC policy is configured (p=none minimum)

✅ Clear unsubscribe link is visible in all emails

✅ One-click unsubscribe supported (RFC 8058)

✅ Sending domain is not on any blocklists

✅ Bounce and complaint rates are below industry thresholds

✅ Email content follows brand trust and sender transparency best practices

Want some extra credit? Set up BIMI (Brand Indicators for Message Identification) for visual trust cues in inboxes that support it.

What happens if you don’t comply?

If your messages aren’t properly authenticated and aligned with Microsoft's guidelines, you could face:

  • Increased spam folder placement
  • Outright message rejection
  • Domain reputation damage
  • Reduced engagement across all ESPs (reputation is contagious)

Even transactional messages, like receipts or verification emails, are subject to these rules. So don’t assume you’re safe just because your emails aren’t “marketing.”

New email requirement FAQs: Fast answers to common questions

Q: Does this affect Gmail too?
A: Yes, Gmail announced similar requirements earlier in 2024. If you're compliant with Gmail’s new rules, you’re likely close to meeting Microsoft's standards, but don’t assume full overlap. Always double-check.

Q: What if I send fewer than 5,000 emails per day?
A: The 5,000 threshold applies to Microsoft’s enforcement, but authentication best practices apply to everyone. Even small senders should implement SPF, DKIM, and DMARC.

Q: How do I know if my emails are properly authenticated?
A: Use Google Postmaster Tools, Microsoft SNDS, and DMARC aggregators to review authentication reports. Check headers using tools like mail-tester.com to confirm pass/fail status.

Q: Do I need to make any changes to my email templates or content?
A: Not directly. However, Microsoft does favor emails that are clear, reputable, and offer an easy way to unsubscribe. Review your headers, "From" address, and footer compliance.
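The header check mentioned in the FAQ, together with the alignment and one-click unsubscribe items from the checklist, can be run against a received test message. This is an added example, not part of the original article: the message is constructed, `audit` and `aligned` are hypothetical names, and alignment is simplified to "same domain or a subdomain" rather than a full Public Suffix List comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message headers (not taken from a real mailbox).
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces@esp-mail.example;
 dkim=pass header.d=esp-mail.example;
 dkim=pass header.d=brand.example;
 dmarc=pass header.from=news.brand.example
From: Brand News <hello@news.brand.example>
List-Unsubscribe: <https://brand.example/u/123>, <mailto:unsub@brand.example>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Body
"""


def aligned(domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    d, f = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not d or not f:
        return False
    return d == f or d.endswith("." + f) or f.endswith("." + d)


def audit(raw):
    """Report aligned SPF/DKIM passes, DMARC result and RFC 8058 headers."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    header = " ".join(msg.get_all("Authentication-Results", []))
    passes = {"spf": [], "dkim": [], "dmarc": []}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m or m.group(2).lower() != "pass":
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", clause)
        passes[m.group(1).lower()].append(ident.group(1).rpartition("@")[2] if ident else "")
    unsub = msg.get("List-Unsubscribe", "").lower()
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    return {
        "spf_aligned": any(aligned(d, from_dom) for d in passes["spf"]),
        "dkim_aligned": any(aligned(d, from_dom) for d in passes["dkim"]),
        "dmarc_pass": bool(passes["dmarc"]),
        "one_click_unsub": "<https://" in unsub and post == "list-unsubscribe=one-click",
    }
```

In the sample, SPF passes but for the ESP's bounce domain, so it is not aligned with the "From" domain; DMARC passes only because the second DKIM signature is aligned.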

Are there ways to future-proof your email program?

  • Start implementing BIMI: Not required, but helpful for branding and trust.
  • Consolidate sending domains: Multiple sender domains can fragment your reputation.
  • Align your "From" domain and DKIM/SPF domain: Misalignment is a common deliverability killer.
  • Plan to upgrade your DMARC policy over time: Moving to quarantine or reject once you're confident boosts your domain's credibility.
  • Maintain list hygiene: Remove bounces, inactive users, and known spam traps.

Remember: Authentication is a foundational layer, but reputation, engagement, and content still matter. It’s all connected!

OneSignal: Email marketing that actually delivers

Deliverability is no longer a backend technical issue. It’s a strategic marketing concern that directly affects ROI, user experience, and brand trust.

If you’re looking for a simple, reliable platform that helps you send authenticated, high-converting emails (alongside push notifications, SMS, in-app messaging, and Live Activities), OneSignal has you covered. We make it easy to manage domain authentication, optimize deliverability, and build omnichannel journeys that reach users across every device.
