Microsoft Outlooks new sender requirements: What you need to do by May 5

If you thought you were finally getting a break from the sender requirement conversation after the industry shift brought by Google and Yahoo last year, not quite. Microsoft is stepping up to the plate. In its April 2, blog, Microsoft announced new requirements for high-volume senders reaching Outlook.com, Hotmail.com, and Live.com addresses.

If you’re sending more than 5,000 messages a day to Microsoft consumer domains, keep reading. These changes are about protecting recipients, cracking down on spoofing, and setting a higher bar for sender authentication.

Let’s break down what’s changing and what actions you need to take.

Beginning May 5, 2025, Microsoft will start filtering—or even rejecting—messages that don’t meet their authentication standards. The good news, if you’re already compliant with the Gmail/Yahoo standards you’re set. Here’s what you need to have in place:

• SPF (Sender Policy Framework): Your domain must pass SPF checks. That means your DNS records need to clearly define who’s allowed to send mail on your behalf.
• DKIM (DomainKeys Identified Mail): DKIM is required to verify message integrity. Microsoft will expect signed messages that confirm the sender is who they say they are.
• DMARC (Domain-based Message Authentication, Reporting, and Conformance): A valid DMARC policy is now a must. At minimum, you need a policy of p=none, and it must align with SPF or DKIM—ideally both.

Messages that don’t meet these requirements? They’ll be routed to the Junk folder at first, and if left unaddressed, will eventually be blocked outright.

Microsoft is also calling on senders to follow a few critical best practices for “quality and trust.” These guidelines support deliverability and help protect recipients.

• Use real, reply-capable “From” or “Reply-To” addresses.
• Include a visible, functional unsubscribe link—especially in bulk or marketing emails.
• Keep your list clean. Regularly remove invalid contacts and monitor bounce rates.
• Be upfront in your subject lines and headers. Deceptive content won’t help anyone.

Microsoft has made it clear: if you don’t follow these practices (Microsoft specifically called out authentication and list hygiene) and deliverability issues persist, your messages could be filtered or blocked—no formal requirement needed.

Unlike Gmail and Yahoo, Microsoft hasn’t explicitly required support for RFC 8058 or one-click unsubscribe. That said, providing a simple opt-out experience is required with “functional unsubscribe links” that are clear and visible.

Here’s how things will roll out:

• Now: Audit your SPF, DKIM, and DMARC records. Make sure they’re aligned and functioning properly.
• May 5, 2025  Messages will be rejected that don’t pass the required authentication requirements detailed above (SPF, DKIM, DMARC). The rejected messages will be designated as “550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level.” (Updated May 1, 2025) 
• Later (date TBD): Expect full rejections for senders who remain non-compliant.

Gmail and Yahoo kicked it off, but we knew then that inbox standards were going to become more universally strict. And that actually benefits senders as well. If your authentication setup isn’t dialed in, your emails may never reach the inbox—even if your content is great and your audience wants to hear from you.

“You can get very philosophical about why now. I remember talking about these changes 10 years ago with a group and we said ‘no auth, no entry’, that is what we should be working towards because it makes a ton of sense being able to identify who is sending an email. It helps us assign your reputation to your identity. Email volume keeps increasing and there is a lot of noise and a lot of bad actors piggybacking on sender’s good reputations. At some point on the mailbox provider side, we just had to say okay, that’s enough.”

Marcel Becker Sr. Director of Product Management at Yahoo

• Start with a deliverability audit: Confirm that your SPF, DKIM, and DMARC records are correctly implemented and aligned.
• Clean your list: Make sure your email lists are validated so you’re not contributing to your spam complaint rate.

At Mailgun, we’re here to help you navigate changes like these and keep your messages in the inbox where they belong.

Author: Em Blitstein Em Blitstein is a Sr. Content Marketing Manager at Sinch Mailgun. She manages the Mailgun Blog, curates top-notch content, and falls down SEO rabbit holes. She writes about all things email and loves a good dev deep dive.