Microsoft Outlook's new sender requirements: What you need to do by May 5
Microsoft is rolling out new authentication requirements for high-volume senders starting May 5, 2025—mirroring Gmail and Yahoo’s recent crackdown on bulk email. If your messages aren’t aligned with SPF, DKIM, and DMARC, they’re headed for the spam folder—or worse.
If you thought you were finally getting a break from the sender requirement conversation after the industry shift brought by Google and Yahoo last year, not quite. Microsoft is stepping up to the plate. In its April 2 blog post, Microsoft announced new requirements for high-volume senders reaching Outlook.com, Hotmail.com, and Live.com addresses.
If you’re sending more than 5,000 messages a day to Microsoft consumer domains, keep reading. These changes are about protecting recipients, cracking down on spoofing, and setting a higher bar for sender authentication.
Let’s break down what’s changing and what actions you need to take.
What are the Microsoft sender requirements?
Beginning May 5, 2025, Microsoft will start filtering—or even rejecting—messages that don’t meet their authentication standards. The good news: if you’re already compliant with the Gmail/Yahoo standards, you’re set. Here's what you need to have in place:
SPF (Sender Policy Framework): Your domain must pass SPF checks. That means your DNS records need to clearly define who’s allowed to send mail on your behalf.
DKIM (DomainKeys Identified Mail): DKIM is required to verify message integrity. Microsoft will expect signed messages that confirm the sender is who they say they are.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): A valid DMARC policy is now a must. At minimum, you need a policy of p=none, and it must align with SPF or DKIM—ideally both.
Messages that don’t meet these requirements? They’ll be routed to the Junk folder at first, and if left unaddressed, will eventually be blocked outright.
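To make "aligned with SPF or DKIM" concrete, the following added example (not code from Mailgun or Microsoft) parses a DMARC record and evaluates alignment for one message. The function names, sample domains and records are constructed for illustration, and the organizational-domain lookup is a simplifying assumption.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List, so names under e.g. co.uk need that instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; reject records with no usable policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def evaluate(from_domain, dmarc_txt, spf, dkim):
    """spf and dkim are (result, domain) pairs: SPF MAIL FROM domain, DKIM d= domain."""
    tags = parse_dmarc(dmarc_txt)
    spf_ok, dkim_ok = spf[0] == "pass", dkim[0] == "pass"
    spf_al = spf_ok and aligned(from_domain, spf[1], tags.get("aspf", "r").lower())
    dkim_al = dkim_ok and aligned(from_domain, dkim[1], tags.get("adkim", "r").lower())
    return {
        "spf_pass": spf_ok, "dkim_pass": dkim_ok,
        "dmarc_pass": spf_al or dkim_al,     # minimum: aligned with SPF or DKIM
        "both_aligned": spf_al and dkim_al,  # the "ideally both" case
        "meets_requirements": spf_ok and dkim_ok and (spf_al or dkim_al),
    }

# Constructed sample: mail sent through a provider whose bounce domain differs
# from the visible From domain, DKIM-signed with the sender's own subdomain.
SPF = ("pass", "bounces.example.net")
DKIM = ("pass", "mail.example.com")
RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, record in (("relaxed", RELAXED), ("strict", STRICT)):
        print(name, evaluate("example.com", record, SPF, DKIM))
```

With the relaxed record the message passes DMARC through DKIM alone even though SPF passes unaligned; the strict record turns the same message into a DMARC failure.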
Sinch Mailgun has introduced free DMARC reporting for all Mailgun senders on a paid plan through a new collaboration with Red Sift. This enhancement gives Mailgun users greater visibility into email authentication results.
What else should senders be doing?
Microsoft is also calling on senders to follow a few critical best practices for “quality and trust.” These guidelines support deliverability and help protect recipients.
Use real, reply-capable “From” or “Reply-To” addresses.
Include a visible, functional unsubscribe link—especially in bulk or marketing emails.
Keep your list clean. Regularly remove invalid contacts and monitor bounce rates.
Be upfront in your subject lines and headers. Deceptive content won’t help anyone.
Microsoft has made it clear: if you don’t follow these practices (Microsoft specifically called out authentication and list hygiene) and deliverability issues persist, your messages could be filtered or blocked—no formal requirement needed.
What about one-click unsubscribe (RFC 8058)?
Unlike Gmail and Yahoo, Microsoft hasn’t explicitly required support for RFC 8058 or one-click unsubscribe. That said, a simple opt-out experience is still required, in the form of “functional unsubscribe links” that are clear and visible.
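For senders who want one template that satisfies the stricter Gmail/Yahoo side as well, here is an added example (not from Mailgun or any mailbox provider) that audits a message's headers for RFC 8058 one-click unsubscribe: an HTTPS URI in List-Unsubscribe, the List-Unsubscribe-Post header, and a DKIM signature covering both. The function name and the sample message are constructed.

```python
import re
from email import message_from_string

REQUIRED = {"list-unsubscribe", "list-unsubscribe-post"}

def signed_headers(dkim_value):
    """Return the lowercase header names listed in a DKIM-Signature h= tag."""
    tags = {}
    for part in dkim_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value
    return {h.strip().lower() for h in tags.get("h", "").split(":")}

def audit_unsubscribe(raw_message):
    msg = message_from_string(raw_message)
    uris = [u.strip().lower()
            for u in re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))]
    has_mailto = any(u.startswith("mailto:") for u in uris)
    has_https = any(u.startswith("https://") for u in uris)
    # RFC 8058 fixes the value of this header; ignore folding whitespace and case.
    post = "".join(msg.get("List-Unsubscribe-Post", "").split()).lower()
    post_ok = post == "list-unsubscribe=one-click"
    # A single signature must cover both headers so neither can be altered in transit.
    covered = any(REQUIRED <= signed_headers(sig)
                  for sig in msg.get_all("DKIM-Signature", []))
    return {
        "mailto_and_https": has_mailto and has_https,
        "post_header": post_ok,
        "dkim_covers_headers": covered,
        "rfc8058_one_click": has_https and post_ok and covered,
    }

# Constructed sample message (signature values are placeholders, not real data).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
\th=from:subject:list-unsubscribe:list-unsubscribe-post;
\tbh=CONSTRUCTED; b=CONSTRUCTED
From: News <news@example.com>
Subject: April update
List-Unsubscribe: <mailto:unsub@example.com?subject=u123>,
 <https://example.com/unsub?id=u123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Body text with a visible unsubscribe link.
"""

if __name__ == "__main__":
    print(audit_unsubscribe(SAMPLE))
```

The audit reads headers only; it does not verify the DKIM signature cryptographically or check that the link in the body works.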
Timeline and enforcement
Here’s how things will roll out:
Now: Audit your SPF, DKIM, and DMARC records. Make sure they’re aligned and functioning properly.
May 5, 2025: Microsoft begins filtering non-compliant emails to the Junk folder.
Later (date TBD): Expect full rejections for senders who remain non-compliant.
Why do these industry requirements matter?
Gmail and Yahoo kicked it off, but we knew then that inbox standards were going to become more universally strict. And that actually benefits senders as well. If your authentication setup isn’t dialed in, your emails may never reach the inbox—even if your content is great and your audience wants to hear from you.
“You can get very philosophical about why now. I remember talking about these changes 10 years ago with a group and we said ‘no auth, no entry’, that is what we should be working towards because it makes a ton of sense being able to identify who is sending an email. It helps us assign your reputation to your identity. Email volume keeps increasing and there is a lot of noise and a lot of bad actors piggybacking on sender’s good reputations. At some point on the mailbox provider side, we just had to say okay, that’s enough.”
Marcel Becker, Sr. Director of Product Management at Yahoo
What are the differences between sender requirements across providers?
Requirement | Gmail | Microsoft (Outlook.com) |
---|---|---|
Authentication Volume Threshold | 5,000+ messages/day to Gmail. Yahoo doesn’t hold to a strict number, but it is in the ballpark of 5,000. | 5,000+ messages/day to Outlook.com, Hotmail.com, Live.com |
SPF (Sender Policy Framework) | Required | Required |
DKIM (DomainKeys Identified Mail) | Required | Required |
DMARC Policy | Required. Minimum policy: p=none. Must align with SPF or DKIM. | Required. Minimum policy: p=none. Must align with SPF or DKIM. |
One-Click Unsubscribe (RFC 8058) | Required. Bulk senders must include RFC 8058-compliant unsubscribe. | Unsubscribe link required. RFC 8058 not required. |
List Unsubscribe Header | Required. Must support List-Unsubscribe header with both mailto: and URL. | Not explicitly required. |
Spam Rate Threshold | Required. Must stay below Gmail/Yahoo's spam complaint thresholds of 0.3%. | No threshold defined; senders are required to have clean lists and enforce best practices. Non-compliant senders may experience negative action. |
TLS (Transport Layer Security) | Required. Emails must be sent over TLS. | Not mentioned in Microsoft’s latest policy updates. |
Valid HELO/EHLO | Required. Must not use a dynamic IP or malformed hostname. | Not explicitly required. |
Forward/Proxy Detection | Gmail penalizes misaligned forwarding or proxy behavior. | No explicit guidance provided. |
From: Header Alignment | Must align with DKIM/DMARC domain. | Recommended |
Inactive/Invalid User Management | Indirectly enforced through spam rate and complaint thresholds. | Recommended |
Functional Reply-To Address | Recommended | Recommended |
Transparency (Subject lines, headers) | Recommended to avoid misleading info. | Recommended to avoid misleading info. |
Timeline for Enforcement | Full enforcement began February 2024. | Enforcement begins May 5, 2025, with rejections at a later date (TBD). |
What to do next
Start with a deliverability audit: Confirm that your SPF, DKIM, and DMARC records are correctly implemented and aligned.
Clean your list: Make sure your email lists are validated so you’re not contributing to your spam complaint rate.
View Microsoft’s authentication header here.
At Mailgun, we’re here to help you navigate changes like these and keep your messages in the inbox where they belong.