Back to main menu

Deliverability

Microsoft Outlooks new sender requirements: What you need to do by May 5

Microsoft is rolling out new authentication requirements for high-volume senders starting May 5, 2025—mirroring Gmail and Yahoo’s recent crackdown on bulk email. If your messages aren’t aligned with SPF, DKIM, and DMARC, they’re headed for the spam folder—or worse.

PUBLISHED ON

PUBLISHED ON

If you thought you were finally getting a break from the sender requirement conversation after the industry shift brought by Google and Yahoo last year, not quite. Microsoft is stepping up to the plate. In its April 2, blog, Microsoft announced new requirements for high-volume senders reaching Outlook.com, Hotmail.com, and Live.com addresses.

If you’re sending more than 5,000 messages a day to Microsoft consumer domains, keep reading. These changes are about protecting recipients, cracking down on spoofing, and setting a higher bar for sender authentication.

Let’s break down what’s changing and what actions you need to take.

What are the Microsoft sender requirements?

Beginning May 5, 2025, Microsoft will start filtering—or even rejecting—messages that don’t meet their authentication standards. The good news, if you’re already compliant with the Gmail/Yahoo standards you’re set. Here's what you need to have in place:

Messages that don’t meet these requirements? They’ll be routed to the Junk folder at first, and if left unaddressed, will eventually be blocked outright.

Sinch Mailgun has introduced free DMARC reporting for all Mailgun senders on a paid plan through a new collaboration with Red Sift. This enhancement gives Mailgun users greater visibility into email authentication results.

What else should senders be doing?

Microsoft is also calling on senders to follow a few critical best practices for “quality and trust.” These guidelines support deliverability and help protect recipients.

  • Use real, reply-capable “From” or “Reply-To” addresses.

  • Include a visible, functional unsubscribe link—especially in bulk or marketing emails.

  • Keep your list clean. Regularly remove invalid contacts and monitor bounce rates.

  • Be upfront in your subject lines and headers. Deceptive content won’t help anyone.

Microsoft has made it clear: if you don’t follow these practices (Microsoft specifically called out authentication and list hygiene) and deliverability issues persist, your messages could be filtered or blocked—no formal requirement needed.

What about one-click unsubscribe (RFC 8058)?

Unlike Gmail and Yahoo, Microsoft hasn’t explicitly required support for RFC 8058 or one-click unsubscribe. That said, providing a simple opt-out experience is required with “functional unsubscribe links” that are clear and visible.

Timeline and enforcement

Here’s how things will roll out:

  • Now: Audit your SPF, DKIM, and DMARC records. Make sure they’re aligned and functioning properly.

  • May 5, 2025: Microsoft begins filtering non-compliant emails to the Junk folder.

  • Later (date TBD): Expect full rejections for senders who remain non-compliant.

Why do these industry requirements matter?

Gmail and Yahoo kicked it off, but we knew then that inbox standards were going to become more universally strict. And that actually benefits senders as well. If your authentication setup isn’t dialed in, your emails may never reach the inbox—even if your content is great and your audience wants to hear from you.

“You can get very philosophical about why now. I remember talking about these changes 10 years ago with a group and we said ‘no auth, no entry’, that is what we should be working towards because it makes a ton of sense being able to identify who is sending an email. It helps us assign your reputation to your identity. Email volume keeps increasing and there is a lot of noise and a lot of bad actors piggybacking on sender’s good reputations. At some point on the mailbox provider side, we just had to say okay, that’s enough.”

Marcel Becker, Sr. Director of Product Management at Yahoo

What are the differences between sender requirements across providers?

Requ­ire­ment

Gmai­l

Micr­osoft (Out­look.com)

Requ­ire­ment

Auth­entication Volu­me Thre­shold

5,00­0+ mess­ages/day to Gmai­l, Yaho­o does­n’t hold­ to a stri­ct numb­er but it is in the ball­park of 5000­.

5,00­0+ mess­ages/day to Outl­ook.com, Hotm­ail.com, Live­.com

Gmai­l

SPF (Sen­der Poli­cy Fram­ework)

Req­ui­red

Req­ui­red

Micr­osoft (Out­look.com)

DKIM­ (Dom­ainKeys Iden­tified Mail­)

Req­ui­red

Req­ui­red

DMAR­C Poli­cy

Requ­ired. Mini­mum poli­cy: p=none. Must­ alig­n with­ SPF or DKIM­.

Requ­ired. Mini­mum poli­cy: p=none. Must­ alig­n with­ SPF or DKIM­.

One-­Click Unsu­bscribe (RFC­ 8058­)

Requ­ired. Bulk­ send­ers must­ incl­ude RFC 8058­-compliant unsu­bscribe.

Unsu­bscribe link­ requ­ired. RFC 8058­ not requ­ired

List­ Unsu­bscribe Head­er

Requ­ired. Must­ supp­ort List-Unsubscribe head­er with­ both­ mail­to: and URL.­

Not expl­icitly requ­ired.

Spam­ Rate­ Thre­shold

Requ­ired. Must­ stay­ belo­w Gmai­l/Yahoo's spam­ comp­laint thre­sholds of 0.3%­

No thre­shold defi­ned, requ­ired to have­ clea­n list­s and enfo­rce best­ prac­tices. Non comp­liant send­ers may expe­rience nega­tive acti­on.

TLS (Tra­nsport Laye­r Secu­rity)

Requ­ired. Emai­ls must­ be sent­ over­ TLS.­

Not ment­ioned in Micr­osoft’s late­st poli­cy upda­tes.

Vali­d HELO­/EHLO

Requ­ired. Must­ not use a dyna­mic IP or malf­ormed host­name.

Not expl­icitly requ­ired.

Forw­ard/Proxy Dete­ction

Gmai­l pena­lizes misa­ligned forw­arding or prox­y beha­vior.

No expl­icit guid­ance prov­ided.

From­: Head­er Alig­nment

Must­ alig­n with­ DKIM­/DMARC doma­in.

Rec­om­me­nded

Inac­tive/Invalid User­ Mana­gement

Indi­rectly enfo­rced thro­ugh spam­ rate­ and comp­laint thre­sholds.

Rec­om­me­nded

Func­tional Repl­y-To Addr­ess

Rec­om­me­nded

Rec­om­me­nded

Tran­sparency (Sub­ject line­s, head­ers)

Reco­mmended to avoi­d misl­eading info­.

Reco­mmended to avoi­d misl­eading info­.

Time­line for Enfo­rcement

Full­ enfo­rcement bega­n Febr­uary 2024­.

Enfo­rcement begi­ns May 5, 2025­ with­ reje­ctions at a late­r TBD.­

What to do next

  • Start with a deliverability audit: Confirm that your SPF, DKIM, and DMARC records are correctly implemented and aligned.

  • Clean your list: Make sure your email lists are validated so you’re not contributing to your spam complaint rate.

View Microsoft’s authentication header here.

At Mailgun, we’re here to help you navigate changes like these and keep your messages in the inbox where they belong.

Sign Up

It's easy to get started. And it's free.

See what you can accomplish with the world’s best email delivery platform.

Related readings

How to implement DMARC – A step-by-step guide

Email spoofing is rampant across the internet. Fraudulent emails come in the form of scams, ransomware, and even stock-market manipulation. We see companies lose...

Read More

Deliverability Academy episode 1 recap: Master the basics

Deliverability is all about getting your messages to

actually reach the inbox

(and not the spam folder). It takes more than just hitting “send.” In Mailgun’s inaugural Deliverability Academy webinar Mastering the Basics, our email experts pulled back the curtain on what it takes to achieve great email deliverability...

Read More

Why DMARC matters more than ever: Email’s Not Dead season 6 ep. 1 recap

Email authentication has been a foundational part of email deliverability for years. But 2024 marked a turning point, as mailbox providers like Gmail and Yahoo began enforcing stricter requirements for bulk senders. The latest episode of

Emails Not Dead

explores what’s next for senders...

Read More

Popular posts

Email inbox.

Email

5 min

Build Laravel 11 email authentication with Mailgun and Digital Ocean

Read More

Mailgun statistics.

Product

4 min

Sending email using the Mailgun PHP API

Read More

Statistics on deliverability.

Deliverability

5 min

Here’s everything you need to know about DNS blocklists

Read More

See what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon