Outlook’s new DMARC requirements

A little over a year ago, in February 2024, Yahoo and Google unveiled new rules for bulk senders, designed to protect consumers from spam. Now Microsoft have announced an update that covers a lot of the same ground.

What does the update look like?

Read the full announcement here.

For domains sending over 5,000 emails per day, Outlook will soon require compliance with SPF, DKIM, DMARC. Non‐compliant messages will first be routed to Junk. If issues remain unresolved, they may eventually be rejected. Senders will soon start requiring compliance with the following requirements: 

1. SPF (Sender Policy Framework)

• Must Pass for the sending domain.
• Your domain’s DNS record should accurately list authorized IP addresses/hosts.

2. DKIM (DomainKeys Identified Mail)

• Must Pass to validate email integrity and authenticity.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

• At least p=none and align with either SPF or DKIM (preferably both).

Additional Email Hygiene Recommendations

Large senders should also adopt these practices to maintain quality and trust:

• Compliant P2 (Primary) Sender Addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies. 
• Functional Unsubscribe Links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail. 
• List Hygiene & Bounce Management: Remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. 
• Transparent Mailing Practices: Use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages. 

How does it affect me?

If you’re doing email marketing properly, there’s not a whole lot to worry about here. Both of SPF and DKIM have been a requirement for Spotler customers for a long time.

SPF (Sender Policy Framework)

SPF makes sure that your email server is allowed to send emails from the domain you’re using (the bit after the @ in the email address).

DKIM (DomainKeys Identified Mail)

DKIM operates at the recipient’s end, acting like a signature to prove that your email comes from who it looks like it comes from.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

The newest of the 3, but it’s still been around for over a decade.

DMARC acts as an umbrella, checking that SPF and DKIM match the From Address, providing a policy for what email clients should do with any messages that fail the test (Reject, Quarantine, or Nothing), and delivering reports on what it’s seeing.

We’ve recommended having DMARC in place to all our customers for a number of years now.

Compliant P2 (Primary) Sender Addresses

There’s no better time than now to get rid of “noreply” addresses, or worse non-existing From addresses. Receiving email from “NOREPLY@[sender]” has never been great; it feels like you’re being shouted at, rather than being engaged in an open conversation.

The non-technical bits

Removing invalid addresses on a regular basis has been a good idea since the very first mass email was sent. Bounced recipients won’t be opening or clicking, so getting rid of them will make your overall results healthier immediately!

“Make sure your recipients have consented to receive your messages”; GDPR/PECR ringing any bells?!

“Use accurate subject lines, avoid deceptive headers”; Sneaky tricks like this might make your open rate look healthy, but you bait your audience into opening or clicking on content that’s not what they’re expecting, expect to lose a whole lot of trust!

I don’t know if my audience even uses Outlook…

The good news is it’s easy to check!

Under the “Opens” tab in a Spotler Mail+ Mailing Report, you will see “Top 10 Opens per email client”. One of our recent campaigns looked like this:

For this particular audience, Outlook accounts for 49.5% of the Opens across all versions. Microsoft have been clear that Outlook.com is included in this update, so Hotmail.com and live.com are also affected.

Please note that your audience will be different, so it’s important to understand the nuance for how much this update will affect you.

I found no Outlook users in my audience, can I just ignore this?

Even if there are no Outlook users in your audience, Outlook is now the third email client to implement these rules (after Yahoo & Google), so we can expect the rest of the email world to take a very similar approach, probably sooner than later.

Conclusion

Follow our 3-step plan to keep on top of this update:

1. Don’t Panic!
2. Look at how much of your audience open your emails in Outlook
3. Get your DMARC set up

If you take a sensible look at these guidelines, they represent an upgraded set of protections for legitimate senders against bad actors who might try to hijack domains to cause trouble.

If you’re looking for an email platform that has these guidelines built in and makes it easy for you to follow best practices around good subject lines and content, Spotler Mail+ is just what you need.