Microsoft OLC will soon respect DMARC policy

Microsoft OLC, aka "Microsoft Outlook Consumer," aka what used to be called Hotmail, now called (which includes the domains,,,, and all the other Microsoft domains I've listed here), will soon respect DMARC policy on inbound mail, declining to accept unauthenticated mail from domains with a DMARC policy of "reject." Yahoo and Gmail already reject this type of failed mail today.

Current state: If an email message sent to Microsoft OLC domains failed DMARC and the DMARC domain had a policy of "reject," Microsoft would not actually reject that email message. It would end up in the junk mail folder instead. (Even though the specification strongly suggests that this mail should be rejected.)

Why this is sub-optimal: It overrode a domain owner's publicly stated desire (via that DMARC record in DNS) to reject mail that failed DMARC checks. This meant that more bad mail was likely to get into view of subscribers, who could fall prey to phishing, malware, spam, etc.

What's changing: Very soon, Microsoft will start rejecting mail, if it fails DMARC, and if the DMARC domain has a "reject" policy set. Thus, this mail will no longer get through to any folder in the recipient's Microsoft-hosted mailbox.

The announcement: Posted to the Mailop mailing list by a representative of Microsoft. They wrote: "Microsoft is proud to announce our Consumer email service (Outlook/Hotmail/MSN/Live) will now honor the DMARC record of “p=reject” by rejecting the message if the domain fails DMARC. Previously, messages that failed DMARC were sent to the junk folder (Quarantine). Over the next 30 days these DMARC-failing messages will be rejected."

How does this affect Microsoft Office 365, the corporate email hosting service run by Microsoft? No changes have been announced there. I believe this means that whether or not DMARC-failing mail is rejected is an admin setting in a domain's corporate email configuration.

How does this affect a sender's deliverability? If you have DMARC configured, and all of your mail authenticates properly with DKIM and SPF, this should have effectively no negative impact on your deliverability. However, if you've implemented a restrictive DMARC policy of reject, and the mail you're sending does not fully authenticate, you'll start to see emails bounce when sending to Microsoft domains, where that mail was not being rejected previously. Those bounces could actually be a useful alert that warns you of an authentication misconfiguration. Also, this change brings a potentially positive, though modest, indirect impact on deliverability in that bad guys will now lose the ability to spoof your domain when sending mail to Microsoft recipients.
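
How a receiver arrives at the outcomes described above, as an added example (not code from Microsoft or from this post): it checks whether SPF or DKIM passes for a domain aligned with the From domain, then applies the published policy, with `honor_reject=False` modelling the earlier junk-folder behavior. The domains, the sample record and the two-label organizational-domain shortcut are assumptions for illustration, and the `pct` and `sp` tags are ignored.

```python
# Added example: simplified receiver-side DMARC disposition (not Microsoft's code).
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # constructed sample

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List; this shortcut is wrong for e.g. example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def disposition(from_dom, record, spf, dkim, honor_reject=True):
    """spf and dkim are (result, authenticated_domain) tuples."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "accept"  # no DMARC policy; other filtering still applies
    spf_ok = spf[0] == "pass" and aligned(from_dom, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_dom, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "accept"  # DMARC passes when either mechanism passes and aligns
    policy = tags["p"].lower()
    if policy == "reject":
        # honor_reject=False models the earlier behavior: junk instead of reject
        return "reject" if honor_reject else "junk"
    return "junk" if policy == "quarantine" else "accept"

if __name__ == "__main__":
    cases = {  # constructed messages, all with From: example.com
        "spoofed, no aligned auth": (("pass", "bulk-sender.test"), ("none", "")),
        "ESP, DKIM d=mail.example.com": (("pass", "esp-bounce.test"), ("pass", "mail.example.com")),
        "ESP, DKIM signed as esp.test": (("pass", "esp-bounce.test"), ("pass", "esp.test")),
    }
    for name, (spf, dkim) in cases.items():
        old = disposition("example.com", RECORD, spf, dkim, honor_reject=False)
        new = disposition("example.com", RECORD, spf, dkim)
        print(f"{name}: before={old} after={new}")
```

The third case is the misconfiguration to look for in your own mail: both checks pass, but neither for a domain aligned with the From address, so the message fails DMARC.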

[ H/T: EmailKarma & Mailop ]
