Microsoft Joins the Club: Top four B2C MBPs now require email auth


Deliverability is ever-evolving.

Another day, another major mailbox provider raising the bar for bulk email senders. This time it's Microsoft tightening things up for their Outlook.com consumer mailboxes (outlook.com, hotmail.com, and live.com), effectively aligning their policies closely with what Gmail and Yahoo Mail have already rolled out. And even Apple's iCloud Mail is in on the action now, too.

Here's what you need to know.

Microsoft's New Requirements for High-Volume Senders

Starting May 5, 2025, Microsoft will begin enforcing new sender requirements for domains sending more than 5,000 messages per day to Outlook.com recipients. The goal? Make inboxes safer, reduce spoofing and phishing, and make it clear to senders when email is non-compliant.

The main bullet points from Microsoft's announcement are as follows:
  • SPF: Your messages must pass SPF email authentication checks.
  • DKIM: Sign your messages with DomainKeys Identified Mail (DKIM) authentication.
  • DMARC: Publish a DMARC record (with a policy minimum of p=none).
  • Messages must have alignment (meaning that one or both of the SPF or DKIM authentication domains must match the from domain).
  • Messages that don't meet these standards will start landing in the junk folder—and Microsoft hints that outright rejection could be next. April 29 Update: Microsoft has updated their guidance to say that they'll start rejecting non-compliant bulk mail on May 5!
And there's more! In addition to email authentication-related requirements, Microsoft is also mandating:
  • Compliant Sender Addresses: From and/or reply-to addresses must be "valid."
  • Functional Unsubscribe Links: They don't call out one-click unsub, but they do say that unsubscribing must be easy and clearly visible.
  • Transparent Mailing Practices, List Hygiene and Bounce Management: Consent is mandated, deception is prohibited. Subject lines should be accurate and senders should process (and suppress) bouncing addresses.
Read Microsoft's full announcement here.
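
The alignment bullet above is the one that most often trips up senders who already "pass" SPF and DKIM. The following is an added example, not code from Microsoft or from this post: it reads the Authentication-Results header of a constructed message and checks whether a passing SPF or DKIM domain aligns with the From domain. The sample domains and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but only for the ESP's own domain.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces.esp-shared.example.org;
 dkim=pass header.d=esp-shared.example.org;
 dmarc=fail header.from=example.com
From: Example Brand <news@example.com>
Subject: constructed test message

body
"""

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed accepts the same org domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check_alignment(raw, strict=False):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[1].lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    report = {"from": from_domain, "spf_aligned": False, "dkim_aligned": False}
    # Each result looks like "spf=pass smtp.mailfrom=<domain>" or
    # "dkim=pass header.d=<domain>"; a message may carry several DKIM results.
    pattern = r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)"
    for method, verdict, dom in re.findall(pattern, results):
        dom = dom.rsplit("@", 1)[-1]  # smtp.mailfrom may be a full address
        if verdict == "pass" and aligned(dom, from_domain, strict):
            report[method + "_aligned"] = True
    # The requirement: at least one passing mechanism must align with From.
    report["compliant"] = report["spf_aligned"] or report["dkim_aligned"]
    return report

if __name__ == "__main__":
    print(check_alignment(SAMPLE))
```

Run it only against Authentication-Results headers stamped by your own receiving server (for example, on seed-list mailboxes you control), since the header is only as trustworthy as whoever added it.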


Mailbox Providers Making it a Party

Google and Yahoo already made similar moves, announced in 2023 and enforced starting in 2024. If you're following best practices, you should already be compliant with their new standards. To recap:

Gmail bulk sender requirements (announcement here, more details here):
  • Email authentication: Must implement SPF, DKIM, and DMARC.
  • Required one-click unsubscribe.
  • Low spam complaint rates required.
Yahoo Mail sender requirements and recommendations (announcement here, more details here):
  • Email authentication: Must implement SPF, DKIM, and DMARC, with alignment and reporting.
  • Easy unsubscribes, and list-unsub support strongly recommended.
  • Good list hygiene.

Apple iCloud Mail, too!

Let's not forget our friends in Cupertino. They also publish sender guidelines that mirror the trend. If you're sending to iCloud users (at the domains icloud.com, me.com and mac.com – and if you're in B2C, you definitely are), here's what Apple expects from bulk senders:
  • Only send to explicit opt-in subscribers—no purchased lists allowed. (No surprise there.)
  • Include an immediate unsubscribe link in every email.
  • Implement SPF, DKIM, and DMARC. Email authentication for the win!
  • Use consistent "From" headers to represent your brand.
  • Have fully working forward/reverse DNS records.
  • Keep your list clean and remove inactive subscribers regularly.
  • Monitor and respond to SMTP errors.
Find Apple's official iCloud Mail guidelines here.

Bulk, B2C versus B2B, other FAQs

Both Microsoft and Google indicate that these requirements apply to "bulk senders," defined as those sending 5,000 or more email messages to their servers daily. I would suggest that all senders should comply: you don't always know how much email you send in toto (remember that this includes 1:1 mail, too, not just bulk or list mail), and if your company or brand is enjoying success, email volume is going to grow. You don't want to hit a ceiling unexpectedly and see a negative impact caused by not implementing these best practice requirements ahead of time.

Both Microsoft and Google host many millions of mailboxes for business and enterprise customers (they're the top two hosts of mailboxes measured by number of domains in my top ten million data), so it makes sense to ask: Do these requirements apply to non-consumer mailboxes as well?

Today, Microsoft is making it clear that these requirements apply explicitly to consumer mailboxes, not corporate and enterprise mailboxes. Google has said the same thing; their requirements apply to sends to Gmail, not to business domains hosted by Google Workspace.

BUT, what good senders should be doing is complying across the board here, for two important reasons. First, because these practices help to minimize looking like a spammer. (Meaning this helps deliverability implicitly, even if these aren't called out as requirements in B2B-land.) Second, I rather suspect that these mailbox providers are taking a careful and graduated approach with regard to expanding requirements. Meaning they're starting with consumer mailboxes now, but I think there is a good chance that they are eyeing business and corporate mailboxes at some point for future inclusion.

Got more questions? Microsoft included a FAQ section in their announcement, and Google's got a FAQ here.

TL;DR: The Big Four Are United

Microsoft, Google, Yahoo, and Apple are now all just about on the same page, with very similar requirements, including:
  • Authenticate your mail with SPF, DKIM, and DMARC,
  • Make it easy to unsubscribe,
  • Keep spam complaint rates low,
  • Don't send to people who didn't ask for it,
  • And monitor your sending practices like a pro.
If you're sending high volumes of email, now is the time to audit your authentication setup and make sure you're following these best practices—because these requirements are no longer optional.
