- Microsoft requires all senders sending 5,000+ emails per day to Outlook.com, Hotmail.com, and Live.com to pass SPF, DKIM, and DMARC authentication.
- Non-compliant messages are now rejected with SMTP error "550; 5.7.515 Access denied, sending domain does not meet the required authentication level."
- Beyond authentication, Microsoft recommends functional unsubscribe links, valid From/Reply-To addresses, list hygiene, bounce management, and transparent mailing practices.
- These requirements mirror what Google and Yahoo enacted in 2024, creating a unified authentication baseline across all three major consumer mailbox providers.
- If you are already compliant with Google and Yahoo's bulk sender rules, you are likely compliant with Microsoft's requirements. If not, fix authentication first, then address hygiene and engagement.
Microsoft stepped into the bulk sender enforcement arena in 2025, joining Google and Yahoo in requiring strict email authentication for high-volume senders. Starting May 5, 2025, senders who deliver 5,000 or more emails per day to Microsoft's consumer email domains must have valid SPF, DKIM, and DMARC records in place. Messages that fail these checks are now rejected outright.
This guide covers exactly what Microsoft requires, how enforcement works, what you need to configure, and how to verify your compliance.
Who Is Affected?
The requirements apply to any sending domain that transmits 5,000 or more emails per day to addresses on Microsoft's consumer email services. The affected domains include:
- outlook.com
- hotmail.com
- live.com
- msn.com
These requirements do not currently apply to email sent to Microsoft 365 business or enterprise accounts (Exchange Online). However, Microsoft has signaled that similar standards may extend to business domains in the future, and enterprise Microsoft 365 administrators already have the ability to enforce strict authentication policies on their tenants independently.
Tip: Even if you send fewer than 5,000 emails per day, Microsoft strongly recommends implementing SPF, DKIM, and DMARC for all senders. These protocols protect your domain from spoofing and improve deliverability regardless of volume. The 5,000 threshold is where enforcement begins, not where best practice starts.
Authentication Requirements
Microsoft's three mandatory authentication requirements are the same protocols that Google and Yahoo began enforcing in early 2024. Here is what each requires for compliance:
SPF (Sender Policy Framework)
Your sending domain must have a valid SPF record published in DNS that accurately lists all IP addresses and hosts authorized to send email on your behalf. The SPF check must pass for your sending domain, meaning the mail server's IP must be included in the SPF record for the domain used in the envelope sender (Return-Path).
Use our SPF checker to verify your record. Common issues that cause SPF failures include missing third-party sender IPs (your ESP, CRM, marketing automation platform), exceeding the 10 DNS lookup limit, and stale records that reference decommissioned infrastructure.
DKIM (DomainKeys Identified Mail)
DKIM must be configured and passing for your sending domain. This means your outbound emails must carry a valid DKIM signature that can be verified by the recipient's mail server using the public key published in your DNS.
Most ESPs handle DKIM signing automatically once you complete their domain authentication setup, which typically involves adding one or more CNAME or TXT records to your DNS. Verify your configuration with our DKIM checker.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
A valid DMARC record must be published for your sending domain with a minimum policy of p=none. The DMARC record must align with either SPF or DKIM (preferably both), meaning the domain used in the visible "From" header must match the domain that passes SPF or DKIM checks.
A minimal compliant DMARC record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.comWhile p=none is the minimum for compliance, Microsoft and all major mailbox providers recommend moving toward p=quarantine or p=reject for stronger protection. Our DMARC checker and DMARC generator can help you verify your existing record or create a new one.
If you have not implemented DMARC yet, start with p=none and a reporting address to collect aggregate reports. Analyze those reports for 2-4 weeks to identify all legitimate sending sources before advancing to p=quarantine or p=reject. Our guide on reading DMARC reports walks through the analysis process.
Enforcement Timeline
Microsoft rolled out enforcement in phases:
| Date | Action |
|---|---|
| April 2, 2025 | Requirements announced via the Microsoft Defender for Office 365 blog |
| May 5, 2025 | Enforcement begins. Non-compliant messages from high-volume senders are rejected with SMTP 550 errors |
| Future (date TBD) | Microsoft has indicated that enforcement may extend to lower-volume senders and additional requirements may be added |
The rejection message for non-compliant senders is:
550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level.This is a permanent failure (hard bounce), meaning the recipient's server will not retry delivery. If you are seeing this error in your bounce logs, your domain is failing one or more of the authentication requirements above.
Additional Best Practices Microsoft Recommends
Beyond the three mandatory authentication protocols, Microsoft's announcement includes several strongly recommended practices. While these are not yet enforced through automated rejection, Microsoft explicitly states that it reserves the right to filter or block senders who do not follow them, especially for "critical breaches of authentication or hygiene."
Valid, Compliant Sender Addresses
Your "From" and "Reply-To" addresses must be valid, reflect the true sending domain, and be capable of receiving replies. While using a "noreply@" address is technically permitted, Microsoft recommends that the domain behind it is fully authenticated and that the address resolves to a real mailbox. Senders that use unresolvable or deceptive From addresses risk additional filtering.
Functional Unsubscribe Links
Marketing and bulk email must include a clearly visible, easy-to-use unsubscribe mechanism. This aligns with the one-click unsubscribe requirement that Google and Yahoo enforced in 2024 via the List-Unsubscribe header.
Microsoft specifically calls out that unsubscribe links must be functional, not buried in small text, and that opt-out requests must be honored promptly. For implementation details, see our guide on List-Unsubscribe and one-click unsubscribe.
List Hygiene and Bounce Management
Senders must remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. Microsoft monitors bounce rates and complaint rates as signals of list quality. High bounce rates suggest that a sender is emailing stale or unverified addresses, which correlates strongly with spam trap hits and poor deliverability outcomes.
Best practices include removing hard bounces immediately after they occur, monitoring soft bounces and removing addresses that persistently fail, running periodic email verification on your list, and implementing a sunset policy for unengaged subscribers.
Transparent Mailing Practices
Use accurate subject lines that reflect the content of your email. Do not use deceptive headers. Ensure that all recipients have provided consent to receive your messages. These requirements echo the principles of CAN-SPAM and GDPR compliance, and Microsoft expects senders to follow them regardless of geographic jurisdiction.
How to Verify Your Compliance
Before assuming you are compliant, actively verify each requirement. Here is a checklist:
- Check SPF: Use our SPF checker to verify your record is valid, includes all authorized senders, and stays within the 10-lookup limit.
- Check DKIM: Use our DKIM checker to confirm that your DKIM signatures are being applied correctly and that the public key in DNS is accessible.
- Check DMARC: Use our DMARC checker to verify that your DMARC record exists, has at least
p=none, and shows proper alignment with SPF or DKIM. - Review bounce logs: Search your bounce logs for the error string "5.7.515" to identify any messages that have already been rejected by Microsoft due to non-compliance.
- Send test emails: Send test messages to Outlook.com and Hotmail.com addresses and inspect the full headers to confirm that SPF, DKIM, and DMARC are all passing with alignment.
- Monitor DMARC reports: If you have a
ruaaddress configured, review your DMARC aggregate reports for any sources failing authentication. These reports reveal third-party senders using your domain without proper setup.
Common Mistake: Assuming compliance because SPF and DKIM pass individually. DMARC requires alignment, meaning the domain in your visible "From" header must match the domain that passes SPF (envelope sender) or DKIM (d= domain). If your ESP signs with their own domain rather than yours, DMARC alignment will fail even though DKIM technically passes. Verify alignment specifically.
What About Third-Party Senders and ESPs?
If you use one or more third-party services to send email on your behalf (marketing automation platforms, CRM systems, transactional email providers), each one must be properly authenticated under your domain. This means:
- Each ESP's sending IPs or include mechanism must be listed in your SPF record.
- Each ESP must sign emails with DKIM using your domain (not theirs).
- Your DMARC record must be published and receiving reports so you can identify any source that is sending on your behalf without proper alignment.
Most major ESPs provide documentation on how to set up custom domain authentication. If you are using multiple sending services, SPF can become complex quickly. Review our guide on fixing SPF lookup limits if you are approaching or exceeding the 10-lookup ceiling.
How Outlook Requirements Compare to Gmail and Yahoo
Microsoft's requirements closely mirror what Google and Yahoo began enforcing in February 2024. Here is a comparison:
| Requirement | Google (Gmail) | Yahoo | Microsoft (Outlook) |
|---|---|---|---|
| SPF required | Yes | Yes | Yes |
| DKIM required | Yes | Yes | Yes |
| DMARC required | Yes (p=none minimum) | Yes (p=none minimum) | Yes (p=none minimum) |
| Volume threshold | 5,000 emails/day to Gmail | Not publicly specified | 5,000 emails/day to Outlook domains |
| Complaint rate threshold | Below 0.3% | Below 0.3% | Not specified, but monitored |
| One-click unsubscribe | Required (RFC 8058) | Required | Recommended (not yet mandatory) |
| Valid From address | Required | Required | Required |
| PTR record (rDNS) | Required | Recommended | Recommended |
| Enforcement action | Temp failures, then rejection | Filtering, then rejection | Direct rejection (550 5.7.515) |
If your email program is already compliant with Google and Yahoo's 2024 bulk sender requirements, you are almost certainly compliant with Microsoft's 2025 requirements. The core authentication mandates (SPF, DKIM, DMARC) are identical. The main differences are in enforcement style (Microsoft rejects immediately rather than gradually filtering) and in the additional recommendations around sender addresses and list hygiene.
What to Do If You Are Not Yet Compliant
If you are currently seeing "5.7.515" bounce codes from Microsoft, or if you have not yet implemented all three authentication protocols, follow this priority order:
- Publish a DMARC record immediately. Even a minimal
v=DMARC1; p=none; rua=mailto:reports@yourdomain.comrecord satisfies the requirement and starts generating reports. - Verify SPF is passing. Check that your SPF record includes all legitimate sending sources and is syntactically valid. Fix any lookup limit issues.
- Verify DKIM is passing and aligned. Ensure your ESP is signing with your domain and that the DNS public key records are correct.
- Test with real messages. Send to Outlook.com addresses and verify authentication results in the headers. Look for
spf=pass,dkim=pass, anddmarc=pass. - Address list hygiene. Remove addresses that have bounced, suppress complaints, and verify any segments you have not mailed recently before resuming sends to Microsoft domains.
For a complete walkthrough of the authentication setup process, see our email authentication guide.
Frequently Asked Questions
No. The current requirements apply only to Microsoft's consumer email domains: Outlook.com, Hotmail.com, Live.com, and MSN.com. Enterprise and business accounts on Microsoft 365 or Exchange Online are not yet subject to these rules, though similar enforcement is expected in the future.
This error means your sending domain does not meet Microsoft's required authentication level. It is a permanent rejection indicating that SPF, DKIM, or DMARC is failing or not configured for your domain. Check your DNS records and authentication setup to resolve the issue.
Yes, p=none meets the minimum requirement. However, Microsoft and all major mailbox providers strongly recommend advancing to p=quarantine or p=reject for meaningful protection against spoofing. A p=none policy only monitors; it does not instruct receiving servers to take action on failed authentication.
The automated enforcement (rejection) currently targets senders above the 5,000/day threshold. However, Microsoft recommends that all senders implement SPF, DKIM, and DMARC regardless of volume. Doing so protects your domain from spoofing and improves deliverability across all mailbox providers, not just Microsoft.
Very likely yes. The core requirements (SPF, DKIM, DMARC with at least p=none) are identical across all three providers. If you set up authentication for the Google/Yahoo changes in 2024, the same configuration satisfies Microsoft's 2025 requirements. Verify by sending a test to an Outlook.com address and checking the authentication results in the headers.