Authenticate Outbound Email to Improve Deliverability
Published Oct 06 2023 09:45 AM

Email authentication is crucial for sending email. It helps protect recipients from malicious messages, such as spoofing and phishing. By setting up email authentication for your domain, you make it less likely that your messages are rejected or marked as spam by email providers like Gmail, Yahoo, AOL, and Outlook.com. This is especially important when sending bulk email (large volume email), as it helps maintain the deliverability and reputation of your email campaigns. Please note that using Microsoft 365 to send bulk (mass) email is not a supported use of the service (more details below).

What changed?

Microsoft 365 email senders may encounter new difficulties delivering email to popular email service providers. For example, Google has implemented stricter security requirements to authenticate incoming email messages, particularly those sent in large volumes, as announced in the Google blog post "Gmail introduces new requirements to fight spam". Gmail is configured to reject messages that don't meet email authentication standards. Yahoo has also started enforcing similar sending standards and requirements, as described in Sender Best Practices | Sender Hub (yahooinc.com). These issues usually manifest as Non-Delivery Reports (NDRs) such as:

Authentication:
550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for [contoso.com] did not pass with ip: [IPAddress].

 

Deferral from Yahoo:
Remote server returned '550 5.4.300 Message expired -> 451 [RL01] Message temporarily deferred'

 

Spam:
421-4.7.28 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.


IPv6 Spam:
550 5.7.350 Remote server returned message detected as spam -> 550 5.7.1 [IPv6Address]

Why is email authentication important?

Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain. You can improve your email deliverability by authenticating the email you send with SPF, DKIM and DMARC. These Domain Name System (DNS) email authentication records verify that you are the legitimate sender of your email and help prevent spoofing and phishing attacks.

Email authentication is important for sending email because it:

  • Protects recipients from malicious messages
  • Reduces the chances of your emails being rejected or marked as spam
  • Establishes trust with email providers and recipients
  • Improves the deliverability and reputation of your email campaigns

We strongly recommend all our customers use these mechanisms to increase the chance of email being accepted by external recipients.

Recipient email service provider requirements

If an email that your organization sends does not meet email authentication standards for your recipient email service provider, or if it is seen as unsolicited bulk email, it may be rejected or marked as spam. The non-delivery reports (NDRs) from each provider include details and best practices on how to deliver email to them. Microsoft 365 is not to be used for bulk email relay, but in case the receiving email providers perceive your email as such, refer to their respective documentation.

Microsoft, including Customer Service and Support (CSS), cannot fix deliverability issues where a third-party provider rejects your message. Tenant administrators need to make changes to improve their tenant sender reputation. For our recommendations on how to improve your sender reputation, read on.

Microsoft 365 considerations for sending email

EOP has strict outbound spam controls that can block or segregate your email to a special high-risk delivery pool if it exceeds sending limits. Using Microsoft 365 to send bulk (mass) email is not a supported use of the service.

Use the following resources outside of EOP to send bulk email:

  • Use Azure Communication Services (ACS) Email: It facilitates high volume transactional, bulk and marketing emails.
  • Send bulk email through on-premises email servers: Customers maintain their own email infrastructure for mass mailings.
  • Use a third-party bulk email provider: There are several third-party bulk email solution providers that you can use to send mass mailings. These companies have a vested interest in working with customers to ensure good email sending practices.

The Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) publishes its membership roster at https://www.maawg.org/about/roster. Several bulk email providers are on the list and are known to be responsible internet citizens.

For customers who choose to send bulk email using EOP*, follow these Outbound spam protection recommendations:

  • Don't send a large rate or volume of email that causes you to run afoul of the sending limits in the service. This recommendation also includes not sending email to a large list of Bcc recipients.
  • Avoid using addresses in your primary email domain (for example, contoso.com) as senders for bulk email. Doing so can affect the delivery of regular email from senders in the domain. Consider using a custom subdomain exclusively for bulk email. For example, use m.contoso.com for marketing email and t.contoso.com for transactional email.
  • Configure any custom subdomains with email authentication records in DNS (SPF, DKIM, and DMARC).

Following these recommendations does not guarantee delivery. If your email is rejected as bulk, send it through on-premises or a third-party provider instead.
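A check of the SPF and DMARC records on dedicated bulk subdomains, as an added example that is not Microsoft's code. The zone contents, the `include:` target and the reporting address are constructed sample values, and DKIM is left out because selector names are deployment-specific.

```python
import re

# Constructed snapshot of TXT records; domains follow the article's contoso.com examples.
ZONE = {
    "m.contoso.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.m.contoso.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"],
    "t.contoso.com": ["v=spf1 include:spf.protection.outlook.com +all"],  # deliberately weak
    "_dmarc.contoso.com": ["v=DMARC1; p=none; sp=quarantine"],
}
# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """Mechanism or modifier name without qualifier or argument: '-include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"))[0].lower()

def lint_spf(zone, domain):
    spf = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero records, or several (which receivers treat as an error)
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    issues = []
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        issues.append("more than 10 DNS-lookup terms (permerror)")
    if "redirect" not in names and (not terms or terms[-1].lower() not in ("-all", "~all")):
        issues.append("record does not end in -all or ~all")
    return issues

def dmarc_policy(zone, domain, org_domain):
    """Policy applied to `domain`: its own p=, else the organizational domain's sp= or p=."""
    for name, wanted in ((domain, ("p",)), (org_domain, ("sp", "p"))):
        for txt in zone.get("_dmarc." + name, []):
            pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
            tags = {k.strip().lower(): v.strip() for k, v in pairs}
            if tags.get("v") == "DMARC1":
                for tag in wanted:
                    if tag in tags:
                        return tags[tag].lower()
    return None

def lint(zone, domain, org_domain):
    issues = lint_spf(zone, domain)
    if dmarc_policy(zone, domain, org_domain) is None:
        issues.append("no DMARC policy found")
    return issues

if __name__ == "__main__":
    for sub in ("m.contoso.com", "t.contoso.com"):
        print(sub, dmarc_policy(ZONE, sub, "contoso.com"), lint(ZONE, sub, "contoso.com"))
```

In the sample zone, t.contoso.com has no DMARC record of its own, so it inherits the parent's `sp=` value rather than the parent's `p=`.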

Microsoft DMARC validation for receiving email

As a reminder, our enterprise customers can now choose how to handle inbound emails that fail DMARC validation and choose different actions based on the policy set by the domain owner, such as p=reject or p=quarantine.

For our consumer service (Outlook.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
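How a receiver reaches a DMARC verdict before applying the sender's policy, as an added example that is not Microsoft's or any provider's code. It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List), and the messages and the bulkprovider.example domain are constructed.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: real receivers use the Public Suffix List (needed for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    """Strict alignment needs an exact match; relaxed only the same organizational domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, spf, dkim, policy, aspf="r", adkim="r"):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns "pass", or the policy the domain owner asked receivers to apply."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf == "s")
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim == "s")
                  for res, d in dkim)
    # One aligned pass is enough; a pass for an unrelated domain does not count.
    return "pass" if spf_ok or dkim_ok else policy

# Constructed messages, all with From: ...@m.contoso.com and a published p=reject.
SAMPLES = {
    "sent by provider, nothing aligned": dict(
        spf=("pass", "bulkprovider.example"), dkim=[("pass", "bulkprovider.example")]),
    "forwarded, SPF broken, DKIM d=contoso.com": dict(
        spf=("fail", "m.contoso.com"), dkim=[("pass", "contoso.com")]),
    "unauthenticated spoof": dict(spf=("fail", "m.contoso.com"), dkim=[]),
}

def evaluate_samples(adkim="r"):
    return {name: dmarc_verdict("m.contoso.com", policy="reject", adkim=adkim, **msg)
            for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:8} {name}")
```

The first sample shows why mail sent through a third-party provider still fails DMARC when SPF and DKIM pass only for the provider's own domain.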

Microsoft Defender for Office 365 team

Last update: Jan 12 2024 01:45 PM