Email authentication is crucial for sending email. It helps protect recipients from malicious messages, such as spoofing and phishing. By setting up email authentication for your domain, you make your messages less likely to be rejected or marked as spam by email providers like Gmail, Yahoo, AOL and Outlook.com. This is especially important when sending bulk (large volume) email, as it helps maintain the deliverability and reputation of your email campaigns. Please note that using Microsoft 365 to send bulk (mass) email is not a supported use of the service (more details below).
What changed?
Microsoft 365 email senders may encounter new difficulties in delivering email to popular email service providers. For example, Google has implemented stricter requirements for authenticating incoming email messages, particularly those sent in large volumes, as announced on the Google blog, Gmail introduces new requirements to fight spam; Gmail is configured to reject messages that don't meet email authentication standards. Yahoo has also started enforcing similar sending standards and requirements, as described in Sender Best Practices | Sender Hub (yahooinc.com). These issues usually manifest as non-delivery reports (NDRs) such as:
Authentication:
550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for [contoso.com] did not pass with ip: [IPAddress].
Deferral from Yahoo:
Remote server returned '550 5.4.300 Message expired -> 451 [RL01] Message temporarily deferred'
Spam:
421-4.7.28 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.
IPv6 Spam:
550 5.7.350 Remote server returned message detected as spam -> 550 5.7.1 [IPv6Address]
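When a tenant starts receiving NDRs like the ones above, the first job is usually to sort them by cause (authentication failure, rate limiting, remote spam verdict, deferral) rather than read them one by one. The following script is an added example, not part of the original post: it classifies NDR diagnostic text by the RFC 3463 enhanced status codes and bracketed values the providers include. The sample lines are constructed from the NDRs quoted above, with documentation IP addresses substituted for the placeholders; the category names and suggested next steps are this example's own.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Enhanced status codes (RFC 3463 "class.subject.detail") anywhere in the NDR text
ENHANCED_CODE = re.compile(r"\b([245])\.(\d{1,3})\.(\d{1,3})\b")
# Values the providers wrap in square brackets: sender domain, IP address, Yahoo's [RL01]
BRACKET_VALUE = re.compile(r"\[([^\]\s]+)\]")

# Constructed sample lines modelled on the NDRs quoted above; the IP addresses
# are documentation ranges, not real senders.
SAMPLE_NDRS = [
    "550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender "
    "and Gmail users and has been blocked. The sender must authenticate with at least one "
    "of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for "
    "[contoso.com] did not pass with ip: [203.0.113.10].",
    "Remote server returned '550 5.4.300 Message expired -> 451 [RL01] Message temporarily deferred'",
    "421-4.7.28 Our system has detected an unusual rate of unsolicited mail originating from "
    "your IP address. To protect our users from spam, mail sent from your IP address has been "
    "temporarily rate limited.",
    "550 5.7.350 Remote server returned message detected as spam -> 550 5.7.1 [2001:db8::1]",
]


@dataclass
class NdrVerdict:
    category: str
    codes: list[str]
    remote_ip: Optional[str]
    sender_domain: Optional[str]
    next_step: str


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_ndr(text: str) -> NdrVerdict:
    """Map one NDR diagnostic string to a triage category plus the identifiers in it."""
    codes = [".".join(m.groups()) for m in ENHANCED_CODE.finditer(text)]
    bracketed = BRACKET_VALUE.findall(text)
    ip = next((v for v in bracketed if _is_ip(v)), None)
    domain = next((v for v in bracketed if "." in v and not _is_ip(v)), None)

    if "5.7.26" in codes:            # Gmail: neither SPF nor DKIM passed for the sender
        category = "authentication"
        step = "Publish SPF and DKIM for the sending domain; both must pass for bulk mail to Gmail"
    elif "4.7.28" in codes:          # Gmail: source IP rate limited as unsolicited
        category = "rate_limited"
        step = "Reduce the sending rate from this source and check the IP in Postmaster Tools"
    elif "5.7.350" in codes:         # EOP relayed a remote spam verdict (here for an IPv6 source)
        category = "remote_spam_verdict"
        step = "Remote provider judged the content spam; review content and sender reputation"
    elif "[RL01]" in text or "temporarily deferred" in text.lower():
        category = "deferred"        # Yahoo throttled; 5.4.300 means EOP stopped retrying
        step = "Receiver is throttling the source; lower volume and warm the domain up gradually"
    else:
        category = "unknown"
        step = "Read the remote provider's sender guidelines for this code"

    return NdrVerdict(category, codes, ip, domain, step)


def triage(ndr_lines: list[str]) -> Counter:
    """Count NDRs per category, e.g. to spot a tenant-wide authentication problem."""
    return Counter(classify_ndr(line).category for line in ndr_lines)


if __name__ == "__main__":
    for line in SAMPLE_NDRS:
        v = classify_ndr(line)
        print(f"{v.category:20} codes={v.codes} ip={v.remote_ip} domain={v.sender_domain}")
        print(f"  -> {v.next_step}")
    print(triage(SAMPLE_NDRS))
```

Feed it the diagnostic text from a message trace or the NDRs themselves; a large count in the authentication bucket points at DNS records, while rate limiting and deferrals point at volume and reputation, which no DNS change will fix.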
Why is email authentication important?
Email authentication lets a receiving mail system verify that a message from a sender (for example, laura@contoso.com) is legitimate and comes from a source the owner of that email domain has authorized. You can improve your email deliverability by authenticating the email you send with SPF, DKIM and DMARC. These Domain Name System (DNS) records let receivers confirm that you are the legitimate sender of your email and help prevent spoofing and phishing attacks.
Email authentication is important for sending email because it:
- Protects recipients from malicious messages
- Reduces the chances of your emails being rejected or marked as spam
- Establishes trust with email providers and recipients
- Improves the deliverability and reputation of your email campaigns
We strongly recommend all our customers use these mechanisms to increase the chance of email being accepted by external recipients.
- Learn more about SPF and how to set it up to authenticate email you send from Microsoft 365 (Microsoft Learn)
- Learn more about DKIM and how to set it up to sign email you send from Microsoft 365 (Microsoft Learn)
- Learn more about DMARC and how to set it up to validate email you send from Microsoft 365 (Microsoft Learn)
Recipient email service provider requirements
If email that your organization sends does not meet the email authentication standards of the recipient's email service provider, or is seen as unsolicited bulk email, it may be rejected or marked as spam. The non-delivery reports (NDRs) from each provider include details and best practices on how to deliver email to them. Microsoft 365 is not to be used for bulk email relay, but if a receiving email provider classifies your email as such, refer to that provider's documentation.
- For Outlook.com, Sender Support in Outlook.com - Microsoft Support
- For Gmail, Prevent mail to Gmail users from being blocked or sent to spam; customers can also set up their domains with Google Postmaster Tools (Get started with Postmaster Tools - Gmail Help (google.com)) to monitor and improve deliverability.
Microsoft, including Customer Service and Support (CSS), cannot fix deliverability issues where a third-party provider rejects your message. Tenant administrators need to make changes to improve their tenant sender reputation. For our recommendations on how to improve your sender reputation, read on.
Microsoft 365 considerations for sending email
Exchange Online Protection (EOP) has strict outbound spam controls that can block your email, or segregate it into a special high-risk delivery pool, if it exceeds the sending limits. Using Microsoft 365 to send bulk (mass) email is not a supported use of the service.
Use the following resources outside of EOP to send bulk email:
- Use Azure Communication Services (ACS) Email: It facilitates high volume transactional, bulk and marketing emails.
- Send bulk email through on-premises email servers: Customers maintain their own email infrastructure for mass mailings.
- Use a third-party bulk email provider: There are several third-party bulk email solution providers that you can use to send mass mailings. These companies have a vested interest in working with customers to ensure good email sending practices.
The Messaging, Malware and Mobile Anti-Abuse Working Group (MAAWG) publishes its membership roster at https://www.maawg.org/about/roster. Several bulk email providers are on the list and are known to be responsible internet citizens.
For customers who nevertheless choose to send bulk email using EOP (an unsupported use of the service, as noted above), follow these Outbound spam protection recommendations:
- Don't send email at a rate or volume that runs afoul of the sending limits in the service. This includes not sending email to a large list of Bcc recipients.
- Avoid using addresses in your primary email domain (for example, contoso.com) as senders for bulk email. Doing so can affect the delivery of regular email from senders in the domain. Consider using a custom subdomain exclusively for bulk email. For example, use m.contoso.com for marketing email and t.contoso.com for transactional email.
- Configure any custom subdomains with email authentication records in DNS (SPF, DKIM, and DMARC).
Following these recommendations does not guarantee delivery. If your email is rejected as bulk, send it through on-premises or a third-party provider instead.
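The two recommendations above (a dedicated subdomain for bulk mail, with its own SPF, DKIM and DMARC records) and the SPF/DKIM/DMARC overview earlier in this post are easy to get subtly wrong: an SPF record that ends in +all, only one of the two DKIM selectors published, or a DMARC record with p=none and no reporting address. The following audit script is an added example, not code from the original post or from Microsoft. It checks a subdomain's records offline against the Microsoft 365 formats (the SPF include spf.protection.outlook.com, and DKIM CNAMEs of the form selectorN-<domain with dashes>._domainkey.<initial domain>). The records, the subdomains m.contoso.com and t.contoso.com, and the tenant initial domain contoso.onmicrosoft.com are all constructed for the example.

```python
from __future__ import annotations

# Assumed tenant initial domain; the DKIM CNAME targets must point here.
TENANT = "contoso.onmicrosoft.com"
M365_SPF_INCLUDE = "spf.protection.outlook.com"
# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation)
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect"}

# Constructed records for a subdomain configured as the post recommends
GOOD_RECORDS = {
    ("m.contoso.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("selector1._domainkey.m.contoso.com", "CNAME"): ["selector1-m-contoso-com._domainkey.contoso.onmicrosoft.com"],
    ("selector2._domainkey.m.contoso.com", "CNAME"): ["selector2-m-contoso-com._domainkey.contoso.onmicrosoft.com"],
    ("_dmarc.m.contoso.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"],
}

# Constructed records with typical mistakes: +all, a missing selector, p=none, no reports
WEAK_RECORDS = {
    ("t.contoso.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com +all"],
    ("selector1._domainkey.t.contoso.com", "CNAME"): ["selector1-t-contoso-com._domainkey.contoso.onmicrosoft.com"],
    ("_dmarc.t.contoso.com", "TXT"): ["v=DMARC1; p=none"],
}


def _txt(records: dict, name: str) -> list[str]:
    return records.get((name, "TXT"), [])


def _cname(records: dict, name: str) -> str | None:
    values = records.get((name, "CNAME"), [])
    return values[0] if values else None


def _mechanism(term: str) -> str:
    """'include:x' -> 'include', 'redirect=x' -> 'redirect', '-all' -> 'all'."""
    return term.lstrip("+-~?").split(":")[0].split("=")[0].lower()


def check_spf(records: dict, domain: str) -> list[str]:
    spf = [r for r in _txt(records, domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:   # two SPF records is a permerror, none is no authorization at all
        return [f"{domain}: expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    findings = []
    if not any(t.lower() == f"include:{M365_SPF_INCLUDE}" for t in terms):
        findings.append(f"{domain}: SPF does not include {M365_SPF_INCLUDE}")
    if not terms or _mechanism(terms[-1]) != "all":
        findings.append(f"{domain}: SPF must end with an 'all' mechanism")
    elif terms[-1] in ("all", "+all", "?all"):
        findings.append(f"{domain}: SPF '{terms[-1]}' lets any host pass; use -all or ~all")
    # Top-level count only; nested includes add more, so this is a lower bound
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{domain}: {lookups} lookup mechanisms exceed the RFC 7208 limit of 10")
    return findings


def check_dkim(records: dict, domain: str, tenant: str) -> list[str]:
    findings = []
    for selector in ("selector1", "selector2"):   # Microsoft 365 rotates between both
        name = f"{selector}._domainkey.{domain}"
        expected = f"{selector}-{domain.replace('.', '-')}._domainkey.{tenant}"
        target = _cname(records, name)
        if target is None:
            findings.append(f"{name}: missing DKIM CNAME")
        elif target.lower().rstrip(".") != expected.lower():
            findings.append(f"{name}: CNAME points to {target}, expected {expected}")
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(records: dict, domain: str) -> list[str]:
    name = f"_dmarc.{domain}"
    recs = [r for r in _txt(records, name) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"{name}: expected exactly one DMARC record, found {len(recs)}"]
    tags = parse_dmarc(recs[0])
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append(f"{name}: missing or invalid p= tag")
    elif tags["p"] == "none":
        findings.append(f"{name}: p=none only monitors; move to quarantine or reject once reports are clean")
    if "rua" not in tags:
        findings.append(f"{name}: no rua= address, so you receive no aggregate reports")
    return findings


def audit_sending_domain(records: dict, domain: str, tenant: str = TENANT) -> list[str]:
    """All findings for one sending (sub)domain; an empty list means the records look right."""
    return check_spf(records, domain) + check_dkim(records, domain, tenant) + check_dmarc(records, domain)


if __name__ == "__main__":
    for recs, dom in ((GOOD_RECORDS, "m.contoso.com"), (WEAK_RECORDS, "t.contoso.com")):
        print(dom, audit_sending_domain(recs, dom) or ["OK"])
```

To run this against live DNS, replace the dictionaries with real lookups (for example with dnspython, or Resolve-DnsName from PowerShell) and keep the check functions as they are. Note that passing the audit means the records are shaped correctly; whether mail actually passes DKIM also depends on signing being enabled for that domain in the Microsoft 365 Defender portal.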
Microsoft DMARC validation for receiving email
As a reminder, our enterprise customers can now choose how to handle inbound email that fails DMARC validation, with different actions depending on the policy set by the domain owner, such as p=reject or p=quarantine.
For our consumer service (Outlook.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
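What "fails DMARC validation" means in practice is worth spelling out, because a message can pass SPF and DKIM and still fail DMARC: the domain that passed has to align with the domain in the From header. The following evaluator is an added example, not Microsoft's implementation or code from the original post. It applies the RFC 7489 alignment rules (strict or relaxed, per the adkim and aspf tags) to already-computed SPF and DKIM results and returns the disposition the domain owner asked for. The scenarios are constructed; the organizational-domain logic is simplified to the last two labels, whereas a real evaluator uses the Public Suffix List.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """What the receiving MTA established before DMARC runs: the SPF result for the
    envelope (MAIL FROM) domain, and zero or more DKIM signatures with their d= domains."""
    spf_result: str                                            # "pass", "fail", "softfail", "none", ...
    spf_domain: str                                            # domain SPF was evaluated against
    dkim: list[tuple[str, str]] = field(default_factory=list)  # (result, d= domain) per signature


def org_domain(domain: str) -> str:
    # Simplification for the example: organizational domain = last two labels.
    # Production evaluators consult the Public Suffix List (think example.co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    accepts any domain under the same organizational domain."""
    fd, ad = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return fd == ad if mode == "s" else org_domain(fd) == org_domain(ad)


def evaluate_dmarc(from_domain: str, auth: AuthResults, policy: dict) -> dict:
    """policy holds the domain owner's parsed DMARC tags, e.g. {"p": "reject", "adkim": "r"}."""
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim) for res, d in auth.dkim)
    passed = spf_ok or dkim_ok   # DMARC needs one aligned pass, not both
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # The requested disposition only applies when DMARC fails
        "action": "none" if passed else policy.get("p", "none"),
    }


REJECT_POLICY = {"p": "reject", "adkim": "r", "aspf": "r"}

# Constructed scenarios
# 1. Mail sent directly from Microsoft 365 with SPF and DKIM for the From domain
DIRECT = AuthResults("pass", "contoso.com", [("pass", "contoso.com")])
# 2. The same mail after a forwarder re-sent it: SPF fails for the new hop, DKIM survives
FORWARDED = AuthResults("fail", "contoso.com", [("pass", "contoso.com")])
# 3. A spoof: the attacker's own domain passes SPF and DKIM, but neither aligns with From
SPOOF = AuthResults("pass", "bulk-sender.example", [("pass", "bulk-sender.example")])
# 4. A marketing subdomain whose mail is DKIM-signed with the parent domain's key
SUBDOMAIN = AuthResults("fail", "m.contoso.com", [("pass", "contoso.com")])

if __name__ == "__main__":
    print("direct    ", evaluate_dmarc("contoso.com", DIRECT, REJECT_POLICY))
    print("forwarded ", evaluate_dmarc("contoso.com", FORWARDED, REJECT_POLICY))
    print("spoof     ", evaluate_dmarc("contoso.com", SPOOF, REJECT_POLICY))
    print("subdomain ", evaluate_dmarc("m.contoso.com", SUBDOMAIN, REJECT_POLICY))
    print("subdomain, strict DKIM alignment",
          evaluate_dmarc("m.contoso.com", SUBDOMAIN, {"p": "quarantine", "adkim": "s"}))
```

The spoof case is the one the stricter receiver policies are aimed at: everything "authenticates", yet the From domain's owner never authorized it, so DMARC fails and the owner's p= tag decides what happens. The forwarded case shows why DKIM matters even when SPF is set up, since SPF breaks on the forwarding hop while a DKIM signature travels with the message. The evaluator returns the owner's requested disposition; as the post notes, Outlook.com now rejects in both the p=reject and p=quarantine cases. The sp= and pct= tags are omitted for brevity.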
Learn more:
- Announcing New DMARC Policy Handling Defaults for Enhanced Email Security (blog)
- Outbound spam protection (Microsoft Learn)
- Email authentication in Microsoft 365 (Microsoft Learn)
- MAAWG Sending Domains Best Common Practices (pdf)
- MAAWG Sender Best Common Practices (pdf)
- Learn more about SPF and how to set it up to authenticate email you send from Microsoft 365 (Microsoft Learn)
- Learn more about DKIM and how to set it up to sign email you send from Microsoft 365 (Microsoft Learn)
- Learn more about DMARC and how to set it up to validate email you send from Microsoft 365 (Microsoft Learn)
- Email sender guidelines (Gmail help)
- Gmail introduces new requirements to fight spam (Google blog)
- Sender Requirements & Recommendations (Yahooinc.com)
- An Update on Enforcing Email Standards (Yahooinc.com)
Microsoft Defender for Office 365 team