Email authentication is crucial for sending email. It helps protect recipients from malicious messages, such as spoofed and phishing email. By setting up email authentication for your domain, you make it less likely that your messages are rejected or marked as spam by email providers like Gmail, Yahoo, AOL, and Outlook.com. This is especially important when sending bulk email (large-volume email), as it helps maintain the deliverability and reputation of your email campaigns. Please note that using Microsoft 365 to send bulk (mass) email is not a supported use of the service (more details below).
What changed?
Microsoft 365 email senders may encounter new difficulties in delivering email to popular email service providers. For example, Google has implemented stricter security requirements to authenticate incoming email messages, particularly those sent in large volumes, as announced in the Google blog post "Gmail introduces new requirements to fight spam". They are configured to reject messages that don't meet email authentication standards. These issues usually manifest in the form of non-delivery reports (NDRs) such as:
Authentication:
550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for [contoso.com] did not pass with ip: [IPAddress].
Spam:
421-4.7.28 Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been temporarily rate limited.
IPv6 Spam:
550 5.7.350 Remote server returned message detected as spam -> 550 5.7.1 [IPv6Address]
Why is email authentication important?
Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain. You can improve your email deliverability by authenticating the email you send with SPF, DKIM, and DMARC. These Domain Name System (DNS) email authentication records verify that you are the legitimate sender of your email and help prevent spoofing and phishing attacks.
Email authentication is important for sending email because it:
We strongly recommend all our customers use these mechanisms to increase the chance of email being accepted by external recipients.
Recipient email service provider requirements
If an email that your organization sends does not meet email authentication standards for your recipient email service provider, or if it is seen as unsolicited bulk email, it may be rejected or marked as spam. The non-delivery reports (NDRs) from each provider include details and best practices on how to deliver email to them. Microsoft 365 is not to be used for bulk email relay, but in case the receiving email providers perceive your email as such, refer to their respective documentation.
Microsoft, including Customer Service and Support (CSS), cannot fix deliverability issues where a third-party provider rejects your message. Tenant administrators need to make changes to improve their tenant sender reputation. For our recommendations on how to improve your sender reputation, read on.
Microsoft 365 considerations for sending email
EOP has strict outbound spam controls that can block or segregate your email to a special high-risk delivery pool if it exceeds sending limits. Using Microsoft 365 to send bulk (mass) email is not a supported use of the service.
Use the following resources outside of EOP to send bulk email:
The Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) publishes its membership roster at https://www.maawg.org/about/roster. Several bulk email providers are on the list and are known to be responsible internet citizens.
For customers who choose to send bulk email using EOP*, follow these Outbound spam protection recommendations:
Following these recommendations does not guarantee delivery. If your email is rejected as bulk, send it through on-premises or a third-party provider instead.
Microsoft DMARC validation for receiving email
As a reminder, our enterprise customers can now choose how to handle inbound emails that fail DMARC validation and choose different actions based on the policy set by the domain owner, such as p=reject or p=quarantine.
For our consumer service (Outlook.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
Learn more:
Microsoft Defender for Office 365 team