awareness & training
17 Topics

Strengthening Email Ecosystem: Outlook's New Requirements for High-Volume Senders
April 29th Update - Changes have been made to the action taken on messages that do not meet the requirements; please see the details below.

Introduction

In an era where email remains one of the most widely used tools for personal and business communications, Outlook is stepping up its commitment to protect inboxes and preserve trust in the digital ecosystem. Today, we're announcing new requirements and best practices designed to strengthen email authentication for domains sending more than 5,000 emails per day. These new requirements will enforce stricter standards by making SPF, DKIM, and DMARC settings mandatory. Outlook is pushing the broader industry toward best practices and safeguarding the millions of individuals and small businesses that rely on us every day. These measures will help reduce spoofing, phishing, and spam activity, empowering legitimate senders with stronger brand protection and better deliverability.

Outlook has always prioritized user safety and reliability; we're proud to further invest in this solution that will keep our customers safe and reinforce best practices across the industry. We believe that by raising the bar for large senders, we can inspire lasting change that benefits everyone.

What's Changing?

For domains sending over 5,000 emails per day, Outlook will soon require compliance with SPF, DKIM, and DMARC. Non-compliant messages will first be routed to Junk. If issues remain unresolved, they may eventually be rejected. Senders will soon be required to comply with the following:

SPF (Sender Policy Framework): must pass for the sending domain. Your domain's DNS record should accurately list the authorized IP addresses/hosts.
DKIM (DomainKeys Identified Mail): must pass, to validate email integrity and authenticity.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): at least p=none, and aligned with either SPF or DKIM (preferably both).

Learn more about email authentication here.
Additional Email Hygiene Recommendations

Large senders should also adopt these practices to maintain quality and trust:

Compliant P2 (Primary) Sender Addresses: ensure the "From" or "Reply-To" address is valid, reflects the true sending domain, and can receive replies.
Functional Unsubscribe Links: provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail.
List Hygiene & Bounce Management: remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages.
Transparent Mailing Practices: use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages.

Outlook reserves the right to take negative action, including filtering or blocking, against non-compliant senders, especially for critical breaches of authentication or hygiene.

Enforcement Timeline

Starting today, we encourage all senders, and particularly those that send at high volume, to review and update their SPF, DKIM, and DMARC records in preparation for enforcement, which begins in May.

After careful consideration, and to protect users and remove any confusion for both the recipient and the sender about why a message was in the Junk folder, we have decided to reject messages that don't pass the authentication requirements detailed above. Rejected messages will receive the response "550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level." This change will start taking effect on May 5th, as originally stated.

After May 5th, 2025, Outlook will begin routing messages from high-volume non-compliant domains to the Junk folder, giving senders an opportunity to address any outstanding issues. NOTE: in the future (date to be announced), non-compliant messages will be rejected to further protect users.
Next Steps

Prepare Now: audit your DNS records (SPF, DKIM, DMARC) and verify that you meet all the requirements. To view the authentication header, visit this. To learn how to read authentication headers, click here.
Stay Informed: we'll provide updates on the official rollout schedule, and on the dates when rejection actions will begin, through a blog post.
Join Our Mission: embracing better authentication and hygiene not only benefits your deliverability but also helps protect the entire email ecosystem.

For additional resources or support, visit sender support. Thank you for partnering with us to make email a more secure, transparent, and trusted channel for everyone.

Frequently Asked Questions (FAQ)

Why is Outlook requiring these changes specifically for high-volume senders?
Large senders have a broader impact on inbox safety. By focusing on senders of 5,000+ messages a day, we significantly reduce the likelihood of spam and spoofing campaigns reaching our user base.

How do SPF, DKIM, and DMARC help me as a sender?
These authentication protocols verify your emails for recipients. Compliant senders often see improved deliverability, fewer bounce-backs, and stronger brand credibility.

Do I still need to do this if I send fewer than 5,000 emails/day?
While enforcement first targets large senders, all senders benefit from these best practices. Strong authentication protects your reputation.

What exactly is a "functional" unsubscribe link?
It's a link placed in your email that allows recipients to quickly opt out of future mail. It should be easy to find and reliable when clicked.

Will these changes stop all spam?
No system eliminates spam entirely, but these measures make it much harder for malicious actors to succeed and give legitimate senders higher trust.

What does "alignment" mean for DMARC?
Alignment ensures the "From" domain matches (or is a subdomain of the same organizational domain as) the domain used by SPF and/or DKIM. This prevents bad actors from exploiting your domain name.
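The following Python is an added worked example, not Microsoft's or Outlook's own logic. It applies the three requirements stated above (SPF pass for the sending domain, DKIM pass, and a DMARC record with at least p=none whose identifiers align with SPF or DKIM) to one message's authentication results and explains any shortfall. It goes slightly beyond the text by honouring the DMARC aspf/adkim tags (relaxed versus strict alignment) and by counting the lookup-causing SPF terms behind the FAQ's 10-lookup question. The DNS records, domain names, selector s1, and the last-two-labels approximation of the organizational domain are all constructed assumptions; a real checker would resolve TXT records and run SPF/DKIM verification on a live message.

```python
"""Offline check of the high-volume sender requirements: SPF pass, DKIM pass,
and a DMARC record (at least p=none) aligned with SPF or DKIM.
Added example, not Outlook's own logic. DNS records below are constructed
samples; a real check would resolve TXT records and verify a live message."""
import re
from typing import Optional

# Constructed sample TXT records standing in for live DNS (assumption).
SAMPLE_DNS = {
    "example.com": "v=spf1 include:_spf.example.net include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=r",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "nodmarc.example": "v=spf1 ip4:198.51.100.10 -all",  # publishes SPF but no DMARC record
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^(?:[+\-~?]?(?:include|a|mx|ptr|exists)(?=[:/]|$)|redirect=)", re.I)


def spf_lookup_count(record: str) -> int:
    """Count lookup-causing terms in one SPF record. Nested includes are not
    followed, so the true total for the domain can only be higher."""
    return sum(1 for term in record.split() if LOOKUP_TERM.match(term))


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    a production checker would consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; ...' into a tag dictionary with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def find_dmarc(from_domain: str, dns: dict) -> Optional[dict]:
    """Look for _dmarc at the From domain, then at its organizational domain."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = dns.get(f"_dmarc.{candidate}")
        if record and record.lower().startswith("v=dmarc1"):
            return parse_dmarc(record)
    return None


def check_message(from_domain, mail_from_domain, spf_result,
                  dkim_domain, dkim_result, dns=SAMPLE_DNS):
    """Apply the three requirements to one message's authentication results.
    spf_result/dkim_result are the verifier outcomes ('pass' or anything else);
    mail_from_domain is the envelope sender, dkim_domain the signature's d= tag."""
    problems = []
    spf_ok = spf_result == "pass"
    dkim_ok = dkim_result == "pass"
    if not spf_ok:
        problems.append("SPF did not pass for the sending domain")
    if not dkim_ok:
        problems.append("DKIM signature did not verify")
    tags = find_dmarc(from_domain, dns)
    spf_aligned = dkim_aligned = False
    if tags is None or tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("no DMARC record with a valid p= tag for the From domain")
    else:
        spf_aligned = spf_ok and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
        dkim_aligned = dkim_ok and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
        if not (spf_aligned or dkim_aligned):
            problems.append("neither SPF nor DKIM is aligned with the From domain")
    return {"compliant": not problems, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "problems": problems}


if __name__ == "__main__":
    print("SPF lookups in example.com record:", spf_lookup_count(SAMPLE_DNS["example.com"]))
    # A third-party vendor bouncing from its own domain: SPF passes but is not
    # aligned; the aligned DKIM signature still satisfies DMARC.
    print(check_message("example.com", "bounces.esp-vendor.net", "pass", "example.com", "pass"))
    print(check_message("example.com", "bounces.example.com", "pass", "example.com", "fail"))
    print(check_message("nodmarc.example", "nodmarc.example", "pass", "nodmarc.example", "pass"))
```

The second call in the usage block is the common outsourced-sending case from the FAQ: the vendor's envelope domain fails alignment, so the DKIM signature with d= set to your own domain is what keeps the message compliant, which is why DKIM has to be configured in your DNS even when a provider does the sending.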
My SPF record has multiple include statements. Could that cause issues?
If you exceed 10 DNS lookups, your SPF check might fail. Tools exist to "flatten" your record or reduce the number of includes.

Why does Outlook recommend ARC for forwarding/mailing lists?
Forwarding can break DMARC alignment. ARC preserves the original authentication checks, preventing legitimate forwarded mail from being wrongfully flagged.

How often should I clean my mailing lists?
Aim to remove inactive or invalid addresses regularly, monthly or quarterly. This lowers bounce rates, cuts costs, and reduces spam complaints.

If I use a third-party email vendor, do I still need SPF, DKIM, and DMARC records in my domain DNS?
Yes. Even if you outsource sending, authentication is tied to your domain. Coordinate with your provider to ensure correct DNS settings.

How does Outlook handle DMARC aggregate (rua) and forensic (ruf) reports?
We send RUA reports to the addresses specified in your DMARC record. You can analyze these to see who is sending on behalf of your domain, spot domain abuse, and confirm alignment. We don't have plans to send RUF.

Can separate mail systems have unique DKIM selectors?
Yes. Managing multiple selectors (e.g., selector1, selector2) helps maintain clarity and isolate reputation concerns across business units or campaigns. Learn more about how to configure DKIM here.

Does publishing a strict DMARC policy (p=reject) offer better security?
Absolutely. Once your legitimate sources are aligned, p=reject is the most effective at thwarting domain spoofing. We advise moving gradually (none → quarantine → reject) to avoid unintended mail loss.

If someone regularly reports my emails as spam despite authentication, what can I do?
Authentication ensures emails are from you, but user perception still matters. Review your content, frequency, and opt-out process to ensure recipients remain engaged and not overwhelmed.

Will adding to the Safe Senders list bypass the new enforcement?
No. The Safe Senders list won't be honored.

SOC can see Microsoft analysis for Third-party add-in user report
We are pleased to announce that if you are using third-party report-message solutions in Microsoft Outlook, such as KnowBe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis.

A prerequisite is that the third-party user report tool is already set up in Outlook for your end users and is forwarding the user reports to an Exchange Online mailbox within the organization. We do not recommend using an Exchange transport rule for this.

To enable this setting:

1. Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select the Use a non-Microsoft add-in button.
2. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox to which messages reported through the third-party add-ins are routed.

If the third-party vendor follows the guidance for the message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis. The analysis results from Microsoft are displayed on the User reported page in the Defender portal.

Alerts are automatically generated for user-reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user-reported phishing messages. These alerts and their investigations are automatically linked to Defender Incidents, assisting security teams with automation for triage, investigation, and response. Submitting these messages to Microsoft for analysis returns the analysis result to security analysts and helps improve the Defender for Office 365 filters.
To learn more, check out these articles:
Report suspicious email messages to Microsoft
Automatic user notifications for user reported phishing results in AIR

Share Your Feedback!

We are eager for you to experience the capabilities of Microsoft feedback, triage, investigation, and analysis for user reports while keeping the advantages of third-party report add-ins. Share your thoughts with us by commenting below.

Create targeted attack simulation training campaigns with dynamic groups
When it comes to email security, even the most reliable employees can sometimes be unpredictable. Our days are filled with clicks, taps, likes, swipes, pings, texts, and more, leaving us open to acting fast without always being thorough and cautious. That's why simulation training should be a key component in every organization's email security strategy. It plays a critical role in educating and empowering employees to recognize common phishing and social engineering tactics, adopt a security-first culture, and protect their organizations from the associated security risks. Attack simulation training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization.

We're excited to announce dynamic targeting for Attack simulation training in Defender for Office 365. You can now use the Microsoft 365 group with the dynamic membership type, created in the Microsoft Entra admin center, to define the recipients of your simulations and training campaigns. It provides a more efficient and effective way to manage target users for simulations and trainings, allowing you to assign foundational security training to new hires, send simulation campaigns to users in departments or locations with high turnover, and cover similar use cases, all without having to manually manage groups. With this, the supported group types in Attack simulation training are as follows:

Microsoft 365 group (both static and dynamic)
Distribution group (static only)
Mail-enabled security group (static only)

What are dynamic groups?

Dynamic group membership is defined by one or more rules that check for certain attributes in user accounts. These groups are automatically updated as user attributes change, ensuring that the group membership is always up to date. This is particularly useful for large organizations, where manually managing group memberships can be time-consuming and error-prone.
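The membership-rule syntax that the use cases below rely on is easiest to understand by running it against a few users. The Python below is an added example, not Microsoft's rule engine: it parses the subset of the Entra dynamic membership syntax used in this post (user.<property> with -eq/-ne/-ge/-le/-gt/-lt, -and/-or with parentheses, quoted strings, YYYY-MM-DD dates, and system.now -plus/-minus P<n>D) and lists which members of a constructed sample directory a rule selects, with a fixed "now" so the hire-date window is reproducible. Left-to-right operator evaluation, exact string matching, an unset attribute never matching, and whole-day durations are simplifying assumptions about the real service; the rule strings and user records are constructed.

```python
"""Simplified evaluator for the Entra dynamic membership rule syntax used in
this post. Added example, not Microsoft's rule engine: operators evaluate
left to right, strings compare exactly, and an unset attribute never matches
(all assumptions). The users below are constructed sample records."""
import re
from datetime import datetime, timedelta, timezone

TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[^\s()]+)')
OPS = {"-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b,
       "-ge": lambda a, b: a >= b, "-le": lambda a, b: a <= b,
       "-gt": lambda a, b: a > b, "-lt": lambda a, b: a < b}


def to_datetime(value):
    """Parse ISO 8601 text (date or date-time) into an aware UTC datetime."""
    parsed = datetime.fromisoformat(str(value))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def compare(left, op, right):
    """Compare one user attribute with the rule literal; None never matches."""
    if left is None:
        return False
    if isinstance(right, datetime):
        left = to_datetime(left)
    return OPS[op](left, right)


class RuleParser:
    """Recursive-descent parser that turns a rule into a predicate over a user dict."""

    def __init__(self, rule, now):
        self.tokens, self.pos, self.now = TOKEN.findall(rule), 0, now

    def peek(self):
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of rule")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse(self):
        predicate = self.expression()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return predicate

    def expression(self):  # term ((-and | -or) term)*, left to right
        result = self.term()
        while self.peek() in ("-and", "-or"):
            op, lhs, rhs = self.take().lower(), result, self.term()
            if op == "-and":
                result = lambda u, a=lhs, b=rhs: a(u) and b(u)
            else:
                result = lambda u, a=lhs, b=rhs: a(u) or b(u)
        return result

    def term(self):  # "(" expression ")" | user.<property> <op> <literal>
        tok = self.take()
        if tok == "(":
            inner = self.expression()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if not tok.lower().startswith("user."):
            raise ValueError(f"expected user.<property>, got {tok!r}")
        prop, op = tok[len("user."):], self.take().lower()
        if op not in OPS:
            raise ValueError(f"unsupported operator {op!r}")
        value = self.literal()
        return lambda u, p=prop, o=op, v=value: compare(u.get(p), o, v)

    def literal(self):  # "string" | YYYY-MM-DD | system.now [-plus|-minus PnD]...
        tok = self.take()
        if tok.startswith('"'):
            return tok[1:-1]
        if tok.lower() == "system.now":
            when = self.now
            while self.peek() in ("-plus", "-minus"):
                sign = 1 if self.take().lower() == "-plus" else -1
                days = re.fullmatch(r"P(\d+)D", self.take(), re.I)  # whole days only
                if not days:
                    raise ValueError("only P<n>D durations are supported here")
                when += sign * timedelta(days=int(days.group(1)))
            return when
        return to_datetime(tok) if re.fullmatch(r"\d{4}-\d{2}-\d{2}", tok) else tok


def members(rule, users, now):
    """Return the UPNs of the users a rule would place in the group."""
    predicate = RuleParser(rule, now).parse()
    return [u["userPrincipalName"] for u in users if predicate(u)]


# Constructed sample directory and a fixed 'now' so results are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "department": "Sales", "employeeHireDate": "2024-08-01"},
    {"userPrincipalName": "bob@example.com", "department": "Engineering", "employeeHireDate": "2023-01-15"},
    {"userPrincipalName": "carol@example.com", "department": "Marketing", "employeeHireDate": "2024-05-10"},
    {"userPrincipalName": "dave@example.com", "department": "Engineering", "employeeHireDate": "2025-01-20"},
    {"userPrincipalName": "erin@example.com", "department": "Sales"},  # hire date not populated
]
RULE_DEPARTMENTS = '(user.department -eq "Sales") -or (user.department -eq "Marketing")'
RULE_HIRED_AFTER = "(user.employeeHireDate -ge 2024-06-30)"
RULE_UPCOMING = "(user.employeeHireDate -le system.now -plus P30D) -and (user.employeeHireDate -ge system.now)"

if __name__ == "__main__":
    for rule in (RULE_DEPARTMENTS, RULE_HIRED_AFTER, RULE_UPCOMING):
        print(rule, "->", members(rule, SAMPLE_USERS, NOW))
```

Note what the unpopulated hire date does to erin: she is in Sales, so the department rule selects her, but neither hire-date rule ever will. Before pointing a simulation automation at a hire-date group, it is worth confirming the attribute is actually populated for the users you expect to target.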
Use the Microsoft 365 group dynamic membership type in Microsoft Entra ID to tailor your simulation and training campaigns to specific user groups, making the training more relevant and effective. Some use cases of dynamic groups in Attack simulation training:

Target users more effectively based on specific criteria such as department, role, or location. Example: to send a simulation email to users in the Sales or Marketing departments, the dynamic membership rule can be written as:
(user.department -eq "Sales") -or (user.department -eq "Marketing")

Target users based on different hiring timeframes using the "employee hire date" attribute. A few examples:
To send a simulation email or a training campaign to those hired after a particular date, such as June 30, 2024, the dynamic membership rule can be written as:
(user.employeeHireDate -ge 2024-06-30)
To automate simulation emails for users who will be hired within the next 30 days, the dynamic membership rule can be written as:
(user.employeeHireDate -le system.now -plus P30D) -and (user.employeeHireDate -ge system.now)

How to create and use dynamic groups in simulations:
1. Sign in to the Azure Portal as at least a Groups Administrator and select Microsoft Entra ID, followed by Groups.
2. Create a new group and choose Microsoft 365 as the group type.
3. Enter a name, email address, and description for the group.
4. Select Dynamic user as the membership type and select Add dynamic query.
5. Define the rules for the dynamic query based on the user properties you want to use. You can add multiple rules and combine them with AND/OR operators. Validate the rule, select Save, and then select Create.
6. Go to the Defender portal and select Attack simulation training.
7. Select the Simulations tab and create a new simulation or edit/copy an existing one.
8. On the Target users page, select Add users, search for and select the dynamic group you created, and select Add user(s).
9. Complete the rest of the simulation settings and Create or Save the simulation.

How to use dynamic groups in training campaigns:
1. Repeat steps 1-5 above.
2. Select the Training campaign tab and create a new campaign.
3. On the Target users page, select Add users, search for and select the dynamic group you created, and select Add user(s).
4. Complete the rest of the campaign settings and Create or Save the campaign.

How to use dynamic groups in simulation automations:
1. Repeat steps 1-5 above.
2. Select the Simulation Automations tab and create a new automation.
3. On the Target users page, select Add users, search for and select the dynamic group you created, and select Add user(s).
4. Complete the rest of the automation settings and Create or Save the automation.

Note for automated simulations:
If a user is removed from a dynamic group after taking part in a simulation, that user will still appear in simulation reports and continue with the assigned trainings.
If a user is added to a dynamic group after the last simulation in an automation has run, the user won't be simulated, because that automation is considered complete.
At the start of an automation, users are divided across the different simulations. If new users are added after some simulations have run, these users are distributed across the remaining simulations.

More information:
Learn more about the different types of Microsoft 365 groups
Create or edit a dynamic group
Manage rules for dynamic groups
Learn about nested group properties in dynamic groups
Modify groups based on your requirements

Attack Simulation Training: Using machine learning to drive more effective simulations
Attack Simulation Training (AST) is an advanced tool that helps security teams improve their performance. It allows teams to run intelligent simulations and consume actionable insights, which can then be used to remediate risks and change behavior. With the addition of intelligent features such as predicted compromise rate and payload recommendations, we aim to improve payload efficacy and increase the overall quality of simulations within an organization.