
You Have 16 Days To Comply — New Rules Impact 500 Million Outlook Users
New security rules come into place for outlook.com on May 5.
Update, April 19, 2025: This story, originally published April 18, has been updated with further advice from Red Sift's Faisal Misle on gaining compliance with the new Microsoft Outlook email authentication rules, which will take effect on May 5.
Email has been both a blessing and a curse for billions of users. Unfortunately, it's definitely been a blessing for hackers and a curse for consumers who receive their phishing attacks, malware attachments and more. Although highly-targeted 'spear' phishing attacks are increasingly seen as the way to go by sophisticated threat actors, there's no doubting the broad impact that spray-and-pray scammers, sending large volumes of email on a daily basis, have on the email ecosystem. It's these malicious spam floods that can cause the most significant security issues, and it's these that Microsoft is focusing on as it introduces new email security rules impacting the 500 million users of outlook.com, including hotmail.com and live.com addresses. Here's what you need to know and do before May 5.
Google has already taken action against the problem of malicious bulk senders impacting the security of users of the Gmail service by introducing new sender authentication requirements on April 1. The point of these new rules is to mitigate the risk of criminals using unauthenticated or compromised domains to deliver dangerous payloads. Now, at last, Microsoft is following suit and introducing similar rules to 'reduce the likelihood of spam and spoofing campaigns reaching our user base,' according to an April 2 Microsoft announcement on the Windows Defender security blog.
Applying to domains sending more than 5,000 emails in a single day, and to the Outlook.com consumer service that supports hotmail.com, live.com, and outlook.com consumer domain addresses, the May 5 rules will require mandatory Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) compliance. 'Non‐compliant messages will first be routed to Junk,' Microsoft said, and eventually rejected if issues remain unresolved. If you are sending marketing materials, or maybe just run a large hobby mailing list, you need to take note.
The full email authentication process has been explained in some detail by Microsoft, but the bullet point compliance requirements are as follows:
'These measures will help reduce spoofing, phishing, and spam activity,' Microsoft said, 'empowering legitimate senders with stronger brand protection and better deliverability.' This mirrors the statements made by Google regarding the introduction of mandatory strong email sender authentication to protect users of the Gmail service.
To meet the May 5 deadline, however, organizations must first set up email addresses to receive DMARC reports. 'If you are set up for DMARC,' Faisal Misle, the technical lead at Red Sift, said, 'receiving the reports is part of the DMARC protocol to protect you against spoofing and improve overall email deliverability.' Misle warned that the market is filled with DMARC providers and choosing the right one is paramount. 'My best advice is to pick the DMARC provider that, yes, gets you quick results,' Misle concluded, 'but also helps you visualize the problem by prioritizing the results.'
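An added example, not part of the original article or of Microsoft's guidance: a Python check of a DMARC TXT record for the report mailbox described above, including the case where reports go to an outside provider. The domain example.com, the sample records and the function names are constructed for illustration.

```python
"""Added example: lint a DMARC TXT record for its report mailbox (rua)."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(txt):
    """Return the record's tags as an ordered list of (name, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def report_mailboxes(rua_value):
    """Extract mailto: addresses from a rua value, dropping any '!size' limit."""
    boxes = []
    for uri in rua_value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            boxes.append(uri[len("mailto:"):].split("!")[0])
    return boxes


def lint_dmarc(domain, txt):
    """Return a list of findings; an empty list means the record looks usable."""
    try:
        pairs = parse_tags(txt)
    except ValueError as exc:
        return [str(exc)]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["record must start with v=DMARC1"]
    tags = dict(pairs)
    findings = []
    if tags.get("p", "").lower() not in VALID_POLICIES:
        findings.append("missing or invalid p= policy")
    boxes = report_mailboxes(tags.get("rua", ""))
    if not boxes:
        findings.append("no rua=mailto: address, so no aggregate reports arrive")
    for box in boxes:
        host = box.rpartition("@")[2].lower()
        # Simplification (assumption of this example): exact or subdomain match
        # instead of the Organizational Domain comparison in RFC 7489.
        if host != domain and not host.endswith("." + domain):
            findings.append(
                f"{box} is external: {host} must publish a TXT record at "
                f"{domain}._report._dmarc.{host} to accept these reports"
            )
    return findings


# Constructed sample records for the placeholder domain example.com.
SAMPLES = {
    "own mailbox": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "provider mailbox": "v=DMARC1; p=quarantine; rua=mailto:r@reports.example.net!10m;",
    "no reports": "v=DMARC1; p=reject",
    "not dmarc": "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, "->", lint_dmarc("example.com", record) or "ok")
```

The record to test is the TXT value published at _dmarc.<your domain>; an external-destination finding means the DMARC provider has to publish the authorization record before receivers will send it reports.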
Misle said the decision to enforce strict email authentication for anyone sending more than 5,000 emails per day will soon make Microsoft's email ecosystem safer. I would have to say that is the likely result, no hyperbole required, based upon the impact that Google doing the same for Gmail has proven to have had. Neil Kumaran, the group product manager of Gmail security and trust, told me that within 12 months there had been an 'unprecedented improvement in the fundamental security of email.' That can be broken down into the following numbers: a 65% reduction in unauthenticated messages sent to Gmail users, 50% more bulk senders following secure practices, and, wait for it, 265 billion fewer unauthenticated messages sent.
'Whether you are at a large organization or a small firm where the same person who sets up email might also be head of HR,' Misle told me, 'the urgency of the situation cannot be overstated.' That May 5 deadline will all too soon be upon us, so the time to act is very much right now. At a time when more than 90% of cyberattacks originate with email, Misle continued, 'Microsoft has made it clear that DMARC, SPF, and DKIM—all three authentication methods—must be implemented.'
Misle advised that the following technical steps must be taken to ensure May 5 compliance:
Misle warned that 'you are never too small to have these problems,' and urged all organizations to think of DMARC protection not as something you farm out and forget about, but 'as real-time intelligence to protect the health of your business.'
If you are a bulk sender of email using the Outlook.com platform, take heed and act now — time is fast running out.
