18-04-2025
You Have 17 Days To Comply — New Rules Impact 500 Million Outlook Users
Email has been both a blessing and a curse for billions of users. Unfortunately, it's definitely been a blessing for hackers and a curse for consumers who receive their phishing attacks, malware attachments and more. Although highly-targeted 'spear' phishing attacks are increasingly seen as the way to go by sophisticated threat actors, there's no doubting the broad impact that spray-and-pray scammers, sending large volumes of email on a daily basis, have on the email ecosystem. It's these malicious spam floods that can cause the most significant security issues, and it's these that Microsoft is focusing on as it introduces new email security rules impacting the 500 million users of including and addresses. Here's what you need to know and do before May 5.
Google has already taken action against the problem of malicious bulk senders impacting the security of users of the Gmail service by introducing new sender authentication requirements on April 1. The point of these new rules is to mitigate the risk of criminals using unauthenticated or compromised domains to deliver dangerous payloads. Now, at last, Microsoft is following suit and introducing similar rules to 'reduce the likelihood of spam and spoofing campaigns reaching our user base,' according to an April 2 Microsoft announcement on the Windows Defender security blog.
Applying to domains sending more than 5,000 emails in a single day, and to the consumer service that supports and consumer domain addresses, the May 5 rules will require mandatory Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) compliance. 'Non‐compliant messages will first be routed to Junk,' Microsoft said, and eventually rejected if issues remain. If you are sending marketing materials, or maybe just run a large hobby mailing list, you need to take note.
The full email authentication process has been explained in some detail by Microsoft, but the bullet point compliance requirements are as follows:
'These measures will help reduce spoofing, phishing, and spam activity,' Microsoft said, 'empowering legitimate senders with stronger brand protection and better deliverability.' This mirrors the statements made by Google regarding the introduction of mandatory strong email sender authentication to protect users of the Gmail service.
To meet the May 5 deadline, however, organizations must first set up email addresses to receive DMARC reports. 'If you are set up for DMARC,' Faisal Misle, the technical lead at Red Sift, said, 'receiving the reports is part of the DMARC protocol to protect you against spoofing and improve overall email deliverability.' Misle warned that the market is filled with DMARC providers and choosing the right one is paramount. 'My best advice is to pick the DMARC provider that, yes, gets you quick results,' Misle concluded, 'but also helps you visualize the problem by prioritizing the results.'
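As an added illustration (not code from Microsoft, Red Sift or the original article), the Python below audits the text of a domain's SPF and DMARC records, including whether the DMARC record names a mailbox for aggregate reports. The function names, the example.com addresses and the record strings are assumptions made up for this example; the checks follow the published SPF and DMARC record syntax (RFC 7208, RFC 7489), and DKIM is left out because verifying it needs a signed message rather than a DNS record alone.

```python
# Added example: offline audit of SPF and DMARC TXT record strings.
# Domains, addresses and records are constructed samples, not real data.
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
RUA_URI = re.compile(r"mailto:[^@\s]+@[^@\s!]+(![0-9]+[kmgt]?)?", re.I)

def parse_dmarc(txt):
    """Split a DMARC record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(txt):
    """Return the problems found in a DMARC record (empty list = OK)."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    tags = dict(pairs)
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("missing or invalid p= policy")
    # rua is a comma-separated URI list; a URI may end in a !size limit
    uris = [u.strip() for u in tags.get("rua", "").split(",")]
    if not any(RUA_URI.fullmatch(u) for u in uris):
        problems.append("no rua=mailto: address, reports will not arrive")
    return problems

def audit_spf(txt):
    """Return the problems found in an SPF record (empty list = OK)."""
    terms = [t.lower() for t in txt.split()]
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    if any(t in ("all", "+all") for t in terms[1:]):
        return ["+all authorizes every host to send for the domain"]
    if not any(t.lstrip("-~?") == "all" or t.startswith("redirect=") for t in terms[1:]):
        return ["no terminating all mechanism or redirect= modifier"]
    return []

SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"  # constructed
```

Feed it the TXT strings returned for the sending domain and for its _dmarc subdomain; an empty list means the record passed these syntax checks, not that receivers will accept the mail.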
If you are a bulk sender of email using the platform, take heed and act now — time is fast running out.