Microsoft Cracks Down On Bulk Email With Strict New Outlook Rules

BrianFagioli writes: Microsoft has officially begun rejecting high-volume emails that don't meet its new authentication rules.

Here's the deal. If you send more than 5,000 messages per day to Outlook.com addresses (including hotmail.com and live.com) and you're not properly set up with SPF, DKIM, and DMARC, your emails may never arrive.

Re:Their new policy is the DNS should be correct?

[irreverentdiscourse]

What an incredibly cumbersome and unnecessary solution you've come up with to a problem that doesn't exist.

Re:Their new policy is the DNS should be correct?

[Murdoch5]

Oh, Microsoft has issues with email. For the last 3-weeks they've been sending emails to me that looked so scummy and trashy, that I assumed they were junk, from an attacker. Today, my account manager from Microsoft emailed me asking why I hadn't clicked the link in the email they kept sending. I forwarded him one of the emails, and asked if those scummy looking trash emails were the ones he was referring to, and sure enough, they were from Microsoft.

The bad URL encoding, the bad template, lacking any kind of digital signature, rushed language that I click the link, and wording that sounded like a primary school student wrote it, who would have clicked on that link? Honestly, some of the communication I have with Microsoft, you'd wonder if they ever took a basic skills test. A lot of the communication is so poorly done, that if it's not an attack, you may as well assume it is.

They sent the same email over 30 times, who does that unless they're trying to get you to click the link, to steal your information? They had other means to get me the information, they had other contact methods, including my account manager, but intentionally picked the scummy, trashy, spamming email approach. Oh, and they fail DNS validation occasionally because of Microsoft quality.

Re:

[Waccoon]

Sounds like my experiences with Bank of America. They outsource everything to 3rd parties, so all their official e-mails look like phishing attacks. Idiots.

Re:

[Murdoch5]

Oh ya, they look terrible, and my policy is: "If the email looks even slightly suspicious, delete it, and move on, It's the senders job to make the email look professional, acceptable, and or legitimate enough to instill trust." That line is in my companies Cybersecurity Training, which out of fairness, I wrote.

Re:

[irreverentdiscourse]

Your inability to identify a real email from a real address is not actually Microsoft's problem.

"lacking any kind of digital signature"

All MS emails are digitally signed. The idea that you think PGP is an answer shows the cluelessness.

Re:

[Murdoch5]

No, they're not, what are they digitally signed with to prove identity? What are they signed with to prove the chain of trust? You NEVER trust an email because it exists, you're literally giving advice that would run afoul of every sensible cybersecurity 101 for phishing.

I don't care if they use PGP, they can use S/MIME X.509, or, any other acceptable validation / signing mechanism, but they don't, won't, can't, and are a slimy, sleazy, unprofessional joke of a company. They could have had my account m

Re:

[irreverentdiscourse]

Pretty sure you just aren't aware of all of the features of Exchange / O365.

You don't learn that in a home lab shaking your fist at Microsoft.

Re:

[Murdoch5]

O365 is a closed ecosystem that tries, and fails, to implement proper open security standards. O365 is arguably the worst office ecosystem in popular use, I can forgive the uneducated idiot, whose work bought them an Office-365 license because they might not know that better software exists, like LibreOffice, but if you're a tech professional, and you use Office-365, why? It's like masturbating with sandpaper, where the sandpaper has trackers to monitor the masturbation. Where do you want to start with t

Re:

[irreverentdiscourse]

Nothing you wrote here makes me actually think you know what you're talking about. Lying about the governments you don't actually work for isn't selling it.

Re:

[Murdoch5]

Believe that if you like, have a lovely weekend.

Re:

[mysidia]

Oh the problem DEFINITELY exists. However.. You can't just name PGP as the solution.

Even Microsoft has no power to unilaterally rewrite the rules of Email - you can't just adopt a PGP signing and web-of-trust requirement. Their own customers would tear them a new one the moment they start rejecting all their legitimate emails.

The requirement to SPF+DKIM Authenticate your emails is nothing - that's an existing industry standard. I believe Google is already enforcing this. Just about all legitimate

Re:

[BusDriver]

DKIM is a form of message signing. Also I love you call PGP simple. Why do you think secure messaging apps have taken off so well, yet PGP is still the realm of, well these days, almost no one? Only a few die hard nerds use it. PGP is terrible, clunky and a giant joke. Sure it was great 30 years when it was invented, but it's been long surpassed.

Suggesting it as a solution to anything in 2025 shows how out of touch you are with reality. The world has _long_ since moved on.

Re:

[Murdoch5]

PGP is a gold standard for identity validation, look at Proton, their entire ecosystem depends on it. The reason Microsoft won't build it into a product, they can't exploit it, driving up licensing costs, and digitally molest their user base with it, and since Microsoft is basically just Epstein as a company, they're not interested. PGP is not difficult to use, it's tooling is excellent, the documentation is good, Its platform support is spectacular, so really the only reason to not use it, is some type

What surpassed PGP?

[Sloppy]

I can understand people bitching about PGP, and I don't even object to people calling it "terrible" and "clunky." But I'm surprised that you'd say it has been "surpassed." Surpassed by what? I've never heard of any serious attempts to replace it, except .. maybe .. oh no, you don't mean X.509, do you?

Re:

[BusDriver]

Surpassed by encryption that "just works", such as that used in Signal. I can add my friend and text them and I _know_ that only they and I can read it.
It's frictionless, the install of Signal aside. No pissing about with keys, passphrases etc.

GPG is you send me your public key, I send you mine, I mark it as trusted blah blah blah, I copy the secret key around where I need it each time.

I agree, there's no perfect replacement for it in email. But DKIM achieves pretty much the same thing. It doesn't prove

Re: Their new policy is the DNS should be correct?

[Unpopular Opinions]

No free email provider will ever encrypt messages. Like headers with a SNI style of communication, or the message body, be it with PGP, S/MIME or the likes. You cannot scan your users mailbox for advertisement when you know nothing about the message, and if you think Google was just being generous when they gave the world free multi-Gb GMail mailboxes before anyone was able to afford 250Mb in their paid email services, think again.

Now, for corporate customers, yes, proper email security is still an incentiv

Re:

[Murdoch5]

100%, but that's also the point, the entire "free" ecosystem is just about digital molestation, and abusing the customer, who in most cases isn't smart enough to know they're being abused. Basically, we've grown in up in a cult, where it was normal to enter the Microsoft or Google Van, and accept whatever they do to you, unquestionably. Now Microsoft is acting like they care, by doing something pointless, meaningless, and stupid, when better protocols and systems exist that could reasonably solve most of

Re:

[supremebob]

The self-service bulk mailing services like Mailgun will tell you how to configure your SPF, DKIM, and DMARC correctly, but it's still the senders responsibility to configure it properly. I've seen some really dumb setups in the past, where the client configures DomainA.com as their sending domain but forgets to change the From address on their e-mails to match.

Re:

[MachineShedFred]

More than that, if someone is sending that kind of volume without SPF, DKIM, and DMARC being set properly, they are likely already being blocked.

I read the summary and was like "wait, they aren't already doing that? Google has been doing that for years..."

It should be a much lower max limit.

[Anonymous Coward]

The fact that they're allowing 5000 emails to slip through before problems is the biggest concern I have with this as that just seems to be too high.

Most bad people will simply create multiple accounts and spread them out amongst the different accounts to not be detected.

They should make the limit like 100 a day or something that is reasonable and in line with the average person's daily email outside of work. Where most people get email but don't send them or most people just respond to the ones they get.

Re:

[Voyager529]

The numbers for a casual email user that's legitimate are much lower than 5000 emails per day to a collection of 5000 different people.

It's simply not reasonable for Microsoft to allow 5000 emails from a single email address If they haven't considered the other operational considerations that are required here.

This is more likely to be impacting people running their own solutions like a self-hosted Listmonk instance, someone who didn't set up Mailchimp correctly, or a shell script that sends out unauthenticated e-mails as straight SMTP traffic...and it's targeting anyone who sends e-mails to 5,000 outlook.com users in total, not to a single recipient.

Are they going to block their own emails?

[whoever57]

I get the RUA reports for my company's Microsoft-hosted email. Frequently, email sent from one Microsoft "tenant" to another Microsoft "tenant" fails SPF checks.

Re:

[kwalker]

I receive similar reports from them, and the exact same e-mails sent to @gmail.com, @comcast.net, and others do validate correctly, but O365 properties can't. So I'd say this is more of a Microsoft filter problem then anything else.

Re:

[Holi]

Are you using oultlook.com for your company's hosted email? If not then YOU have to setup your DNS correctly.

Re:Are they going to block their own emails?

[whoever57]

Are you using oultlook.com for your company's hosted email? If not then YOU have to setup your DNS correctly.

Yes, and yes it is set up correctly. The problem is that Microsoft uses servers not listed in its SPF record (include:spf.protection.outlook.com ) to send to itself.

As the post above notes: emails sent to other destinations do not fail SPF checks.

Re:

[wonky_admin]

>The problem is that Microsoft uses servers not listed in its SPF record (include:spf.protection.outlook.com ) to send to itself. If they're DKIM signed, DMARC doesn't require SPF to pass though.

Unexplained Requirements

[kwalker]

That's funny. I run a small family mailing list and I can tell you that O365 doesn't check SPF/DKIM correctly anyhow. I routinely receive DMARC reports from them where they can't validate the exact same code that Google, Comcast, et al can.

Plus if you don't have SPF/DKIM/DMARC setup, nothing ever makes it to an O365 box anywhere, it just evaporates in their filters somewhere. That was a hoot to troubleshoot.

Re:

[TheBAFH]

In my case, the DMARC reports from MS mail services are always marked as spam by Spamassassin because:

BASE64_LENGTH_79_INF BODY: base64 encoded email part uses line length greater than 79 characters
MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
FORGED_SPF_HELO

This doesn't happen with any other provider (Gmail's reports are fine).

Re:

[SemperOSS]

Same for me.

I have a family/friend mail server setup with proper SPF, DKIM and DMARC where I get reports back, reports I actually look at.

The strange thing is that the only fail-reports I get are either from servers that have been spammed, i.e. the messages they received did not pass SPF (nor DKIM), or from Microsoft-run servers (outlook.com, hotmail.com and other systems that use Exchange server). Never from Google or Yahoo or any other, non-MS server.

So, Microsoft get your house in order! Do a proper chec

Microsoft joins Google, Yahoo!, Comcast ... but...

[gavron]

Google and Yahoo! have had the same polilcy for years. I was running a mailing list for an HOA and even at 150 emails spread out over Google, Yahoo!, and Comcast they were being rejected if SPF/DKIM/DMARC wasn't perfect.

HOWEVER even though I have a business paid Google-served email address I KEEP GETTING SPAM and ALL OF IT comes from Google. So while they're not helpful for others to send mail to their clients, they're more than happy to let their own customers spam their other (including paying customers

Re:

[Improv]

This isn't an insult contest.

You mean to tell me that...

[zurkeyon]

the 500 million Phishing reports I sent in FINALLY got read? ;-D

Here's *MY* deal, Microsoft

[Sebby]

Here's the deal. If you send more than 5,000 messages per day to Outlook.com addresses and you're not properly set up with SPF, DKIM, and DMARC, your emails may never arrive.

Being properly "setup" on SPF, DKIM and DMARC isn't the only requirement by MS to drop emails. Another primary requirement is for Microsoft to actually care about their customers' emails and actually deliver them, instead of simply pretending to be an email service.

So here's my deal to you, Microsoft: you stop dropping valid emails into the void without any warnings/valid reasons, and I won't bring about a class-action lawsuit against you. Deal?

Re:

[Ol Olsoc]

Being properly "setup" on SPF, DKIM and DMARC isn't the only requirement by MS to drop emails. Another primary requirement is for Microsoft to actually care about their customers' emails and actually deliver them, instead of simply pretending to be an email service.

So here's my deal to you, Microsoft: you stop dropping valid emails into the void without any warnings/valid reasons, and I won't bring about a class-action lawsuit against you. Deal?

My experience has been identical. After being forced onto Outlook for one of my projects I ended up capturing everything before they decide arbitrarily it doesn't even need to go to a spam folder and evaporates them - and send it to a gmail account. But that doesn't help the people I send email to. Spent a weekend setting up the alphabet soup, still MS dumped them.

I finally set up a groups.io group, which still has some issues, for people suffering from the psychotic message killing.

Next

[Ol Olsoc]

What is Microsoft going to do about the low volume - like one off - emails that end up in the big bit bucket in the sky?

After moving me onto Web based outlook, and having stuff mysteriously not appear, I capture all the emails and forward them to gmail before Outlook messes with them.

I even get people wondering where emails I was sending them went to, my first question is "Outlook your reader?" Most of the time, the answer is yes.

This was all known long ago with the magic 8 ball toy which keeps telling us "Outlook Not So Good"

Re:

[kwalker]

Literally the same thing they've done about it for the last decade: not a goddamn thing.

What you're describing is exactly what I've gotten out of Microsoft, Comcast, Google, and to a lesser extent other large webmail providers. They do not care about deliverability if you're not signed up with some of their BS partner programs, which are not documented anywhere. If you try, you'll get stuck in bot-hell of generated KB articles that are all fucking wrong.

Re:

[Ol Olsoc]

Literally the same thing they've done about it for the last decade: not a goddamn thing.

What you're describing is exactly what I've gotten out of Microsoft, Comcast, Google, and to a lesser extent other large webmail providers. They do not care about deliverability if you're not signed up with some of their BS partner programs, which are not documented anywhere. If you try, you'll get stuck in bot-hell of generated KB articles that are all fucking wrong.

My favorite is when their articles do a "how to" and the info is outdated. Referring you to things that don't exist any more because Microsoft moves things around arbitrarily and not always logically. Recently had that with a W11 copy for Parallels on MacOS that Windows refused to authenticate even though I had the receipts. Finally had to go scorched earth and reinstall Parallels and the W11 .iso. Microsoft support was worse than useless. An annoying way to spend a day.

Forget outlook.com

[allo]

Even when doing SPF and DKIM right and sending a few mails per month, they still want you to manually apply for whitelisting if you run an own mail server. Good that not too many people I communicate with use it, because they really do not want your mail if you aren't one of the big players.

Re:

[Baron_Yam]

Really? I've never had an issue. I did have to get my ISP to set up a PTR record for me, but that's the only issue I've had that was outside my direct control.

Re:

[allo]

They have IP ranges they dislike. If you're unlucky your hoster got the IPv4 addresses only recently and then Microsoft does not like your mails. I once had a server with an IP from a block that was reserved for a long time and they blocked everything. Other than some people I never had a problem with Google, though. I think you should have SPF/DKIM/DMARC and then Google is happy. I'd wish it would be that easy for Hotmail/Outlook.

Re:

[dskoll]

Also never had an issue. I have SPF, DKIM, FCrDNS and DMARC set up and for bonus points, I also set up DNSSEC.

The only provider I have deliverability problems with is Apple ("foo@me.com" addresses.) No issues with Google, MSFT or Yahoo.

Re:

[kwalker]

Are you absolutely sure about that? Because my experience is vastly different. Even jumping through hoops, setting up crypto verification (SPF, DKIM, DMARC), I routinely get comments from family members that my mail doesn't go through. Sometimes they can find it in their Spam folder, but usually it's just gone, shuffled off to the big /dev/null in the sky. No error, no rejection on my end, just "mail accepted for delivery" from their SMTP gateways, then poof.

Re:

[Baron_Yam]

But you have a valid PTR, right? If the reverse lookup fails, your mail doesn't even get far enough for SPF and DKIM to matter.

Re:

[kwalker]

Yes of course. No one allows you to send without a valid and matching PTR record anymore.

Re:

[dskoll]

Obviously, I'm not 100% sure that every single one of my emails has made it through, but I can't think of a case where I sent an email that required a response and I didn't receive a response, except to a correspondent who uses Apple's email services.

Pretty rich, coming from Microsoft

[Arrogant-Bastard]

I've been running email systems for a long, LONG time. I'm currently running about three dozen of them, handling email for different operations on different networks using different MTAs on different operating systems. (All open-source of course)

The anti-spam defenses in place at all of these are extensive and very well-planned, as they should be. They include rules in routers, rules in firewalls, rules in MTAs, and more. All of them are custom-tuned, all of them are monitored on a daily basis, and quite frequently adjusted to deal with emerging threats. As a result of all this effort, almost no spam gets through AND the false positive rate is running at about 4 messages/year.

And yet...of that "almost no spam [that] gets through", almost all of it is from Microsoft or Google. All of it passes SPF, DKIM, etc. checks: it really is from them. Together these two operations have accounted for roughly 85% of all false negative (e.g., received) spam over the last three years.

So it's pretty damn arrogant (note my handle, I'm familiar with the concept) of them to make any claims or impose any requirements on anyone, given how miserably they've both failed. What I'd like to see -- but won't -- is both of them turning them attention inwards and reducing their spam output to zero. Then, and only then, will they have any credibility with me. (Don't tell me it can't be done. I've done it, and at some large operations. And I did it without the enormous financial and personnel resources that they enjoy.)

Re:

[volcan0]

Due to the nature of the service, I give them a bit of leeway and instead judge on how fast they respond to abuse reporting.

Re:

[Arrogant-Bastard]

First, let's note that "controlling outbound spam from Microsoft et.al." is not and should not be our problem. It's theirs. They are 100% responsible for that, and it's disingenuous to insist that those of us who don't have billions of dollars and armies and employees do their jobs for them.

Second, have you checked on their responsiveness to spam/abuse/other complaints sent to their RFC 2142 mandatory role addresses lately? IF you get a response at all, and that's a big if, it's likely to be automate

Re: Pretty rich, coming from Microsoft

[Tschaine]

If you haven't worked on antispam for a consumer domain like outlook, Gmail, Yahoo, etc, then you likely underestimate just for hard it is.

  It's nothing like antispam for companies that only give email addresses to their employees. The attack volume is magnitudes greater, for both inbound and outbound. There is also a much smaller difference between desired bulk mail (like newsletters) and abusive bulk mail.

The amount of email that gets blocked at the IP level is staggering, even though connection based filtering has a high bar because it's so hard to troubleshoot.

It's another world entirely.

Re:

[MeNeXT]

This. The only SPAM I get is from MS and Google. The only phishing attempts are from MS and Google. They all have SPF/DKIM.

If I had MOD points it would be +1 informative.

How will they correlate?

[dskoll]

So, if you don't have DKIM, SPF, etc. set up, and you send spam from different IP addresses using different sender domains... how will MSFT know who to attribute the 5000 emails to?

Seems silly to me. You either demand correct SPF, DKIM and DMARC from all senders, or you don't. Either way, it won't make much difference to the volume of spam.

Slashdot emails also fail DMARC

[Tony Isaac]

For months now, slashdot notification emails have been failing DMARC tests, causing all the emails to go to spam. Pretty annoying!

That's a laugh and a half.

[Squeedle]

BWAHAHAHA, try just setting it to stop filtering out your OWN EMAILS to me as spam, Microsoft.