Microsoft to Enforce DMARC: What to Do Before 5 May 2025

Microsoft has announced new email security rules that could prevent your business emails from being delivered. Or worse, leave your domain wide open to impersonation.

From 5 May 2025, Microsoft will begin enforcing DMARC, along with SPF and DKIM, for any organisation that sends more than 5,000 emails per day to Microsoft's consumer email services - including Outlook.com, Hotmail and Live.com.

These changes mirror similar actions already taken by Google and Yahoo. And like those providers, Microsoft is expected to roll this out to smaller senders next.

What Happens If You Do Nothing?

If your domain doesn't comply with the new requirements, emails may:
1. Go straight to junk folders (initially)
2. Be blocked completely (eventually)

This doesn't just affect your marketing campaigns.

It can impact:

• Sales outreach
• CRM or billing platform emails
• Password reset links
• Internal communications and calendar invites
• Invoices, quotes and client documents

Even a single outreach campaign or system integration could cross the 5,000 emails/day threshold and trigger enforcement.

If you rely on tools like Mailchimp, ActiveCampaign, HubSpot, or even a just contact form on your website and those emails fail DMARC checks, Microsoft will stop delivering them.

What Is DMARC And Why Is It Important?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It stops scammers and cybercriminals from sending emails that look like they're from your organisation.

It works alongside two other security tools:

• SPF verifies who is allowed to send emails from your domain
• DKIM ensures that the content of the message hasn’t been altered in transit

Without these protections, anyone can send emails that appear to come from your domain - leading to phishing scams, fraud and reputational damage.

Want to learn more about the benefits of DMARC?

Read: Protect Your Brand: Why DMARC is Essential for Modern Organisations

Real-World Risk: The €42m Email Scam

In one of the most high-profile cases of email fraud, an employee at aerospace manufacturer FACC received an email appearing to come from the CEO, asking them to transfer funds for a business deal.

They complied. The email was fake.

• €42 million was lost.
• Only €10 million was recovered.
• The CEO and CFO were dismissed.
• The hacker was never found.

DMARC is designed to prevent exactly these kinds of situations from happening.

It’s Not Just for Big Companies

You don't have to be a large organisation to be at risk.
And you don't have to send thousands of emails every day.

If you send newsletters, use a CRM or run any kind of automated outreach, you could already be close to - or over - Microsoft's 5,000-email threshold. Sometimes one campaign is all it takes.

Even if you're not affected yet, the rules are expanding.
Google, Yahoo and now Microsoft are all enforcing DMARC and smaller senders are likely to follow.

What You Need To Do Before 5 May 2025

To comply with Microsoft's new policy and stay ahead of Google/Yahoo enforcement:

• Set up SPF and DKIM records correctly
• Publish a DMARC record (start in "monitor" mode)
• Identify all services that send emails on your behalf (CRMs, billing systems, email marketing tools)
• Monitor reports to see which emails pass or fail
• Transition to a “quarantine” or “reject” policy when ready
  

How Grant McGregor Can Help

We make DMARC simple. Our team takes care of everything for you - from setup and testing to validation, reporting and ongoing support.

Time Is Running Out

The 5 May deadline is fast approaching.

• Enforcement starts at 5,000+ daily emails
• Smaller senders will likely be next
• Microsoft isn’t alone, Google and Yahoo are already enforcing DMARC
  

Don’t wait until your emails stop delivering or your domain is spoofed. Get protected now.

Start a Conversation

Call us: 0808 164 4142

Message us: https://www.grantmcgregor.co.uk/contact-us