One year of Outlook DMARC enforcement: from junk folder to hard reject
On 5 May 2025 Microsoft pulled the trigger: anyone sending more than 5,000 mails per day to Outlook.com, Hotmail or Live.com addresses without clean SPF, DKIM and DMARC stopped landing in the junk folder and started getting a hard SMTP reject. One year later the verdict is sober: this was not a warning shot. This was the shot.
What actually changed
- 5,000 mails / day / domain is the threshold — measured against Outlook recipients, not total send volume. Newsletters with a large DACH B2C share cross it quickly.
- DMARC at minimum
p=nonewith alignment — the policy may stay soft, but the record must exist and SPF or DKIM must align. - Reject instead of junk: Microsoft answers with
550 5.7.515 Access denieddirectly inside the SMTP dialog. The mail does not arrive, the recipient sees nothing, no log in the Outlook account. - TLS on the transport leg is assumed. Senders without STARTTLS fail before authentication is even checked.
What used to apply
Until May 2025 Microsoft was the lenient receiver compared to Google and Yahoo. Senders without DMARC still got through — maybe to junk, but they got through. Spam filters and reputation decided, not authentication. That is exactly why many DACH mid-size operators ticked off the Microsoft world as “running somehow”, while they had set up SPF/DKIM/DMARC cleanly for Gmail since February 2024.
What applies now
1. Reject is not “it’ll arrive later”. Unlike with the spam folder there is no second attempt and no follow-up. A 550 response means: mail rejected, sending system has to log it as a bounce, recipient address counts as a hard bounce signal in many ESPs and may be removed from the list. Anyone crossing the threshold without DMARC therefore loses not just today’s mail, but addresses long-term.
2. The 5,000 limit is per domain. Microsoft counts mails per 24 hours per sending domain. If you send from info@, newsletter@ and service@ on the same domain, everything goes into one bucket. Subdomain separation (news.example.com vs. mail.example.com) becomes more interesting because it lets you steer the volume profile per auth setup — provided each subdomain has its own clean records.
3. The DMARC policy may stay soft — the records must be correct. Microsoft currently requires only p=none. In practice that means: DMARC reports are running, hard policy is not mandatory. But: SPF and DKIM must be aligned to the From domain. This is exactly where many setups fail — the ESP’s DKIM signs with mailgun.example-mail.net, but the From address is info@example.com. Without proper alignment to the From domain a valid DKIM signature does not help, the DMARC check fails.
Why barely anyone noticed
Microsoft announced the date in April 2025 but barely communicated it outside the deliverability bubble. Unlike Google/Yahoo in 2024 there was no broad press wave and almost no coverage in German marketing media. On top of that: anyone without a DMARC report receiver configured does not see the reject — the bounce in many ESPs looks like an invalid recipient address. The consequence is that senders often only wake up when larger B2B contacts with @outlook.com addresses call to ask why the confirmation mail did not arrive.
The second point: in the DACH market the share of Outlook addresses in B2B lists is often underestimated. Many freelancers and small businesses use Outlook.com or Hotmail addresses as their business inbox, plus there are @live.com and @msn.com populations. In typical newsletter lists that quickly adds up to 10–20 % — sending without DMARC here burns a relevant share of the list silently.
What to do now
Check your DMARC setup in ten minutes: A dig TXT _dmarc.your-domain.com shows whether a record exists and what the policy looks like. Tools like dmarcian.com or mxtoolbox.com do the same via web form. If the record is missing entirely, that is the immediate work site.
Enable DMARC reporting before tightening the policy: Add rua=mailto:dmarc-reports@your-domain.com, collect reports for a few weeks, check which sending paths really align. Only then move from p=none to p=quarantine or p=reject.
Split transactional and marketing onto subdomains: order confirmations via transactional.example.com, newsletters via news.example.com. That way bad marketing reputation and good transactional reputation do not drag at each other, and you keep control over the auth setup per leg.
Background in the lexicon
The clean SPF/DKIM/DMARC setup explained step by step: → Email Deliverability: SPF, DKIM, DMARC
Entdecke mehr
Marketing
Corporate discipline that creates demand, wins customers and maintains relationships — from brand building and content through paid channels and SEO to CRM and loyalty.
LexikonGDPR-compliant email marketing — consent, double opt-in, logging
When you may send emails, what double opt-in, opt-in logging and soft opt-in mean — and what a bought list actually risks.
NewsApple Mail and Gmail overwrite the preheader with AI summaries
If you carefully craft preheaders, you no longer see them in the Apple inbox. What senders need to know and how to write AI-readable mails.