Updated May 28, 2025
Microsoft now requires high-volume senders (those sending more than 5,000 emails per day) to improve email deliverability and reduce spam by implementing SPF, DKIM, and DMARC records. While these requirements primarily target large-volume senders, implementing these best practices benefits all email senders by improving deliverability and protecting your domain's reputation.
What changed
Starting in May 2025, Microsoft requires high-volume senders to comply with three email authentication protocols:
SPF (Sender Policy Framework): Must pass for the sending domain
DKIM (DomainKeys Identified Mail): Must pass to validate email integrity
DMARC (Domain-based Message Authentication, Reporting, and Conformance): Must be set to at least p=none and align with either SPF or DKIM
Non-compliant messages from high-volume senders are rejected with the error: "550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level."
This article focuses on DMARC. For more information regarding SPF and DKIM, see Improve email deliverability with SPF and DKIM records.
Understanding DMARC
DMARC builds upon SPF and DKIM records to provide an additional layer of email authentication. While SPF and DKIM verify that emails are authorized to be sent from your domain, DMARC tells receiving email servers what to do when an email fails authentication checks.
A DMARC record includes a policy that can be set to:
p=none: Monitor only (emails are delivered normally but reports are generated)
p=quarantine: Suspicious emails are sent to spam/junk folders
p=reject: Failing emails are rejected entirely
Setting up DMARC records
DMARC records are added to your domain's DNS settings as TXT records. The basic format for a DMARC record is:
Name/Host: _dmarc.yourdomain.com
βValue: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
DMARC policy recommendations
Start with p=none: Begin with a monitoring-only policy to understand your email sending patterns without affecting delivery.
Gradually increase strictness: Once you've confirmed your legitimate email sources are properly authenticated, you can move to p=quarantine and eventually p=reject for maximum protection.
Include reporting: The rua parameter specifies where aggregate reports should be sent. These reports help you monitor who is sending emails from your domain and identify potential security issues.
DMARC alignment
For DMARC to pass, the "From" domain in your email must align with the domain used by either SPF or DKIM (preferably both). This alignment prevents bad actors from exploiting your domain name even if they can send emails that pass SPF or DKIM checks.
Additional best practices
Beyond DMARC implementation, Microsoft recommends:
Use compliant sender addresses that can receive replies
Provide functional unsubscribe links for marketing emails
Regularly remove invalid email addresses from your lists
Use accurate subject lines and transparent mailing practices
For questions about configuring DNS records, contact your domain registrar or DNS provider. If you need assistance with email deliverability in Dubsado, feel free to reach out to our Customer Care team.
FAQ
Do I need to set up DMARC if I send fewer than 5,000 emails per day?
While Microsoft's enforcement currently targets only high-volume senders (5,000+ emails per day), setting up DMARC is still recommended for all senders. Implementing DMARC provides several benefits regardless of your sending volume:
Improved email deliverability and reputation
Protection against domain spoofing and phishing attempts
Better brand credibility with email providers
Preparation for potential future requirements
Most Dubsado users send well below the 5,000 daily threshold, but adding a basic DMARC record with p=none is a simple step that can help protect your domain and improve email delivery rates.