Microsoft requires high-volume senders to authenticate their mail with SPF, DKIM, and DMARC records. Even if you send far less than that, adding a DMARC record protects your domain's reputation and helps your emails land in the inbox instead of the spam folder.
Microsoft email authentication overview
Microsoft requires high-volume senders (those sending more than 5,000 emails per day) to comply with three email authentication protocols:
SPF (Sender Policy Framework): must pass for the sending domain
DKIM (DomainKeys Identified Mail): must pass to validate email integrity
DMARC (Domain-based Message Authentication, Reporting, and Conformance): must be set to at least
p=noneand align with either SPF or DKIM
Non-compliant messages from high-volume senders are rejected with the error: 550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level.
This article focuses on DMARC. For SPF and DKIM, see how to set up SPF and DKIM records.
These requirements primarily target high-volume senders, but the underlying practices benefit every sender by improving deliverability and protecting your domain's reputation.
Understanding DMARC
DMARC builds on SPF and DKIM to add another layer of email authentication. If you haven't set those up yet, see how to set up SPF and DKIM records first. Where SPF and DKIM verify that a message is authorized to be sent from your domain, DMARC tells receiving email servers what to do when a message fails those authentication checks.
A DMARC record includes a policy set to one of three values:
p=none: monitor only, so mail is still delivered normally, but reports are generated
p=quarantine: suspicious mail is sent to spam or junk folders
p=reject: failing mail is rejected entirely
Setting up your DMARC record
DMARC records are added to your domain's DNS settings as a TXT record, at your domain registrar or DNS provider, not in Dubsado. The basic format is:
Name/Host:
_dmarc.yourdomain.comValue:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
DMARC is configured entirely at your domain registrar or DNS provider. Dubsado doesn't host DMARC records, and there's no DMARC setting inside Dubsado.
DMARC policy recommendations
Roll out DMARC gradually so you don't risk your own mail delivery while you get authentication right.
Start with p=none: begin with a monitoring-only policy so you can understand your sending patterns without affecting delivery.
Gradually increase strictness: once you've confirmed your legitimate email sources are properly authenticated, move to
p=quarantineand eventuallyp=rejectfor stronger protection.Include reporting: the
ruaparameter sets where aggregate reports are sent. These reports show you who's sending mail from your domain and help you spot potential security issues.
DMARC alignment
For DMARC to pass, the "From" domain in your email must align with the domain used by either SPF or DKIM, preferably both. This alignment stops bad actors from exploiting your domain name even if they manage to pass SPF or DKIM checks on their own.
Additional best practices
Beyond DMARC, Microsoft recommends a few broader sending practices:
Use compliant sender addresses that can receive replies
Provide functional unsubscribe links for marketing emails
Regularly remove invalid email addresses from your lists
Use accurate subject lines and transparent mailing practices
For questions specific to configuring DNS records, contact your domain registrar or DNS provider. For help with email deliverability in Dubsado, reach out to Customer Care.
FAQ
Do I need to set up DMARC if I send fewer than 5,000 emails per day?
Microsoft's enforcement currently targets only high-volume senders (5,000+ emails per day), but DMARC is worth setting up no matter your volume. It improves deliverability and reputation, protects against domain spoofing and phishing, builds credibility with email providers, and prepares your domain for any future requirements. Most Dubsado users send well below the daily threshold, but a basic p=none record is a simple, low-risk step.
