Back to ResourcesDMARC Guides

Microsoft’s Latest Update to May 5th DMARC rules

By Samuel ChenardMay 1, 20253 min read
Microsoft’s Latest Update to May 5th DMARC rules
__wf_reserved_inherit We previously covered the Microsoft’s new email authentication requirements that are set to roll out on May 5, 2025, for Outlook and Hotmail. Today Microsoft just released an update providing more clarity on the action that will be taken against non-compliant emails.

What’s New in This Update

Microsoft has just updated its new security requirements strategy to tackle non-compliant emails. Here’s the key change since the original announcement:

  • Immediate Rejections: As of May 5, 2025, emails that fail SPF, DKIM, or DMARC authentication checks will be rejected outright. Senders will receive a specific error message: "550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level." This applies to all senders, with no exceptions, ensuring clarity on why messages are blocked. There will be no grace period or temporary Junk folder routing, instead full rejection will begins immediately on May 5, 2025.
This update eliminates any temporary measures or phased enforcement. Compliance with SPF, DKIM, and DMARC is essential by May 5, 2025, to avoid email delivery issues, regardless of your sending volume.

Compliance Checklist Recap

Ready to ensure your emails comply with Microsoft’s new rules? Here’s a streamlined roadmap to get you there:

Five-step flow to comply with Microsoft's email authentication rules: audit, monitor with p=none, analyze reports, set up SPF and DKIM, then tighten DMARC policy. Follow these five steps before May 5, 2025 to avoid outright rejection.

1. Audit Your Setup

Check your current email authentication status using Palisade’s Microsoft Compliance Checker. This reviews your SPF, DKIM, and DMARC configurations, giving you a baseline to identify what needs fixing.

2. Start DMARC Monitoring

Set up DMARC with a p=none policy to monitor email traffic without affecting delivery. This step provides insights into how your emails are authenticated.

Example DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:reports@example.com; 3. Analyze Reports and Wait for a Full Cycle

Wait for a full cycle—typically a few days to weeks, depending on your email volume—to collect and analyze DMARC reports. These reports highlight authentication issues and unauthorized senders.

4. Set Up SPF and DKIM Properly

Use your DMARC report data to configure SPF and DKIM:

  • SPF: Update your DNS with a record listing only authorized mail servers. Keep it under the 10 DNS lookup limit to avoid issues.
  • DKIM: Generate and publish a DKIM key to digitally sign your emails, proving their authenticity.
5. Gradually Shift DMARC Policy

Once SPF and DKIM are solid, tighten your DMARC policy:

  • Move to p=quarantine to flag suspicious emails as spam.
v=DMARC1; p=quarantine; rua=mailto:reports@example.com;
  • Then shift to p=reject to block unauthorized emails entirely.
v=DMARC1; p=reject; rua=mailto:reports@example.com; This gradual approach minimizes disruptions to legitimate emails. __wf_reserved_inherit Palisade's AI-first DMARC agent can carry the authentication work across your domains:
  • Investigate the services sending mail for each domain.
  • Work through SPF and DKIM alignment.
  • Move DMARC toward enforcement after legitimate sources are accounted for.
After publishing changes, verify a real delivered message and continue reviewing DMARC reports. A valid DNS record alone does not prove that every sending path authenticates correctly. __wf_reserved_inherit

Check your current Microsoft results

The May 5, 2025 enforcement date has passed. Check Microsoft's current sender requirements, then test the exact production paths that send to Outlook and Hotmail recipients.

If you manage 10 or more domains, Palisade's AI-first DMARC agent can investigate the sources and carry the SPF, DKIM, and DMARC work across the portfolio.

Keep going with AI

Ask AI how this applies to you

Take this guide to your assistant — each question opens pre-filled, with a link back to this page so it can read the details.

  • How does this apply to my domain?
  • What should I do about it, step by step?

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, AI-first DMARC software for MSPs and teams managing 10 or more domains.

More from Samuel

Related articles