Microsoft Cracks Down On Bulk Email With Strict New Outlook Rules (betanews.com)
- Reference: 0177332753
- News link: https://it.slashdot.org/story/25/05/05/1817247/microsoft-cracks-down-on-bulk-email-with-strict-new-outlook-rules
- Source link: https://betanews.com/2025/05/05/microsoft-email-blocks-start-may-2025/
> Microsoft has officially begun [2]rejecting high-volume emails that don't meet its new authentication rules.
>
> Here's the deal. If you send more than 5,000 messages per day to Outlook.com addresses (including hotmail.com and live.com) and you're not properly set up with SPF, DKIM, and DMARC, your emails may never arrive.
[1] https://slashdot.org/~BrianFagioli
[2] https://betanews.com/2025/05/05/microsoft-email-blocks-start-may-2025/
Re: (Score:2)
The self-service bulk mailing services like Mailgun will tell you how to configure your SPF, DKIM, and DMARC correctly, but it's still the senders responsibility to configure it properly. I've seen some really dumb setups in the past, where the client configures DomainA.com as their sending domain but forgets to change the From address on their e-mails to match.
Re: (Score:2)
More than that, if someone is sending that kind of volume without SPF, DKIM, and DMARC being set properly, they are likely already being blocked.
I read the summary and was like "wait, they aren't already doing that? Google has been doing that for years..."
Re: (Score:2)
> The numbers for a casual email user that's legitimate are much lower than 5000 emails per day to a collection of 5000 different people.
> It's simply not reasonable for Microsoft to allow 5000 emails from a single email address If they haven't considered the other operational considerations that are required here.
This is more likely to be impacting people running their own solutions like a self-hosted Listmonk instance, someone who didn't set up Mailchimp correctly, or a shell script that sends out unauthenticated e-mails as straight SMTP traffic...and it's targeting anyone who sends e-mails to 5,000 outlook.com users in total, not to a single recipient.
Are they going to block their own emails? (Score:2)
I get the RUA reports for my company's Microsoft-hosted email. Frequently, email sent from one Microsoft "tenant" to another Microsoft "tenant" fails SPF checks.
Re: (Score:2)
I receive similar reports from them, and the exact same e-mails sent to @gmail.com, @comcast.net, and others do validate correctly, but O365 properties can't. So I'd say this is more of a Microsoft filter problem then anything else.
Re: (Score:2)
Are you using oultlook.com for your company's hosted email? If not then YOU have to setup your DNS correctly.
Re: (Score:3)
> Are you using oultlook.com for your company's hosted email? If not then YOU have to setup your DNS correctly.
Yes, and yes it is set up correctly. The problem is that Microsoft uses servers not listed in its SPF record (include:spf.protection.outlook.com ) to send to itself.
As the post above notes: emails sent to other destinations do not fail SPF checks.
Unexplained Requirements (Score:5, Informative)
That's funny. I run a small family mailing list and I can tell you that O365 doesn't check SPF/DKIM correctly anyhow. I routinely receive DMARC reports from them where they can't validate the exact same code that Google, Comcast, et al can.
Plus if you don't have SPF/DKIM/DMARC setup, nothing ever makes it to an O365 box anywhere, it just evaporates in their filters somewhere. That was a hoot to troubleshoot.
Re: (Score:2)
In my case, the DMARC reports from MS mail services are always marked as spam by Spamassassin because:
> BASE64_LENGTH_79_INF BODY: base64 encoded email part uses line length greater than 79 characters
> MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
> FORGED_SPF_HELO
This doesn't happen with any other provider (Gmail's reports are fine).
Microsoft joins Google, Yahoo!, Comcast ... but... (Score:1)
Google and Yahoo! have had the same polilcy for years. I was running a mailing list for an HOA and even at 150 emails spread out over Google, Yahoo!, and Comcast they were being rejected if SPF/DKIM/DMARC wasn't perfect.
HOWEVER even though I have a business paid Google-served email address I KEEP GETTING SPAM and ALL OF IT comes from Google. So while they're not helpful for others to send mail to their clients, they're more than happy to let their own customers spam their other (including paying customers
Re: (Score:1)
Why yes, you are a know-nothing idiot. I have ran mailing lists, and ActBlue does that.
SO maga yourself, loser.
E
Re: (Score:2)
This isn't an insult contest.
You mean to tell me that... (Score:4, Funny)
the 500 million Phishing reports I sent in FINALLY got read? ;-D
Here's *MY* deal, Microsoft (Score:2)
> Here's the deal. If you send more than 5,000 messages per day to Outlook.com addresses and you're not properly set up with SPF, DKIM, and DMARC, your emails may never arrive.
Being properly "setup" on SPF, DKIM and DMARC isn't the only requirement by MS to drop emails. Another primary requirement is for Microsoft to actually care about their customers' emails and actually deliver them, instead of simply pretending to be an email service.
So here's my deal to you, Microsoft: you stop dropping valid emails into the void without any warnings/valid reasons, and I won't bring about a class-action lawsuit against you. Deal?
Re: (Score:2)
> Being properly "setup" on SPF, DKIM and DMARC isn't the only requirement by MS to drop emails. Another primary requirement is for Microsoft to actually care about their customers' emails and actually deliver them, instead of simply pretending to be an email service.
> So here's my deal to you, Microsoft: you stop dropping valid emails into the void without any warnings/valid reasons, and I won't bring about a class-action lawsuit against you. Deal?
My experience has been identical. After being forced onto Outlook for one of my projects I ended up capturing everything before they decide arbitrarily it doesn't even need to go to a spam folder and evaporates them - and send it to a gmail account. But that doesn't help the people I send email to. Spent a weekend setting up the alphabet soup, still MS dumped them.
I finally set up a groups.io group, which still has some issues, for people suffering from the psychotic message killing.
Next (Score:3)
What is Microsoft going to do about the low volume - like one off - emails that end up in the big bit bucket in the sky?
After moving me onto Web based outlook, and having stuff mysteriously not appear, I capture all the emails and forward them to gmail before Outlook messes with them.
I even get people wondering where emails I was sending them went to, my first question is "Outlook your reader?" Most of the time, the answer is yes.
This was all known long ago with the magic 8 ball toy which keeps telling us "Outlook Not So Good"
Re: (Score:2)
Literally the same thing they've done about it for the last decade: not a goddamn thing .
What you're describing is exactly what I've gotten out of Microsoft, Comcast, Google, and to a lesser extent other large webmail providers. They do not care about deliverability if you're not signed up with some of their BS partner programs, which are not documented anywhere. If you try, you'll get stuck in bot-hell of generated KB articles that are all fucking wrong .
Forget outlook.com (Score:2)
Even when doing SPF and DKIM right and sending a few mails per month, they still want you to manually apply for whitelisting if you run an own mail server. Good that not too many people I communicate with use it, because they really do not want your mail if you aren't one of the big players.
Re: (Score:2)
Really? I've never had an issue. I did have to get my ISP to set up a PTR record for me, but that's the only issue I've had that was outside my direct control.
Re: (Score:2)
They have IP ranges they dislike. If you're unlucky your hoster got the IPv4 addresses only recently and then Microsoft does not like your mails. I once had a server with an IP from a block that was reserved for a long time and they blocked everything. Other than some people I never had a problem with Google, though. I think you should have SPF/DKIM/DMARC and then Google is happy. I'd wish it would be that easy for Hotmail/Outlook.
Re: (Score:2)
Also never had an issue. I have SPF, DKIM, FCrDNS and DMARC set up and for bonus points, I also set up DNSSEC.
The only provider I have deliverability problems with is Apple ("foo@me.com" addresses.) No issues with Google, MSFT or Yahoo.
Re: (Score:2)
Are you absolutely sure about that ? Because my experience is vastly different. Even jumping through hoops, setting up crypto verification (SPF, DKIM, DMARC), I routinely get comments from family members that my mail doesn't go through. Sometimes they can find it in their Spam folder, but usually it's just gone , shuffled off to the big /dev/null in the sky . No error, no rejection on my end, just "mail accepted for delivery" from their SMTP gateways, then poof .
Re: (Score:2)
But you have a valid PTR, right? If the reverse lookup fails, your mail doesn't even get far enough for SPF and DKIM to matter.
Pretty rich, coming from Microsoft (Score:3)
I've been running email systems for a long, LONG time. I'm currently running about three dozen of them, handling email for different operations on different networks using different MTAs on different operating systems. (All open-source of course)
The anti-spam defenses in place at all of these are extensive and very well-planned, as they should be. They include rules in routers, rules in firewalls, rules in MTAs, and more. All of them are custom-tuned, all of them are monitored on a daily basis, and quite frequently adjusted to deal with emerging threats. As a result of all this effort, almost no spam gets through AND the false positive rate is running at about 4 messages/year.
And yet...of that "almost no spam [that] gets through", almost all of it is from Microsoft or Google. All of it passes SPF, DKIM, etc. checks: it really is from them. Together these two operations have accounted for roughly 85% of all false negative (e.g., received) spam over the last three years.
So it's pretty damn arrogant (note my handle, I'm familiar with the concept) of them to make any claims or impose any requirements on anyone, given how miserably they've both failed. What I'd like to see -- but won't -- is both of them turning them attention inwards and reducing their spam output to zero. Then, and only then, will they have any credibility with me. (Don't tell me it can't be done. I've done it, and at some large operations. And I did it without the enormous financial and personnel resources that they enjoy.)
Re: (Score:2)
Due to the nature of the service, I give them a bit of leeway and instead judge on how fast they respond to abuse reporting.
Re: (Score:2)
First, let's note that "controlling outbound spam from Microsoft et.al." is not and should not be our problem. It's theirs. They are 100% responsible for that, and it's disingenuous to insist that those of us who don't have billions of dollars and armies and employees do their jobs for them.
Second, have you checked on their responsiveness to spam/abuse/other complaints sent to their RFC 2142 mandatory role addresses lately? IF you get a response at all, and that's a big if, it's likely to be automate
Re: Pretty rich, coming from Microsoft (Score:1)
If you haven't worked on antispam for a consumer domain like outlook, Gmail, Yahoo, etc, then you likely underestimate just for hard it is.
It's nothing like antispam for companies that only give email addresses to their employees. The attack volume is magnitudes greater, for both inbound and outbound. There is also a much smaller difference between desired bulk mail (like newsletters) and abusive bulk mail.
The amount of email that gets blocked at the IP level is staggering, even though connection ba
Re: (Score:2)
This. The only SPAM I get is from MS and Google. The only phishing attempts are from MS and Google. They all have SPF/DKIM.
If I had MOD points it would be +1 informative.
How will they correlate? (Score:2)
So, if you don't have DKIM, SPF, etc. set up, and you send spam from different IP addresses using different sender domains... how will MSFT know who to attribute the 5000 emails to?
Seems silly to me. You either demand correct SPF, DKIM and DMARC from all senders, or you don't. Either way, it won't make much difference to the volume of spam.
Slashdot emails also fail DMARC (Score:3)
For months now, slashdot notification emails have been failing DMARC tests, causing all the emails to go to spam. Pretty annoying!
Re:Their new policy is the DNS should be correct? (Score:4, Insightful)
What an incredibly cumbersome and unnecessary solution you've come up with to a problem that doesn't exist.
Re:Their new policy is the DNS should be correct? (Score:4, Interesting)
Oh, Microsoft has issues with email. For the last 3-weeks they've been sending emails to me that looked so scummy and trashy, that I assumed they were junk, from an attacker. Today, my account manager from Microsoft emailed me asking why I hadn't clicked the link in the email they kept sending. I forwarded him one of the emails, and asked if those scummy looking trash emails were the ones he was referring to, and sure enough, they were from Microsoft.
The bad URL encoding, the bad template, lacking any kind of digital signature, rushed language that I click the link, and wording that sounded like a primary school student wrote it, who would have clicked on that link? Honestly, some of the communication I have with Microsoft, you'd wonder if they ever took a basic skills test. A lot of the communication is so poorly done, that if it's not an attack, you may as well assume it is.
They sent the same email over 30 times, who does that unless they're trying to get you to click the link, to steal your information? They had other means to get me the information, they had other contact methods, including my account manager, but intentionally picked the scummy, trashy, spamming email approach. Oh, and they fail DNS validation occasionally because of Microsoft quality.
Re: (Score:2)
Oh the problem DEFINITELY exists. However.. You can't just name PGP as the solution.
Even Microsoft has no power to unilaterally rewrite the rules of Email - you can't just adopt a PGP signing and web-of-trust requirement. Their own customers would tear them a new one the moment they start rejecting all their legitimate emails.
The requirement to SPF+DKIM Authenticate your emails is nothing - that's an existing industry standard. I believe Google is already enforcing this. Just about all legitimate
Re: (Score:1)
DKIM is a form of message signing. Also I love you call PGP simple. Why do you think secure messaging apps have taken off so well, yet PGP is still the realm of, well these days, almost no one? Only a few die hard nerds use it. PGP is terrible, clunky and a giant joke. Sure it was great 30 years when it was invented, but it's been long surpassed.
Suggesting it as a solution to anything in 2025 shows how out of touch you are with reality. The world has _long_ since moved on.
Re: (Score:2)
PGP is a gold standard for identity validation, look at Proton, their entire ecosystem depends on it. The reason Microsoft won't build it into a product, they can't exploit it, driving up licensing costs, and digitally molest their user base with it, and since Microsoft is basically just Epstein as a company, they're not interested. PGP is not difficult to use, it's tooling is excellent, the documentation is good, Its platform support is spectacular, so really the only reason to not use it, is some type