Strengthening Email Ecosystem: Outlook’s New Requirements for High‐Volume Senders
April 29th Update - Changes have been made to the action take on messages that do not meet requirements, please see details below. Introduction In an era where email remains one of the most widely used tools for personal and business communications, Outlook is stepping up its commitment to protect inboxes and preserve trust in the digital ecosystem. Today, we’re announcing new requirements and best practices designed to strengthen email authentication for domains sending more than 5,000 emails per day. These new requirements will enforce stricter standards by including mandatory SPF, DKIM, DMARC settings. Outlook is pushing the broader industry toward best practices and safeguarding the millions of individuals and small businesses that rely on us every day. These measures will help reduce spoofing, phishing, and spam activity, empowering legitimate senders with stronger brand protection and better deliverability. Outlook has always prioritized user safety and reliability; we’re proud to further invest in this solution that will keep our customers safe and reinforce the best practices across the industry. We believe that by raising the bar for large senders, we can inspire lasting change that benefits everyone. What's Changing? For domains sending over 5,000 emails per day, Outlook will soon require compliance with SPF, DKIM, DMARC. Non‐compliant messages will first be routed to Junk. If issues remain unresolved, they may eventually be rejected. Senders will soon start requiring compliance with the following requirements: SPF (Sender Policy Framework) Must Pass for the sending domain. Your domain's DNS record should accurately list authorized IP addresses/hosts. DKIM (DomainKeys Identified Mail) Must Pass to validate email integrity and authenticity. DMARC (Domain-based Message Authentication, Reporting, and Conformance) At least p=none and align with either SPF or DKIM (preferably both). Learn more about email authentication here. Additional Email Hygiene Recommendations Large senders should also adopt these practices to maintain quality and trust: Compliant P2 (Primary) Sender Addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies. Functional Unsubscribe Links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail. List Hygiene & Bounce Management: Remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. Transparent Mailing Practices: Use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages. Outlook reserves the right to take negative action, including filtering or blocking—against non‐compliant senders, especially for critical breaches of authentication or hygiene. Enforcement Timeline Starting today, we encourage all senders and particularly those that send at high volume to review and update their SPF, DKIM, and DMARC records, in preparation for when the enforcement begins, starting in May. After careful consideration and to ensure the protection of users and remove any confusion on why a message was in the junk folder for both the recipient and sender, we have made a decision to reject messages that don't pass the required authentication requirements detailed above. The rejected messages will be designated as "550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level." This change will state taking effect on May 5th as originally stated. After May 5th, 2025, Outlook will begin routing messages from high volume non‐compliant domains to the Junk folder, giving senders an opportunity to address any outstanding issues. NOTE: that in the future (date to be announced), non-compliant messages will be rejected to further protect users. Next Steps Prepare Now: Audit your DNS records (SPF, DKIM, DMARC) and verify you meet all the requirements. To view the authentication header, visit this. To learn how to read authentication headers, click here. Stay Informed: We’ll provide updates on official rollout schedules, and dates for when rejection actions will begin through a blog post. Join Our Mission: Embracing better authentication and hygiene not only benefits your deliverability but also helps protect the entire email ecosystem. For additional resources or support, visit sender support. Thank you for partnering with us to make email a more secure, transparent, and trusted channel for everyone. Frequently Asked Questions (FAQ) Why is Outlook requiring these changes specifically for high‐volume senders? Large senders have a broader impact on inbox safety. By focusing on senders of 5,000+ messages a day, we significantly reduce the likelihood of spam and spoofing campaigns reaching our user base. How do SPF, DKIM, and DMARC help me as a sender? These authentication protocols verify your emails for recipients. Compliant senders often see improved deliverability, fewer bounce‐backs, and stronger brand credibility. Do I still need to do this if I send fewer than 5,000 emails/day? While enforcement first targets large senders, all senders benefit from these best practices. Strong authentication protects your reputation. What exactly is a “functional” unsubscribe link? It’s a link placed in your email that allows recipients to quickly opt out of future mail. It should be easy to find and reliable when clicked. Will these changes stop all spam? No system eliminates spam entirely, but these measures make it much harder for malicious actors to succeed and give legitimate senders higher trust. What does “alignment” mean for DMARC? Alignment ensures the “From” domain matches (or sub domain) the domain used by SPF and/or DKIM. This prevents bad actors from exploiting your domain name. My SPF record has multiple include statements—could that cause issues? If you exceed 10 DNS lookups, your SPF check might fail. Tools exist to “flatten” your record or reduce the number of includes. Why does Outlook recommend ARC for forwarding/mailing lists? Forwarding can break DMARC alignment. ARC preserves the original authentication checks, preventing legitimate forwarded mail from being wrongfully flagged. How often should I clean my mailing lists? Aim to remove inactive or invalid addresses regularly—monthly or quarterly. This lowers bounce rates, cuts costs, and reduces spam complaints. If I use a 3rd‐party email vendor, do I still need SPF, DKIM, DMARC records in my domain DNS? Yes. Even if you outsource sending, authentication is tied to your domain. Coordinate with your provider to ensure correct DNS settings. How does Outlook handle DMARC aggregate (rua) and forensic (ruf) reports? We send RUA to the addresses specified in your DMARC record. You can analyze these to see who is sending on behalf of your domain, spot domain abuse, and confirm alignment. We don’t have plans to send RUF. Can separate mail systems have unique DKIM selectors? Yes. Managing multiple selectors (e.g., selector1, selector2) helps maintain clarity and isolate reputation concerns across various business units or campaigns. Learn more about how to configure DKIM here. Does publishing a strict DMARC policy (p=reject) offer better security? Absolutely, once your legitimate sources are aligned, p=reject is the most effective at thwarting domain spoofing. We advise moving gradually (none → quarantine → reject) to avoid unintended mail loss. If someone regularly reports my emails as spam despite authentication, what can I do? Authentication ensures emails are from you, but user perception still matters. Review your content, frequency, and opt‐out process to ensure recipients remain engaged and not overwhelmed. Will adding to safe senders list bypass the new enforcement? No. Safe Sender list won’t be honored.SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps
The world is experiencing rapid changes, with artificial intelligence (AI) significantly transforming businesses and lifestyles. Additionally, it is impacting cybersecurity, as attackers leverage AI to refine their techniques. Microsoft is committed to ensuring that its AI-powered tools are secure and reliable for business applications. The security of AI remains a primary focus. M365 Copilot Chat Copilot serves as the user interface for AI, beginning with Copilot Chat. It is the chat experience utilized daily, powered by extensive knowledge from the web and designed to ensure safety and security for business applications. This platform signifies a fundamental change in our work methods, allowing individuals to operate more intelligently, efficiently, and collaboratively. While Copilot Chat is a powerful new on-ramp for everyone in your organization to build the AI habit, Microsoft 365 Copilot remains our best-in-class personal AI assistant for work. It includes everything in Copilot Chat and more. Enhancing Security of M365 Copilot Chat with SafeLinks We are excited to announce some important updates to M365 Copilot Chat that will enhance security and user experience: 1. SafeLinks protection at Time-of-Click of URL: Microsoft Defender for Office 365's SafeLinks protection has been successfully released worldwide for Copilot Chat on Desktop, Web, Outlook Mobile, Teams Mobile and Microsoft 365 Copilot Mobile app (iOS and Android)! M365 Copilot Chat has integrated with SafeLinks in Defender for Office 365 to provide time-of-click URL protection for the hyperlinks included in its chat responses. This functionality applies to users with Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. No policy configuration is needed within the SafeLinks policy. Within Microsoft Defender for Office 365 Security Center, the URL protection report will show the relevant summary and trend views for threats detected and actions taken on URL clicks generated from within M365 Copilot Chat. Moreover, Security Operations Center analysts will be able to see the source of the originating URL clicks in the investigation and hunting experiences within Microsoft Defender for Office 365. 2. Native Time-of-Click URL Reputation Check: For users without SafeLinks protection (which is available as part of Microsoft Defender for Office 365), M365 Copilot Chat will natively enable time-of-click URL reputation check for the hyperlinks returned in its chat responses. 3. Hyperlink Display Changes: M365 Copilot Chat no longer redacts hyperlinks in its chat responses if they are found in the grounding data used to generate the responses. These updates ensure that M365 Copilot Chat remains a secure and reliable tool for your organization, helping you navigate the complexities of modern cybersecurity. What’s Next? Following this release, SafeLinks protection will be available to Copilot App Chats for Word, PowerPoint and Excel. Conclusion As AI continues to evolve, so do the threats that come with it. At Microsoft, we are dedicated to staying ahead of these threats and providing our customers with the tools they need to stay secure. With the integration of SafeLinks, M365 Copilot Chat is poised to be a game-changer in the world of business AI. Note: This blog post is associated with Message Center post MC1013453. Learn more Microsoft Defender for Office 365 SafeLinks protection M365 Copilot Chat
Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. In January of this year, we shared an example of how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. Today, we are excited to announce the release of an updated version of the Microsoft Defender for Office 365 Detections and Insights – Microsoft Sentinel workbook. Over the past few months, we have received feedback from numerous security teams, offering a multitude of ideas for new insights, updated visuals, and improved structure for the workbook. We have incorporated these suggestions into this update to enhance the experience for all users of the Microsoft Defender for Office 365 Detections and Insights workbook. What’s new? We have changed the workbook structure and divided visuals and insights related to the same topic to be on their own tab. We have also added many new visuals and updated existing visuals. Using tabs for easier navigation Simply use the tabs now on the top of the workbook to navigate between the various insights' groups. Notable changes: False Positive and False Negative Submissions insights are separated to have their own tab A new tab added for Quarantine Insights. The complete list of tabs is: Detection Overview | Email - Malware Detections | Email - Phish Detections | Email - Spam Detections | URL Detections and Clicks | Email - Top Users/Senders | Email - Detection Overrides | False Negative (FN) Submissions | False Positive (FP) Submissions | File - Malware Detections (SharePoint, Teams and OneDrive) | Post Delivery Detections and Admin Actions | Quarantine Insights Please note: The workbook has a total of 12 tabs. If all tabs are not visible, you can access the remaining tabs using the "..." located at the end of the tab list on the right side. New insights and visuals We have added new insights and visuals to help security team members better understand their Email security posture. Some examples: Detection Overview tab - Bad traffic percentage (%) - Inbound Emails Visualizes bad traffic (% of emails with threats) compared to total inbound emails over time summarizing the data daily. Email – Malware/Email-Phish detection tabs - Zero Day detections (URL & Attachment detonation) Visualizes total emails with Malware/Phish detections over time summarizing the data daily by detection technologies/controls used for detecting unknown-unique malware and phish (URL detonation, File detonation). Email - Phish Detections tab - Top Domains Outbound with Emails with Threats Inbound (Partner BEC) Visualizes top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders). Email – Malware/Phish/Spam Detection tabs - Detections by delivery location Visualizes total emails with Malware/Phish/Spam detections over time summarizing the data daily by Delivery Location. These insights can help security teams drive towards stronger security posture by adopting Quarantine as filter verdict action replacing Move to Junk email folder. URL Detections and Clicks tab – Top malicious URLs clicked by users Visualizes top malicious URLs with the number of clicks attempts performed by users. False Negative (FN) Submissions tab – new insights added for user defined filter verdict override configuration impacting the delivery action of the reported email, top 10 inbound P2 senders' domains of reported emails, top subjects of the internal emails reported by users as Phish, number if user reported Phish emails where the email is already in the Junk email folder. Updated Insights We have updated existing insights by adding additional information to them or visualizing the raw data in a different way. Some examples: Email – Malware/Phish/Spam Detection tabs - Email Top 10 Domains sending Malware table view now has Total emails sent by the sender domain and bad traffic % from the sender domain. Grid views are now searchable: False Negative (FN) Submissions/ False Positive (FP) Submissions are separated now on their own tab, existing insights got updated to understand better what users and security team members are submitting. Malware family related visuals on Email – Malware detections and File - Malware Detections (SharePoint, Teams and OneDrive) are using searchable grid now: How can I get the updated version? The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel - Content hub. Version 3.0.12 of the solution has the updated workbook template. If you already have the Microsoft Defender XDR solution deployed, version 3.0.12 is available now as an update. After you install the update, you will have the new workbook template available to use. If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use. How to share the workbook with others Leveraging Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is granting recipients access to Microsoft Sentinel or all of the tables within the workspace. Using some different RBAC components, this can be done. For details, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog. Can I edit the workbook and change the visuals? Yes, absolutely. The Microsoft Defender for Office 365 Detections and Insights is a workbook template in Microsoft Sentinel. It is ready to use with a few simple clicks, however when needed you can save and edit the workbook based on your organization’s need. You can customize each visual easily or review the underlying KQL. Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights. More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn Why use workbooks in Microsoft Sentinel for email security reports and insights? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example, you can store Defender for Office 365 Email Events table data for 1 year and build visuals over a longer period of time. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready-to-use workbook templates and customize them if it's needed. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel Learn more about Microsoft Sentinel workbooks Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR
Built-in report button is available in Microsoft Outlook across platforms
Outlook and Defender for Office 365 are excited to announce the release of built-in report button in Microsoft Outlook across platforms (web, new Outlook for Windows, classic Outlook for Windows, Outlook for Mac, Outlook for Android, Outlook for iOS, and Outlook for android Lite) for both personal and commercial accounts. You can find the built-in button across Outlook: Outlook on the web. New Outlook for Windows. Outlook for Mac version 16.89 (24090815) or later. Classic Outlook for Windows version Current channel: Version 16.0.17827.15010 or later. Monthly Enterprise Channel: Version 16.0.18025.20000 or later. Semi-Annual Channel (Preview): Release 2502, build 16.0.18526.20024 Semi-Annual Channel: Release 2502, build 16.0.18526.20024 Outlook for iOS version 4.2511 or later and Outlook for Android version 4.2446 or later. Outlook for Android Lite Benefits the built-in report button provides for security admins It works out of the box with no setup required The reporting experience for end user is the same across consumer and commercial accounts The report button is consistent across Outlook clients The report button is front and center on all clients The report button is present on the grid view, reading panel, preview panel, context menu The report button enables the user to select in bulk and report messages at once You can turn on and off the pre and post reporting popups for users in your organization using You can customize the individual pre and post reporting popup by adding text and links in 7 diff languages The report button is present on shared and delegate mailboxes enabling end users to report emails. Now present on outlook for web, new outlook for windows, outlook for mac, outlook for android and outlook for iOS The end user reports made by these clients are routed as per the message reported destination configured in the user reported settings. You can view the user report as soon as they are made on the If you have configured Microsoft only or Microsoft and my reporting mailbox in the user reported settings, the result from Microsoft analysis are available on the result column You can turn off the built-in report button on user reported settings by Selecting non-Microsoft add-in button and providing the address of the reporting mailbox of the 3 rd party add-in, or Deselecting monitor reported messages in outlook Note: The report phish add-in and the report message add-in does not provide support for shared and delegate mailbox. The report phish add-in, the report message add-in, and the built-in report button all read from the same user reported settings and use the same internal reporting API. In a way there are two different doors (entry point) to the same house (the backend). For the moment, the report message and report phish add-in are in maintenance mode to provide enough time for customers to migrate to the built-in button. To learn more, please check out Transition from Report Message or the Report Phishing add-ins - Microsoft Defender for Office 365 | Microsoft Learn Report phishing and suspicious emails in Outlook for admins - Microsoft Defender for Office 365 | Microsoft Learn User reported settings - Microsoft Defender for Office 365 | Microsoft Learn Protect yourself from phishing - Microsoft Support Report phishing - Microsoft Support How do I report phishing or junk email? - Microsoft Support
