New Rules Impact 500 Million Outlook Users

Email has been both a blessing and a curse for billions of users. Unfortunately, it’s definitely been a blessing for hackers and a curse for consumers who receive their phishing attacks, malware attachments and more. Although highly-targeted “spear” phishing attacks are increasingly seen as the way to go by sophisticated threat actors, there’s no doubting the broad impact that spray-and-pray scammers, sending large volumes of email on a daily basis, have on the email ecosystem. It’s these malicious spam floods that can cause the most significant security issues, and it’s these that Microsoft is focusing on as it introduces new email security rules impacting the 500 million users of outlook.com, including hotmail.com and live.com addresses. Here’s what you need to know and do before May 5.

New Outlook Security Rules Come Into Force On May 5

Google has already taken action against the problem of malicious bulk senders impacting the security of users of the Gmail service by introducing new sender authentication requirements on April 1. The point of these new rules is to mitigate the risk of criminals using unauthenticated or compromised domains to deliver dangerous payloads. Now, at last, Microsoft is following suit and introducing similar rules to “reduce the likelihood of spam and spoofing campaigns reaching our user base,” according to an April 2 Microsoft announcement on the Windows Defender security blog.

Applying to domains sending more than 5,000 emails in a single day, and to the Outlook.com consumer service that supports hotmail.com, live.com, and outlook.com consumer domain addresses, the May 5 rules will require mandatory Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) compliance. “Non‐compliant messages will first be routed to Junk,” Microsoft said, and eventually rejected if issues remain unresolved. If you are sending marketing materials, or maybe just run a large hobby mailing list, you need to take note.

The full email authentication process has been explained in some detail by Microsoft, but the bullet point compliance requirements are as follows:

  • SPF: Must pass for the sending domain, and your domain’s DNS record should accurately list authorized IP addresses/hosts.
  • DKIM: Must pass to validate email integrity and authenticity.
  • DMARC: Must be published with a policy of at least p=none, and must align with SPF or DKIM, preferably both.
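
The three requirements above can be checked against a test message your domain has sent by reading the Authentication-Results header the receiving server adds. The following is an added example, not Microsoft's own checker or code from the original article; the function names, sample headers and DMARC record are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
def org_domain(domain):
    # Naive organizational domain: the last two labels. Assumption for this
    # example; real code should use the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return {method: (result, {property: value})} from an Authentication-Results header."""
    out = {}
    for part in header.split(";")[1:]:  # first field is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = (result.lower(), props)
    return out

def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (tag.split("=", 1) for tag in txt.split(";") if "=" in tag)}

def check_sender(from_domain, auth_header, dmarc_txt):
    """Return the list of unmet requirements; an empty list means compliant."""
    problems = []
    res = parse_auth_results(auth_header)
    spf, spf_p = res.get("spf", ("none", {}))
    dkim, dkim_p = res.get("dkim", ("none", {}))
    if spf != "pass":
        problems.append("SPF did not pass")
    if dkim != "pass":
        problems.append("DKIM did not pass")
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("no valid DMARC policy (need at least p=none)")
    mailfrom = spf_p.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    from_org = org_domain(from_domain)
    spf_aligned = spf == "pass" and org_domain(mailfrom) == from_org
    dkim_aligned = dkim == "pass" and org_domain(dkim_p.get("header.d", "")) == from_org
    if not (spf_aligned or dkim_aligned):
        problems.append("neither SPF nor DKIM aligns with the From domain")
    return problems

# Constructed sample inputs (not real traffic): an aligned sender, and a
# third-party mailer that passes SPF and DKIM only for its own domain.
GOOD = "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"
UNALIGNED = "mx.example.net; spf=pass smtp.mailfrom=bounces@esp-mailer.example; dkim=pass header.d=esp-mailer.example"
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

The `UNALIGNED` case shows the failure bulk senders most often miss: SPF and DKIM both pass, but for the mailing provider's domain rather than the domain in the From address, so the alignment requirement is not met.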
