Our recent webinar, “Stay Deliverable: Meet Microsoft Outlook’s New Email Sender Requirements,” brought in an engaged audience with insightful questions about how Microsoft’s updated policies affect bulk email senders. From domain management and alignment to monitoring and implementation challenges. As promised, to ensure everyone gets the answers they need, we’ve compiled some of the most important questions from the webinar, along with expert responses from our team. Let’s dive in! 1. Domain Management & Alias Complexity I have multiple domains, with one being main and others as alias domains. We’re having deliverability problems with aliases due to DMARC and Gmail/Yahoo requirements. Should I separate them entirely? There’s no specific indication that having alias domains could affect deliverability with Google and Yahoo. When it comes to alias domains, you can only set DKIM alignment to pass with the From: address alias domain. SPF alignment will always fail. Also, it’s good to note that the primary domain will continue sharing its reputation with alias domains in general. You can separate them entirely or set them up as secondary domains, where they will be fully independent from the primary domain and won’t share reputation. Even so, the reputation relies on thousands of data points. If I have EasyDMARC on my primary domain, do I need to set it up again on subdomains I send from? No. If you add just your primary domain, then your subdomains will automatically populate in your DMARC aggregate reports once we receive reports indicating there are outgoing emails from your subdomains. DMARC for subdomains will automatically inherit everything (policy and reporting) directly from the root/primary domain. If you don’t have an explicit DMARC record on your subdomain, it will inherit everything from your root domain. 2. Tools and Platform Mismatches How do you deal with Bluehost saying “no issues” when EasyDMARC shows otherwise? There are ESPs or hosting providers that show there are no problems if everything is set correctly from a DNS perspective. However, there are cases where, even if you’ve set your DNS records correctly (SPF, DKIM, or DMARC), things can still fail depending on your sending practices. It’s always best to follow the live process of DMARC reports, which are generated every 24 hours and show exactly what MBPs are saying about your authentication process. 3. Provider-Specific Requirements Are SPF, DKIM, and DMARC requirements different for Microsoft vs Gmail? If we’re good with Google, are we good with Microsoft too? Generally, yes. Both require senders to have SPF and DKIM authentication set up with DMARC implemented using at least p=none. When it comes to alignment, Google and Microsoft both require either SPF or DKIM to be aligned with the From: address domain, but Microsoft goes a step further by preferring both to be aligned. Google has Postmaster Tools. Is there a Microsoft equivalent? Microsoft provides SNDS, which is an IP-based Postmaster tool, unlike Google Postmaster, which is domain-based. That being said, Microsoft SNDS is useful and can be implemented if you have dedicated IP pools. Are there extra DMARC requirements for domains like cox.net or frontier that transitioned to Yahoo? Yes.  4. Implementation Clarifications What is “alignment” in the DMARC context? Alignment in DMARC means that the domain in the From: header matches (or is a subdomain of) the domain used in SPF or DKIM authentication. DMARC passes only if either SPF or DKIM passes and aligns with the From domain. Without alignment, even valid SPF/DKIM results won’t satisfy DMARC. If the sending server only supports SPF, what can be done? If SPF is the only supported authentication method, you must ensure SPF passes and aligns with the domain in the From: header to satisfy DMARC. Use a custom Return-Path domain that aligns, or adjust the From domain to match the SPF-authenticated domain. However, relying only on SPF is risky because intermediate forwarding can break SPF. DKIM signing is recommended for redundancy, better deliverability, and to avoid false positives. Is continuous monitoring needed after you configure DMARC? If yes, why? Yes, continuous monitoring is critical even after DMARC is configured. Email ecosystems change frequently; new services, new domains, or third-party platforms may start sending on your behalf without proper SPF/DKIM. Monitoring DMARC reports helps you detect unauthorized sources, misconfigurations, and alignment issues in real time. Without monitoring, you risk delivery failures. 5. Record Limits and Best Practices Can a domain have two SPF records? No, a domain must have only one SPF TXT record per domain level. If you publish more than one, SPF validation will fail with a PermError. Instead, you should merge all mechanisms and includes into a single record. Use tools to validate syntax and avoid duplication when combining SPF entries. Note: You can have an SPF record on different subdomains. What if a domain’s SPF needs more than 10 includes? Does EasyDMARC help with this? Yes, we have an EasySPF solution that replaces includes with resolved IPs and keeps your record within limits. It also auto-updates your SPF record regularly to reflect IP changes. Will having different DKIM selectors cause a conflict? No, multiple DKIM selectors can coexist without conflict. Selectors are used to locate the DKIM public key in DNS, and each selector is independent. This allows different services (e.g., Microsoft, Mailchimp) to sign with their own selectors. Just ensure each selector’s DNS record is correct and that you monitor them using DMARC Aggregate reports. 6. Sending Limits and Provider Rules This requirement applies to domains sending 5000+ emails/day via Microsoft 365, not just outlook.com/hotmail.com, right? No, this requirement is not about sending from Microsoft 365. It applies to any domain that sends over 5,000 emails per day to Microsoft’s consumer email services, such as outlook.com, hotmail.com, and live.com. The infrastructure you send from doesn’t matter—what matters is the volume of messages received by Microsoft consumer mailboxes. These domains must comply with Microsoft’s SPF, DKIM, and DMARC requirements or risk delivery issues. Microsoft 365 (enterprise mail) is not currently affected by this enforcement.  7. Miscellaneous but Useful Why did it take companies so long to adopt SPF, DKIM, DMARC if the solution existed for years? Adoption lagged due to a lack of awareness, poor tooling, and fear of breaking legitimate email flows. SPF and DKIM require precise DNS setup, and DMARC enforcement can cause delivery issues if alignment isn’t handled properly. Which BIMI cert is being de-trusted? The Entrust BIMI VMC is being de-trusted by Google starting August 31, 2024. This means BIMI logos using Entrust-issued VMCs will no longer display in Gmail after that date. Define CMC, please. CMC stands for Certified Mark Certificate. It’s a BIMI-compatible certificate issued to organizations without a registered trademark, allowing them to display a verified logo (without the blue checkmark) in email clients. Unlike a VMC, which requires a registered trademark, a CMC can use logos that are pending trademark approval or internally validated. For full compliance, does reporting (RUA/RUF) need to be enabled and monitored? No, enabling RUA/RUF is not required for DMARC compliance, but it’s strongly recommended (for us, it’s required). Reports don’t affect enforcement but provide visibility into who’s sending mail on your behalf and whether it passes SPF/DKIM. Without reports, you’re flying blind and could miss abuse or misconfigurations. Monitoring RUA reports helps you maintain ongoing compliance and security. What does “unsubscribe processing timeline (must honor within 2 days)” mean exactly? Does it include users who mark as spam? It means if a user clicks “unsubscribe,” their request must be processed and fully effective within 2 days, no more emails after that. It doesn’t apply to users who mark emails as spam, but high spam complaint rates are still tracked and can affect your domain reputation. Final Thoughts The new requirements from Microsoft mark a significant step toward a more secure and reliable email ecosystem but they also demand proactive configuration and monitoring from senders. We hope these answers clarify the nuances of authentication, domain reputation, and compliance as they relate to both Microsoft and other major mailbox providers. If you still have questions or need help implementing the right email security practices, our team is always here to support you. Stay tuned for more updates and educational sessions as the email landscape continues to evolve. The post Answering Your Webinar Questions: Meet Microsoft Outlook’s New Email Sender Requirements appeared first on EasyDMARC.