Sending Emails from Verified Domains

If you’re still sending email from an onmicrosoft.com address, Microsoft is tightening the rules. This matters because your messages could start getting throttled or blocked, which means invoices, password resets, and customer updates might never arrive. Microsoft’s goal is to stop spammers who spin up fresh tenants and abuse the shared onmicrosoft.com domain. But the side effect is real organizations will see lower deliverability and limits on bulk or automated sends until they move to a proper, verified domain. What’s changing? Microsoft is putting sending limits and stricter checks on any email that leaves an onmicrosoft.com address. Because it’s a shared domain used by millions, one bad actor can hurt the reputation for everyone. The fix is simple but urgent: switch to your own branded domain and set up modern email authentication (SPF, DKIM, and DMARC). That tells receiving mail systems, “Yes, this is really us,” and helps keep your mail out of spam and off block lists. What should you do now? Audit where onmicrosoft.com shows up—service accounts, no-reply inboxes, ticketing tools, scanners, CRM alerts, and scripts. Register or connect your custom domain, add the DNS records, and rotate apps and automations over to the new addresses. Test mail flow, watch for bounce backs, and update address books, forms, and templates. Train your team so they know which sender addresses are approved going forward. A little cleanup today will save a lot of missed messages tomorrow. #Microsoft365 #EmailSecurity #ITAdmin #ChangeYourPassword Follow me for regular updates on Microsoft 365 changes, security tips, and clean-up checklists that keep your org’s email flowing.

Email marketers, it's time to mark your calendars. On February 1st, 2024, Google and Yahoo will require bulk senders to authenticate their emails, make unsubscribing easy, and stay under a spam rate limit. Let's walk through the new standards: ✅ Email Authentication: Senders need DMARC, SPF, and DKIM verification. 🚫 Easy Unsubscription: One-click unsubscribe with a two-day honor period. 🙅 Low User-Reported Spam: Under 0.3% spam rate threshold. These new requirements are a good thing! Less spam in inboxes means your legitimate emails are more likely to be seen. Authenticated emails are also essential for security reasons, making phishing attempts easier to squash. Emails also look more reputable and on-brand from your organization's domain than your technology provider's. (The same guidance applies to URLs.) For nonprofits, these rules take effect after the EOY fundraising season. That said, February 1st will be here before you know it. Here are some steps to take: EMAIL AUTHENTICATION There are two ways to verify if you have DMARC, SPF, and DKIM records in place. 1. Find an email from your organization sent to your personal Gmail address. Click the three dots and select "Show Original." Each record should be marked as "PASS." 2. Use a web tool such as EasyDMARC's domain scanner. Enter each domain you use to send bulk emails, and it will show you whether DMARC, SPF, and DKIM records are in place. If you don't have all three in place, check with your tech provider for a how-to guide. EASY UNSUBSCRIPTION To meet the new "one-click" unsubscribe requirements, emails must include a List-Unsubscribe header. Email services use this to add unsubscribe links directly to their interfaces, so readers don't need to dig through the fine print to find the link. Look for an underlined "Unsubscribe" link in Gmail next to the email sender. In Yahoo's interface, click the three dots next to the spam button and look for an "Unsubscribe" option. Most modern email platforms have this covered, but contact yours if it is not in place. Honoring unsubscribes within two days means ensuring you have your email tool(s) set up correctly to exempt opt-outs. This should be instant, but watch out if you send from multiple platforms. When someone asks to unsubscribe from one tool, make sure their choice is respected in all the others. This is all the more reason to integrate your tech stack and have a centralized system for collecting consent, sending emails, and managing opt-outs. LOW USER-REPORTED SPAM With the right tools, the 0.3% threshold is easy to manage. First off, enable Google's Postmaster Tools to see where you stand. Secondly, make sure you only send to engaged contacts. This will reduce your spam rate and increase your engagement rates. Email deliverability doesn't need to be a mysterious process! Familiarize yourself with the terminology, get your house in order, and commit to better email practices.

Key Email Authentication Methods: SPF, DKIM, and DMARC To protect against email spoofing, phishing, and other malicious activities, three primary email authentication methods are used: SPF, DKIM, and DMARC. SPF (Sender Policy Framework) : 📧 Verifies the sending server’s authorization How it works : • The domain owner publishes a list of allowed mail servers in a DNS record. • When an email is received, the recipient’s mail server checks the sender's IP address against the SPF record. • If the sender's IP is in the list, the email passes SPF; otherwise, it fails. SPF Record : nslookup -type=txt shodan.io | grep -i spf nslookup -type=txt _spf.google.com | grep -i spf dig example.com TXT | grep -i spf DKIM (DomainKeys Identified Mail) : 🔒 Confirms the email's authenticity How it works : • The sender's domain signs the email with a private cryptographic key. • The recipient’s mail server uses the public key to verify the signature. • If the signature matches, the email passes DKIM; if not, it fails. DKIM Record : v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1LfA... This record specifies the public key used to verify the DKIM signature. DMARC (Domain-based Message Authentication, Reporting & Conformance) : 🛡️Combines SPF and DKIM and enforces authentication and provides reporting How it works : • DMARC requires that either SPF or DKIM (or both) pass and align with the domain in the “From” header. • The domain owner sets a DMARC policy in their DNS record that tells the receiving server what action to take if authentication fails: none (monitor), quarantine (mark as spam), or reject. DMARC Record : v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com This DMARC policy specifies that emails failing SPF/DKIM should be rejected, and reports should be sent to dmarc-reports@yourdomain.com. How They Work Together : • SPF checks whether the server sending the email is authorized to do so. • DKIM ensures that the email content has not been tampered with during transit. • DMARC enforces alignment between the domain in the “From” field and the domains used for SPF and DKIM, and it instructs receiving mail servers on what to do if SPF or DKIM checks fail. https://lnkd.in/eiQ2kYFn https://lnkd.in/eCZRqGGf https://lnkd.in/eKjEgggP #EmailSecurity #SPF #DKIM #DMARC #PhishingProtection #EmailAuthentication #InfoSec

New Outlook rules take effect today & Microsoft will begin rejecting / bouncing emails from domains that lack proper authentication. If your domain isn’t set up with SPF, DKIM, and DMARC, your emails may not reach any Outlook, Hotmail, or Live users. This is especially critical for anyone sending emails to more than 5,000 recipients at once. Initially, Microsoft announced that unauthenticated emails would be filtered into spam. However, last week they changed course and decided to enforce rejections right from the start. As a result, many companies will likely see more rejected / bounced emails, flagged with the 550 5.7.515 error code. Whatever system you use for mail distribution, make sure your domain is properly authenticated with their infrastructure. Even if you think it is, it's worth double-checking the authentication settings and analyzing your #DMARC reports from the past month to ensure all existing mail streams are properly configured. #Microsoft #EmailDeliverability