It’s been over a month since Microsoft announced that it would require SPF, DKIM and DMARC to successfully deliver emails to Outlook domains for bulk senders. It’s yet another huge change in the email landscape.
With the deadline now passed, it’s time to reflect on what it means for businesses and for MSPs supporting their clients.
For a brief overview of SPF, DKIM and DMARC, you can see here, but for now let’s get started with why businesses shouldn’t be overlooking the change because of the ‘bulk sender’ label.
Beyond bulk senders – why everyone should care
When Microsoft made the announcement back in April, it seemed like a move aimed at large scale marketers or ‘bulk senders’ who hit 5,000 messages a day. But there’s a catch: the 5,000 threshold isn’t a daily average. If a domain sends 5,000 emails on any single day then it will be classified as a bulk sender permanently.
What does this mean? One newsletter blast, one billing cycle or one marketing campaign could push your domain over the limit. Even if you’re not hitting that number regularly, you’re still at risk of disrupting deliverability if you’re not meeting the SPF, DKIM and DMARC rules. And, with Gmail and Yahoo already enforcing similar rules, this isn’t a Microsoft issue – it’s becoming the new standard across the email ecosystem and represents the importance of tightening up email security across the board.
The problem with Microsoft’s change
With this change now in full effect, if businesses don’t have a properly configured DMARC policy in place there’s a high chance of email deliverability (and security) being affected.
And, one of the biggest issues of this change was that only 7 days before Microsoft enforced the DMARC requirements, they changed the goal posts. The change implemented was, if businesses do not have a DMARC record in place, then emails will be ‘bounced’ rather than ending up in junk folders.
What this decision demonstrated is that Microsoft have set a precedent that they are happy to provide incredibly short notice on significant email security and deliverability changes. This makes it extremely difficult for businesses to respond in a reasonable time and is a significant call to action for all businesses to get ahead of the curve and ensure DMARC is in place.
So, how do we get DMARC right?
DMARC is a journey. It isn’t just a quick one-off event. Most domains should begin with a DMARC policy set to p=none (the most lenient policy). From there, reports needs to be analysed and all legitimate sending servers identified – these will include email clients, marketing platforms, CRMs, billing platforms, ticketing systems and so on.
In other words, anything that sends emails from your domain will need to be configured with SPF, DKIM or both as required (different platforms have different requirements here – it’s yet another complication to manage). Once everything is in place, you can gradually move to p=quarantine and eventually p=reject.
This is a process that can take weeks or months, especially if you’re managing multiple systems or email domains. This is why at Brigantia, we’re partnered with Sendmarc, a platform that simplifies and automates the DMARC journey, making it as fast, reliable and stress free as possible. Sendmarc guarantees to take a domain to p=reject within 90 days – something other competitors don’t promise.
The importance of DMARC for security
When we talk about DMARC, it’s not just about email deliverability. Critically, it’s also about security. Without a DMARC policy in place, domains are vulnerable to spoofing. That means cyber criminals can impersonate an individual or business and send emails that look like they came from them.
This isn’t a ‘could’ happen scenario – spoofed emails are one of the most common threats for phishing and fraud. And you don’t need to be a household name to be targeted. In fact, smaller businesses are often seen as easier marks, precisely because they’re less likely to have strict DMARC policies.
DMARC, along with properly configured SPF and DKIM, makes impersonation dramatically harder. It tells receiving mail servers to verify that a message claiming to be from a domain actually is and to act if it’s not.
So, even if your clients are willing to risk email deliverability issues, are they willing to risk email impersonation? MSPs have to take the lead on securing email domains.
DMARC and the opportunity for MSPs
For MSPs, the shift in the DMARC landscape is both a challenge and opportunity. The challenge is the scale of it. They have to support dozens or even hundreds of clients configure and enforce email authentication policies correctly. But the opportunity to deliver this effectively is huge.
DMARC compliance is a valuable service offering and one that needs to become part of the norm when providing email security and services. When it comes to DMARC, clients need more than just technical configuration, they need ongoing support and monitoring to ensure email infrastructures continue to meet delivery requirements and remain secure. This is where MSPs can step up and where solutions like Sendmarc come in.
Sendmarc has made it possible for Brigantia partners to deliver DMARC at scale with confidence, and with tangible results. It couldn’t be easier to manage multiple client domains (without having to log in to multiple DNS management portals individually!), and Sendmarc guarantees getting any domain to p=reject within 90 days.
Take DMARC action …
Microsoft’s deadline has passed, and the direction is clear, domains need to be secured and every business needs to have the right configurations in place so emails continue to safely reach inboxes.
If you’re interested in finding out about Sendmarc and how it can work for your clients, get in touch to book a demo, or head to our Sendmarc vendor page.
