Spam email significantly contributes to global internet traffic. Estimates vary, but recent industry reports suggest that between 45% and 55% of all email traffic is classified as spam, equating to between 10% and 15% of global internet traffic.
This is a significant risk, considering the wasted bandwidth, which is ultimately paid for by both businesses and consumers. Moreover, a large proportion of spam carries phishing or malware threats, posing inherent cybersecurity risks.
With phishing attacks and spam on the rise, email security has become more important than ever. To protect their users, tech giants like Microsoft and Google are taking significant steps. Starting this year, they are enforcing stricter email authentication requirements, particularly for high-volume or bulk email senders.
If you send a high volume of marketing emails or newsletters (more than 5,000 per day) to Outlook.com or Gmail addresses, these changes will affect you.
What’s Being Enforced?
Both Microsoft and Google now require bulk senders to have SPF, DKIM, and DMARC in place.
- SPF (Sender Policy Framework)
SPF is like a “guest list” for your domain. It tells email servers which IP addresses are allowed to send emails on your behalf.
Why it matters: If someone tries to send spam pretending to be you, SPF can block it.
- DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails. Think of it like sealing an envelope with a wax stamp to prove it’s really from you and hasn’t been tampered with.
Why it matters: It helps ensure the message hasn’t been altered in transit and confirms it’s truly from your domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC tells receiving email servers what to do if an email fails SPF or DKIM checks. You can ask them to accept, quarantine, or reject suspicious messages.
Why it matters: This is your chance to control how spoofed emails are handled and to get reports about abuse.
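An added example, not part of the original article: a small Python audit of the three DNS TXT records described above, showing a well-configured set beside a weak one. The record values, the example.com and example.net names, and the function names are constructed for illustration; in practice the strings would come from TXT lookups on your domain, its DKIM selector, and `_dmarc.<your domain>`.

```python
import re

# Constructed sample TXT records (example.com is a placeholder domain).
GOOD = {"spf": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
        "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",  # truncated dummy key
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"}
WEAK = {"spf": ["v=spf1 include:mailer.example.net +all"],
        "dkim": "v=DKIM1; k=rsa; p=",
        "dmarc": "v=DMARC1; p=none"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or multiple SPF records both break evaluation
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms, issues = spf[0].split()[1:], []
    # RFC 7208 allows at most 10 DNS-querying terms; nested includes not followed here.
    lookups = [t for t in terms
               if re.match(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)\b", t, re.I)]
    if len(lookups) > 10:
        issues.append("more than 10 DNS-lookup terms")
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if all_terms and all_terms[0][0] not in "-~":
        issues.append("'all' does not fail unlisted senders")
    return issues

def audit_dkim(record):
    tags = parse_tags(record)
    return [] if tags.get("p") else ["empty or missing p= (no usable public key)"]

def audit_dmarc(record):
    tags, issues = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("invalid or missing p= policy")
    elif tags["p"] == "none":
        issues.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports")
    return issues

def audit_domain(records):
    return {"spf": audit_spf(records["spf"]), "dkim": audit_dkim(records["dkim"]),
            "dmarc": audit_dmarc(records["dmarc"])}
```

Calling `audit_domain(GOOD)` returns empty issue lists for all three records, while `audit_domain(WEAK)` flags the permissive `+all`, the empty DKIM key, and the monitor-only DMARC policy with no reporting address.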
Key Dates to Know
- Microsoft: Enforcement starts May 5, 2025
Microsoft will begin enforcing these rules for consumer services (like @outlook.com, @hotmail.com). If your domain isn’t properly authenticated, your messages will be rejected entirely. There is currently no timeline outlining when this will be applied to Microsoft 365 business services, but it is a matter of when, not if.
- Google: Enforcement started February 1, 2024
Google’s rules already apply to any sender sending over 5,000 emails/day to Gmail users.
If you don’t meet their requirements (like having valid SPF, DKIM, and DMARC records, plus easy unsubscribe options), your messages will be blocked or marked as spam.
Why Is This Important for Law Firms?
Implementing SPF, DKIM, and DMARC is particularly crucial for law firms, where trust, confidentiality, and regulatory compliance are non-negotiable. Here are some real-world examples demonstrating how these technologies can help protect your business:
1. Protecting Against Spoofed Emails in Legal Scams
Example: A scammer sends an email to a client pretending to be from a law firm, asking them to transfer funds to a fraudulent account for an ongoing transaction.
How SPF/DKIM/DMARC helps: If the law firm had DMARC in place with SPF and DKIM, the spoofed email would have likely been rejected or flagged as suspicious, preventing the client from being deceived.
2. Safeguarding Client Confidentiality
Example: A hacker intercepts a legal email chain and inserts themselves by spoofing a solicitor’s address, gaining access to case-sensitive information.
How SPF/DKIM/DMARC helps: With properly configured email authentication, any forged or unauthorised email impersonating the solicitor would fail checks and be quarantined or rejected, reducing the chance of a data breach.
3. Meeting Regulatory and Cybersecurity Expectations
Example: Under GDPR and Solicitors Regulation Authority (SRA) guidance, law firms must implement “appropriate technical measures” to safeguard data.
How SPF/DKIM/DMARC helps: These protocols are considered baseline best practice for securing outbound email. Failure to use them could be viewed as negligence in the event of a data incident.
4. Improving Email Deliverability & Reducing Spam Risk
Example: A firm’s legitimate emails (e.g. court filing confirmations or client updates) end up in recipients’ spam folders, delaying critical communications.
How SPF/DKIM/DMARC helps: Authenticated emails are more trusted by spam filters. These protocols improve deliverability, ensuring timely delivery of vital correspondence.
5. Protecting Your Reputation
Example: A fraudulent email claims to come from your firm offering “legal services” in a phishing campaign, damaging your brand and trustworthiness.
How SPF/DKIM/DMARC helps: These protocols prevent misuse of your domain, protecting your firm’s name from being used illegitimately.
Final Thoughts
Regardless of the volume of emails you send, implementing SPF, DKIM, and DMARC is beneficial for your business. While these terms may sound technical, they are designed to:
- Keep your emails out of spam folders
- Protect your domain from being spoofed
- Build trust with your audience
Email authentication used to be optional – now, it’s essential and it’s time to lock things down.
Need help setting up SPF, DKIM, or DMARC? Don’t worry: speak to your IT department, Managed Service Provider, or our expert team at Baskerville Drummond.