Technology Advisor Blog



DMARC Gets Serious: Microsoft Enforces Stricter Email Rules

Posted by Ann Westerheim on 4/30/25 4:47 PM

Starting May 5, 2025, all businesses - regardless of size - must meet Microsoft’s stricter email authentication requirements when sending to Outlook, Hotmail, and Live addresses. These changes are designed to reduce spoofing and impersonation, aligning with similar updates from Google and Yahoo to improve overall email security.

💸 The Rising Cost of Phishing: Why It Matters

Phishing isn’t just an annoyance - it’s big business for cybercriminals and a growing cost for organizations of all sizes.

When someone clicks a fake email link or enters a password on a spoofed site, it can lead to:

  • Stolen data or money

  • Compromised email accounts

  • Costly downtime and recovery

  • Damage to your reputation

The average cost of a phishing attack is now in the tens of thousands of dollars for small businesses - and it’s rising every year.

One bad click can cost a lot. That’s why email security and employee awareness are more important than ever.

For the May 5th deadline, the first tightening of security applies to bulk mail senders: a single domain that sends more than 5,000 emails must configure DMARC, SPF, and DKIM. Without these in place, your legitimate email won't get delivered - it will go to a spam folder or be rejected outright. While the first lockdown focuses on bulk mail (think marketing campaigns like your upcoming sale or golf invitation), we expect to see more regulation over time, impacting ALL email.

This is not a new concept - NIST published their recommendations over five years ago in Trustworthy eMail.

💡 What Is DMARC - and Why Do SPF and DKIM Matter?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a security policy that helps protect your domain from being used in email spoofing - when cybercriminals pretend to send email from your business.

But DMARC doesn’t work alone. It builds on two key technologies:

  • SPF (Sender Policy Framework):
    Verifies that the email came from an approved server. Think of it as a “who’s allowed to send on our behalf” list.

  • DKIM (DomainKeys Identified Mail):
    Adds a digital signature to your message, proving it wasn’t altered in transit and really came from your domain.

With both SPF and DKIM in place, DMARC checks whether messages are authenticated correctly - and then tells receiving email servers what to do if they’re not (e.g., mark as spam or reject them entirely).
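To make the alignment step concrete, here is an added Python example (not code from the article or from Ekaru) that applies a DMARC policy to the SPF and DKIM results a receiver has already computed. The DNS records, domains and message results in it are constructed samples; the `example.com` policy uses strict SPF alignment and relaxed DKIM alignment so both behaviours show up, and the organizational-domain rule is a deliberate simplification.

```python
"""DMARC policy evaluation for one message (added example; not from the article).

SPF and DKIM verification themselves need DNS lookups and signature checks, so
this assumes the receiver has already produced those raw results and applies
only the DMARC layer: identifier alignment with the From: domain, then the
published policy. All DNS records and message data below are constructed."""

# Constructed TXT records for the imaginary domain example.com.
SAMPLE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.example-mailer.net -all",
    "_dmarc.example.com": (
        "v=DMARC1; p=quarantine; sp=reject; aspf=s; adkim=r; pct=100; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # no enforcement unless the owner asks for it
    tags.setdefault("aspf", "r")    # relaxed alignment is the default for both
    tags.setdefault("adkim", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Toy organizational-domain rule: keep the last two labels.
    Real receivers consult the Public Suffix List (think example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def lookup_policy(from_domain: str, dns: dict) -> dict:
    """Find the DMARC record for the From: domain, falling back to the org domain,
    where the sp= tag (if present) governs subdomains instead of p=."""
    txt = dns.get(f"_dmarc.{from_domain}")
    if txt is not None:
        return parse_dmarc_record(txt)
    policy = parse_dmarc_record(dns[f"_dmarc.{organizational_domain(from_domain)}"])
    if "sp" in policy:
        policy["p"] = policy["sp"]
    return policy


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=SAMPLE_DNS_TXT) -> dict:
    """spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of the verified signature, or None if unsigned."""
    policy = lookup_policy(from_domain, dns)
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, policy["aspf"])
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and is_aligned(from_domain, dkim_domain, policy["adkim"]))
    passed = spf_aligned or dkim_aligned   # either aligned identifier is enough
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    # A message whose SPF passes for an unrelated sender's own domain still fails DMARC.
    print(evaluate_dmarc("example.com", "pass", "unrelated-sender.example", "none", None))
```

The second scenario in the `__main__` block is the one that matters for spoofing: SPF on its own only says the sending server may send for the envelope domain, which the sender controls; DMARC is what ties the result back to the visible From: address.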

Does your business accept credit card payments?

Earlier this year (March 31), the Payment Card Industry (PCI) placed similar requirements on any business that processes credit cards. Typically, compliance requires quarterly scans of your systems. If you fail, you will lose your ability to process credit cards. We strongly advise getting ahead of this and being proactive. DMARC is listed as GOOD PRACTICE, and is worth it to protect your reputation.


What if my business doesn't send bulk email or get paid by credit card?

If you don't send bulk email or if your business doesn't process credit cards, do you still need to care about this?  YES! 

Implementing DMARC is more than just a compliance requirement - it's also a tool to safeguard your organization's email.  

  • Prevents eMail Fraud - Blocks phishing, spoofing and unauthorized email use.  "Business eMail Compromise" is a common cyber threat and a common attack vector for cyber criminals.
  • Improves eMail Deliverability - It will get harder and harder for your legitimate email to reach the intended inbox as more recipients use email security filtering to protect themselves.
  • Protects Brand Reputation - Helps prevent brand impersonation.  Your customers really don't want to get a fake invoice "from" you that's actually from a criminal! 


Is setting up DMARC a one time "set it and forget it" task?

Nothing in cybersecurity is "set it and forget it".  

Setting up DMARC, SPF, and DKIM is a great first step - but ongoing reporting is what keeps you protected.

DMARC reports show who’s sending email using your domain (legit or not), so you can:

  • Spot unauthorized senders trying to spoof your email - you'll see a lot of attempts.

  • Fix misconfigured systems that may be sending unauthenticated mail. Did your marketing department just set up a new outreach platform?

  • Verify that your settings are working and legitimate messages are getting through.

Without reporting, you’re flying blind. With reporting, you’re in control.
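As an added example (not part of the original post), the Python below parses a DMARC aggregate report in the standard XML format that lands in the rua= mailbox and separates sources that never authenticated from legitimate-looking platforms that authenticate for their own domain but are not aligned with yours, which is the "new outreach platform" case above. The reporter name, IP addresses and counts are constructed.

```python
"""Parse a DMARC aggregate (RUA) report and rank the sources that fail.

Added example, not from the article. The report below is a constructed sample
in the aggregate-report XML format of RFC 7489 Appendix C; real reports reach
the rua= mailbox as gzip or zip attachments, one per reporting receiver per day."""
import gzip
import xml.etree.ElementTree as ET

# Constructed report: one authorized server, one unknown sender, and a third-party
# platform whose raw SPF passes for its own domain but is not aligned with ours.
SAMPLE_REPORT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1746403200</begin><end>1746489599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>37</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>120</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.marketing-platform.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""
# Receivers send the XML compressed; simulate that so the parser handles the real shape.
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT_XML)


def parse_aggregate_report(data: bytes) -> dict:
    """Return report metadata plus one entry per <record> (source IP)."""
    if data[:2] == b"\x1f\x8b":                 # gzip magic bytes
        data = gzip.decompress(data)
    root = ET.fromstring(data)                   # reports are untrusted input: prefer defusedxml in production
    sources = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        sources.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf": pe.findtext("spf"),           # aligned results as DMARC evaluated them
            "dkim": pe.findtext("dkim"),
            "disposition": pe.findtext("disposition"),
            "raw_spf": rec.findtext("auth_results/spf/result"),      # raw results, any domain
            "raw_dkim": rec.findtext("auth_results/dkim/result"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": sources,
    }


def classify(src: dict) -> str:
    """'pass' if an aligned identifier passed; 'unaligned' if something authenticated for
    another domain (often a real vendor that still needs SPF/DKIM set up for you);
    'unauthenticated' if nothing passed at all."""
    if src["spf"] == "pass" or src["dkim"] == "pass":
        return "pass"
    if src["raw_spf"] == "pass" or src["raw_dkim"] == "pass":
        return "unaligned"
    return "unauthenticated"


def summarize(report: dict) -> dict:
    """Split message volume into DMARC pass/fail and rank failing sources by volume."""
    passed = failed = 0
    failing = []
    for src in report["sources"]:
        reason = classify(src)
        if reason == "pass":
            passed += src["count"]
        else:
            failed += src["count"]
            failing.append({"ip": src["ip"], "count": src["count"],
                            "reason": reason, "spf_domain": src["spf_domain"]})
    failing.sort(key=lambda s: s["count"], reverse=True)
    return {"passed": passed, "failed": failed, "failing_sources": failing}


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT_GZ)
    print(report["reporter"], report["domain"], report["policy"])
    for src in summarize(report)["failing_sources"]:
        print(src)
```

Reading the output, the high-volume "unaligned" source is the one to chase down with the marketing department, while "unauthenticated" sources with a header_from of your domain are the spoofing attempts the article says you will see a lot of.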

At Ekaru we're here to help!  We're already setting up DMARC compliance and reporting for our "all in" clients, and if you just need this one service, we can help on a stand alone basis.  Contact us today!


About the author:


Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area.  Ann is an accomplished technology innovator and leader with three engineering degrees from MIT.  She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.

https://www.linkedin.com/in/annwesterheim/ 

 
