Microsoft 365 admins warned over new Gmail anti-spam rules

Microsoft 365 administrators have been issued fresh guidance to avoid falling foul of new anti-spam policies introduced by Google. 

Google unveiled a raft of changes last week for bulk senders on Gmail that aim to improve security for users. 

The new rules, due to come into effect in February 2024, will require organizations that send over 5,000 daily emails to implement SPF/DKIM and DMARC email authentication for domains. 

Bulk senders will also be required to provide recipients with easily accessible ‘one-click’ options to unsubscribe from email correspondence. 

Google said the changes aim to improve security for users and tackle phishing attacks. 

In its advisory, Microsoft warned administrators that failure to adhere to the new authentication standards risks having communications marked as spam. 

“By setting up email authentication for your domain, you can ensure that your messages are less likely to be rejected or marked as spam by email providers like Gmail, Yahoo, AOL, [or] Outlook.com,” Microsoft said. 

“This is especially important when sending bulk email (large volume email), as it helps maintain the deliverability and reputation of your email campaigns.”

Microsoft 365 anti-spam advice

Microsoft’s advisory noted that using its 365 platform to send mass emails is ill-advised anyway and could result in users being penalized. 

“EOP (Exchange Online Protection) has strict outbound spam controls that can block or segregate your email to a special high-risk delivery pool if it exceeds sending limits.,” the advisory warned.

”Using Microsoft 365 to send bulk (mass) email is not a supported use of the service.”

For users sending bulk emails outside of EOP, the advisory recommended sending bulk emails through on-premise email servers. Additionally, it recommended using third-party bulk email providers for mass email activities. 

“These companies have a vested interest in working with customers to ensure good email sending practices,” the advisory noted. 

For users choosing to send bulk emails using EOP, Microsoft outlined a series of outbound spam protection recommendations. 

This included avoiding sending a “large rate or volume” of emails that causes users to run afoul of sending limits offered by the service. 

The guidance added that this includes not sending correspondence to large volumes of recipients using the bcc field. 

“Avoid using addresses in your primary email domain (for example, contoso.com) as senders for bulk email,” the advisory added. “Doing so can affect the delivery of regular email from senders in the domain.”

Microsoft also recommended custom subdomains for bulk emails, but warned that these must be configured with email authentication records in DNS, which includes SPF, DKIM, and DMARC.