The following is a summary of best practices for sending email to Microsoft 365 (formerly Office 365) users. The base spam, malware, and phishing protections of Microsoft 365 are similar to Outlook.com. However, businesses can configure Microsoft 365 with standard or strict spam filter and mail flow rules depending on their internal policies and desired business outcomes.
Configuration flexibility can lead to varied outcomes across Microsoft 365 customers for B2B and B2C marketing campaigns.
Infrastructure
Regions | Worldwide
Website |
Domains | {customer}.onmicrosoft.com
Resources
- Microsoft 365 Administration Guide
- Microsoft (Outlook.com and Hotmail) deliverability best practices
- Microsoft 365 Error Codes
- This resource also gives direction on fixing issues based on the error code received. Use the left side navigation bar to select a specific code.
- Microsoft's Junk Mail Reporting Program (JMRP)
- Microsoft Smart Network Data Services (SNDS)
- SNDS provides data for Outlook.com users, but it could provide additional data points to help B2B senders identify issues.
- Check your subscriber domain list to determine if you send email to Outlook.com or Hotmail.com subscribers.
Methodology
Microsoft 365 uses Exchange Online Protection (EOP) and Microsoft Defender to protect users from spam, viruses and malware. These security services enable Microsoft to deploy a multi-layered strategy to protect users before and after email delivery.
- Edge protection: Throttling for denial-of-service attacks, IP and Domain reputation, and Backscatter detection.
- Sender intelligence: Account compromise detection, SPF, DKIM, and DMARC authentication, Domain spoofing, and Impersonation protection.
- Content filtering: Mail flow rules, Antivirus, Machine learning (on the header, body, and URLs), URL reputation blocking, content heuristics, and attachment protections.
- Post-delivery protection: Safe link URL protection and retroactive spam, phishing, and malware protections for email already delivered to mailboxes.
Microsoft 365 best practices
- Security
- Ensure all servers are protected from unauthorized access and use.
- Ensure all servers are free from viruses and malware.
- Make sure all email sent from your servers is authorized.
- Infrastructure
- Follow all Internet and SMTP standards.
- Ensure your HELO/EHLO is configured with a valid fully qualified domain name (FQDN).
- Ensure your IP address (IPv4 or IPv6) has a valid, non-generic rDNS (PTR) record.
- If you use IPv6, some Microsoft 365 customers may configure their system to reject mail from these IPs.
- Do not send email through an open relay or open proxy server.
- Do not send email from a dynamic IP address.
- Sending best practices
- Consent
- Use opt-in consent methods.
- Do not purchase lists or engage in list harvesting techniques from websites and social networks.
- List hygiene
- Ensure you have good list hygiene practices and frequently suppress inactive subscribers.
- Reputation
- Sign up with Microsoft's Junk Mail Reporting Program (JMRP) and immediately suppress all complainers from receiving future emails.
- High subscriber complaints will harm your sending reputation.
- Follow all email marketing sending best practices to ensure a high IP and Domain reputation.
- Senders with a poor sending reputation will be rejected by Microsoft 365.
- Microsoft 365 has a dynamic safe list of trusted senders. The safe list does not have an application process, but senders might be added to it by Microsoft when demonstrating a consistent, good sending reputation.
- Sending guidelines
- Do not engage in domain spoofing or your email will be perceived as phishing.
- Respect the receiving server resources and reduce volume and frequency should throttling occur.
- Encourage recipients to add your sending address to their safe senders list. Email addresses in a safe senders list bypass the spam filter and get delivered to the inbox.
- Send messages no larger than 25 MB.
- Administrators can set the maximum size from 1 MB to 150 MB; however, the default maximum size accepted is 25 MB.
- Unsubscribe
- Include a prominent unsubscribe link in all emails and immediately honor all unsubscribe requests.
- Authentication
- Authenticate all email using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
- Work towards a quarantine or reject DMARC policy to help protect your brand from unauthorized domain use.
- If sending email from IPv6, it must pass either SPF or DKIM or your email will get quarantined or rejected.
- Engagement
- Send to people that want to receive your email. Highly engaged subscribers improve your sending reputation and can lead to higher inbox placement.
- Content
- Branding
- Include your brand name in the friendly from address and within the email content to ensure your email is easily recognized by the recipient.
- B2B senders should also include a brand name until a relationship with the recipient has been established.
- A top reason for high complaints is when the recipient doesn't recognize the sender.
- Do not use scripting languages in email design such as ActiveX, JavaScript, or VBScript.
- Always include valid, reputable URLs in your email content. Do not link to websites involved in phishing or malware.
- Use the standard URL format. Avoid using IP addresses in the URL.
- Some Microsoft 365 customers may identify messages as spam if the URLs redirect to anything other than TCP ports 80, 8080, or 443.
- Ensure all attachments are free from viruses and malware.
- Some Microsoft 365 customers may identify messages as spam if they contain links to .biz or .info websites.
- Some Microsoft 365 customers may identify messages as spam if they contain the following HTML tags.
- <embed>
- <form>
- <iframe>
- <object>
- <img>
- Avoid sending attachments with the following file extensions as they are automatically treated as malware and your message will be quarantined or rejected.
- ace, apk, app, appx, ani, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, and xz.
- Some Microsoft 365 customers may choose to configure their system to view common attachment file types as malware, such as: 7z, 7zip, doc, docx, pdf, pptx, xls, xlsx, zip, and zipx.
- Ensure you are sending email in the language expected by the recipient.
- Some Microsoft 365 customers may filter email messages using specific languages or coming from specific countries.
- Warm up new IP addresses or domains
- Warming up IPs and domains is typically associated more with B2C senders, but is recommended for all senders as a best practice. IP and domain reputation are factors for Microsoft 365 delivery and properly warming up an IP or domain will help establish a good sending reputation.
- Warm up new IP addresses and domains and make sure to update your Junk Email Reporting Program (JMRP) account to receive complaint feedback.
- New IP addresses using the same Return-path domain inherit the domain reputation, which can help with the warm up process if you have a good domain reputation.
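A pre-send check for the Content guidance above, as an added example that is not part of the original guide: it scans an HTML body for the flagged tags, IP-literal hosts, ports other than 80, 8080 or 443, .biz/.info links, and attachment names with the blocked extensions. The function names and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Values copied from the content guidance; "script" covers the no-scripting item.
FLAGGED_TAGS = {"embed", "form", "iframe", "object", "img", "script"}
ALLOWED_PORTS, FLAGGED_TLDS = {80, 8080, 443}, {"biz", "info"}
BLOCKED_EXT = set((
    "ace apk app appx ani arj bat cab cmd com deb dex dll docm elf exe hta img iso jar "
    "jnlp kext lha lib library lnk lzh macho msc msi msix msp mst pif ppa ppam reg rev "
    "scf scr sct sys uif vb vbe vbs vxd wsc wsf wsh xll xz").split())

class Collector(HTMLParser):  # records flagged tags and every href/src URL
    def __init__(self):
        super().__init__()
        self.findings, self.urls = [], []
    def handle_starttag(self, tag, attrs):
        if tag in FLAGGED_TAGS:
            self.findings.append(f"tag:{tag}")
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def check_url(url):
    """Check the literal URL only; redirect targets are not followed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # skip mailto:, cid:, tel: ...
        return []
    host, out = parts.hostname or "", []
    try:
        ip_address(host)
        out.append(f"ip-host:{host}")
    except ValueError:  # not an IP literal, so look at the TLD instead
        if host.rsplit(".", 1)[-1] in FLAGGED_TLDS:
            out.append(f"tld:{host}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        out.append(f"port:{port}")
    return out

def lint_message(html, attachment_names=()):
    collector = Collector()
    collector.feed(html)
    findings = collector.findings + [f for u in collector.urls for f in check_url(u)]
    findings += [f"attachment:{n}" for n in attachment_names
                 if "." in n and n.rsplit(".", 1)[-1].lower() in BLOCKED_EXT]
    return findings

# Constructed sample body (documentation addresses only).
SAMPLE_HTML = ('<a href="http://203.0.113.7:8443/offer">Offer</a><iframe src='
               '"https://shop.example.info/"></iframe><a href="mailto:a@example.com">Mail</a>')
```

Because filtering varies per Microsoft 365 customer, treat each finding as a risk to review rather than a guaranteed rejection.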
Microsoft 365 troubleshooting support
If you have an established relationship with a Microsoft 365 customer and are encountering delivery problems, contact them directly and ask to be added to their allowlist. Individual recipients can also add you to their personal safe list to ensure inbox delivery.
- Best practices
- Ensure you are following all recommended best practices.
- Complaint processing
- Ensure all IPs are signed up with Microsoft's Junk Mail Reporting Program (JMRP) and all complainers are added to your suppression list.
- Review your SMTP error codes
- Refer to Microsoft's SMTP error codes for additional information about why your email is being deferred or blocked.
- Immediately suppress email addresses that return an SMTP error code indicating the address is an unknown user or inactive account.
- If you get an error code indicating a "maximum delivery threshold", wait for an hour and try again.
- There is a receiving limit of 3600 messages per hour for a mailbox or group coming from all senders.
- The receiving limit is 1200 messages per hour from a single sender.
- Check for blocklistings
- Microsoft 365 internal blocklist
- If you get an error code indicating your IP or domain is blocked at Microsoft, you can submit a delist request. This process will also tell you if your IP is on the blocklist. It is recommended that you try to investigate and fix the cause of the listing. If you don't fix the cause, the listing is likely to recur. There is no guarantee that Microsoft will delist your IP.
- The error code will look similar to this:
- 550 5.7.606-649 Access denied, banned sending IP [IP address]
- Microsoft 365 blocklist delist request
- Spamhaus
- Microsoft 365 uses Spamhaus as a third-party blocklist.
- The error code will look similar to this:
- 5.7.1 Service unavailable; Client host [IP address] blocked using Spamhaus
- Spamhaus lookup
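The bounce handling described under "Review your SMTP error codes" and "Check for blocklistings", as an added example that is not part of the original guide: it sorts SMTP responses into suppress, delist, Spamhaus, and retry-in-one-hour actions. The 5.1.1/5.1.10 unknown-recipient codes, the "maximum delivery threshold" wording, the function names and the sample bounces are assumptions; the two blocklist patterns follow the formats quoted above.

```python
import re
from datetime import datetime, timedelta

# Patterns follow the two response formats quoted above.
BANNED = re.compile(r"\b5\.7\.(\d{3})\b.*banned sending IP \[([^\]]+)\]", re.I)
SPAMHAUS = re.compile(r"Client host \[([^\]]+)\] blocked using Spamhaus", re.I)
# Assumptions, not from the page: 5.1.1 / 5.1.10 mark an unknown recipient, and
# the receive-limit response contains the phrase "maximum delivery threshold".
UNKNOWN = re.compile(r"\b5\.1\.(?:10|1)\b")
THRESHOLD = re.compile(r"maximum delivery threshold", re.I)

def classify(response):
    """Map one SMTP response to (category, listed_ip_or_None)."""
    m = BANNED.search(response)
    if m and 606 <= int(m.group(1)) <= 649:
        return "microsoft_blocklist", m.group(2)
    m = SPAMHAUS.search(response)
    if m:
        return "spamhaus", m.group(1)
    if UNKNOWN.search(response):
        return "unknown_user", None
    if THRESHOLD.search(response):
        return "receive_limit", None
    return "other", None

def plan(bounces):
    """bounces: (recipient, response, seen_at) tuples -> follow-up actions."""
    out = {"suppress": set(), "delist": set(), "spamhaus": set(), "retry_at": {}}
    for rcpt, response, seen_at in bounces:
        category, ip = classify(response)
        if category == "unknown_user":
            out["suppress"].add(rcpt)      # stop mailing this address
        elif category == "microsoft_blocklist":
            out["delist"].add(ip)          # fix the cause, then request delisting
        elif category == "spamhaus":
            out["spamhaus"].add(ip)        # check the Spamhaus lookup
        elif category == "receive_limit":
            out["retry_at"][rcpt] = seen_at + timedelta(hours=1)
    return out

# Constructed sample bounces (documentation IPs and domains).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    ("a@contoso.example", "550 5.7.606 Access denied, banned sending IP [203.0.113.10]", T0),
    ("b@contoso.example", "550 5.7.1 Service unavailable; Client host [198.51.100.4] blocked using Spamhaus", T0),
    ("c@contoso.example", "550 5.1.10 Recipient not found", T0),
    ("d@contoso.example", "Deferred: maximum delivery threshold reached", T0),
]
```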
- Review the message headers
- Copy and paste a Microsoft 365 header from Everest and use the message header information to help you troubleshoot. You can also view the message headers directly in Everest.
- Message header information
- X-Forefront-Antispam-Report:
- Contains information about the message and about how it was processed.
- X-Microsoft-Antispam:
- Contains additional information about bulk mail and phishing.
- A bulk message with a higher score is more likely to generate complaints.
- The default spam threshold is: 7 (scores of 8 or 9 go to junk folder).
- Spam Confidence Level (SCL):
- A message with a higher SCL score has a higher confidence of being spam.
- The default spam threshold is: 4 (5 or higher goes to junk folder).
- Check your SPF, DKIM, and DMARC configuration and results
- Check the Microsoft 365 Authentication-results message header in Everest to ensure all authentication results are passing (=pass).
- Ensure all IPs and domains are up to date.
- New IPs, domains, mail streams, ESPs, and mail servers are common reasons why SPF, DKIM, and DMARC are not updated.
- If you are getting failed results and if your IPs and domains are up to date, you may have a setup configuration error.
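The header review and authentication check described above, as an added example that is not part of the original guide: it reads the three headers from a raw message and reports any SPF, DKIM or DMARC result that is not a pass, plus scores above the default thresholds stated above. It assumes the SCL appears as `SCL:n` in X-Forefront-Antispam-Report and the bulk score as `BCL:n` in X-Microsoft-Antispam; the function names and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string

SCL_JUNK_MIN = 5  # page: default SCL threshold is 4; 5 or higher goes to junk
BCL_JUNK_MIN = 8  # page: default bulk threshold is 7; 8 or 9 go to junk

def field(header_value, key):
    """Return the integer after 'KEY:' in a semicolon-separated header value."""
    m = re.search(rf"(?:^|;)\s*{key}:(-?\d+)", header_value or "")
    return int(m.group(1)) if m else None

def triage(raw_message):
    msg = message_from_string(raw_message)
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    results = {}
    for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth.lower()):
        results.setdefault(mech, set()).add(res)
    issues = []
    for mech in ("spf", "dkim", "dmarc"):
        seen = results.get(mech, set())
        if "pass" not in seen:  # one passing DKIM signature is enough
            issues.append(f"{mech}:{'/'.join(sorted(seen)) or 'missing'}")
    scl = field(msg.get("X-Forefront-Antispam-Report"), "SCL")
    bcl = field(msg.get("X-Microsoft-Antispam"), "BCL")
    if scl is not None and scl >= SCL_JUNK_MIN:
        issues.append(f"scl:{scl}")
    if bcl is not None and bcl >= BCL_JUNK_MIN:
        issues.append(f"bcl:{bcl}")
    return {"scl": scl, "bcl": bcl, "issues": issues}

# Constructed sample headers (documentation IP and domains, not a real message).
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=mail.example.com; dkim=fail (body hash did not verify)
 header.d=example.com; dmarc=pass action=none header.from=example.com
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SFV:SPM
X-Microsoft-Antispam: BCL:8;
Subject: Constructed sample

Body text.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Individual Microsoft 365 customers can change these thresholds, so a message under the defaults can still be filtered.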
- Check your content
- Check the reputations of all URLs within your content. Microsoft doesn’t publicly disclose how they identify dangerous websites, but you can check: