400,000 DMARC boost after Microsoft’s high-volume sender update

Microsoft’s decision to join Google and Yahoo in enforcing stricter rules for high-volume senders has triggered an immediate response across the internet. In the last 30 days alone, 406,042 new domains have deployed Domain‑based Message Authentication, Reporting & Conformance (DMARC), pushing the global total to 13.09 million.

While not all domains will be exclusive Outlook users, a 3.2 % month‑on‑month jump is strong evidence that organizations are listening and acting. Yet with Microsoft’s enforcement date of May 5 2025 just days away, there is no time for complacency. 

The good news is that you can check if you already meet the requirements in 30 seconds, with our free Red Sift Investigate tool. 

DMARC surges year-on-year

At the end of March 2024, the total number of domains reporting at either p=none, quarantine or reject was 12.69m. 30 days on, the total number of domains with DMARC reporting hit 13.09m.

Earlier this year we noted a 2.3m increase at the one year mark of Google and Yahoo’s bulk sender requirements. It would be hard at this stage to accurately predict the impact of Microsoft, but we would expect to see a trend of anywhere between 2-4m in uptake 11 months from now.   

How does each policy differ?

DMARC reporting can be broken down into 3 options:

  1. Visibility (p=none): You learn who is sending on your behalf.
  2. Control (p=quarantine): You quarantine suspicious messages to limit risk.
  3. Enforcement (p=reject): You stop impersonation before it reaches the inbox.

Progressing from visibility to enforcement is not optional; it is the only way to comply fully with Microsoft’s high-volume sender policy and to defend your customers, partners, and brand. Use our guide to get started.

Our research below breaks down the difference between each policy: 

Month
p=none
p=quarantine
p=reject
March 2025
8.48m
2.12m
2.07m
April 2025
8.74m
2.17m
2.16m
% increase
+3.3%
+2.36%
+4.35%

Our analysis shows the gap between none and reject currently stands at 6.58m. However, momentum and awareness on the importance of a p=reject policy is moving in the right direction, with the largest % increase in the last 30 days being for a DMARC policy of p=reject, at 4.35%. 

Secure your email and protect your brand

As Microsoft begins enforcing its high-volume sender policy on May 5 2024, domains without a robust DMARC stance risk increased spam placement or outright rejection. DMARC is the frontline defence that prevents attackers from spoofing your brand, safeguards customer trust, and keeps legitimate traffic flowing.

Red Sift OnDMARC accelerates your journey from p=none to p=reject with automated domain discovery, step‑by‑step SPF/DKIM guidance, and deep forensic insights—all optimized for Microsoft 365 environments. Reach your target audience with OnDMARC, the fastest, most reliable way to meet Microsoft’s new standards and keep every genuine email in the inbox where it belongs.

Check if you’re ready for the new requirements with our free Red Sift Investigate tool. 

PUBLISHED BY

Jack Lilley

1 May. 2025

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

400,000 DMARC boost after Microsoft’s high-volume sender update

Jack Lilley

Microsoft’s decision to join Google and Yahoo in enforcing stricter rules for high-volume senders has triggered an immediate response across the internet. In the last 30 days alone, 406,042 new domains have deployed Domain‑based Message Authentication, Reporting & Conformance (DMARC), pushing the global total to 13.09 million. While not all domains will be exclusive Outlook users,…

Read more
DMARC

Red Sift partners with Gradian to strengthen email security through OnDMARC

Jack Lilley

Today Red Sift launches a new partnership with Gradian, a leading data protection provider, to offer its award-winning applications, including Red Sift OnDMARC, to new and existing customers. Established through Red Sift’s relationship with UK distributor E92plus, the two companies look to strengthen defences against phishing and Business Email Compromise (BEC) attacks. Allowing organisations…

Read more
Cybersecurity

DMARCbis: What are the changes and how to be ready

Jack Lilley

Executive Summary: DMARCbis, also known as DMARC 2.0, is the forthcoming update to the DMARC email authentication protocol, designed to address limitations and ambiguities in the original standard, with an expectation to be finalized and published in 2025. The update introduces clearer guidelines, a new method for determining organizational domains, and streamlined record management.…

Read more
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more