Yesterday in a recorded webinar, Ross Adams of Microsoft stated that “it is a matter of when, not if” Microsoft will join Yahoo and Google in requiring a stronger set of requirements for senders who want to reach user inboxes.
This is exciting news for the industry as the requirements first outlined by Google and Yahoo become more universally adopted. The new rules require bulk email senders to follow a set of common best practices, including using aligned authentication, having a DMARC policy, and making it easy for users to unsubscribe.
If you’re compliant with Google and Yahoo’s rules, you’re already in good shape when it comes to Microsoft mailboxes, so this news is mostly public confirmation mailbox providers (MBPs) at large are no longer lax when it comes to security.
Unfortunately, there is no formal announcement or timeline for enforcement by Microsoft (yet). However our data tells a different story…
Microsoft Has Been Harsher Than Google and Yahoo for Months
When we first started analyzing data around the Yahoo and Google announcement, we found senders without aligned authentication saw the lowest inbox placement rates at Microsoft in comparison to Yahoo and Google. This trend has continued even as the enforcement rollout has started at Google and Yahoo.
Our data shows a few key dates like one day in September 2023, a full month prior to the Google and Yahoo announcements, where we can see large scale pattern changes around the deliverability of mail not using aligned authentication.
We know Microsoft has focused on aligned authentication for senders for many years. It was 9 years ago they launched their “BestGuessPass” DMARC analysis result. Microsoft was logging the result of a DMARC analysis even when the domain did not have a DMARC policy established.
For a quick catch-up on DMARC, we have an explainer blog you can read here, but in a nutshell, DMARC isn’t an authentication standard itself. Instead, it’s a mechanism to verify if authentication methods like DKIM and SPF are aligned. If they’re aligned, they pass DMARC and can be delivered safely.
If authentication isn’t aligned, it fails DMARC and based on the policy present, the mailbox provider will either deliver the mail to the inbox (p=none), put it in spam (p=quarantine), or reject it outright (p=reject.). It is clear that since Microsoft has been analyzing DMARC — regardless of the existence of a policy — they strongly see value in understanding the outcome of the result.
We’ve been keeping an extra close eye on delivery to get a sense of how MBPs are treating unauthenticated mail now that Google and Yahoo require authentication.
What we’ve seen over the last few months has been surprising, to say the least!
Google and Yahoo Are Still Giving Grace
We’ll give you an example. One of our senders was distributing email to all major MBPs via two different domains for their brand but one was authenticated and fully aligned; the other was authenticated only by SocketLabs shared domains. Everything else was the same: they were sending to the same lists with similar content and links using the same dedicated IP for delivery.
With these Yahoo and Google requirements in place since February, you would think their unaligned domain must be struggling, right?
Nope! Their open rate at Google was about 33% and approximately 27% at Yahoo. Not bad, especially considering their domain isn’t technically compliant with their rules!
The open rate of their unaligned mail at Microsoft?
Not even 4%.
Authentication Makes a Major Difference at Microsoft
When they finally did authenticate their mail — to get themselves compliant with Yahoo and Google’s new requirements — they saw major improvement at Microsoft, with their unique open rate jumping from 4% to almost 19%.
The improvement at Google and Yahoo was significantly less, with their open rates increasing by no more than a few percentage points at either provider.
Signals like this, while anecdotal, tell us Microsoft has long held the belief proper authentication is the price of entry to their users’ mailboxes and encouraged legitimate senders to authenticate because they assume those who don’t are spammers not totally invested in their holistic email performance.
Conclusion
It seems like yesterday’s statement by Microsoft is simply starting to formalize a belief and commitment they’ve made years ago! By doing this, it helps legitimize the overall movement we’re seeing toward more user-friendly email (easy unsub, safer mail, etc.) and makes it clear, all major MBPs are expecting the same kind of behavior from senders.
We’ll be sure to let you know when there’s a more formal announcement from Microsoft that we can link to. Until then, feel free to contact us if you’d like to chat through what this change means for your organization.
