2025/06/20 by Yves-Marie Le Pors-Chauvel.

Outlook Deliverability: A Silent Shift with Serious Consequences

Starting on June 17th, 2025 at 11:10 UTC, multiple high-volume senders - particularly in France - began experiencing a sudden surge in DKIM failures on emails sent to Microsoft domains (Outlook, Hotmail, etc.).
These bounces occurred even though SPF and DMARC were properly configured.
DKIM Failure - Outlook Logo

What We've Observed

Our engineers quickly identified the root cause: a change in how Outlook servers handle incoming messages. Historically, Outlook was checking the DKIM Signature and then automatically "fixing" some non-compliant messages.
For example:
  • Adding a missing Date header
  • Properly encoding non-ASCII characters in headers using MIME-word, as required by RFC 2047

DKIM validation must happen before any modifications are made to the message. If adjustments are made before DKIM is evaluated, the altered content will no longer match the original content, and DKIM will fail.

Why This Matters

DKIM relies on a strict rule: every signed header must be exactly identical at the time of sending and receiving. Any alteration — even well-intentioned or technically valid — invalidates the signature.

Since May 5th, 2025, Microsoft has enforced stricter authentication rules: for high-volume senders (more than 1.000 messages per day), if the DKIM Signature has a fail statuts, the message is rejected. Combined with the new verification order, this has led to 100% rejection rates for some messages.

How Postmastery is Responding

Using our tool Email Audit and our in-depth expertise in email infrastructure and authentication, we've helped several affected companies to:

  • Identify the exact causes of DKIM failures (missing headers, incorrect encoding, etc.)
  • Adjust DKIM signing strategies to ensure full RFC compliance at send time
  • Implement more resilient practices to withstand strict validations
Our engineers have replicated the behavior and developed tailored fixes.

Key Takeways

  • Microsoft has changed how it handles non-compliant messages before DKIM verification
  • Only fully RFC-compliant messages now pass DKIM validation
  • High-volume senders are especially affected due to Outlook’s updated policies
  • A delivery audit can help prevent widespread rejection issues

Need Help ?

Noticing unusual bounce rates from Microsoft domains since June 17th? Get in touch - we’ll help you identify the issue and implement a reliable solution. In case of any need, feel free to reach out to us!

Comments are closed.

There are many more interesting blogs by category for you to read.

Our blog is here to provide the knowledge you need around email and delivery.

Subscribe for more Industry News