Outlook Deliverability: A Silent Shift with Serious Consequences

Starting on June 17th, 2025 at 11:10 UTC, multiple high-volume senders - particularly in France - began experiencing a sudden surge in DKIM failures on emails sent to Microsoft domains (Outlook, Hotmail, etc.).
These bounces occurred even though SPF and DMARC were properly configured.

UPDATE – July 10, 2025

Since the original publication of this blog post, we've continued monitoring Outlook's behavior and uncovered additional examples of how Microsoft's filtering systems are becoming increasingly unforgiving when it comes to RFC compliance — particularly with message headers, DNS records, and content structure.

While many mailbox providers apply a more tolerant approach to message validation, Outlook now strictly enforces compliance, and any deviation from standard specifications often leads to authentication failures or outright deliverability issues.

New Observations:

  • DKIM DNS records with leading or trailing whitespaces/tabs
    Even characters such as spaces or tabs before or after a DKIM record in DNS can break validation in Outlook. Other mailbox providers might ignore such whitespace, but Outlook does not: such a record is not RFC-compliant.

  • Duplicated MIME-Version header in single-part messages
    Outlook flags this as a non-compliant structure. Even though the message may render correctly, having multiple MIME-Version headers in a single-part message is not compliant and contributes to DKIM failures if Outlook "repairs" the message before verification.

Key Outlook Behaviors to Be Aware Of:

  • Strict DNS Parsing for SPF/DKIM/DMARC

    • SPF: If the DNS record has syntactic issues, Outlook will consider it as a failure, even if the record is technically resolvable and interpreted by other providers.

    • DKIM: Non-compliant formatting in DNS will lead to a DKIM fail. Until June 17, Outlook was auto-correcting these issues before verification; this is no longer the case, and it now results in a failing signature check, another cause of DKIM failure.

    • DMARC: When multiple DMARC records are present for a domain, Outlook ignores them altogether, treating the domain as if no DMARC record is published.

  • Message Header Repairing Before DKIM Check
    Outlook appears to "fix" malformed headers (e.g. encoding issues, missing or duplicated headers) before evaluating the DKIM signature, which means that even if the signature was valid at the time of sending, verification fails because the message was modified afterwards.

These are just a few examples. If you encounter these Outlook authentication errors, check that every element is perfectly RFC-compliant: the DNS records, but also, and above all, the headers and content covered by the DKIM signature.
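The DNS conditions listed above can be checked before Outlook sees them. The following is an added example, not Postmastery's tooling: it lints a DKIM key record for surrounding whitespace and basic RFC 6376 tag-list rules, and applies the RFC 7489 rule that more than one DMARC record means no policy. The record strings are constructed samples, and the function names are hypothetical.

```python
from __future__ import annotations
import re

WS_FINDING = "leading/trailing space or tab around the record"

def lint_dkim_txt(txt: str) -> list[str]:
    """Findings for one DKIM key record (TXT strings already joined)."""
    findings = [WS_FINDING] if txt != txt.strip(" \t") else []
    tags: dict[str, str] = {}
    for part in txt.strip(" \t").split(";"):
        if not part.strip():
            continue  # empty piece, e.g. after a permitted trailing ';'
        name, sep, value = part.partition("=")  # p= values may contain '='
        name = name.strip()
        if not sep or not name:
            findings.append(f"malformed tag {part.strip()!r}")
        elif name in tags:
            findings.append(f"duplicate tag {name}=")
        else:
            tags[name] = value.strip()
    if "p" not in tags:
        findings.append("missing required p= tag")
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        findings.append("v= must be DKIM1 and be the first tag")
    return findings

def effective_dmarc(txt_records: list[str]) -> str | None:
    """RFC 7489 section 6.6.3: unless exactly one v=DMARC1 record exists, no policy applies."""
    hits = [r for r in txt_records if re.match(r"v\s*=\s*DMARC1\s*(;|$)", r)]
    return hits[0] if len(hits) == 1 else None

# Constructed sample answers (key material is a placeholder, not a real key).
DKIM_CLEAN = "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"
DKIM_PADDED = " v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY\t"
DMARC_DOUBLE = ["v=DMARC1; p=reject", "v=DMARC1; p=none; rua=mailto:d@example.com"]

if __name__ == "__main__":
    for label, record in (("clean", DKIM_CLEAN), ("padded", DKIM_PADDED)):
        print(label, lint_dkim_txt(record) or "ok")
    print("DMARC policy in effect:", effective_dmarc(DMARC_DOUBLE))
```

In practice the input would be the TXT answers for the selector's `_domainkey` name and for `_dmarc.<domain>`, joined exactly as returned so that surrounding whitespace is preserved.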

What We've Observed

Our engineers quickly identified the root cause: a change in how Outlook servers handle incoming messages. Historically, Outlook checked the DKIM signature first and only then automatically "fixed" some non-compliant messages.
For example:
  • Adding a missing Date header
  • Properly encoding non-ASCII characters in headers using MIME-word, as required by RFC 2047

DKIM validation must happen before any modifications are made to the message. If adjustments are made before DKIM is evaluated, the altered content will no longer match the original content, and DKIM will fail.
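A pre-send check for the header problems named in this post (missing Date, duplicated MIME-Version, raw non-ASCII instead of RFC 2047 encoded-words), written as an added example rather than code from Postmastery. It also reports whether each affected header is listed in the signature's `h=` tag, since those are the ones where a receiver-side repair breaks verification. The sample message and all names are constructed.

```python
import re

# At most one of each per RFC 5322 section 3.6; MIME-Version is included
# for the duplicate case described in the post.
SINGLETONS = ("date", "from", "sender", "reply-to", "to", "cc", "bcc",
              "message-id", "subject", "mime-version")

def split_headers(raw: bytes):
    """Unfold the header block into (lowercased name, value bytes) pairs."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    unfolded = re.sub(rb"\r?\n(?=[ \t])", b"", head)
    pairs = []
    for line in re.split(rb"\r?\n", unfolded):
        name, _, value = line.partition(b":")
        pairs.append((name.decode("ascii", "replace").strip().lower(), value.strip()))
    return pairs

def signed_names(pairs):
    """Header names listed in h= of the first DKIM-Signature, if any."""
    for name, value in pairs:
        m = re.search(rb"(?:^|;)\s*h\s*=([^;]*)", value)
        if name == "dkim-signature" and m:
            listed = m.group(1).decode("ascii", "replace").split(":")
            return {h.strip().lower() for h in listed}
    return set()

def lint(raw: bytes):
    """Return (header, problem, listed_in_h) for each finding."""
    pairs = split_headers(raw)
    names = [n for n, _ in pairs]
    signed = signed_names(pairs)
    found = []
    if "date" not in names:
        found.append(("date", "missing", "date" in signed))
    for n in SINGLETONS:
        if names.count(n) > 1:
            found.append((n, "duplicated", n in signed))
    for n, value in pairs:
        if any(b > 0x7F for b in value):
            found.append((n, "raw non-ASCII, needs RFC 2047 encoding", n in signed))
    return found

# Constructed sample: no Date, two MIME-Version headers, raw UTF-8 in From.
SAMPLE = (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\r\n"
          b" h=from:to:subject:date:mime-version; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
          b"From: Caf\xc3\xa9 Shop <news@example.com>\r\nTo: user@example.net\r\n"
          b"Subject: Hello\r\nMIME-Version: 1.0\r\nMIME-Version: 1.0\r\n\r\nbody\r\n")
```

Running `lint(SAMPLE)` returns three findings, each with `True` in the last position because `date`, `mime-version` and `from` all appear in `h=`.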

Why This Matters

DKIM relies on a strict rule: every signed header must be exactly identical at the time of sending and receiving. Any alteration — even well-intentioned or technically valid — invalidates the signature.

Since May 5th, 2025, Microsoft has enforced stricter authentication rules: for high-volume senders (more than 1,000 messages per day), if the DKIM Signature has a failed status, the message is rejected. Combined with the new verification order, this has led to 100% rejection rates for some messages.

How Postmastery is Responding

Using our tool Email Audit and our in-depth expertise in email infrastructure and authentication, we've helped several affected companies to:

  • Identify the exact causes of DKIM failures (missing headers, incorrect encoding, etc.)
  • Adjust DKIM signing strategies to ensure full RFC compliance at send time
  • Implement more resilient practices to withstand strict validations

Our engineers have replicated the behavior and developed tailored fixes.

Key Takeaways

  • Microsoft has changed how it handles non-compliant messages before DKIM verification
  • Only fully RFC-compliant messages now pass DKIM validation
  • High-volume senders are especially affected due to Outlook’s updated policies
  • A delivery audit can help prevent widespread rejection issues

Need Help?

Noticing unusual bounce rates from Microsoft domains since June 17th? Get in touch - we’ll help you identify the issue and implement a reliable solution. In case of any need, feel free to reach out to us!
