Your emails to @outlook.com, @hotmail.com or @live.com addresses bounce with “550; 5.7.515 Access denied, sending domain does not meet the required authentication level.”
Since May 5, 2025 Microsoft rejects mail from high-volume domains that fail SPF, DKIM or DMARC checks. If your domain sends 5,000+ emails a day — or shares infrastructure that does — unauthenticated mail is refused outright, not even sent to spam. The threshold is sticky: cross 5,000/day even once and the requirements apply to your domain permanently, whatever your volume today.
v=DMARC1; p=none; rua=mailto:you@yourdomain — and make sure SPF or DKIM aligns with your From domain.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.