How to Set Up Microsoft 365 for Better Cold Email Inboxing
M365 has different setup requirements than Google Workspace. Here's the correct configuration and the mistakes that cause M365 cold emails to land in spam.
Microsoft 365 setup for cold email has several non-obvious requirements that catch operators off guard. The default M365 configuration is optimized for internal business email, not outbound cold email. Here's what to change and verify.
The correct M365 authentication setup
SPF record
M365 requires a specific SPF include: v=spf1 include:spf.protection.outlook.com -all. Note the -all rather than ~all — Microsoft's own documentation recommends hardfail for M365 domains. If you're sending through additional infrastructure (like a warmup tool), add their include before the -all: v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all (if you ever forward through other services).
DKIM setup
DKIM is not enabled by default in M365. You must enable it in Microsoft 365 Defender:
- Go to security.microsoft.com
- Email & Collaboration → Policies & Rules → Threat Policies → DKIM
- Select your domain → Enable
- Publish both CNAME records Microsoft provides to your DNS (selector1 and selector2)
Verify publication with the DKIM checker — look for selector1 and selector2.
DMARC record
Add: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Start with none and monitor. Verify with DMARC lookup.
M365-specific sending limits
M365 has lower safe sending limits for cold email than GWS:
- Maximum recommended: 10 sends per inbox per day for cold email
- Week 1 warmup: 2–3 per day
- Week 2: 4–6 per day
- Week 3: 7–9 per day
- Week 4+: 10 per day
Microsoft's technical limit is higher, but the safe cold email limit is much lower. Use the sending limit planner with M365 selected to configure your warmup ramp.
Domain requirements for M365 cold email
Domain age
Microsoft applies stricter filtering to new domains than Google does. The minimum recommended domain age for M365 cold email is 30–60 days. New M365 accounts on fresh domains are very likely to land in spam during the first few weeks.
MX record configuration
When you set up M365, your domain's MX record should point to Microsoft's mail servers (yourdomain-com.mail.protection.outlook.com). This is typically set up automatically during M365 setup, but verify it with the MX checker.
Reply handling
Ensure the M365 inbox is actually monitored or has forwarding configured. Sending domains that never receive replies are flagged as spam infrastructure. Set up a catch-all or monitor the inbox actively.
Common M365 cold email problems
Outlook filtering Outlook
When both sender and recipient use Microsoft products, the filtering is applied twice — once at send and once at receive via Exchange Online Protection. M365-to-M365 delivery is notably harder than M365-to-Gmail. If your target audience is heavy Outlook users, consider whether GWS might outperform M365 for those sequences.
ATP Safe Links interference
Microsoft's Advanced Threat Protection can rewrite and scan links in emails. If your tracking domain isn't configured correctly or doesn't respond fast enough, ATP can cause link failures. Ensure your tracking domain has fast response times and valid SSL.
Conditional access policies
Some M365 accounts have conditional access policies that restrict sending behavior. If your account was set up with enterprise-level security policies, those might interfere with cold email sending patterns. Check with your IT administrator or M365 admin console.
Verifying your M365 setup
Use the launch checklist to verify all setup elements before sending. For M365 specifically, pay extra attention to DKIM — it's the most commonly misconfigured element and has the largest impact on M365 deliverability.
Run the checks first
Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.