What Microsoft domains should I exclude from my email segmentation?

Key findings

• Incomplete exclusions: Simply excluding hotmail%, msn%, live%, and outlook% is often insufficient, as Microsoft hosts many other domains.
• Hidden domains: Numerous domains, including country-specific TLDs and corporate addresses, can route through Microsoft's mail exchange (MX) servers like olc.protection.outlook.com or mail.protection.outlook.com.
• SNDS limitations: While SNDS provides insight into traffic and complaints, its data (such as complaint samples) is only available for a limited time, usually seven days, leading to blank pages if checked later.
• Custom domains: Many organizations use custom domains that are hosted by Microsoft, making them subject to Microsoft's filtering, even if their domain name doesn't immediately suggest a Microsoft affiliation.

Key considerations

• Identify all microsoft MX records: To truly exclude Microsoft-bound email, you need to identify all current and legacy Microsoft Mail Exchange (MX) records. This includes *.olc.protection.outlook.com, *.mail.protection.outlook.com, and even older ones like mx_N.hotmail.com.
• Leverage mail logs: Analyze your mail logs for recipient domains whose MX records resolve to Microsoft's protection services. This is the most accurate way to find domains you might be missing in your exclusion list. This is also important for identifying all Microsoft domains contributing to IP blocks.
• Broaden exclusion criteria: Instead of only specific domains, consider excluding based on MX record patterns or using more general wildcard matches, while being careful not to exclude legitimate non-Microsoft addresses. Learn more about domain exclusions.
• Continuous monitoring: Microsoft's infrastructure can change. Regularly review your exclusion lists and monitor your SNDS data (paying attention to its transient nature) to catch any newly routing domains or changes.
• Address underlying deliverability: If you're seeing unexpected traffic or issues, it might also point to broader deliverability challenges. Review best practices for improving deliverability to Microsoft.

Key opinions

• Basic exclusions are insufficient: Marketers frequently find that excluding only the main Microsoft domains like Outlook and Hotmail doesn't cover all traffic to Microsoft's network.
• Custom domains are a blind spot: A significant challenge is identifying third-party or custom domains that use Microsoft for their email hosting (e.g., via Microsoft 365 or Azure AD), as these are not immediately obvious.
• SNDS data can be confusing: Seeing RCPT commands or other activity in SNDS for IPs supposedly not sending to Microsoft can be perplexing, especially when complaint sample links return blank pages due to data expiration.
• Regional variations matter: Country-specific TLDs or less common Microsoft-affiliated domains (like windowslive.com) are often overlooked in initial exclusion setups.
• Impact of old accounts: Some marketers suggest that traffic might originate from very old or less common accounts that still route through legacy Microsoft servers.

Key considerations

• Deep dive into MX records: Marketers should analyze the MX records of unexpected recipient domains to confirm if they resolve to Microsoft's infrastructure (e.g., *.protection.outlook.com). This information is crucial for accurate segmentation.
• Refine exclusion logic: Instead of only matching domain names, consider using more precise rules, perhaps by adding a period to the end of wildcard matches (e.g., outlook%. ) to prevent overly broad exclusions or unintended matches.
• Cross-reference with SNDS: Even with blank complaint samples, SNDS still provides valuable data on send volume and reputation. Use it to monitor and identify any unexpected traffic to Microsoft properties, which could indicate a gap in your segmentation or even a Microsoft email block that SNDS does not clearly detail.
• Maintain an updated list: Given Microsoft's evolving infrastructure, regularly update your list of domains that route through their system. This is an ongoing task to ensure accurate segmentation and prevent email list compliance.
• Consider Outlook rules: Although not directly for exclusion, understanding how to manage outlook rules can provide insight into how end-users manage their inboxes, indirectly impacting deliverability.

Key opinions

• Dynamic infrastructure: Microsoft's email infrastructure is not static, with ongoing changes in server configurations and routing, making comprehensive exclusion lists a moving target.
• Multiple MX records: Beyond primary domains, Microsoft uses a range of MX records, including older hotmail.com servers and various protection.outlook.com instances for freemail and Office 365.
• Third-party hosting: Many organizations, including educational institutions, host their email services on Microsoft platforms, meaning their custom domains behave like Microsoft domains for deliverability.
• SNDS data limitations: While SNDS is valuable, experts caution that its complaint samples are only available for a short period (seven days), requiring prompt action for effective troubleshooting.
• Comprehensive approach needed: A truly effective exclusion strategy goes beyond simple domain lists and involves analyzing MX records and understanding Microsoft's diverse mail routing.

Key considerations

• Automate MX record checks: To effectively manage exclusions, experts recommend automating the process of checking recipient domain MX records against known Microsoft MX patterns. This can help prevent hidden SPF DNS timeouts.
• Stay informed on changes: Keep up to date with Microsoft's documentation and industry discussions about their email infrastructure changes. This proactive approach is essential for maintaining good deliverability to Microsoft Outlook and Hotmail.
• Monitor real-time data: Given the transient nature of SNDS complaint samples, integrate real-time monitoring of your email campaigns to quickly identify and address any unintended sends to Microsoft domains.
• Understand DMARC/SPF/DKIM: Properly configured DMARC, SPF, and DKIM records are fundamental for any domain, especially when dealing with various mail infrastructures like Microsoft's. This also helps mitigate spoofing.
• Review email headers: Analyzing Microsoft email headers can provide deep insights into how their filters are classifying your messages and confirm which Microsoft systems are processing your mail, even for unexpected domains. This is part of what Microsoft email headers reveal.

Key findings

• Diverse services: Microsoft's email ecosystem encompasses various services, including Outlook.com, Hotmail.com, and Microsoft 365, all using shared or similar underlying infrastructure.
• Custom domain integration: Documentation confirms that custom domains can be configured to use Microsoft's mail exchange servers, routing their email through Microsoft's protection services.
• Protection services: Microsoft's email security (e.g., Exchange Online Protection) processes inbound mail for a wide array of domains, not just those directly owned by Microsoft.
• Authentication importance: Official guides stress the necessity of proper domain authentication (SPF, DKIM, DMARC) for domains sending to or through Microsoft's network.
• Filtering mechanisms: Microsoft's documentation details their spam filtering and blocklist mechanisms that apply to all mail routed through their systems, regardless of the recipient domain's visible name.

Key considerations

• MX record analysis: Documentation implicitly supports the need to examine MX records to determine if a domain uses Microsoft's services for email, even if it's a dbmail.com rather than outlook.com.
• Federated identities: When integrating with services like Google Cloud and Microsoft Entra ID (formerly Azure AD), documentation advises careful mapping of identities and domains, reinforcing that email flow can be complex across different platforms. Learn more about federating Google Cloud with Microsoft Entra ID.
• Adherence to standards: Microsoft's systems rely heavily on email authentication standards. Ensuring your sending domains have strong domain authentication is a documented best practice for deliverability.
• Monitoring tools: While not always explicitly listed for exclusion purposes, tools like SNDS are provided by Microsoft for senders to monitor their reputation and address issues with traffic to Microsoft-hosted domains. This can also help you understand why emails to Microsoft domains are throttled.