Microsoft 365 Email Security: Complete Configuration Checklist
Complete checklist for hardening Microsoft 365 email security: Exchange Online Protection, Defender for Office 365, anti-spam, Safe Links, and Safe Attachments.
Microsoft 365 ships with a capable email security stack, but the default configuration leaves significant gaps that attackers routinely exploit. Exchange Online Protection (EOP) is enabled for every tenant, while Defender for Office 365 Plan 1 and Plan 2 add sandboxing, advanced hunting, and attack simulation on top of it. This checklist covers what to configure across both tiers to harden your tenant against phishing, malware, and business email compromise.
Email Authentication: SPF, DKIM, DMARC
Before configuring any Microsoft-specific controls, your domain's email authentication records must be correct. These are DNS controls, not M365 settings, but Microsoft's security controls depend on them.
SPF
Microsoft 365 automatically includes its sending infrastructure in your SPF record when you set up a custom domain. Verify your record includes include:spf.protection.outlook.com:
yourcompany.com TXT "v=spf1 include:spf.protection.outlook.com -all"
If you also send from other services (Mailchimp, Salesforce, etc.), add their include: directives before -all.
DKIM
Microsoft 365 generates DKIM keys for each domain. Enable signing in the Defender portal:
- Go to Microsoft 365 Defender > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM
- Select your domain and toggle DKIM signing to Enabled
- Microsoft provides two CNAME records to publish in your DNS:
selector1._domainkey.yourcompany.com CNAME selector1-yourcompany-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey.yourcompany.com CNAME selector2-yourcompany-com._domainkey.yourtenant.onmicrosoft.com
Microsoft rotates keys automatically between these two selectors.
DMARC
Publish a DMARC record and configure reporting to a mailbox you monitor:
_dmarc.yourcompany.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; pct=100"
Start with p=none if you are uncertain all legitimate senders pass DKIM/SPF alignment, then move to p=quarantine and finally p=reject.
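The following script is an added example, not part of the original checklist: it resolves a domain's SPF, DKIM and DMARC records and reports any that do not match the values above. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName); "yourcompany.com" and "yourtenant" are placeholders.

```powershell
# Added example: verify SPF, DKIM and DMARC against the checklist values.
# Domain and tenant names are placeholders; pass your own as parameters.
param(
    [string]$Domain = "yourcompany.com",
    [string]$Tenant = "yourtenant"
)

function Get-TxtRecord([string]$Name) {
    # TXT records may be split into several strings; join them into one value
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') }
}

$findings = @()

# SPF: exactly one v=spf1 record, containing the EOP include and a hard fail
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -ne 1) { $findings += "SPF: expected 1 record, found $($spf.Count)" }
elseif ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') { $findings += "SPF: missing include:spf.protection.outlook.com" }
elseif ($spf[0] -notmatch '\s-all$') { $findings += "SPF: record does not end in -all (soft fail or neutral)" }

# DKIM: both selectors must be CNAMEs pointing at the tenant's _domainkey host
foreach ($sel in 'selector1','selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $expected = "$sel-$($Domain -replace '\.','-')._domainkey.$Tenant.onmicrosoft.com"
    if (-not $cname) { $findings += "DKIM: $sel._domainkey.$Domain has no CNAME" }
    elseif ($cname.NameHost -ne $expected) { $findings += "DKIM: $sel points to $($cname.NameHost), expected $expected" }
}

# DMARC: target policy is p=reject (none/quarantine are interim stages) with a rua= address
$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc) { $findings += "DMARC: no record published" }
else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ';')) { $k,$v = ($kv.Trim() -split '=',2); if ($k) { $tags[$k] = $v } }
    if ($tags['p'] -ne 'reject') { $findings += "DMARC: p=$($tags['p']); target is p=reject once alignment is verified" }
    if (-not $tags['rua']) { $findings += "DMARC: no rua= address, aggregate reports are not being collected" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "SPF, DKIM and DMARC records for $Domain match the checklist" }
```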
Exchange Online Protection Configuration
EOP is the first layer of filtering for all inbound mail. These settings are in the Defender portal under Email & collaboration > Policies & rules > Threat policies.
Anti-spam policies
The default anti-spam policy is applied to all users. Review and tighten these settings:
Spam threshold: Set the Bulk Complaint Level (BCL) threshold to 6 or lower. The default is 7, which lets significant amounts of bulk mail through.
High confidence spam action: Change from "Move to Junk" to "Quarantine" for high-confidence spam.
Phish action: Ensure high-confidence phishing messages are set to "Quarantine message" rather than just moving to Junk.
Allowed/blocked senders: Audit the global allow list regularly. Organizations accumulate allowed senders over time, and each one bypasses spam filtering entirely.
Safety tips: Enable all safety tips (first contact, unverified sender, unusual characters in sender address).
Anti-malware policies
Default settings block common malicious file types. Add to the block list:
.exe, .bat, .cmd, .vbs, .ps1, .js, .jse, .wsf, .wsh, .scr, .hta, .pif,
.iso, .img, .dll, .com, .msi, .reg, .lnk
Enable "Zero-hour Auto Purge" (ZAP) to retroactively quarantine malware that was delivered before detection signatures were available.
Anti-spoofing and impersonation
In the anti-phishing policy:
- Enable spoof intelligence — allows EOP to analyze patterns and detect spoofed senders
- Enable unauthenticated sender indicators — adds a "?" to the sender photo and tags messages as "via" when the sender does not pass authentication
- Impersonation protection (Defender for Office 365 Plan 1+) — configure domain and user impersonation protection for your executives and commonly impersonated domains
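The portal steps in the anti-spam, anti-malware and anti-spoofing sections above can be applied to the default policies from Exchange Online PowerShell. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module with an existing Connect-ExchangeOnline session, and the names and addresses in quotes are placeholders.

```powershell
# Added example: apply the EOP checklist items to the default policies.
# Assumes Connect-ExchangeOnline has already been run.

# Anti-spam: BCL threshold 6, quarantine high-confidence spam and phishing, ZAP on
Set-HostedContentFilterPolicy -Identity "Default" `
    -BulkThreshold 6 `
    -HighConfidenceSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -PhishSpamAction Quarantine `
    -InlineSafetyTipsEnabled $true `
    -ZapEnabled $true -SpamZapEnabled $true -PhishZapEnabled $true

# Anti-malware: -FileTypes REPLACES the list, so merge the checklist extensions
# (given without the leading dot) into whatever the policy already blocks
$checklistTypes = 'exe','bat','cmd','vbs','ps1','js','jse','wsf','wsh','scr','hta','pif',
                  'iso','img','dll','com','msi','reg','lnk'
$fileTypes = @((Get-MalwareFilterPolicy -Identity "Default").FileTypes) + $checklistTypes |
    Select-Object -Unique
Set-MalwareFilterPolicy -Identity "Default" `
    -EnableFileFilter $true `
    -FileTypes $fileTypes `
    -ZapEnabled $true

# Anti-phishing: spoof intelligence, "?" and "via" indicators, all safety tips, and
# (Defender for Office 365 Plan 1+ only) impersonation protection; the impersonation
# parameters fail on an EOP-only tenant, so remove them there. Placeholder user/domain.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableSpoofIntelligence $true `
    -EnableUnauthenticatedSender $true -EnableViaTag $true `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Jane Doe;jane.doe@yourcompany.com" `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "yourcompany.com" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true

# Read the values back so the change is verifiable in a change record
Get-HostedContentFilterPolicy -Identity "Default" |
    Select-Object BulkThreshold, HighConfidenceSpamAction, HighConfidencePhishAction
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableSpoofIntelligence, EnableUnauthenticatedSender, EnableTargetedUserProtection
```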
Defender for Office 365: Safe Attachments
Safe Attachments detonates file attachments in a sandbox before delivery, catching malware that evades signature-based detection.
Safe Attachments policy configuration
- Go to Threat policies > Safe Attachments
- Create a policy applying to all users in your domain
- Recommended settings:
- Action for unknown malware: Block (do not deliver the message at all)
- Enable redirect: Yes — send blocked attachments to a security mailbox for review
- Safe Attachments for SharePoint, OneDrive, and Teams: Enable this separately under Global Settings
Enabling Safe Attachments for SharePoint and OneDrive prevents files uploaded to those services from being shared if they contain malware.
Dynamic Delivery
For organizations where attachment delay is unacceptable (executive workflows, for example), Dynamic Delivery sends the message body immediately and replaces the attachment with a placeholder while scanning proceeds. The real attachment is delivered once it passes, or blocked if malware is found. This reduces the user-visible scanning delay to near zero.
Defender for Office 365: Safe Links
Safe Links rewrites URLs in emails and Office documents, routing clicks through Microsoft's scanning infrastructure in real time. This catches phishing links that were clean at delivery but were updated to point to malicious content after the email landed in the inbox.
Safe Links policy configuration
- Threat policies > Safe Links
- Create a policy for all users
Recommended settings:
- Action on unknown URLs in email messages: On
- Action on unknown or potentially malicious URLs within Microsoft Teams: On
- Apply real-time URL scanning for suspicious links and links that point to files: Enabled
- Wait for URL scanning to complete before delivering: Enabled (adds slight delay but catches more)
- Do not rewrite URLs for links that match these patterns: Use sparingly — only for internal URLs that cause false positives, not as a blanket exception list
- Track user clicks: Enabled — creates an audit trail for incident investigation
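The Safe Attachments and Safe Links policies described in the two sections above can also be created from Exchange Online PowerShell. This is an added example, not the article's own configuration; it assumes an existing Connect-ExchangeOnline session, a Defender for Office 365 license, and placeholder values for the domain, review mailbox and intranet URL.

```powershell
# Added example: create the Safe Attachments and Safe Links policies from the checklist.
# Assumes Connect-ExchangeOnline has been run; all names below are placeholders.
$domain      = "yourcompany.com"
$reviewInbox = "secops-attachments@$domain"   # security mailbox that receives blocked files

# Safe Attachments: block on unknown malware and redirect the blocked copy for review.
# Use -Action DynamicDelivery instead of Block where the scanning delay is unacceptable.
New-SafeAttachmentPolicy -Name "All users - Safe Attachments" `
    -Enable $true `
    -Action Block `
    -Redirect $true -RedirectAddress $reviewInbox
New-SafeAttachmentRule -Name "All users - Safe Attachments" `
    -SafeAttachmentPolicy "All users - Safe Attachments" `
    -RecipientDomainIs $domain

# Safe Attachments for SharePoint, OneDrive and Teams is a tenant-wide (global) setting
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: rewrite and scan URLs in mail, Teams and Office, hold delivery until the
# scan finishes, record clicks, and keep the do-not-rewrite list to one internal exception
New-SafeLinksPolicy -Name "All users - Safe Links" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -EnableForInternalSenders $true `
    -DoNotRewriteUrls "https://intranet.$domain/*"
New-SafeLinksRule -Name "All users - Safe Links" `
    -SafeLinksPolicy "All users - Safe Links" `
    -RecipientDomainIs $domain

# Confirm the effective settings
Get-SafeAttachmentPolicy -Identity "All users - Safe Attachments" |
    Select-Object Action, Redirect, RedirectAddress
Get-SafeLinksPolicy -Identity "All users - Safe Links" |
    Select-Object ScanUrls, DeliverMessageAfterScan, TrackClicks, AllowClickThrough
```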
Attack Simulator and Security Awareness
Defender for Office 365 Plan 2 includes Attack Simulator, which lets you run simulated phishing campaigns against your own users.
Running a phishing simulation
- Go to Email & collaboration > Attack simulation training
- Create a simulation using a credential harvest or malware attachment template
- Target all users or a specific department
- Set a landing page that explains the simulation after a user clicks
- Schedule training automatically for users who fail
Run simulations monthly. Track click rates over time. Departments with consistently high click rates need additional training or tighter technical controls.
Audit Logging and Alerting
Enable unified audit logging
Verify audit logging is enabled:
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
If it returns False:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Alert policies to configure
In Microsoft 365 compliance > Alert policies, enable or create alerts for:
- Malware detected in email (default alert, verify it is enabled)
- Email messages containing phish URLs delivered (default)
- Unusual increase in email reported as phish
- Suspicious email sending patterns detected
- User restricted from sending email (account compromise indicator)
- Forwarding/redirect rule created — inbox rules that forward all mail to external addresses are a key business email compromise indicator
Mail forwarding audit
Run these Exchange Online PowerShell commands periodically to find all external mail forwarding. Get-InboxRule takes a single mailbox, so the second command enumerates mailboxes and queries each one:
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.ForwardingSmtpAddress -ne $null} | Select-Object Name, ForwardingSmtpAddress
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } | Where-Object {$_.ForwardTo -like "*@*" -or $_.RedirectTo -like "*@*"} | Select-Object Name, ForwardTo, RedirectTo, MailboxOwnerId
Any external forwarding rules you do not recognize should be treated as potential account compromise.
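As an added example, not part of the original article, the audit below classifies forwarding destinations as external by comparing them with the tenant's accepted domains rather than matching on "@", and also records whether mailbox-level forwarding keeps a local copy. It assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example: external-forwarding audit aware of the tenant's accepted domains.
# Assumes Connect-ExchangeOnline has been run.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress([string]$Address) {
    # Mailbox forwarding looks like "smtp:user@domain"; inbox-rule recipients look like
    # "Name [SMTP:user@domain]" or, for internal users, "Name [EX:/o=...]"
    if ($Address -match '(?i)smtp:([^\]\s>]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }          # legacy DN or empty: internal
    $domain = ($Address -split '@')[-1].ToLower().TrimEnd(']')
    return ($internalDomains -notcontains $domain)
}

$findings = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding (set by the user or an admin); forward-only with no local
    # copy is the pattern that hides the stolen mail from the mailbox owner
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'; Rule = $null
            Destination = $mbx.ForwardingSmtpAddress
            KeepsCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # Inbox rules: Get-InboxRule takes one mailbox at a time
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ -and (Test-ExternalAddress ([string]$_)) }
        if ($targets) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'; Rule = $rule.Name
                Destination = ($targets -join ', ')
                KeepsCopy = $null
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Any row whose destination you cannot trace to an approved integration should be handled as a suspected account compromise, as the section above recommends.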
Secure Score Recommendations
Microsoft Secure Score in the Defender portal provides a prioritized list of security improvements specific to your tenant configuration. Filter by "Identity" and "Email" to focus on the most impactful email security items. Common high-value improvements include enabling MFA for all admins, configuring DMARC enforcement, enabling Safe Links and Safe Attachments, and disabling legacy authentication protocols (Basic Auth).
Review Secure Score monthly and track improvements over time as a metric for your email security posture.