Email Security for Microsoft 365: Complete Setup Guide
Setting up email security for Office 365 is not automatic. Microsoft 365 includes Exchange Online Protection across all plans, but critical protections are disabled at setup: DKIM signing inactive, DMARC not configured, legacy authentication enabled, and audit logging off on some plan types. The baseline is functional against commodity threats. It is insufficient against advanced phishing, BEC, and zero-day attacks without deliberate configuration.
Most organizations discover this after the fact. Their IT provider completes the Microsoft 365 migration, declares the job done, and six months later a BEC attack succeeds because the Defender features that would have stopped it were never enabled. This guide covers every configuration step needed to make M365 email security actually work, from Defender policies through SPF, DKIM, and DMARC.
Is Microsoft 365 Email Secure by Default?
Microsoft 365 arrives with Exchange Online Protection active on every plan. EOP handles spam filtering, known malware blocking, and basic phishing detection at no extra cost. For commodity threats it is functional. For advanced phishing, BEC, and zero-day attacks, EOP alone is not enough. Microsoft’s own security data shows millions of phishing emails bypass EOP and reach M365 inboxes every month.
The detail most guides skip entirely is how much your licensing tier determines your actual security posture. A Business Basic or Business Standard user has EOP and nothing else. A Business Premium user gets Microsoft Defender for Office 365 Plan 1 included at no additional cost, adding Safe Links, Safe Attachments, and advanced anti-phishing policies. An E5 user gets the full Defender Plan 2 stack including Attack Simulator and Threat Explorer.
Giving identical setup advice to a Business Basic organization and an E3 organization is meaningless. The tools available are completely different, and the configuration steps that apply to one plan simply do not exist on another.
Beyond licensing, the default configuration state adds a second layer of risk. DKIM signing is not active at setup. DMARC is absent on almost every new tenant. Audit logging is disabled on some plan types and must be manually enabled. Legacy authentication protocols remain active by default. These defaults reflect Microsoft’s prioritization of usability during onboarding. Correcting them is the first task in any M365 email security configuration.
What Email Security Features Does Microsoft 365 Include?
Microsoft 365 email security features vary significantly by plan. Understanding what your licensing includes determines which configuration steps apply and what gaps remain.
| Plan | EOP | Defender Plan 1 | Defender Plan 2 | Attack Simulator | Sentinel |
|---|---|---|---|---|---|
| Business Basic | Yes | No | No | No | No |
| Business Standard | Yes | No | No | No | No |
| Business Premium | Yes | Included | No | Limited | No |
| E3 | Yes | Add-on | Add-on | Add-on | Limited |
| E5 | Yes | Included | Included | Yes | Yes |
| Defender Plan 1 (standalone) | Yes | Yes | No | No | No |
| Defender Plan 2 (standalone) | Yes | Yes | Yes | Yes | Yes |
Business Premium includes Defender Plan 1 at no extra cost, making it the minimum recommended plan for most businesses. E5 delivers the complete security stack. For other plans, Defender is available as a paid add-on. For context on how these features fit the broader email security picture, see Types of Email Security: A Complete Breakdown.
What Is Microsoft Defender for Office 365?
Microsoft Defender for Office 365 is the advanced threat protection layer that sits above EOP. It replaced the product formerly known as Office 365 Advanced Threat Protection and is available in Plan 1 and Plan 2 tiers.
Plan 1 adds Safe Links with time-of-click URL scanning, Safe Attachments with attachment sandboxing, and advanced anti-phishing policies that include impersonation detection, mailbox intelligence, and spoof intelligence controls. The Strict Preset Security Profile applies Microsoft’s maximum protection configuration for designated users in a single action.
Plan 2 extends this with Threat Explorer for threat investigation and analysis, Attack Simulator for internal phishing simulations, automated investigation and response to handle detected threats without manual intervention, and Threat Trackers for monitoring active attack campaigns. Plan 2 also enables integration with Microsoft Sentinel for SIEM-level email visibility.
How Do You Set Up Anti-Phishing Policies in Microsoft 365?
Configure anti-phishing policies in the Microsoft Defender portal under Email and Collaboration, then Anti-phishing.
The default policy applies to all users with conservative settings that are insufficient for high-value targets. Start by assigning the Strict Preset Security Profile to executives, finance staff, and anyone with payment authorization access. This applies the most aggressive detection thresholds in a single step.
For custom policies, configure these settings:
- Impersonation protection for specific named users such as the CEO and CFO
- Domain impersonation protection for primary domains and close partners
- Mailbox intelligence to detect unusual sender patterns for each protected user
- First contact safety tips to warn recipients when a message comes from a new sender
- Spoof intelligence set to quarantine failed messages rather than deliver them
Review the quarantine daily for the first two weeks to calibrate false positive rates and adjust detection thresholds accordingly.
How Do You Configure SPF, DKIM and DMARC for Microsoft 365?
Configuring email authentication for Microsoft 365 requires DNS changes and one Defender portal action. Follow these five steps in order.
Step 1: Configure your SPF record
Add Microsoft’s include statement to your DNS SPF record. The include value is include:spf.protection.outlook.com. Ensure all other legitimate sending sources are already in your SPF record before the enforcement qualifier.
Step 2: Enable DKIM signing
In the Microsoft Defender portal, go to Email Authentication and enable DKIM signing for your domain. Add the two CNAME records Microsoft generates to your DNS. Allow 24 hours for propagation.
Step 3: Create a DMARC DNS TXT record
Start with: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Step 4: Review DMARC aggregate reports for two to four weeks
Use a DMARC reporting tool to map every source sending email on your domain’s behalf before enforcing policy.
Step 5: Progress DMARC to p=quarantine then p=reject
Move to p=quarantine once all legitimate senders pass. Progress to p=reject only after confirming no false rejections. Never jump directly to p=reject without this review process.
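The review in Step 4 and the progression rule in Step 5 can be automated against the aggregate reports that arrive at the rua= address. The following is an added example, not code from the original guide: it parses one RFC 7489 aggregate report (XML), groups the rows by sending source, and applies the guide's rule that the policy only tightens once every sender you have identified as legitimate passes. The report, the IP addresses (documentation ranges) and the sender labels are constructed sample data.

```python
"""Summarise a DMARC aggregate (RUA) report by sending source.

Added example for Steps 3 to 5 of the guide; not code from the original
page. Report receivers mail RFC 7489 aggregate reports, as XML, to the rua=
address in your DMARC record. This script groups the rows by source IP,
shows which sources already pass DMARC, and recommends the next policy
step. SAMPLE_REPORT is constructed data using documentation IP ranges.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>report-receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published_policy, {source_ip: message counts}) for one report."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    published = {
        "domain": policy.findtext("domain"),
        "p": policy.findtext("p"),
        "pct": int(policy.findtext("pct") or "100"),
    }
    sources = defaultdict(lambda: {"messages": 0, "passing": 0, "failing": 0})
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated carries the *aligned* DKIM and SPF verdicts; DMARC
        # passes when either aligned check passes (RFC 7489 section 6.6.2).
        passes = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources[row.findtext("source_ip")]
        entry["messages"] += count
        entry["passing" if passes else "failing"] += count
    return published, dict(sources)


NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}


def enforcement_recommendation(published, sources, known_senders):
    """Apply the guide's rule: tighten only when all legitimate senders pass.

    known_senders maps source IP -> label for sources you have confirmed are
    yours (Microsoft 365, CRM, ticketing system, ...). Anything else is
    unknown and goes on the investigation list; unknown *failing* sources
    are what enforcement is meant to stop, so they do not block progression.
    """
    failing_known = sorted(ip for ip, s in sources.items()
                           if s["failing"] and ip in known_senders)
    unknown = sorted(ip for ip in sources if ip not in known_senders)
    if failing_known:
        next_policy = published["p"]  # stay put until these senders are fixed
    else:
        next_policy = NEXT_POLICY[published["p"]]
    return {"current": published["p"], "next": next_policy,
            "fix_first": failing_known, "investigate": unknown}


if __name__ == "__main__":
    published, sources = parse_aggregate_report(SAMPLE_REPORT)
    # Constructed mapping of the sources this tenant has identified so far.
    known = {"192.0.2.10": "Microsoft 365", "198.51.100.25": "CRM (SPF include)"}
    for ip, s in sources.items():
        label = known.get(ip, "UNKNOWN")
        print(f"{ip:16} {label:20} pass={s['passing']:4} fail={s['failing']:4}")
    print(enforcement_recommendation(published, sources, known))
```

Run this over every report received during the two-to-four-week window, not just one: a source that sends only monthly (payroll, statements) will be missing from most individual reports, and it is exactly the sender that gets broken by a premature move to p=reject.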
For the full technical explanation, see our guide on SPF, DKIM and DMARC Explained.
How Do You Set Up Safe Links and Safe Attachments in Defender?
Configure Safe Links and Safe Attachments through the Microsoft Defender portal under Email and Collaboration, then Policies and Rules.
For Safe Links, create a policy with these settings enabled: scan links in email messages on click, scan linked files and content, track user clicks, and do not allow users to click through to the original blocked URL.
For Safe Attachments, enable Dynamic Delivery. This setting delivers the email body to the recipient immediately while the attachment is scanned in an isolated sandbox. When the attachment is confirmed clean, it replaces the placeholder in the message. This eliminates delivery delays while maintaining full protection against malware and ransomware delivered via attachments.
Apply both policies to all users at minimum. Apply the Strict Preset Security Profile to executives and finance staff separately for stronger detection thresholds.
What Are the Microsoft 365 Email Security Best Practices?
The most important Microsoft 365 email security action is disabling legacy authentication protocols: SMTP AUTH, POP3, and IMAP.
Here is the specific detail that explains most M365 BEC incidents. MFA protects the interactive sign-in experience on modern authentication protocols. It does not protect legacy authentication. An attacker with a stolen M365 password can connect to the mailbox directly via IMAP or POP3 without triggering any MFA challenge. The victim’s MFA is active. Their account is still compromised.
This is the attack mechanism behind a significant proportion of M365-targeted BEC losses documented in FBI IC3 reports. The victim organization had MFA. Their IT provider confirmed it was active. Legacy authentication was still enabled on the tenant. The attacker used it. Disabling legacy authentication through Conditional Access in Microsoft Entra ID eliminates this attack path completely. Create a Conditional Access policy blocking all legacy authentication client types for all users. Run it in reporting-only mode for one week to identify any service accounts or legacy mail clients still using these protocols before enforcing.
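The report-only week only helps if someone actually reads what it reports. The following is an added example, not code from the original guide: it takes an export of the Entra ID sign-in log (JSON Lines, one sign-in per line) and lists every user and client application still authenticating over legacy protocols, so service accounts and old mail clients can be migrated before the Conditional Access policy is enforced. Assumptions, to confirm against your own export: the field names userPrincipalName, clientAppUsed, appDisplayName, ipAddress and status.errorCode, and the clientAppUsed values that denote legacy authentication. The log records themselves are constructed sample data with documentation IP ranges.

```python
"""Inventory legacy-authentication sign-ins before enforcing the block.

Added example, not code from the original guide. Input is an Entra ID
sign-in log export as JSON Lines. The field names and the clientAppUsed
values in LEGACY_CLIENT_APPS are assumed to follow the sign-in log schema;
check them against a real export. SAMPLE_SIGNIN_LOG is constructed data.
"""
import json
from collections import defaultdict

# clientAppUsed values that indicate legacy (non-modern) authentication.
# "Other clients" is the catch-all bucket that the Conditional Access
# legacy-authentication condition targets alongside Exchange ActiveSync.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Exchange Web Services", "Exchange Online PowerShell", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
    "Autodiscover", "Other clients",
}

# Constructed sample: one browser sign-in, one modern Outlook client, a
# scanner service account on SMTP AUTH, a user on IMAP, and a failed POP3
# attempt (errorCode 50126 = invalid credentials) from an unexpected address.
SAMPLE_SIGNIN_LOG = "\n".join([
    '{"createdDateTime":"2025-03-03T08:01:12Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","appDisplayName":"Office 365 Exchange Online","ipAddress":"192.0.2.20","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-03-03T08:05:40Z","userPrincipalName":"svc-scanner@example.com","clientAppUsed":"Authenticated SMTP","appDisplayName":"Office 365 Exchange Online","ipAddress":"192.0.2.50","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-03-03T09:12:03Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","appDisplayName":"Office 365 Exchange Online","ipAddress":"198.51.100.7","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-03-03T11:45:51Z","userPrincipalName":"carol@example.com","clientAppUsed":"Mobile Apps and Desktop clients","appDisplayName":"Microsoft Outlook","ipAddress":"192.0.2.21","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-03-03T14:05:40Z","userPrincipalName":"svc-scanner@example.com","clientAppUsed":"Authenticated SMTP","appDisplayName":"Office 365 Exchange Online","ipAddress":"192.0.2.50","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-03-03T15:30:12Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","appDisplayName":"Office 365 Exchange Online","ipAddress":"198.51.100.7","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-03-04T02:17:45Z","userPrincipalName":"dave@example.com","clientAppUsed":"POP3","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.9","status":{"errorCode":50126}}',
])


def is_legacy_auth(record):
    """True when the sign-in used a legacy (MFA-bypassing) protocol."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_inventory(jsonl_text):
    """Group legacy sign-ins by (user, client app) with success/failure counts and IPs."""
    groups = defaultdict(lambda: {"successes": 0, "failures": 0, "ips": set()})
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not is_legacy_auth(record):
            continue
        entry = groups[(record["userPrincipalName"], record["clientAppUsed"])]
        # errorCode 0 is a successful sign-in; anything else is a failed attempt.
        if record.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
        else:
            entry["failures"] += 1
        entry["ips"].add(record.get("ipAddress", "?"))
    return [
        {"user": user, "client_app": app,
         "successes": c["successes"], "failures": c["failures"], "ips": sorted(c["ips"])}
        for (user, app), c in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in legacy_auth_inventory(SAMPLE_SIGNIN_LOG):
        # Successful rows are the migration backlog (move the client or
        # service to modern auth); failure-only rows from unfamiliar
        # addresses are credential-guessing against the legacy endpoint and
        # belong with the incident response queue, not the migration list.
        kind = "migrate" if row["successes"] else "investigate"
        print(f"{kind:12} {row['user']:28} {row['client_app']:20} "
              f"ok={row['successes']} failed={row['failures']} from {', '.join(row['ips'])}")
```

Two readings matter here. Rows with successful sign-ins are the things that will break when the block is enforced (the scanner on SMTP AUTH, the user still on IMAP) and need a migration owner. Rows consisting only of failed attempts from addresses you do not recognise show that the legacy endpoint is already being tried against stolen or guessed credentials, which is the strongest argument for enforcing the block promptly rather than extending the report-only period.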
The table below covers the remaining critical settings.
| Setting | Where to Configure | Default State | Recommended State |
|---|---|---|---|
| DKIM Signing | Defender Portal, Email Authentication | Disabled | Enabled |
| Legacy Authentication | Entra ID, Conditional Access | Enabled | Blocked for all users |
| Audit Logging | Microsoft Purview Compliance Portal | Off (some plans) | Enabled |
| DMARC Policy | DNS TXT Record | Not configured | p=quarantine minimum |
| Safe Links | Defender Portal, Policies | Off (requires Defender) | Strict policy for all |
| Safe Attachments | Defender Portal, Policies | Off (requires Defender) | Dynamic Delivery enabled |
| MFA for All Users | Entra ID, Security Defaults | Off (legacy tenants) | Enabled |
| Strict Preset Security | Defender Portal, Preset Policies | Not assigned | Assigned to executives |
| Outbound Spam Policy | Defender Portal, Anti-spam | Default only | Custom for finance users |
When Should You Use a Third-Party Email Security Tool with Microsoft 365?
Third-party email security tools add genuine value alongside Microsoft 365 in specific scenarios: advanced BEC detection beyond what Defender’s mailbox intelligence provides, deeper DLP aligned to GDPR or HIPAA, email archiving and eDiscovery for legal teams, and multi-vendor environments needing a unified security console.
The deployment detail that almost no competitor guide covers is the double filtering misconfiguration. When you deploy a third-party SEG in front of M365, email flows through the SEG and then arrives at Microsoft’s mail servers. If you have not configured M365 to trust the SEG’s sending IP range in your inbound connector or enhanced filtering settings, Defender treats SEG-filtered email as arriving from an unknown source and rescans it. Legitimate email the SEG already cleared gets quarantined by Defender. This generates false positives that frustrate users, create help desk tickets, and undermine confidence in the entire security setup.
The fix is simple: add the SEG vendor’s sending IP range to your enhanced filtering configuration before go-live. Every major SEG vendor publishes the specific IP ranges and the M365 configuration steps required. Confirm this is done before switching MX records.
For comparison of SEG and API-based deployment models alongside M365, see What Is a Secure Email Gateway (SEG)? and API-Based Email Security vs SEG: Which Is Better?
How Do You Monitor and Report on Microsoft 365 Email Security?
Use the Microsoft Defender portal as your primary monitoring interface. The key reports are the Threat Protection Status report, which shows detections over time broken down by malware, phishing, and spam; Mail Flow reports showing delivery patterns and authentication failures; and Message Trace for tracking the delivery path of any specific message during an investigation.
Microsoft Secure Score provides a continuous view of your M365 security configuration quality, ranking improvement actions by score impact. Review it monthly and work through the highest-impact actions in order. For advanced monitoring, integrate M365 email logs with Microsoft Sentinel to create a unified SIEM view alongside other security data.
Cyber Security Solutions Ltd recommends starting with Secure Score and the Threat Protection Status report before building a Sentinel integration. For a broader best practices framework, see Email Security Best Practices: The Definitive 2026 Checklist.
Conclusion
Properly configured email security for Office 365 requires deliberate action across authentication setup, Defender policy configuration, legacy authentication blocking, and ongoing Secure Score monitoring. The plan you are on determines the tools available. Getting the configuration right on those tools is what determines whether M365 actually protects your organization. To have your current M365 email security setup reviewed against best practice, visit cybersecuritysolutionsltd.com for a free configuration assessment.
FAQs
EOP provides baseline spam and malware filtering for all M365 plans but is insufficient against advanced phishing, BEC, and zero-day attacks. Organizations on Business Basic or Business Standard have EOP only and carry significant exposure to sophisticated threats. Microsoft Defender for Office 365 Plan 1, included in Business Premium, provides the minimum protection level most businesses actually need.
Defender Plan 1 includes Safe Links, Safe Attachments, and advanced anti-phishing policies. Plan 2 adds Threat Explorer for investigation, Attack Simulator for internal phishing simulations, automated investigation and response for self-remediating threat handling, and Threat Trackers for monitoring active campaigns. Plan 1 is included in Business Premium. Plan 2 is included in E5.
In the Microsoft Defender portal, go to Email Authentication under Email and Collaboration. Your domain should show DKIM signing as enabled with both CNAME records detected. You can also verify by sending a test email to Gmail and viewing the message headers, where a correctly configured domain will show dkim=pass in the Authentication-Results field.
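Reading the header by eye works for one test message; the parser below does it reliably, including the case where a passing DKIM verdict belongs to a third-party sender's domain rather than yours. It is an added example, not code from the original guide. Both sample headers are constructed: the first in the form Gmail produces, the second in the form Exchange Online stamps on inbound mail, which carries no authserv-id at the start. The selector name selector1 and the addresses are illustrative values only.

```python
"""Parse an Authentication-Results header to confirm DKIM is signing.

Added example, not code from the original guide. Paste the header from a
test message (Gmail "Show original", or the received copy in any mailbox)
and the parser returns the spf, dkim and dmarc verdicts and whether a
passing DKIM signature was made under your domain. GMAIL_STYLE and
EXCHANGE_STYLE are constructed samples; selector1 is illustrative.
"""
import re

GMAIL_STYLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b="AbCd1234";
       spf=pass (google.com: domain of alice@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=alice@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"""

EXCHANGE_STYLE = """Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com;dmarc=pass action=none header.from=example.com;"""

_METHOD_RE = re.compile(r"^([\w-]+)\s*=\s*(\w+)\s*(.*)$")
_PROP_RE = re.compile(r"([\w.-]+)=(\S+)")


def parse_authentication_results(header):
    """Return {"authserv_id": str|None, "results": [{"method", "result", "props"}, ...]}."""
    if header.lstrip().lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    value = " ".join(header.split())               # unfold continuation lines
    value = re.sub(r"\([^()]*\)", "", value)       # drop comments such as "(p=NONE ...)"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = None
    if parts and "=" not in parts[0]:              # Gmail: "mx.google.com;" first
        authserv_id = parts.pop(0)                 # Exchange: no authserv-id at all
    results = []
    for part in parts:
        m = _METHOD_RE.match(part)
        if not m:
            continue                               # ignore anything malformed
        method, result, rest = m.groups()
        props = {k: v.strip('"') for k, v in _PROP_RE.findall(rest)}
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return {"authserv_id": authserv_id, "results": results}


def verdicts(parsed):
    """Map each method to its result, e.g. {"dkim": "pass", "spf": "pass", "dmarc": "pass"}."""
    return {r["method"]: r["result"] for r in parsed["results"]}


def dkim_signed_by(parsed, domain):
    """True if some *passing* DKIM signature was made under `domain`.

    Gmail reports the signing domain as header.i=@domain, Exchange as
    header.d=domain. A dkim=pass for a different domain (a mailing-list or
    third-party sender's own signature) does not prove your tenant signs.
    """
    for r in parsed["results"]:
        if r["method"] != "dkim" or r["result"] != "pass":
            continue
        d = r["props"].get("header.d") or r["props"].get("header.i", "").rpartition("@")[2]
        if d.lower() == domain.lower():
            return True
    return False


if __name__ == "__main__":
    for name, raw in (("gmail", GMAIL_STYLE), ("exchange", EXCHANGE_STYLE)):
        parsed = parse_authentication_results(raw)
        print(name, verdicts(parsed), "signed by example.com:", dkim_signed_by(parsed, "example.com"))
```

The dkim_signed_by check is the one that matters for this verification: dkim=pass alone only tells you some signature verified, while a passing signature whose header.d or header.i is your own domain confirms the selector CNAMEs you published are being used.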
Legacy authentication protocols (SMTP AUTH, POP3, IMAP) bypass MFA completely. An attacker with a stolen M365 password connects via IMAP without triggering any MFA challenge. This is the mechanism behind most M365 BEC cases where MFA was confirmed active. Disabling legacy authentication through Conditional Access in Microsoft Entra ID eliminates this attack path entirely.
Safe Links rewrites URLs in emails and checks the destination at the moment a user clicks, catching links that were safe at delivery but became malicious afterward. Safe Attachments opens email attachments in an isolated sandbox before delivery and blocks files exhibiting malicious behavior. Both require Defender Plan 1 and address different threat vectors within the same email.
Open Secure Score in the Microsoft Defender portal and review improvement actions ranked by score impact. Prioritize the highest-impact actions first: enabling MFA for all users, blocking legacy authentication, enabling DKIM signing, creating a DMARC policy, and applying Safe Links and Safe Attachments policies. Each completed action updates your score and builds a documented record of security improvements.
