
Securing Exchange Online in 2026: A Complete Guide to Email Security, Compliance, and Threat Protection for Enterprise Microsoft 365 Environments

Executive Summary
Email remains the single most exploited attack vector in enterprise environments. Despite all the investment in endpoint protection, identity security, and cloud governance, the majority of successful breaches still begin with a message landing in someone’s inbox. In 2026, that reality has not changed — but the sophistication of the threats has.
Business Email Compromise (BEC) attacks have evolved beyond simple executive impersonation. Today’s threat actors use LLM-generated content to craft convincing social engineering emails, chain adversary-in-the-middle (AiTM) attacks against multi-factor authentication, embed attacks inside QR codes to bypass URL scanners, and abuse OAuth consent flows to gain persistent mailbox access — all without ever triggering a traditional malware detection.
For organisations running Microsoft 365, Exchange Online Protection (EOP) and Microsoft Defender for Office 365 provide a powerful, deeply integrated defence stack. But the gap between what these tools can do and what most organisations have actually configured is significant. In the majority of environments I have worked in, the default settings have been left in place, authentication protocols are partially deployed, and the advanced threat protection features that would catch the most dangerous attacks are either unlicensed or misconfigured.
This article covers what you actually need to do — from getting the email authentication foundations right, through hardening EOP policies, enabling advanced Defender for Office 365 protections, and meeting your compliance obligations — based on what works in practice across enterprise Microsoft 365 deployments.

Overview: The Exchange Online Security Stack
How the Layers Work Together
Microsoft’s email security architecture for Exchange Online works as a series of cumulative layers. Understanding which layer does what is essential for knowing where your gaps are and what you need to license or configure to close them.

Layer | What It Does | Included With
Exchange Online Protection (EOP) | Anti-spam, anti-malware, connection filtering, bulk mail controls | All Exchange Online / M365 plans
Defender for Office 365 Plan 1 | Safe Links, Safe Attachments, anti-phishing with impersonation protection | M365 Business Premium, E3 add-on
Defender for Office 365 Plan 2 | Threat Explorer, Attack Simulation, automated investigation, advanced hunting | M365 E5, standalone add-on
Microsoft Purview | DLP, sensitivity labels, communication compliance, eDiscovery, retention | M365 E3/E5 (varies by feature)

One of the most common misconceptions I encounter is organisations believing that because they have Microsoft 365, they have full email security. EOP alone is a reasonable baseline but it will not catch sophisticated phishing, targeted impersonation attacks, or zero-day malware delivered through attachments. Defender for Office 365 Plan 1 is the minimum I recommend for any organisation where email security matters — which is every organisation.

Email Authentication: SPF, DKIM, and DMARC
Why Authentication Is the Foundation
Before any threat protection policy can work effectively, your email authentication must be correctly configured. This is not optional and it is not advanced — it is the foundation on which everything else sits. An organisation with Defender for Office 365 Plan 2 but a broken DMARC record is significantly less protected than one with EOP only and a correctly configured authentication stack.
SPF, DKIM, and DMARC are three interdependent protocols that together verify that an email claiming to come from your domain actually did.
SPF: Authorising Your Sending Sources
SPF (Sender Policy Framework) works by publishing a DNS TXT record that lists every IP address and service authorised to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from you, it checks your SPF record to see if the sending server is on the approved list.
The most common SPF mistakes I see in enterprise environments:
⦁ Using ~all (soft fail) instead of -all (hard fail). With a soft-fail record, receivers still accept messages from unauthorised sources and merely note the result in a header. This is worthless from a DMARC enforcement perspective if your messages lack DKIM signatures.
⦁ Exceeding ten DNS lookups. SPF evaluation fails, with no error visible on your side, when a record needs more than ten DNS lookups to resolve. Organisations that have added multiple third-party email senders over the years hit this limit regularly without realising it.
⦁ Forgetting subdomains and parked domains. Every domain you own that does not send email should have an SPF record stating exactly that — otherwise attackers can use those domains freely.
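An offline checker for the three SPF mistakes just listed, written as an added example rather than anything from the article: it counts DNS-querying terms the way a receiver does (recursing into include: and redirect=), reports the qualifier on all, and flags domains with no record. The DNS_TXT table is constructed data standing in for live DNS, and all domains and addresses in it are hypothetical.

```python
"""Offline SPF record audit: ten-lookup limit, ~all vs -all, missing records.
Added example; DNS data below is constructed, domains are hypothetical."""

# Terms that cost a DNS lookup when a receiver evaluates the record. RFC 7208
# caps these at ten per evaluation; exceeding it yields a permerror result.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed TXT records standing in for live DNS resolution.
DNS_TXT = {
    "example.com": "v=spf1 include:spf.protection.outlook.com "
                   "include:_spf.crm.example include:mailer.example mx ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example "
                        "include:c.crm.example -all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.crm.example": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "c.crm.example": "v=spf1 include:d.crm.example -all",
    "d.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "mailer.example": "v=spf1 ip4:203.0.113.128/25 ptr exists:%{i}.chk.mailer.example -all",
    "parked.example": "v=spf1 -all",
    "old-brand.example": "",  # parked domain that never got an SPF record
}


def parse_term(term):
    """Split one SPF term into (qualifier, mechanism/modifier name, value)."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    if "=" in body.split(":", 1)[0]:      # modifier form, e.g. redirect=domain
        name, _, value = body.partition("=")
    else:                                 # mechanism form, e.g. include:domain
        name, _, value = body.partition(":")
    return qualifier, name.split("/", 1)[0].lower(), value   # drop CIDR suffix


def lookup_count(domain, seen=frozenset()):
    """Count DNS-querying terms as a receiver's evaluator would, recursing into
    include: and redirect= targets. 'seen' only guards against include loops."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or domain in seen:
        return 0
    count = 0
    for term in record.split()[1:]:
        _, name, value = parse_term(term)
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect"):
                count += lookup_count(value, seen | {domain})
    return count


def audit_spf(domain):
    """Return the lookup count, the qualifier on 'all', and a list of findings."""
    record = DNS_TXT.get(domain, "")
    findings = []
    if not record.startswith("v=spf1"):
        findings.append("no SPF record: publish 'v=spf1 -all' if this domain never sends mail")
        return {"lookups": 0, "all": None, "findings": findings}
    lookups = lookup_count(domain)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror and the record is useless")
    all_qualifier = None
    for term in record.split()[1:]:
        qualifier, name, _ = parse_term(term)
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "~":
        findings.append("~all (soft fail): move to -all once every sender is listed")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' authorises every sender on the internet")
    return {"lookups": lookups, "all": all_qualifier, "findings": findings}


if __name__ == "__main__":
    for name in DNS_TXT:
        result = audit_spf(name)
        print(f"{name}: {result['lookups']} lookups, all={result['all']}, {result['findings']}")
```

To run it against real domains, replace the DNS_TXT lookups with a resolver call for TXT records; the counting and qualifier logic stays the same.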
DKIM: Signing Your Messages
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outbound message. The receiving mail server uses the public key in your DNS record to verify that the message has not been altered in transit and that it genuinely came from a server authorised to sign for your domain.
In Exchange Online, DKIM signing is not enabled by default for custom domains. You must explicitly enable it in the Microsoft Defender portal or Exchange Admin Centre. This is the single most commonly skipped email authentication step and one of the most impactful to fix — DKIM is what makes DMARC enforcement reliable when messages pass through mailing lists, forwarding services, or third-party relays that break SPF alignment.
FIELD NOTE
In a recent enterprise engagement, the customer had SPF and DMARC configured but DKIM had never been enabled for their primary domain. They had been running p=quarantine DMARC for 18 months without ever knowing that the DKIM validation was silently failing for all their outbound mail. Legitimate newsletters and partner communications were being quarantined by recipients. The fix took 20 minutes — enabling DKIM in the Defender portal and publishing the two CNAME records in DNS. The impact was immediate.

DMARC: Enforcement and Reporting
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It tells receiving mail servers what to do with messages that fail authentication — nothing (p=none), quarantine them (p=quarantine), or reject them outright (p=reject). It also provides reporting so you can see exactly who is sending email claiming to be from your domain.
The recommended deployment path:

  1. Publish p=none to start collecting DMARC reports without affecting mail flow. Run this for 30 days minimum.
  2. Analyse the aggregate reports (rua address). Identify all legitimate sending sources that may not be fully authenticated.
  3. Fix any SPF or DKIM alignment issues for legitimate senders — third-party marketing tools, HR systems, ticketing platforms.
  4. Move to p=quarantine at 25% (pct=25) to begin enforcement on a portion of failing messages.
  5. Gradually increase pct value and move to p=reject once you are confident in your authentication coverage.

A common mistake is rushing to p=reject before the authentication baseline is solid. The result is legitimate business-critical email being rejected at destination and a frantic rollback. Patience in the DMARC deployment phase saves significant pain later.

Real-World Challenges
Challenge 1: Undocumented Third-Party Senders
Most enterprises have accumulated a long list of third-party services that send email on their behalf — marketing automation platforms, HR systems, CRM tools, support ticketing systems, invoice platforms, and more. Many of these were deployed by business units without IT involvement and are not in the SPF record or configured for DKIM signing.
Before hardening email authentication, map every service that sends email using your domain. A DMARC reporting tool accelerates this discovery — the aggregate reports show you every sending source, authenticated or not, which makes the mapping exercise significantly faster than trying to reconstruct it from memory or documentation.
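The analysis step from the DMARC deployment path and the source-mapping exercise in Challenge 1 both come down to reading the aggregate (rua) XML. The following is an added example, not code from the article: it parses a report in the RFC 7489 aggregate format and sorts each source into aligned, misaligned third party (authenticates, but on its own domain, so it needs DKIM or an SPF include), or unauthenticated. SAMPLE_REPORT is a constructed report, and every IP and domain in it is hypothetical.

```python
"""Classify sending sources from a DMARC aggregate report.
Added example; SAMPLE_REPORT is constructed, IPs and domains are hypothetical."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1001</report_id>
    <date_range><begin>1767225600</begin><end>1767312000</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>57</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def parse_report(xml_text):
    """Return one dict per <record>: source, volume, aligned results, raw results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")      # results after alignment
        raw = {}
        for auth in rec.find("auth_results"):          # raw dkim / spf results
            raw[auth.tag] = (auth.findtext("domain"), auth.findtext("result"))
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "raw": raw,
        })
    return rows


def classify(row):
    """DMARC passes when either aligned identifier passes. A source whose raw
    SPF or DKIM passes on another domain is a fixable third-party sender;
    one with no passing result is unauthenticated use of the domain."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "aligned"
    if any(result == "pass" for _, result in row["raw"].values()):
        return "misaligned_third_party"
    return "unauthenticated"


def summarise(xml_text):
    """Message volume per category, each source's category, and the volume
    that would be quarantined or rejected if the policy were enforced now."""
    totals = {"aligned": 0, "misaligned_third_party": 0, "unauthenticated": 0}
    sources = {}
    for row in parse_report(xml_text):
        category = classify(row)
        totals[category] += row["count"]
        sources[row["source_ip"]] = category
    totals["would_fail_at_enforcement"] = (totals["misaligned_third_party"]
                                           + totals["unauthenticated"])
    return {"totals": totals, "sources": sources}


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```

Real reports arrive gzip- or zip-compressed as attachments, so decompress each file before handing its XML to summarise().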
Challenge 2: Default Policies Left Unchanged
The default EOP and Defender for Office 365 policies are designed to minimise false positives for the broadest possible customer base. For most enterprise environments, especially those in finance, legal, healthcare, or government, the defaults are not tight enough.
I routinely find anti-phishing policies with impersonation protection disabled, Safe Attachments policies set to monitor rather than block, Safe Links configured to rewrite URLs but not to click-verify in real time, and spam confidence thresholds set too high. Each of these represents a gap that a targeted attacker will exploit.
Challenge 3: External Auto-Forwarding
Automatic forwarding of mailbox contents to external recipients is a data exfiltration risk that is almost universally underestimated. When an account is compromised, attackers frequently set up external forwarding rules immediately to maintain access to communications even after the primary compromise is remediated.
By default, Exchange Online allows users to configure automatic forwarding to external addresses. In almost every enterprise engagement, blocking external auto-forwarding is one of the first changes I recommend — the legitimate business use cases for it are rare and almost always addressable through alternative means.
Challenge 4: Business Email Compromise Detection Gaps
BEC attacks are specifically designed to bypass technical controls. They often involve no malicious links or attachments — just a convincing message from a spoofed or lookalike domain asking someone to transfer money, change payment details, or share credentials. The technical detection challenge is significant because the message itself looks legitimate.
In 2026, Microsoft added LLM-based filters to Defender for Office 365 that analyse email language to infer attacker intent — a meaningful improvement in BEC detection for messages that pass all authentication checks. But this only helps if organisations are on the right licence tier and have moved beyond default policy settings.

Implementation Approach
Phase 1: Authentication Baseline (Weeks 1-3)
The first priority is always getting authentication right before touching any filtering policy. Hardening spam or phishing policies before authentication is in order creates noise — you cannot accurately evaluate false positive rates when your own outbound mail is not correctly signed.

  1. Audit current SPF records for all domains. Check DNS lookup counts. Fix overly permissive records.
  2. Enable DKIM signing in the Microsoft Defender portal for all custom domains. Publish the CNAME records.
  3. Publish DMARC records at p=none with aggregate reporting for all domains, including parked and inactive domains.
  4. Run DMARC reports for 30 days. Use a reporting tool to visualise the results.
  5. Fix authentication for all legitimate third-party senders identified in DMARC reports.
  6. Move DMARC to p=quarantine, then p=reject once authentication coverage is confirmed.

Phase 2: EOP Policy Hardening (Weeks 3-4)
Once authentication is solid, move to hardening the EOP filtering policies. Microsoft provides Standard and Strict preset security policies in the Defender portal — for most organisations, applying the Standard preset to all users and Strict to high-risk accounts (executives, finance, HR, IT admins) is a practical starting point.
⦁ Anti-spam: Lower the spam confidence level (SCL) threshold. Enable high-confidence spam filtering. Quarantine rather than deliver to junk folder for high-confidence detections.
⦁ Anti-malware: Enable the common attachment types filter. Configure zero-hour auto purge (ZAP) to retroactively quarantine malware delivered before detection.
⦁ Anti-phishing: Enable spoof intelligence. Configure mailbox intelligence. Set action to quarantine for spoofed senders.
⦁ Outbound spam: Configure per-user sending limits. Set up alerts for accounts exceeding normal sending volume — a strong indicator of account compromise.

Phase 3: Defender for Office 365 Advanced Protection
With EOP hardened, the focus moves to the advanced threat protection layer. These are the controls that catch sophisticated phishing, malicious attachments, and targeted impersonation attacks.
Safe Attachments
Safe Attachments detonates email attachments in a sandbox environment before delivering them to users. The policy should be set to Block — meaning if the sandbox detects malicious content, the message is quarantined rather than delivered with the attachment removed. Enable Dynamic Delivery to reduce the user experience impact of the sandbox delay.
Apply Safe Attachments policies to SharePoint, OneDrive, and Teams as well — attackers increasingly deliver malicious files through collaboration channels rather than email to bypass email-specific controls.
Safe Links
Safe Links rewrites URLs in email and documents to route through Microsoft’s verification service, checking link reputation at click-time rather than at delivery. This is critical for catching links that were benign at delivery but have since been weaponised.
Enable click verification, meaning users must confirm they want to proceed to a flagged URL rather than being silently redirected. Enable tracking of user clicks on links. Do not use allow-list entries to bypass Safe Links for large domains — attackers frequently compromise legitimate services and host phishing pages there.
Anti-Phishing and Impersonation Protection
Configure impersonation protection for your most targeted users — executives, finance team, HR, and IT administrators. Enable domain impersonation protection for your primary business domains and key partner domains. Set mailbox intelligence to learn communication patterns and flag messages from addresses that impersonate known contacts.
LICENSING REMINDER
Safe Links, Safe Attachments, and impersonation protection require Defender for Office 365 Plan 1 or Plan 2. These features are not available in Exchange Online Protection alone. If your organisation is running M365 Business Premium or E5, you already have the licence — the features just need to be configured.

Phase 4: Compliance Controls
Email security is not only about blocking threats — it also encompasses governance, retention, and legal obligations. The following are the most commonly required compliance controls in enterprise Exchange Online environments.
⦁ Retention policies via Microsoft Purview: Define how long emails must be retained and when they are automatically deleted. Apply litigation hold to mailboxes involved in legal proceedings.
⦁ Data Loss Prevention (DLP): Configure policies that detect and block outbound email containing sensitive data — credit card numbers, personally identifiable information, confidential document labels. Start with audit mode before enforcing.
⦁ Communication compliance: Required in regulated industries. Enables review of communications for policy violations, insider risk indicators, and regulatory compliance.
⦁ Mailbox auditing: Ensure mailbox auditing is enabled for all users. Exchange Online enables unified audit logging by default, but confirm it is active and that audit log data is being ingested into your SIEM.

Lessons Learned from the Field
What Worked Well
⦁ Deploying Preset Security Policies as the baseline and then customising exceptions. Starting from a documented, tested baseline is significantly more reliable than building policy from scratch. Microsoft’s Standard and Strict presets represent the recommended configuration for most enterprise workloads.
⦁ Using Attack Simulation Training (Defender Plan 2) before and after implementing controls. Running a simulated phishing campaign against your user population gives you a measurable baseline. Running the same simulation three months after training and policy hardening gives you evidence of improvement that leadership can see.
⦁ Blocking external auto-forwarding via the outbound spam policy before any other hardening work. It is the highest-impact, lowest-risk change in most environments and takes about five minutes to configure.
⦁ Integrating Exchange Online audit logs with Microsoft Sentinel from day one. Email-related incidents are significantly faster to investigate when all relevant signals — delivery events, user activity, quarantine releases, inbox rule changes — are available in a single query interface.
Common Mistakes to Avoid
⦁ Applying Strict preset policy to all users without testing. The Strict policy is aggressive. Applied without exceptions or a pilot phase it will generate a significant volume of quarantine releases and user complaints. Pilot with a small group, tune exceptions, then roll out broadly.
⦁ Not monitoring the quarantine. Enabling quarantine without a process to review it is not a security improvement — it is a backlog. Set up quarantine release policies that are appropriate for your organisation and ensure end users know how to review their quarantined messages.
⦁ Treating DMARC reporting as a one-time setup task. Email sender environments change constantly. New services get added, SPF records drift, DKIM keys expire or get misconfigured after domain changes. Review DMARC aggregate reports monthly, not once at setup.
⦁ Missing the SMTP DANE and DNSSEC improvements. Microsoft began rolling out SMTP DANE with DNSSEC for Exchange Online in early 2026 along with a DNSSEC Enablement Wizard in the Exchange Admin Centre. This modernises the DNS security of your mail flow and is worth reviewing if your organisation has strict transport security requirements.

Security and Compliance Considerations
Zero Trust Alignment
Email security is a core component of Zero Trust, not a separate programme. The Zero Trust principle of verify explicitly applies directly to email — every message should be authenticated at the protocol level before any content-based filtering is applied. Never trust the From header alone. The combination of SPF, DKIM, and DMARC is the technical implementation of that principle.
The assume breach principle translates to configuring Zero-hour Auto Purge (ZAP) — the capability in Defender for Office 365 that retroactively quarantines messages that were delivered before a threat was identified. Even after hardening all inbound controls, some malicious messages will get through. ZAP is the safety net that catches them after detection rather than assuming delivery means clean.
Identity Protection
Account compromise is the most common precursor to email-based attacks. When an attacker gains access to a legitimate Microsoft 365 account, they can send mail that passes all authentication checks, set up internal forwarding rules, and use the account’s communication history to craft highly convincing follow-up attacks against other employees.
Phishing-resistant MFA for all accounts is the single most impactful identity control. Entra ID Conditional Access policies should require MFA for all mail-sending clients, block legacy authentication protocols that cannot support MFA, and apply sign-in risk policies that challenge or block high-risk authentication events.
Data Protection
Email is one of the highest-risk data egress channels in any organisation. Sensitive data leaves organisations through email daily — sometimes accidentally, sometimes through compromised accounts, and sometimes through insider risk. Purview DLP policies applied to Exchange Online give you visibility and control over what is being sent externally.
Apply sensitivity labels to documents and emails to enforce classification-aware transport rules. Confidential-labelled content can be restricted from external forwarding, encrypted in transit, and flagged for compliance review — all automatically based on the label applied to the content.

Troubleshooting Guidance
Issue: Legitimate Emails Landing in Quarantine After Policy Hardening
Root cause: The sender’s domain fails SPF, DKIM, or DMARC checks, or the message matches an anti-phishing or anti-spam rule that is more aggressive than the previous configuration.
Resolution: Check the email headers for X-Forefront-Antispam-Report and X-Microsoft-Antispam values to identify which rule triggered the quarantine. Use the Message Trace in the Exchange Admin Centre to follow the full delivery path. If the sender is legitimate, add the domain to your allowed senders list or, better, contact the sender to fix their authentication configuration.
Issue: DMARC Reports Showing Unexpected Failing Sources
Root cause: A service that sends email on behalf of your domain is not correctly configured for SPF or DKIM alignment, or a new service has been deployed without authentication configuration.
Resolution: Identify the sending source from the DMARC aggregate report. Determine whether the source is a legitimate, authorised service. If yes, add its sending IPs to your SPF record and work with the vendor to enable DKIM signing. If no, investigate whether the source represents a compromised service or unauthorised use of your domain.
Issue: Users Complaining That External Links Are Blocked by Safe Links
Root cause: Safe Links is correctly blocking a URL that has been flagged as malicious, or a legitimate URL has been incorrectly classified.
Resolution: Check the URL classification in the Defender portal under Threat Intelligence. If the URL is incorrectly classified as malicious, submit it as a false positive through the Microsoft Submissions portal. Avoid adding broad domain exclusions to Safe Links — this defeats the purpose of the control. Address specific false positives individually rather than creating wide exceptions.
Issue: DKIM Validation Failing After Domain Change or Certificate Renewal
Root cause: The DKIM CNAME records in DNS have not been updated to reflect the new selector or the key has been rotated in the Defender portal without the DNS records being updated.
Resolution: In the Microsoft Defender portal, navigate to Email & Collaboration > Policies & Rules > Threat Policies > Email Authentication Settings > DKIM. Verify the current selector values and confirm the corresponding CNAME records in your DNS match exactly. DNS propagation can take up to 72 hours — allow time before assuming a configuration error.

Best Practices
Quick Wins (Do These First)
⦁ Enable DKIM signing for all custom domains in the Defender portal — takes 20 minutes, high impact
⦁ Block external auto-forwarding via the outbound spam policy — five minutes, prevents a common data exfiltration and account compromise persistence technique
⦁ Apply the Standard Preset Security Policy to all users — replaces inconsistent manual policy configuration with a tested baseline
⦁ Enable Zero-hour Auto Purge (ZAP) for malware and phishing — retroactively catches threats delivered before detection
⦁ Enable mailbox auditing and confirm audit logs are flowing to your SIEM
Enterprise Recommendations
⦁ License Defender for Office 365 Plan 1 as the minimum for all users — EOP alone is not sufficient for enterprise threat exposure
⦁ Apply Defender for Office 365 Plan 2 to high-value targets: executives, finance, HR, and IT administrators
⦁ Implement DMARC enforcement (p=reject) for all domains, including inactive and parked domains
⦁ Configure Attack Simulation Training on a quarterly cycle — measure click rates before and after security awareness training
⦁ Integrate Exchange Online audit logs with Microsoft Sentinel and build detection rules for suspicious inbox rule creation, external forwarding, and abnormal sending volumes
⦁ Review quarantine policies with end users — they should know how to request releases and understand why messages are held
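The detection rules recommended above for suspicious inbox rule creation and external forwarding (the persistence technique described under Challenge 3) can be expressed as a small rule evaluator. This is an added example, not the article's or Microsoft's code: it runs over SAMPLE_AUDIT_RECORDS, a constructed list that imitates the shape of Exchange audit entries (an Operation plus a Parameters list of Name/Value pairs) with made-up users, addresses and timestamps, and INTERNAL_DOMAINS is an assumed list of the organisation's own domains.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the
organisation. Added example; audit records below are constructed."""
import re

INTERNAL_DOMAINS = {"example.com"}     # assumption: the organisation's own domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

SAMPLE_AUDIT_RECORDS = [   # constructed; values mimic audit-log parameter encoding
    {"CreationTime": "2026-02-03T08:12:44", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "[SMTP:collector@free-mail.example]"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-02-03T09:01:10", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "Parameters": [
         {"Name": "Name", "Value": "Tickets"},
         {"Name": "RedirectTo", "Value": "[SMTP:helpdesk@example.com]"}]},
    {"CreationTime": "2026-02-03T11:40:02", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com", "Parameters": [
         {"Name": "Identity", "Value": "carol@example.com"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.home@free-mail.example"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-02-03T12:15:30", "Operation": "Set-InboxRule",
     "UserId": "dave@example.com", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def external_addresses(value):
    """Pull e-mail addresses out of a parameter value; keep only external ones."""
    return [addr for addr in ADDRESS_RE.findall(value)
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def evaluate_record(record):
    """Return a finding dict for a suspicious forwarding change, else None."""
    if record["Operation"] not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        return None
    params = {p["Name"]: p["Value"] for p in record["Parameters"]}
    targets = [addr for name in sorted(params.keys() & FORWARD_PARAMS)
               for addr in external_addresses(params[name])]
    if not targets:
        return None
    hiding = sorted(params.keys() & HIDING_PARAMS)
    # A rule that forwards externally and also deletes or files the copy is the
    # classic post-compromise persistence pattern; mailbox-level forwarding set
    # through Set-Mailbox affects every message, so both rate as high.
    severity = "high" if hiding or record["Operation"] == "Set-Mailbox" else "medium"
    return {"time": record["CreationTime"], "actor": record["UserId"],
            "mailbox": params.get("Identity", record["UserId"]),
            "operation": record["Operation"], "targets": targets,
            "hiding": hiding, "severity": severity}


def scan(records):
    """Evaluate every record and return the findings, highest severity first."""
    findings = [f for f in map(evaluate_record, records) if f]
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_RECORDS):
        print(finding)
```

The same logic maps directly onto a scheduled query over the ingested audit table in a SIEM; the parameter names are the ones an analyst looks for in the Parameters field.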
Long-Term Operational Guidance
⦁ Treat email authentication as a living configuration — review DMARC reports monthly and audit SPF records after any new service deployments
⦁ Stay current on Exchange Online DNS security improvements — Microsoft’s SMTP DANE, DNSSEC, and MTA-STS capabilities are being actively enhanced in 2026 and represent meaningful transport security improvements
⦁ Conduct an annual email security assessment — threat landscape, licensing, policy configuration, and detection coverage all change and your email security posture should be formally reviewed at least once a year

Key Takeaways
SUMMARY
Exchange Online email security is not a default-on capability — it is a stack of controls that must be deliberately configured, maintained, and monitored. Getting authentication right first, then hardening filtering policies, then adding advanced threat protection is the path that consistently delivers results in enterprise deployments.

⦁ Authentication first — SPF, DKIM, and DMARC correctly configured is more impactful than any filtering policy
⦁ Defaults are not enough — EOP defaults are designed for breadth, not depth; enterprise environments need deliberate hardening
⦁ BEC is the hardest problem — technical controls alone cannot stop all BEC; user awareness training, process controls around financial transactions, and identity protection are essential complements
⦁ Compliance is inseparable from security — Purview DLP, retention policies, and audit logging are part of a complete email security programme, not a separate workstream
⦁ Measure your posture — Attack Simulation Training gives you quantifiable data on user susceptibility that justifies security investment and tracks improvement over time

Frequently Asked Questions
Do I need Defender for Office 365 if I already have EOP?
EOP provides solid baseline protection against spam, known malware, and basic phishing. It will not catch sophisticated targeted attacks, zero-day malware in attachments, or BEC attacks that use lookalike domains or compromised third-party accounts. Defender for Office 365 Plan 1 adds Safe Links, Safe Attachments, and impersonation-aware anti-phishing — controls that are essential for enterprise environments where targeted attacks are a realistic risk.
What is the fastest way to find out what is sending email from my domain?
Publish a DMARC record at p=none with an aggregate reporting address (rua=mailto:youraddress@domain.com) and give it 30 days. The aggregate reports will show you every source sending email that claims to be from your domain, authenticated or not. A DMARC reporting tool or service will visualise this data in a format that is much easier to work with than raw XML aggregate reports.
Should I use Preset Security Policies or build custom policies?
Start with Preset Policies — Standard for all users and Strict for high-risk accounts. They represent Microsoft’s recommended configuration and are updated as the threat landscape evolves. Build custom policies only where you have a specific business need that the presets do not accommodate. Every custom policy is a maintenance burden and a potential configuration drift risk.
How do I handle third-party services that break DKIM or SPF?
Third-party services that relay email through their own infrastructure will often break SPF alignment because the sending IP is not in your SPF record. Solutions depend on the service: add the sending IP to your SPF record, configure the service to use DKIM signing with a subdomain of your primary domain, or use ARC (Authenticated Received Chain) if the service supports it. Never add the service’s entire sending infrastructure to an allow list that bypasses authentication checks — this defeats the purpose of your authentication configuration.
What should I do first if I suspect an account has been compromised through email?
Immediately reset the account password and revoke all active sessions in Entra ID. Check the account’s inbox rules for any external forwarding rules and delete them. Review the account’s sent items for any suspicious outbound messages. Enable a litigation hold on the mailbox to preserve evidence. Run a Message Trace in the Exchange Admin Centre to understand what was received and sent. Report the incident to Microsoft through the Defender portal if you believe it is part of a broader campaign.

Conclusion
Email security is the area where I see the largest gap between what organisations believe they have configured and what is actually in place. The combination of EOP and Defender for Office 365 is genuinely capable of stopping the vast majority of email-based attacks — including sophisticated BEC campaigns — but only when the full stack is correctly deployed and actively maintained.
The organisations that get this right share a consistent set of characteristics: they treat email authentication as critical infrastructure rather than a one-time setup task, they apply deliberate hardening rather than accepting defaults, they monitor their security posture through DMARC reporting and attack simulation, and they integrate email security telemetry into their broader SOC workflow so that threats detected in email can be correlated with identity and endpoint signals.
In 2026, with BEC attacks growing in sophistication, LLM-generated phishing content becoming indistinguishable from legitimate correspondence, and Microsoft actively expanding Exchange Online’s DNS security capabilities, there has never been a better time to invest properly in email security. The tools are there. The question is whether your configuration is keeping up.


Stay Ahead of Email Threats with Modern Workplace Security
Follow Modern Workplace Security for field-tested, enterprise-grade content on:
Microsoft Intune | Entra ID | Microsoft Defender | Microsoft Purview
Exchange Online | Microsoft Sentinel | Autopilot | SCCM | Zero Trust
Practical guidance from real enterprise implementations — no generic theory, no recycled documentation.

Have a question about Exchange Online security or a compliance challenge you are working through? Leave a comment or reach out via the contact page.

Written by
itanand21
Microsoft Security Consultant and IT EUC Engineer with 15+ years helping organisations modernise endpoint management and lock down Microsoft 365 using Zero Trust principles.
