Email Security Checklist for Microsoft 365 Businesses
By cAIberOps | Last Updated: April 10, 2026
Microsoft 365 is the backbone of email for most small and medium-sized businesses. But out of the box, M365 is configured for convenience, not security. Many of the settings that protect your organization from phishing, account takeover, and data loss are either disabled by default or require deliberate configuration. This checklist walks through every email security control your M365 environment should have in place, organized by priority. If you complete everything on this list, you will have a meaningfully stronger email security posture than the vast majority of SMBs.
Priority 1: Authentication and Access Controls
Enable multi-factor authentication on every account with no exceptions. This is the single most impactful security control you can deploy. MFA should cover all user accounts, all admin accounts, and all service accounts that support it. Use the Microsoft Authenticator app or hardware security keys rather than SMS-based MFA, which is vulnerable to SIM swapping attacks. Configure conditional access policies to require MFA for all sign-ins, not just those Microsoft deems risky.
Disable legacy authentication protocols. Older protocols like POP3, IMAP with basic auth, and SMTP AUTH do not support MFA, which means they provide a backdoor for attackers who have stolen credentials. Disable these protocols in your tenant unless a specific business application absolutely requires them, and if so, limit them to specific accounts with restricted permissions.
Use dedicated admin accounts. Administrators should have separate accounts for daily email use and for administrative tasks. Admin accounts should never be used for regular email, web browsing, or any activity that exposes them to phishing. Label these accounts clearly and enforce MFA plus conditional access policies that restrict admin sign-ins to trusted devices and locations.
Priority 2: Email Authentication Records
Publish an SPF record for every domain your organization uses to send email. The SPF record tells receiving mail servers which systems are authorized to send email on behalf of your domain. Set the policy to -all (hard fail) to instruct receivers to reject email from unauthorized sources. A common mistake is leaving SPF at ~all (soft fail), which provides minimal protection.
Enable DKIM signing for all sending domains. DKIM adds a cryptographic signature to outbound email that proves the message was not altered in transit and genuinely originated from your domain. M365 supports DKIM with 2048-bit RSA keys. Enable both selector1 and selector2 for key rotation. Verify DKIM is actively signing by checking email headers on outbound messages.
Configure DMARC with at least a quarantine policy. DMARC ties together SPF and DKIM and tells receiving servers what to do when authentication fails. Start with p=none and monitoring to collect data, then move to p=quarantine once you are confident legitimate email is properly authenticated. The goal is eventually reaching p=reject, which instructs receivers to outright block unauthenticated email claiming to be from your domain. Enable DMARC reporting by setting an rua tag so you receive aggregate reports showing who is sending email as your domain.
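An added example, not code from the original post: a small Python checker that grades SPF, DKIM and DMARC records against the targets above. The TXT records in it are constructed (in practice you would resolve them from DNS), and it goes one step beyond the checklist by counting SPF's DNS-querying terms against the RFC 7208 limit of 10, a common reason SPF silently stops working once several services are included.

```python
"""Grade SPF, DKIM and DMARC TXT records against the targets in this checklist.
Records below are constructed for illustration, not pulled from DNS."""
import re
# Constructed records keyed by the name a receiver queries; in production resolve them
# from DNS (M365 DKIM names are CNAMEs, so follow them to the final TXT record).
TXT = {
    "example.com": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B",
    "selector2._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def parse_tags(record):  # "tag=value; tag=value" -> dict, values may be empty
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    if not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record"]
    terms = record.split()[1:]
    mechs = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    alls = [t for t, m in zip(terms, mechs) if m == "all"]
    findings = []
    if not alls:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif alls[-1] != "-all":
        findings.append(f"SPF: '{alls[-1]}' should be '-all' (hard fail)")
    lookups = sum(m in LOOKUP_TERMS for m in mechs)
    if lookups > 10:  # RFC 7208 limit; receivers return permerror and SPF can never pass
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10")
    return findings

def check_dkim(txt, domain, selectors=("selector1", "selector2")):
    findings = []
    for sel in selectors:
        tags = parse_tags(txt.get(f"{sel}._domainkey.{domain}", ""))
        if tags.get("v") != "DKIM1" or not tags.get("p"):
            findings.append(f"DKIM: {sel} has no usable public key (missing record or empty p=)")
    return findings

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua tag, so aggregate reports will not arrive")
    return findings
```

Run the three checks for each sending domain you own; the sample records produce one finding per control (soft-fail SPF, an empty selector2 key, and a monitoring-only DMARC policy).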
Priority 3: Anti-Phishing and Anti-Malware Configuration
Review and tighten anti-phishing policies in the Security and Compliance center. Enable impersonation protection for your executives and key personnel. Add your most important domains to the domain impersonation protection list. Set the action for detected impersonation to quarantine rather than just adding a tip to the message. Enable mailbox intelligence to help detect impersonation based on each user's communication patterns.
If you have Defender for Office 365, enable Safe Attachments with dynamic delivery so users receive the email body immediately while attachments are scanned in a sandbox. Enable Safe Links to rewrite and scan URLs at time of click rather than only at delivery. Configure Safe Links to apply to internal email as well, not just external, to protect against compromised internal accounts.
Priority 4: Mail Flow Rules and Data Loss Prevention
Audit existing mail flow rules for unauthorized forwarding. Attackers who compromise an account often create inbox rules that forward copies of all incoming email to an external address. Check all user mailboxes for forwarding rules pointing to external domains. Consider blocking auto-forwarding to external recipients at the tenant level using a transport rule, then whitelist specific exceptions as needed.
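An added example, not part of the original checklist: Python that scans inbox rules and mailbox-level forwarding settings exported from Exchange Online (for instance Get-InboxRule and Get-Mailbox output saved as JSON) for targets outside the tenant's own domains. The records and the INTERNAL_DOMAINS set are constructed for the example.

```python
"""Find inbox rules and mailbox settings that forward mail outside the tenant.
Records are constructed to resemble Get-InboxRule / Get-Mailbox output saved as JSON."""
import re

INTERNAL_DOMAINS = {"example.com", "example.onmicrosoft.com"}  # assumption: the tenant's own domains
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

INBOX_RULES = [  # constructed sample data
    {"MailboxOwnerId": "alice@example.com", "Name": "AP invoices", "Enabled": True,
     "ForwardTo": ["Accounts Payable [SMTP:ap@example.com]"], "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"MailboxOwnerId": "bob@example.com", "Name": "Backup", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": ["[SMTP:b.smith@example.net]"]},
]
MAILBOXES = [  # constructed sample data
    {"UserPrincipalName": "alice@example.com", "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
    {"UserPrincipalName": "carol@example.com", "ForwardingSmtpAddress": "smtp:carol.home@example.org", "DeliverToMailboxAndForward": True},
]

def is_external(address):
    """True unless the domain is one of ours or a subdomain of one of ours."""
    domain = address.rsplit("@", 1)[1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def addresses_in(values):
    """SMTP addresses inside recipient strings such as 'Name [SMTP:user@host]' or 'smtp:user@host'."""
    return [a for v in (values or []) if v for a in ADDR_RE.findall(v)]

def audit_forwarding(rules, mailboxes):
    """(mailbox, where the forward is configured, external target) for every external forward."""
    hits = []
    for rule in rules:
        state = "enabled" if rule.get("Enabled") else "disabled"  # a disabled rule is still worth a look
        for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for target in addresses_in(rule.get(action)):
                if is_external(target):
                    hits.append((rule["MailboxOwnerId"], f"inbox rule '{rule['Name']}' {action} ({state})", target.lower()))
    for mbx in mailboxes:
        for target in addresses_in([mbx.get("ForwardingSmtpAddress")]):
            if is_external(target):
                mode = "copy kept" if mbx.get("DeliverToMailboxAndForward") else "no copy kept"
                hits.append((mbx["UserPrincipalName"], f"mailbox ForwardingSmtpAddress ({mode})", target.lower()))
    return hits
```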
Configure data loss prevention policies if your organization handles sensitive data such as Social Security numbers, credit card numbers, health records, or client financial information. DLP policies can detect sensitive content in outbound email and either warn the sender, require approval, or block the message. Even basic DLP policies provide a safety net against accidental data exposure.
Priority 5: Logging and Monitoring
Enable unified audit logging in your M365 tenant. Audit logs record sign-in activity, mailbox access, admin actions, file access, and permission changes. Without audit logging, you have no forensic trail if an incident occurs. Ensure logs are retained for at least 90 days. If your license supports it, extend retention to one year. Review sign-in logs regularly for impossible travel alerts, sign-ins from unfamiliar locations, and failed MFA attempts, which may indicate credential stuffing attacks.
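An added example, not the post's own code, of two of the sign-in reviews above written as detection logic: impossible travel between consecutive successful sign-ins, and bursts of failed MFA prompts for one user. It runs over a constructed, simplified event schema rather than the raw Entra ID sign-in log export, and the speed, distance and failure thresholds are assumptions to tune for your environment.

```python
"""Impossible travel and MFA-failure bursts over sign-in events (constructed, simplified schema)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
MAX_SPEED_KMH = 900      # assumption: faster than any airliner means the travel was impossible
MIN_DISTANCE_KM = 100    # assumption: ignore small jumps caused by IP geolocation jitter
MFA_FAIL_THRESHOLD = 5   # assumption: this many MFA failures per user inside MFA_WINDOW
MFA_WINDOW = timedelta(minutes=30)

def ev(user, time, lat, lon, city, result="success"):
    return {"user": user, "time": datetime.fromisoformat(time), "lat": lat, "lon": lon, "city": city, "result": result}

EVENTS = [  # constructed sample data, not a real tenant's log
    ev("alice@example.com", "2026-04-10T09:00:00", 38.9072, -77.0369, "Washington"),
    ev("alice@example.com", "2026-04-10T10:00:00", 51.5074, -0.1278, "London"),
    ev("bob@example.com", "2026-04-10T09:05:00", 38.9072, -77.0369, "Washington"),
    ev("bob@example.com", "2026-04-10T13:30:00", 40.7128, -74.0060, "New York"),
] + [ev("carol@example.com", f"2026-04-10T02:{m:02d}:00", 50.1109, 8.6821, "Frankfurt", "mfa_failed") for m in range(0, 12, 2)]

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance, sphere of radius 6371 km
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):  # -> [(user, from_city, to_city, implied km/h)]
    last, alerts = {}, []
    for e in sorted((x for x in events if x["result"] == "success"), key=lambda x: x["time"]):
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same second, different place
            if km >= MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                alerts.append((e["user"], prev["city"], e["city"], round(speed)))
        last[e["user"]] = e
    return alerts

def mfa_failure_bursts(events):  # -> [(user, first_failure, last_failure, count)]
    by_user, alerts = defaultdict(list), []
    for e in sorted((x for x in events if x["result"] == "mfa_failed"), key=lambda x: x["time"]):
        by_user[e["user"]].append(e["time"])
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > MFA_WINDOW:
                start += 1
            if end - start + 1 >= MFA_FAIL_THRESHOLD:
                alerts.append((user, times[start], t, end - start + 1))
                break
    return alerts
```

On the sample data alice's Washington-to-London hop in one hour is flagged at roughly 5,900 km/h, bob's Washington-to-New York trip over four hours is not, and carol's six MFA failures in ten minutes trip the burst check.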
Priority 6: User Training and Reporting
Enable the Report Message add-in for Outlook so users can flag suspicious emails with one click. This creates a feedback loop where reported messages improve your filtering and give your security team visibility into what is reaching inboxes. Conduct phishing simulations at least quarterly to test employee awareness and track improvement over time. Establish a clear internal process for what happens when someone reports a suspicious email and communicate that process to all staff. The goal is to make reporting easy and encouraged rather than punished.
When to Add a Dedicated Email Security Layer
Completing this checklist significantly improves your M365 email security. However, native M365 controls still have blind spots around AI-generated BEC attacks, account takeover from vendor domains, post-delivery threat remediation, and internal email monitoring. If your business handles sensitive data, operates in a regulated industry, or has experienced phishing that bypassed M365 filters, adding a dedicated managed email security layer on top of these configurations provides the defense-in-depth approach that modern threats require.
Need help implementing this checklist or want to add managed email security on top of your M365 environment? cAIberOps provides email security assessments and managed protection for businesses across Northern Virginia, DC, and Maryland. Contact team@caiberops.com.