Microsoft 365 Email Security Checklist for Small and Medium Businesses
- cAIberOps
Microsoft 365 powers email for most small and medium-sized businesses. It offers convenience and integration but is not secure by default. Many important security settings are off or need manual setup. Without these, your business risks phishing, account takeover, and data loss.
I created this checklist to help you strengthen your Microsoft 365 email security. It covers every key control, organized by priority. Follow it closely, and your email security will be stronger than that of most SMBs.
[Image: Microsoft 365 email security settings dashboard]
Priority 1: Authentication and Access Controls
The first and most important step is to lock down who can access your email accounts and how.
Enable multi-factor authentication (MFA) on every account.
MFA is the single best way to stop attackers. It should cover all user, admin, and service accounts that support it. Use the Microsoft Authenticator app or hardware security keys. Avoid SMS-based MFA because it can be bypassed by SIM swapping.
Set conditional access policies to require MFA for all sign-ins.
Don’t rely on Microsoft’s risk-based prompts alone. Require MFA every time to block stolen credentials.
Disable legacy authentication protocols.
Older protocols that rely on basic authentication, such as POP3, IMAP, and SMTP AUTH, can't enforce MFA. They create a backdoor for attackers. Turn them off unless a specific app needs them. If an app does need them, restrict them to specific accounts with limited permissions.
Use dedicated admin accounts.
Admins should have separate accounts for daily email and admin tasks. Never use admin accounts for regular email or web browsing. Label these accounts clearly. Enforce MFA and conditional access that limits admin sign-ins to trusted devices and locations.
These steps close the biggest gaps attackers use to break in.
Priority 2: Email Authentication Records
Next, make sure your email can prove it’s really from you. This stops spoofing and phishing.
Publish an SPF record for every domain you send email from.
SPF tells other mail servers which systems can send email for your domain. Set the policy to `-all` (hard fail) so unauthorized email is rejected. Avoid `~all` (soft fail) because it offers weak protection.
Enable DKIM signing on all sending domains.
DKIM adds a cryptographic signature to your emails. It proves the message wasn't altered in transit and was signed on behalf of your domain. Microsoft 365 supports 2048-bit RSA keys. Enable both selector1 and selector2 for key rotation. Check the headers of outbound email to confirm DKIM signing is active.
Configure DMARC with at least a quarantine policy.
DMARC links SPF and DKIM and tells receivers what to do if authentication fails. Start with `p=none` to monitor. Then move to `p=quarantine` once you’re sure legitimate email passes. The goal is `p=reject` to block fake email outright. Enable DMARC reporting with an `rua` tag to get reports on who sends email as your domain.
These records build trust in your email and reduce phishing risks.
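The three DNS checks above, as an added example that is not part of the original post: an offline audit of SPF, DKIM and DMARC TXT records against the checklist's targets (`-all`, both selectors present, `p=quarantine` or better, an `rua` tag). The zone data is constructed; in a real audit you would feed in the TXT records returned by a resolver (Microsoft 365 publishes the DKIM selectors as CNAMEs, so resolve those to their TXT targets first).

```python
"""Audit SPF, DKIM and DMARC records for one sending domain, offline."""

# Constructed sample zone (not real DNS data): name -> list of TXT strings.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...(truncated)"],
    # selector2 deliberately missing to show the finding
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def find_txt(zone, name, prefix):
    """Return the first TXT record at `name` that starts with `prefix`, else None."""
    return next((r for r in zone.get(name, []) if r.lower().startswith(prefix)), None)

def audit_email_auth(zone, domain):
    """Return (severity, finding) tuples; an empty list means all checks passed."""
    findings = []
    spf = find_txt(zone, domain, "v=spf1")
    if spf is None:
        findings.append(("high", "no SPF record published"))
    else:
        # The last mechanism decides the default verdict; the checklist wants -all.
        last = spf.split()[-1].lower()
        if last != "-all":
            findings.append(("medium", f"SPF ends with '{last}', use '-all' (hard fail)"))
    for selector in ("selector1", "selector2"):
        dkim = find_txt(zone, f"{selector}._domainkey.{domain}", "v=dkim1")
        if dkim is None or "p=" not in dkim.lower():
            findings.append(("high", f"DKIM record for {selector} missing or has no public key"))
    dmarc = find_txt(zone, f"_dmarc.{domain}", "v=dmarc1")
    if dmarc is None:
        findings.append(("high", "no DMARC record published"))
    else:
        # DMARC is "tag=value; tag=value"; tolerate spacing around separators.
        tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
        policy = tags.get("p", "").strip().lower()
        if policy not in ("quarantine", "reject"):
            findings.append(("medium", f"DMARC policy is '{policy or 'missing'}', move to quarantine, then reject"))
        if not tags.get("rua", "").strip().startswith("mailto:"):
            findings.append(("low", "DMARC has no rua tag, so aggregate reports are not collected"))
    return findings

if __name__ == "__main__":
    for severity, text in audit_email_auth(SAMPLE_ZONE, "example.com"):
        print(f"[{severity}] {text}")
```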
[Image: Setting up SPF, DKIM, and DMARC records in DNS]
Priority 3: Anti-Phishing and Anti-Malware Configuration
Microsoft 365 includes tools to detect and block phishing and malware. You need to configure them properly.
Review and tighten anti-phishing policies in the Security and Compliance center.
Turn on impersonation protection for executives and key staff. Add your important domains to the domain impersonation list. Set detected impersonation to quarantine emails, not just add a warning. Enable mailbox intelligence to spot impersonation based on user communication patterns.
If you have Defender for Office 365, enable Safe Attachments and Safe Links.
Safe Attachments scans email attachments in a sandbox before delivery. Use dynamic delivery so users get the email body immediately while attachments scan. Safe Links rewrites URLs and scans them when clicked, not just on delivery. Apply Safe Links to internal email too, to catch threats from compromised accounts.
These settings catch phishing and malware before they reach users.
Priority 4: Mail Flow Rules and Data Loss Prevention
Attackers often create forwarding rules to steal email. You can stop this and protect sensitive data.
Audit mail flow rules for unauthorized forwarding.
Check all mailboxes for rules that forward email to external addresses. Block auto-forwarding to external recipients at the tenant level with a transport rule. Add exceptions only where there is a clear business need.
Set up data loss prevention (DLP) policies.
If you handle sensitive data like Social Security numbers, credit cards, or health records, use DLP. It detects sensitive content in outbound email. You can warn senders, require approval, or block messages. Even basic DLP policies help prevent accidental leaks.
These controls protect your data and stop attackers from spying on your email.
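The forwarding audit described above, as an added example that is not part of the original post: it runs over constructed data shaped like an export of inbox rules and mailbox forwarding settings (the field names are this example's own, not Exchange's) and flags anything that sends mail outside the tenant's domains, ranking rules that also delete the original highest because they hide the forwarding from the mailbox owner.

```python
"""Find inbox rules and mailbox settings that forward mail outside the tenant."""

INTERNAL_DOMAINS = {"example.com", "example.onmicrosoft.com"}  # constructed tenant domains

# Constructed sample export (not from a real tenant).
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": ".", "forward_to": ["cfo.backup@gmail.example"],
     "redirect_to": [], "delete_message": True},
    {"mailbox": "hr@example.com", "name": "Payroll", "forward_to": ["payroll@example.com"],
     "redirect_to": [], "delete_message": False},
    {"mailbox": "sales@example.com", "name": "Vendor", "forward_to": [],
     "redirect_to": ["orders@partner.example"], "delete_message": False},
]
SAMPLE_MAILBOXES = [
    {"mailbox": "ceo@example.com", "forwarding_smtp_address": "ceo.personal@outlook.example"},
    {"mailbox": "it@example.com", "forwarding_smtp_address": None},
]

def is_external(address, internal_domains):
    """True when the address's domain is not one of the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in internal_domains

def audit_forwarding(rules, mailboxes, internal_domains=INTERNAL_DOMAINS):
    """Return (severity, mailbox, detail) tuples, most urgent first."""
    findings = []
    for rule in rules:
        targets = [t for t in rule["forward_to"] + rule["redirect_to"]
                   if is_external(t, internal_domains)]
        if not targets:
            continue
        # Forward-and-delete keeps the victim from noticing the stolen copies.
        severity = "critical" if rule["delete_message"] else "high"
        findings.append((severity, rule["mailbox"],
                         f"rule '{rule['name']}' forwards to {', '.join(targets)}"))
    for mbx in mailboxes:
        target = mbx.get("forwarding_smtp_address")
        if target and is_external(target, internal_domains):
            findings.append(("high", mbx["mailbox"], f"mailbox-level forwarding to {target}"))
    rank = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: rank[f[0]])  # stable sort keeps input order within a rank

if __name__ == "__main__":
    for severity, mailbox, detail in audit_forwarding(SAMPLE_RULES, SAMPLE_MAILBOXES):
        print(f"[{severity}] {mailbox}: {detail}")
```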
Priority 5: Logging and Monitoring
You need visibility into what’s happening in your email environment.
Enable unified audit logging in Microsoft 365.
Audit logs track sign-ins, mailbox access, admin actions, file access, and permission changes. Without logs, you have no trail if something goes wrong. Keep logs for at least 90 days. If your license allows, keep them for a year.
Review sign-in logs regularly.
Look for impossible travel alerts, sign-ins from strange locations, and failed MFA attempts. These can show credential stuffing or account takeover attempts.
Logging and monitoring help you detect and respond to threats quickly.
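The two sign-in review checks above, as an added example that is not part of the original post: impossible travel (consecutive successful sign-ins by one user that would require faster-than-airliner travel) and bursts of failed MFA attempts. The events are constructed; a real sign-in log export would supply the same fields (user, timestamp, geolocation, result), and the 900 km/h and 15-minute thresholds are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real log data).
SAMPLE_EVENTS = [
    {"user": "ana@example.com", "time": "2024-03-01T08:00:00", "lat": 52.37, "lon": 4.90, "city": "Amsterdam", "result": "success"},
    {"user": "ana@example.com", "time": "2024-03-01T09:30:00", "lat": 1.35, "lon": 103.82, "city": "Singapore", "result": "success"},
    {"user": "bob@example.com", "time": "2024-03-01T10:00:00", "lat": 40.71, "lon": -74.01, "city": "New York", "result": "mfa_failed"},
    {"user": "bob@example.com", "time": "2024-03-01T10:02:00", "lat": 40.71, "lon": -74.01, "city": "New York", "result": "mfa_failed"},
    {"user": "bob@example.com", "time": "2024-03-01T10:05:00", "lat": 40.71, "lon": -74.01, "city": "New York", "result": "mfa_failed"},
    {"user": "cat@example.com", "time": "2024-03-01T08:00:00", "lat": 51.51, "lon": -0.13, "city": "London", "result": "success"},
    {"user": "cat@example.com", "time": "2024-03-01T12:00:00", "lat": 48.86, "lon": 2.35, "city": "Paris", "result": "success"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900, min_km=50):
    """Flag consecutive successful sign-ins by one user that exceed max_kmh.
    min_km ignores small geolocation jitter; a zero time gap still counts."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > min_km and km > max_kmh * hours:
                alerts.append((user, prev["city"], cur["city"], round(km), round(hours, 2)))
    return alerts

def mfa_failure_bursts(events, threshold=3, window_minutes=15):
    """Flag users with `threshold` or more MFA failures inside one sliding window."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["result"] == "mfa_failed":
            by_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    for user, times in sorted(by_user.items()):
        times.sort()  # compare each failure with the (threshold-1)th one after it
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_minutes * 60
               for i in range(len(times) - threshold + 1)):
            alerts.append((user, len(times)))
    return alerts
```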
[Image: Reviewing audit logs to detect suspicious activity]
Priority 6: User Training and Reporting
Your users are the last line of defense. Make it easy for them to report threats and stay aware.
Enable the Report Message add-in for Outlook.
This lets users flag suspicious emails with one click. It creates a feedback loop that improves filtering and alerts your security team.
Run phishing simulations quarterly.
Test employee awareness and track progress. Use the results to focus training where it’s needed most.
Set a clear process for handling reported emails.
Make sure everyone knows what happens after they report a suspicious message. Encourage reporting by making it easy and safe.
Training and reporting reduce the chance that phishing emails succeed.
When to Add a Dedicated Email Security Layer
Following this checklist will greatly improve your Microsoft 365 email security. But native controls have limits. They may miss AI-generated business email compromise (BEC) attacks, vendor domain takeovers, post-delivery threats, and insider risks.
If your business handles sensitive data or faces strict regulations, consider adding a dedicated email security solution. These tools provide extra layers of detection, response, and internal monitoring.
Microsoft 365 offers strong tools, but you must configure them carefully. This checklist covers the essentials to protect your email from common threats. If you want to go further, products like Microsoft Defender for Office 365 provide advanced protection features such as Safe Attachments and Safe Links, which I mentioned earlier. These tools integrate seamlessly with Microsoft 365 and help catch threats that slip past basic controls.
By following these steps, you build a strong defense for your email. That means fewer breaches, less downtime, and more time to focus on growing your business.
Take action today. Start with multi-factor authentication and move through the checklist. Your email security depends on it.
This post is informational and does not replace professional cybersecurity advice.