Five Email Settings Microsoft Leaves Off, and 70 Secure Score Points for Turning Them On
TL;DR
- Over 90% of all cyberattacks begin with phishing, and Microsoft 365 email settings are not secure by default.
- Configuring the five recommended protections can raise a tenant's Microsoft Secure Score by more than 70 points.
- Exchange Online Protection's baseline anti-spam, anti-malware, and anti-phishing policies are not enough on their own; impersonation and spoofing protections require Defender for Office 365 or a third-party product.
- SPF, DKIM, and DMARC records should exist on every custom domain in the tenant so spoofed mail gets rejected or quarantined before delivery.
- External sender warnings and keyword-based mail flow rules target the human layer, which technology alone cannot patch.
A tenant fresh out of the box will happily deliver a fake invoice from a spoofed domain straight to the CFO. That is not a knock on Microsoft so much as a fact about defaults: Microsoft email settings are not secure by default, and over 90% of all cyberattacks begin with phishing. The Nigerian prince scam may be the meme, but the wire-fraud email impersonating the CEO is the reality we see in small business environments.
This guide walks through the five settings we recommend turning on for maximum email security in Microsoft 365. Configured together, they will boost the tenant's Microsoft Secure Score by more than 70 points.
Why does phishing still work in 2024?
Because it cannot be stopped with technology alone. Phishing plays on human psychology to trick people into taking an action, and four traits show up in attack after attack:

- Impersonation. Attackers disguise the from address or the body of the email to pose as another person or organization. The example above mimics Chase Bank; it could just as easily mimic the company CEO or someone in finance.
- Sense of urgency. "The ATM withdrawal or debit card purchase exceeds the amount you have chosen" is engineered to incite fear and provoke immediate action.
- Request for sensitive information. Here the attacker wants a click through to a fake Chase lookalike site that harvests the username and password.
- Links or attachments. Malicious links hide in the email to deliver payloads to the device or route the user to a credential-harvesting page.

In the small business world, the common pattern is attackers posing as high-profile users or HR to push someone into action, very often wiring or sending money to a new entity. We have talked with multiple organizations that wired hundreds of thousands of dollars to a malicious bank account this way.
EOP or Defender for Office 365: which license does this need?
Exchange Online Protection ships with baseline policies for:
- Anti-spam
- Anti-malware
- Anti-phishing
Some of the configurations below work on a base-level license without Defender for Office 365. But our view is plain: if you care about security, Exchange Online Protection is not enough. You need an advanced email security layer, either Defender for Office 365 or a third party. Defender for Office 365 adds the advanced phishing protections for impersonation and spoofing, plus the secure scanning policies for links and attachments.
One framing to carry through everything below: email security is a dial, not a switch. The goal is protecting users without strangling productivity. Microsoft email security is notorious for swinging both ways, either catching piles of legitimate mail as false positives:

Or waving blatant phishing straight through:

So expect these settings to vary somewhat per environment and per the attack patterns you observe over time. The reporting section at the end covers the feedback loop.
Setting 1: Publish SPF, DKIM, and DMARC on every domain
Think of the email system as a postal service, with SPF, DKIM, and DMARC as three different security checks at the post office verifying the mail really came from who it claims:
- SPF checks the return address on the envelope: is this mail server authorized to send for that domain?
- DKIM seals the envelope with a unique stamp, proving the message was not tampered with in transit.
- DMARC is the postmaster who decides what happens when SPF or DKIM checks fail: reject, quarantine, or deliver anyway.
These records should be added to every custom domain in your Microsoft 365 environment. Back to the spoofed-domain example: with SPF, DKIM, and DMARC in place, the impersonating mail can be rejected or quarantined instead of delivered at all.
How to configure:
- Sender Policy Framework SHALL Be Enabled, Tminus365 Docs (opens in new tab)
- DomainKeys Identified Mail SHOULD Be Enabled, Tminus365 Docs (opens in new tab)
- DMARC SHALL Be Enabled, Tminus365 Docs (opens in new tab)
Setting 2: Tune the default anti-phishing policy
We usually modify the default policy in the environment, though creating a new one works too. As a general principle we do not use the Strict or Standard preset policies; they come with a lack of control we do not care for. Here is what to change in the default anti-phishing policy in the Defender admin center:
- Set the phishing email level threshold at 2 or higher
- Enable impersonated user protection
- Enable impersonated domain protection
- Ensure mailbox intelligence for impersonation protection is enabled
- Move messages detected as impersonated users by mailbox intelligence
- Quarantine messages detected from impersonated domains
- Quarantine messages detected from impersonated users
- Enable the user impersonation safety tip
- Enable the domain impersonation safety tip
- Enable the user impersonation unusual characters safety tip
How to configure:
- Anti-phishing policies in Microsoft Defender for Office 365 (opens in new tab)
- Configure anti-phishing policies in Microsoft Defender for Office 365 (opens in new tab)


Setting 3: Turn on Safe Links and Safe Attachments
Defense in depth means assuming some malicious mail still gets delivered. Safe Links and Safe Attachments, both part of Defender for Office 365, add URL scanning and attachment scanning on top of delivery, catching malicious or suspicious activity in mail that made it through.

How to configure:
- Set up Safe Attachments policies in Microsoft Defender for Office 365 (opens in new tab)
- Set up Safe Links policies in Microsoft Defender for Office 365 (opens in new tab)
Settings to verify:
- The Safe Attachments policy is set to Block
- Safe Attachments is turned on in the Global Settings for SharePoint, OneDrive, and Teams
- The Safe Links policy is unchecked for "Do not rewrite URLs"
- The Safe Links policy is unchecked for "Let users click through to the original URL"




Setting 4: Tag external senders in Outlook
The first three settings prevent and detect. The last two work the human layer, because phishing is ultimately a psychology problem. External sender warnings add a tag to email messages and a banner in the email body, which helps users spot potential spoofing or impersonation before they act on it.

To set it up, an Exchange Online tenant admin runs the Set-ExternalInOutlook (opens in new tab) cmdlet to enable the interface tenant-wide. Specific emails and domains can be added to the allow list through the same cmdlet:
Set-ExternalInOutlook -Enabled $trueSetting 5: Flag sensitive keywords with mail flow rules
The final setting also gives users helpful warnings based on message content. Because so many attacks involve altered bank account information, mail flow rules can watch for text in the subject or body and stamp extra context on the message before the user acts on it.

How to configure: Manage mail flow rules in Exchange Online (opens in new tab)

Close the loop with reporting
Tenant mail traffic, plus everything captured in junk and quarantine, is visible in the Security admin center:
- Go to Security & Compliance (opens in new tab)
- Click Reports at the bottom of the navigation
- Scroll to Email and Collaboration Reports
Review healthy versus unhealthy mail, spoof detections, URL clicks, and more, then feed what you learn back into the policy dials above.

Tools that watch these settings for you
CloudCapsule
CloudCapsule automates Microsoft 365 security assessments and specifically looks for many of the settings covered here as compliance checks, so you can confirm they exist across the tenants you manage instead of trusting that they were set once.


CIPP
The CyberDrain Improved Partner Portal (CIPP) is an open source tool with strong multi-tenant management capabilities for administering Microsoft 365 across customers, including reporting and policy configuration for these same email security settings at the multi-tenant layer. Check it out at cipp.app (opens in new tab).


Frequently asked questions
Is Exchange Online Protection enough without Defender for Office 365?
Not if you take security seriously. EOP ships baseline anti-spam, anti-malware, and anti-phishing policies, but the advanced impersonation, spoofing, link scanning, and attachment detonation protections come from Defender for Office 365 or an equivalent third-party email security product.
Should you use Microsoft's Standard or Strict preset security policies?
We prefer modifying the default anti-phishing policy instead. The presets come with a lack of granular control, and email security needs tuning per environment because filtering that is too aggressive floods quarantine with false positives while filtering that is too loose lets blatant phishing through.
Where do you monitor whether these settings are working?
In the Security admin center under Reports, scroll to Email and Collaboration Reports. You can review healthy versus unhealthy mail volume, spoof detections, URL clicks, and what landed in junk or quarantine, then tune your policies from there.
Verify these five settings across every tenant in minutes
Each protection in this post is a check CloudCapsule runs automatically. Scan a tenant against 250+ CIS-mapped controls in about 60 seconds and see which email defenses are actually configured, not just assumed.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


