
M365 SMTP Security Remediation Guide

Best practice hardening for Microsoft 365 email security
Prepared by Netier. Confidential. 6 remediation areas:

  • DMARC - Domain protection
  • SPF - Sender validation
  • DKIM - Crypto signatures
  • Connectors - Relay hardening
  • Anti-Spoof - Transport rules
  • Impersonation - AI protection

1. DMARC Configuration (Critical)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving mail servers what to do when SPF and DKIM checks fail. Without DMARC, anyone can send email pretending to be from your domain.

Key Finding: Over 80 customer domains have no DMARC record at all. These domains have zero protection against spoofing and phishing attacks.

Why This Matters

  • Prevents domain spoofing and phishing attacks using your domain
  • Provides visibility into who is sending email on your behalf
  • Required for brand indicators (BIMI) and improved email deliverability
  • Many cyber insurance policies now require DMARC enforcement

Phased Rollout

DMARC should be deployed in phases to avoid blocking legitimate email:

1. Monitor Mode (p=none)

Collect reports without affecting delivery. Run for 2-4 weeks.

; DNS TXT record for _dmarc.yourdomain.com.au
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com.au; pct=100

2. Quarantine Mode (p=quarantine)

Failed messages go to spam/junk. Run for 2-4 weeks, monitor for false positives.

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com.au; pct=100

3. Reject Mode (p=reject)

Failed messages are rejected outright. This is the target state.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com.au; pct=100

How to Create the DNS Record

  1. Log into your DNS provider (e.g., Cloudflare, GoDaddy, Azure DNS)
  2. Create a new TXT record
  3. Name/Host: _dmarc (some providers need _dmarc.yourdomain.com.au)
  4. Value: The DMARC policy string above
  5. TTL: 3600 (1 hour)

Verification

# PowerShell - check DMARC record
Resolve-DnsName -Name "_dmarc.yourdomain.com.au" -Type TXT

Warning: Do NOT jump straight to p=reject without monitoring first. Legitimate email from third-party services (marketing platforms, CRMs, etc.) may fail DMARC and get rejected.
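Checking one domain at a time does not scale to the 80+ domains found without a record. The following function is an added example, not part of the original guide: it resolves the _dmarc record for a list of domains with Resolve-DnsName, parses the tags, and reports which rollout stage each domain is in and whether aggregate reporting (rua) is configured. The domain names passed to it are placeholders.

```powershell
# Added example: report the DMARC rollout stage for a list of domains.
# Uses Resolve-DnsName (DnsClient module); the domain names passed in are placeholders.
function Get-DmarcStatus {
    param([Parameter(Mandatory)][string[]]$Domain)

    foreach ($d in $Domain) {
        $txt = Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings -join '' } |
            Where-Object { $_ -like 'v=DMARC1*' } |
            Select-Object -First 1

        if (-not $txt) {
            [pscustomobject]@{ Domain = $d; Stage = 'MISSING'; Policy = $null; Reports = $false; Pct = $null
                               Note = 'No DMARC record: nothing stops spoofing of this domain' }
            continue
        }

        # Split "tag=value" pairs; DMARC tags are separated by semicolons.
        $tags = @{}
        foreach ($pair in ($txt -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
        }
        $policy = if ($tags.ContainsKey('p')) { $tags['p'].ToLower() } else { '' }
        $pct    = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
        $stage  = switch ($policy) {
            'none'       { '1-Monitor' }
            'quarantine' { '2-Quarantine' }
            'reject'     { '3-Reject (target)' }
            default      { 'INVALID (no usable p= tag)' }
        }
        $note = @()
        if (-not $tags.ContainsKey('rua')) { $note += 'no rua= tag: aggregate reports are not collected' }
        if ($pct -lt 100 -and $policy -ne 'none') { $note += "pct=$pct: policy applied to only part of the mail" }

        [pscustomobject]@{
            Domain  = $d
            Stage   = $stage
            Policy  = $policy
            Reports = $tags.ContainsKey('rua')
            Pct     = $pct
            Note    = ($note -join '; ')
        }
    }
}

# Usage (placeholder domains): Get-DmarcStatus -Domain 'yourdomain.com.au', 'example.com' | Format-Table
```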

2. SPF Hardening (High)

SPF (Sender Policy Framework) specifies which mail servers are authorised to send email for your domain. A weak SPF record (soft fail or missing) allows spoofed emails to pass through.

Current vs Target

Config            SPF Suffix   Meaning                                   Security
Weak (common)     ~all         Mark as suspicious but still deliver      Soft Fail
Strong (target)   -all         Reject mail from unauthorised servers     Hard Fail
Neutral           ?all         No opinion                                Useless
Dangerous         +all         Accept from anyone                        No protection

Steps to Harden

1. Audit current SPF record

# Check current SPF
Resolve-DnsName -Name "yourdomain.com.au" -Type TXT | Where-Object { $_.Strings -match "spf" }

2. Identify all legitimate senders

Common includes for M365 customers:

Service            SPF Include
Microsoft 365      include:spf.protection.outlook.com
Google Workspace   include:_spf.google.com
Mailchimp          include:servers.mcsv.net
SendGrid           include:sendgrid.net

Remove any includes you don't actively use.

3. Update the TXT record

; Minimal M365-only SPF (recommended)
v=spf1 include:spf.protection.outlook.com -all

10 DNS Lookup Limit: SPF records are limited to 10 DNS lookups (includes, a, mx mechanisms). Exceeding this causes SPF to fail entirely. Use include: sparingly and remove unused entries. Use an SPF flattening service if you need more than 10.
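Counting lookups by hand is error-prone because include: targets pull in their own includes. The function below is an added example (not the guide's own code): it resolves a domain's SPF record with Resolve-DnsName, follows include: and redirect= recursively, counts every lookup-consuming mechanism against the limit of 10, and flags a weak all qualifier. The domain is a placeholder.

```powershell
# Added example: count the DNS lookups an SPF record consumes and check its "all" qualifier.
# Follows include: and redirect= recursively via Resolve-DnsName; the domain is a placeholder.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain, [int]$Depth = 0)

    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' } |
        Select-Object -First 1
    $r = [pscustomobject]@{ Domain = $Domain; Record = $spf; Lookups = 0; All = 'none'; Findings = @() }
    if (-not $spf) { $r.Findings += 'no SPF record'; return $r }

    foreach ($term in ($spf -split '\s+' | Select-Object -Skip 1)) {
        $t = $term.ToLower()
        # Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
        if ($t -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)' -or $t -match '^redirect=') { $r.Lookups++ }
        if ($t -match '^[+\-~?]?all$') { $r.All = if ($t -eq 'all') { '+all' } else { $t } }
        if ($t -match '^(?:[+\-~?]?include:|redirect=)(.+)$' -and $Depth -lt 10) {
            $next  = $Matches[1]
            $child = Test-SpfRecord -Domain $next -Depth ($Depth + 1)
            $r.Lookups += $child.Lookups          # nested lookups count against the same limit
            if (-not $child.Record) { $r.Findings += "'$next' has no SPF record (permerror)" }
        }
    }

    if ($Depth -eq 0) {                            # only the top-level call reports findings
        if ($r.Lookups -gt 10) { $r.Findings += "$($r.Lookups) lookups exceeds the limit of 10 (permerror)" }
        switch ($r.All) {
            '-all'  { }
            '~all'  { $r.Findings += 'soft fail (~all): change to -all' }
            '?all'  { $r.Findings += 'neutral (?all): provides no protection' }
            '+all'  { $r.Findings += 'DANGEROUS: +all accepts mail from any server' }
            default { $r.Findings += 'no all mechanism: add -all' }
        }
    }
    return $r
}

# Usage (placeholder): Test-SpfRecord -Domain 'yourdomain.com.au' | Format-List
```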

3. DKIM Setup in M365 (High)

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, proving they haven't been tampered with and truly originate from your domain.

Step 1: Create DNS CNAME Records

Add two CNAME records to your domain's DNS:

; DKIM Selector 1
Host: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com-au._domainkey.yourtenant.onmicrosoft.com

; DKIM Selector 2
Host: selector2._domainkey
Type: CNAME
Value: selector2-yourdomain-com-au._domainkey.yourtenant.onmicrosoft.com

Note: Replace yourdomain-com-au with your domain using dashes instead of dots, and yourtenant with your Microsoft 365 tenant name.

Step 2: Enable DKIM in Exchange Admin

  1. Go to Exchange Admin Center → Mail flow → DKIM
  2. Or: Microsoft 365 Defender → Email & collaboration → Policies → DKIM
  3. Select your domain
  4. Toggle Sign messages for this domain with DKIM signatures to Enabled

Step 3: Verify

# Check DKIM CNAME records
Resolve-DnsName -Name "selector1._domainkey.yourdomain.com.au" -Type CNAME
Resolve-DnsName -Name "selector2._domainkey.yourdomain.com.au" -Type CNAME

PowerShell (Exchange Online)

# Connect to Exchange Online
Connect-ExchangeOnline

# Check DKIM status
Get-DkimSigningConfig -Identity "yourdomain.com.au" | Format-List

# Enable DKIM
Set-DkimSigningConfig -Identity "yourdomain.com.au" -Enabled $true

4. M365 Inbound Connector Hardening (Critical)

Inbound connectors in Exchange Online accept mail from external sources. Misconfigured connectors can allow unauthenticated relay, enabling anyone to send email as your organisation.

Key Finding: This is the #1 finding in SMTP audits. 132 out of 141 M365 domains (93.6%) accept unauthenticated SMTP relay. An attacker can send emails from your domain without any credentials. This bypasses SPF because the email comes from Microsoft's own infrastructure.

Check Current Connectors

# List all inbound connectors
Connect-ExchangeOnline
Get-InboundConnector | Format-List Name, Enabled, SenderDomains, SenderIPAddresses, RequireTls, RestrictDomainsToIPAddresses
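Reading that list by eye across many connectors is where misconfigurations get missed. The function below is an added example (not the guide's own code) that applies the checks from this section to every inbound connector and marks those that lack an IP or certificate restriction, have RequireTls off, or use a wildcard sender domain. It assumes an existing Connect-ExchangeOnline session; the Risk labels are this example's own.

```powershell
# Added example: flag inbound connectors that accept mail without a source restriction.
# Assumes an existing Connect-ExchangeOnline session; the risk labels are this example's own.
function Get-RiskyInboundConnector {
    Get-InboundConnector | ForEach-Object {
        $c = $_
        $findings = @()
        $hasIp   = ($c.SenderIPAddresses | Measure-Object).Count -gt 0
        $hasCert = -not [string]::IsNullOrEmpty($c.TlsSenderCertificateName)
        $anyDom  = @($c.SenderDomains | ForEach-Object { "$_" }) -match '\*'   # wildcard sender domain

        if (-not $hasIp -and -not $hasCert) {
            $findings += 'no IP or certificate restriction: source is not verified (open relay risk)'
        }
        if ($hasIp -and -not $c.RestrictDomainsToIPAddresses) {
            $findings += 'SenderIPAddresses is set but RestrictDomainsToIPAddresses is false'
        }
        if (-not $c.RequireTls) { $findings += 'RequireTls is false' }
        if ($anyDom) { $findings += 'SenderDomains contains a wildcard (*)' }

        [pscustomobject]@{
            Name     = $c.Name
            Enabled  = $c.Enabled
            Type     = $c.ConnectorType
            Risk     = if (-not $c.Enabled) { 'Disabled' } elseif ($findings.Count -gt 0) { 'REVIEW' } else { 'OK' }
            Findings = ($findings -join '; ')
        }
    }
}

# Review anything marked REVIEW against the hardening options, then re-run the SMTP audit.
Get-RiskyInboundConnector | Sort-Object Risk | Format-Table -AutoSize -Wrap
```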

Hardening Options

Option A: Restrict by Source IP (Recommended for MFP/Scanner connectors)

Only allow mail from known IP addresses (e.g., your office MFPs, third-party scanners).

# Restrict connector to specific IPs
Set-InboundConnector -Identity "Scanner Connector" `
  -SenderIPAddresses @("203.0.113.10", "203.0.113.11") `
  -RestrictDomainsToIPAddresses $true `
  -RequireTls $true

Option B: Restrict by TLS Certificate

Require a specific TLS certificate subject name. More secure than IP-based restriction.

# Restrict connector by certificate
Set-InboundConnector -Identity "Partner Connector" `
  -TlsSenderCertificateName "mail.partner.com" `
  -RequireTls $true

Option C: Remove the Connector

If the connector is no longer needed (legacy migration connector, old MFP setup), remove it entirely.

# Disable first, then remove after testing
Set-InboundConnector -Identity "Old Connector" -Enabled $false

# After confirming no impact (wait 1-2 weeks):
Remove-InboundConnector -Identity "Old Connector"

Exchange Admin Center (GUI)

  1. Go to Exchange Admin Center → Mail flow → Connectors
  2. Select the inbound connector
  3. Under How to identify the partner organisation, add IP addresses or certificate restrictions
  4. Enable Reject email messages if they aren't sent over TLS

Verification: After hardening, re-run the SMTP audit to confirm the relay test now returns "Blocked" instead of "OPEN".

5. Anti-Spoofing Mail Flow Rules (High)

Create Exchange transport rules to reject emails from external senders that use your internal domain in the FROM address. This prevents attackers from impersonating your staff.

Transport Rule: Block External Senders Using Internal Domain

# Create anti-spoofing transport rule
New-TransportRule -Name "Block External Domain Spoofing" `
  -FromScope "NotInOrganization" `
  -SenderDomainIs "yourdomain.com.au" `
  -RejectMessageReasonText "Rejected: External sender spoofing internal domain" `
  -RejectMessageEnhancedStatusCode "5.7.1" `
  -Mode "Enforce"

Caution: Before enforcing, run in audit mode first to check for legitimate external senders using your domain (e.g., forwarded emails, shared mailboxes with external partners).

Audit Mode First

# Run in audit mode first (generates reports without blocking)
New-TransportRule -Name "Audit External Domain Spoofing" `
  -FromScope "NotInOrganization" `
  -SenderDomainIs "yourdomain.com.au" `
  -GenerateIncidentReport "admin@yourdomain.com.au" `
  -IncidentReportContent "Sender", "Recipients", "Subject", "MessageId" `
  -Mode "Audit"

Exchange Admin Center (GUI)

  1. Go to Exchange Admin Center → Mail flow → Rules
  2. Click + Add a rule → Create a new rule
  3. Condition: The sender is located = Outside the organisation
  4. Condition: The sender's domain is = yourdomain.com.au
  5. Action: Reject the message with the explanation
  6. Set to Audit mode first, switch to Enforce after 2 weeks
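The rules above name a single domain; a tenant with several accepted domains needs the same rule to cover all of them, or the unlisted ones stay spoofable. The following is an added example (not the guide's own code) that generalises the GUI steps above: it builds one rule in audit mode over every authoritative accepted domain (from Get-AcceptedDomain) with the reject action already defined, so switching to Enforce later is a single Set-TransportRule call, and a second function reports the rule's current mode for the checklist. It assumes an existing Connect-ExchangeOnline session; the report mailbox is a placeholder.

```powershell
# Added example: create the anti-spoofing rule over every authoritative accepted domain
# (starting in audit mode) and report which mode the rule is currently in.
# Assumes Connect-ExchangeOnline has been run; the report mailbox below is a placeholder.
function New-AntiSpoofRule {
    param(
        [string]$Name     = 'Block External Domain Spoofing',
        [string]$ReportTo = 'admin@yourdomain.com.au'
    )
    # Authoritative domains are the ones we own; relay-type accepted domains are left out.
    $domains = Get-AcceptedDomain |
        Where-Object { $_.DomainType -eq 'Authoritative' } |
        ForEach-Object { $_.DomainName.ToString() }
    if (-not $domains) { throw 'No authoritative accepted domains found' }
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$Name' already exists; adjust it with Set-TransportRule instead"
        return
    }
    New-TransportRule -Name $Name `
        -FromScope NotInOrganization `
        -SenderDomainIs $domains `
        -RejectMessageReasonText 'Rejected: External sender spoofing internal domain' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -GenerateIncidentReport $ReportTo `
        -IncidentReportContent Sender, Recipients, Subject, MessageId `
        -Mode Audit `
        -Comments "Anti-spoofing; covers: $($domains -join ', ')"
}

function Get-AntiSpoofRuleState {
    param([string]$Name = 'Block External Domain Spoofing')
    $rule = Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue
    if (-not $rule) { return [pscustomobject]@{ Rule = $Name; State = 'MISSING'; Mode = $null; Domains = $null } }
    [pscustomobject]@{
        Rule    = $rule.Name
        State   = $rule.State                      # Enabled / Disabled
        Mode    = $rule.Mode                       # Audit / AuditAndNotify / Enforce
        Domains = ($rule.SenderDomainIs -join ', ')
    }
}

# After the audit period, promote with: Set-TransportRule -Identity 'Block External Domain Spoofing' -Mode Enforce
```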

6. Impersonation Protection (Medium)

Microsoft Defender for Office 365 includes advanced anti-phishing policies with impersonation protection. This catches sophisticated attacks where the sender name looks similar to a trusted person (e.g., "J0hn Smith" instead of "John Smith").

Requires: Microsoft Defender for Office 365 Plan 1 or Plan 2 (included in Microsoft 365 Business Premium, E5, or as an add-on).

Configure Anti-Phishing Policy

  1. Go to Microsoft 365 Defender → Email & collaboration → Policies & rules
  2. Click Threat policies → Anti-phishing
  3. Edit the default policy or create a new one

User Impersonation Protection

Protect high-value targets (CEO, CFO, Managing Director, Finance team):

  1. Under Impersonation, enable Enable users to protect
  2. Add users: CEO, CFO, Managing Director, Finance Manager
  3. Action: Quarantine the message

Domain Impersonation Protection

  1. Enable Enable domains to protect
  2. Select Include domains I own
  3. Optionally add partner/supplier domains
  4. Action: Quarantine the message

Mailbox Intelligence

  1. Enable Enable mailbox intelligence
  2. Enable Enable intelligence for impersonation protection
  3. This uses AI to learn communication patterns and flag anomalies

PowerShell Configuration

# Create anti-phishing policy with impersonation protection
New-AntiPhishPolicy -Name "Netier Standard Protection" `
  -EnableMailboxIntelligence $true `
  -EnableMailboxIntelligenceProtection $true `
  -MailboxIntelligenceProtectionAction Quarantine `
  -EnableOrganizationDomainsProtection $true `
  -EnableTargetedUserProtection $true `
  -TargetedUsersToProtect @("CEO;ceo@yourdomain.com.au", "CFO;cfo@yourdomain.com.au") `
  -TargetedUserProtectionAction Quarantine `
  -TargetedDomainProtectionAction Quarantine
# Note: a custom policy only applies once it is assigned to recipients with New-AntiPhishRule

Remediation Checklist

Use this checklist to track progress.

Priority 1 - Critical (Do Now)

  • Audit all inbound connectors in Exchange Admin Center
  • Remove or restrict any connectors allowing unauthenticated relay
  • Create DMARC record in monitor mode (p=none) for all domains
  • Verify DMARC records resolve correctly with Resolve-DnsName

Priority 2 - High (This Week)

  • Harden SPF records from ~all to -all
  • Remove unused SPF includes to stay under 10-lookup limit
  • Create DKIM CNAME records for selector1 and selector2
  • Enable DKIM signing in Exchange Admin Center
  • Create anti-spoofing transport rule in audit mode

Priority 3 - Medium (This Month)

  • Review DMARC aggregate reports after 2-4 weeks
  • Upgrade DMARC from p=none to p=quarantine
  • Configure impersonation protection for key personnel
  • Enable mailbox intelligence
  • Switch anti-spoofing rule from audit to enforce
  • Upgrade DMARC from p=quarantine to p=reject
  • Re-run SMTP security audit to verify all fixes