SMTP Security Audit
Comprehensive analysis of email authentication, open relay exposure, and spoofing vulnerabilities across the Microsoft 365 tenant infrastructure.
Executive Risk Summary
Aggregate security posture across all audited domains and authentication controls.
Risk Quantification
Security scores are calculated by assessing each domain across four key controls aligned to industry frameworks: SPF (sender validation), DMARC (policy enforcement), DKIM (message integrity), and Relay Security (access control). Each control is scored 0–100 and weighted equally to produce an aggregate compliance percentage.
Letter Grades
Grades follow standard thresholds: A = 80%+, B = 60–79%, C = 40–59%, D = 20–39%, F = below 20%. These map directly to risk levels used across Essential Eight, ISO 27001, and DISP compliance frameworks.
Data Sources
All assessments use publicly available data: DNS records (SPF, DMARC, DKIM via TXT/CNAME lookups), HTTP security headers, SMTP banner probing for open relay detection, and TLS certificate inspection. This represents an external attacker’s view — no internal systems are accessed.
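The following script, added here as an illustration and not part of the audit tooling, shows how the four controls described above can be read from public DNS and turned into the aggregate percentage and letter grade the report uses. The per-control rubric (for example, p=reject scoring 100 and p=none scoring 20) is an assumption for the example, not the audit's actual scoring; the Relay score is passed in as a parameter rather than probed, and Resolve-DnsName (Windows DnsClient module) is assumed to be available.

```powershell
# Added example: score a domain on SPF, DMARC, DKIM and Relay, then grade it.
# The rubric below is an assumption for illustration, not the audit's own scoring.

function Get-TxtRecord {
    param([Parameter(Mandatory)][string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }   # long TXT records arrive in several strings
    } catch { @() }
}

function Get-LetterGrade {
    param([int]$Percent)
    # Thresholds as stated in the report: A 80+, B 60-79, C 40-59, D 20-39, F below 20
    if ($Percent -ge 80) { 'A' } elseif ($Percent -ge 60) { 'B' } elseif ($Percent -ge 40) { 'C' }
    elseif ($Percent -ge 20) { 'D' } else { 'F' }
}

function Get-EmailAuthScore {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [ValidateRange(0, 100)][int]$RelayScore = 0   # result of a separate relay test; not probed here
    )

    # SPF: the qualifier on the "all" mechanism decides what happens to unlisted senders.
    [string]$spf = Get-TxtRecord $Domain | Where-Object { $_ -match '^v=spf1' } | Select-Object -First 1
    $spfScore = switch -Regex ($spf) {
        '\s-all\b'    { 100; break }   # hard fail
        '\s~all\b'    { 50;  break }   # soft fail: spoofed mail is usually still delivered
        '\s[?+]all\b' { 10;  break }   # neutral / pass: no effective protection
        default       { 0 }            # no record or no "all" term
    }

    # DMARC: the published policy (p=) is what receivers enforce.
    [string]$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1
    $dmarcScore = switch -Regex ($dmarc) {
        '\bp=reject\b'     { 100; break }
        '\bp=quarantine\b' { 60;  break }
        '\bp=none\b'       { 20;  break }   # monitoring only
        default            { 0 }
    }

    # DKIM: Microsoft 365 publishes its signing keys behind two CNAMEs, selector1 and selector2.
    $dkimScore = 0
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "${sel}._domainkey.${Domain}" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' }
        if ($cname) { $dkimScore += 50 }
    }

    # Four controls, weighted equally, as the report describes.
    $aggregate = [int][math]::Round(($spfScore + $dmarcScore + $dkimScore + $RelayScore) / 4)
    [pscustomobject]@{
        Domain = $Domain; SPF = $spfScore; DMARC = $dmarcScore; DKIM = $dkimScore; Relay = $RelayScore
        Aggregate = $aggregate; Grade = Get-LetterGrade $aggregate
        SPFRecord = $spf; DMARCRecord = $dmarc
    }
}

# Usage (example.com is a reserved documentation domain, used here as a placeholder)
Get-EmailAuthScore -Domain 'example.com' -RelayScore 100 | Format-List
```

Because every input is a public DNS answer, the script reproduces the external view the report describes: a domain with p=none, ~all and no selector CNAMEs lands at (20 + 50 + 0 + relay) / 4, which is a D or F before any relay test is even considered.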
Frameworks
Controls are mapped to Essential Eight (Maturity Level 1 & 2), ISO 27001 (Annex A controls), and DISP (ICT Security). These are standard requirements for Australian organisations, government contractors, and defence industry participants.
Assessment Reports
Completed security assessments across email, domain, and endpoint attack surfaces.
M365 SMTP Security Audit
M365 SMTP Remediation Guide
Security Capability Showcase
MITRE ATT&CK Endpoint Scan
houstons.tech
autographman.co.uk
sunshinesupportingservices.com
cscc.com.au
meridiandefence.com.au
Meridian Defence — Feb 2026
MITRE ATT&CK Assessment
Interactive technique coverage map from endpoint security assessment.
SMTP Domain Analysis
Email authentication and open relay status across 240 audited M365 domains.
| Company | Domain | Risk | SPF | DMARC | DKIM | Relay |
|---|---|---|---|---|---|---|
Domain Comparison
Spoof Demonstration
Live SMTP spoofing demonstration against vulnerable open relays. This sends a real email to prove the vulnerability.
Remediation Impact
Projected security posture improvement after implementing the recommended remediation steps. The original chart shows four compliance milestones: 35%, 65%, 85% and 100%.
Remediation Guide
Prioritised remediation steps to close the identified SMTP security gaps.
DMARC Enforcement
Critical: Move the DMARC policy from p=none to p=quarantine, then to p=reject. This is the single most impactful change for preventing spoofing.
- Publish _dmarc.domain TXT "v=DMARC1; p=reject; rua=mailto:dmarc@domain"
- Monitor aggregate reports for 2 weeks before enforcement
- Start with quarantine, escalate to reject after validation
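The monitoring step above is only useful if someone actually reads the aggregate (rua) reports. The script below, an added example rather than part of this guide, summarises one such report so that the sources that would be quarantined or rejected under a stricter policy are visible before the policy changes. The XML is a constructed sample in the RFC 7489 aggregate-report layout with documentation IP addresses, not a real report.

```powershell
# Added example: summarise a DMARC aggregate report before moving from p=none to enforcement.
# $sampleReport is a constructed sample, not a report received by any real domain.
$sampleReport = @'
<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>sample-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>14</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
'@

function Get-DmarcReportSummary {
    param([Parameter(Mandatory)][string]$ReportXml)
    [xml]$doc = $ReportXml
    foreach ($rec in $doc.feedback.record) {
        # policy_evaluated holds the *aligned* results, which is what DMARC decides on
        $dkim = $rec.row.policy_evaluated.dkim
        $spf  = $rec.row.policy_evaluated.spf
        $pass = ($dkim -eq 'pass') -or ($spf -eq 'pass')   # DMARC passes if either aligned check passes
        [pscustomobject]@{
            SourceIp        = $rec.row.source_ip
            Messages        = [int]$rec.row.SelectSingleNode('count').InnerText
            AlignedDKIM     = $dkim
            AlignedSPF      = $spf
            DmarcPass       = $pass
            # Under p=quarantine or p=reject this source's mail would be acted on
            WouldBeAffected = -not $pass
        }
    }
}

$summary = Get-DmarcReportSummary -ReportXml $sampleReport
$summary | Format-Table -AutoSize
$affected = ($summary | Where-Object WouldBeAffected | Measure-Object Messages -Sum).Sum
"Messages that would be quarantined/rejected under enforcement: $affected"
```

In the sample, 198.51.100.7 passes SPF but fails DKIM and would still pass DMARC, while 203.0.113.9 fails both; that is the source to identify (a forgotten mailer, or an actual spoofer) before switching to quarantine.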
SPF Hardening
Critical: Change SPF from ~all (soft fail) to -all (hard fail). With soft fail, spoofed emails are still delivered.
- Audit all legitimate sending sources first
- Include only required IP ranges and services
- Keep under 10 DNS lookups (SPF recursion limit)
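The 10-lookup limit is easy to exceed once several SaaS includes accumulate, and a record over the limit evaluates to permerror, which leaves the domain with no SPF protection at all. The script below is an added example, not part of this guide: it walks include: and redirect= targets recursively, counts the mechanisms that cost a DNS lookup (a, mx, ptr, exists, include, redirect), and flags a non-hard-fail "all". It assumes Resolve-DnsName is available.

```powershell
# Added example: count the DNS lookups an SPF record needs (RFC 7208 limit: 10) and check the "all" qualifier.

function Get-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain)
    try {
        Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' } |
            Where-Object { $_ -match '^v=spf1(\s|$)' } |
            Select-Object -First 1
    } catch { $null }
}

function Measure-SpfLookups {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    $record = Get-SpfRecord $Domain
    if (-not $record) {
        return [pscustomobject]@{ Domain = $Domain; Record = $null; Lookups = 0; AllQualifier = '(none)'
                                  Problems = @("no SPF record for $Domain") }
    }
    $lookups = 0; $problems = @(); $all = '(none)'
    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {   # skip the v=spf1 tag
        switch -Regex ($term) {
            '^[+\-~?]?all$'              { $all = $term; break }
            '^[+\-~?]?(a|mx|ptr)(:|/|$)' { $lookups++; break }          # each costs a lookup
            '^[+\-~?]?exists:'           { $lookups++; break }
            '^(?:[+\-~?]?include:|redirect=)(.+)$' {
                $lookups++                                          # the include itself counts...
                $target = $Matches[1]
                if ($Seen.Add($target)) {
                    $child = Measure-SpfLookups -Domain $target -Depth ($Depth + 1) -Seen $Seen
                    $lookups += $child.Lookups                      # ...plus everything it pulls in
                    $problems += $child.Problems
                } else {
                    $problems += "include loop or duplicate: $target"
                }
                break
            }
            '^[+\-~?]?ip[46]:'           { break }                  # literal ranges cost nothing
        }
    }
    if ($Depth -eq 0) {
        if ($lookups -gt 10) { $problems += "$lookups DNS lookups exceeds the limit of 10 (record evaluates to permerror)" }
        if ($all -ne '-all') { $problems += "'all' qualifier is '$all'; publish -all for hard fail" }
    }
    [pscustomobject]@{ Domain = $Domain; Record = $record; Lookups = $lookups; AllQualifier = $all; Problems = $problems }
}

# Usage (example.com is a placeholder)
Measure-SpfLookups -Domain 'example.com' | Format-List
```

Run it against each audited domain before tightening to -all: the Problems field lists the includes that no longer resolve, which are usually the "legitimate sending sources" the first step asks you to audit.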
DKIM Signing
High: Enable DKIM signing for all outbound email. Without DKIM, DMARC alignment relies solely on SPF, which is easily broken by forwarding.
- Generate DKIM keys in Exchange Online admin
- Publish CNAME records for selector1 and selector2
- Enable signing in M365 Security & Compliance
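The three DKIM steps can be driven from Exchange Online PowerShell rather than the admin portal. The function below is an added example, not part of this guide or of Microsoft's tooling: it creates the signing configuration if needed, prints the two CNAMEs that must exist in DNS, and only enables signing once both resolve (enabling before the CNAMEs exist makes outbound mail fail DKIM). It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session and Resolve-DnsName.

```powershell
# Added example: enable DKIM for a tenant domain, verifying the selector CNAMEs first.

function Enable-TenantDkim {
    param([Parameter(Mandatory)][string]$Domain)

    # Create the signing config if the tenant has none; keep it disabled until DNS is in place.
    $config = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $config) {
        $config = New-DkimSigningConfig -DomainName $Domain -Enabled $false
    }

    # Microsoft 365 expects two CNAMEs pointing at the tenant-specific selector hosts it reports.
    $expected = @{
        "selector1._domainkey.$Domain" = $config.Selector1CNAME
        "selector2._domainkey.$Domain" = $config.Selector2CNAME
    }

    $missing = foreach ($name in $expected.Keys) {
        $actual = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'CNAME' }).NameHost
        if ($actual -ne $expected[$name]) {
            "Publish CNAME $name -> $($expected[$name]) (currently: $(if ($actual) { $actual } else { 'absent' }))"
        }
    }

    if ($missing) {
        $missing | Write-Warning
        return $false          # DNS not ready; do not enable yet
    }

    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    return $true
}

# Usage (placeholder domain)
Enable-TenantDkim -Domain 'example.com'
```

Rotating keys later follows the same pattern: Rotate-DkimSigningConfig swaps the active selector, which is why both selector1 and selector2 must always be published.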
Connector Lockdown
Critical: Restrict or remove open inbound connectors that allow unauthenticated SMTP relay. This is the root cause of the open relay vulnerability.
- Review all inbound connectors in Exchange admin
- Remove connectors with wildcard sender domains
- Require TLS and certificate validation
- Restrict to known partner IP ranges
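The connector review can be automated so that every tenant in the audit is checked the same way. The functions below are an added example, not part of this guide: the first lists enabled inbound connectors that accept any sender domain, do not require TLS, or have no IP or certificate restriction; the second applies the lockdown in one Set-InboundConnector call. An Exchange Online session is assumed, and the connector name, partner domain and IP range in the usage line are placeholders.

```powershell
# Added example: find inbound connectors that relay for anyone, then restrict one to a known partner.

function Find-OpenInboundConnector {
    Get-InboundConnector | Where-Object { $_.Enabled } | ForEach-Object {
        $findings = @()
        # SenderDomains entries look like "smtp:*;1"; a wildcard accepts mail for every domain.
        if ($_.SenderDomains -match '^smtp:\*;') { $findings += 'wildcard sender domain' }
        if (-not $_.RequireTls)                   { $findings += 'TLS not required' }
        # Without an IP or certificate restriction nothing ties the connector to a known partner.
        if (-not $_.RestrictDomainsToIPAddresses -and -not $_.RestrictDomainsToCertificate) {
            $findings += 'no IP or certificate restriction'
        }
        if ($findings) {
            [pscustomobject]@{
                Connector = $_.Name
                Type      = $_.ConnectorType
                Findings  = $findings -join '; '
            }
        }
    }
}

function Protect-PartnerConnector {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$PartnerDomains,   # domains the partner legitimately sends as
        [Parameter(Mandatory)][string[]]$PartnerIpRanges   # CIDR ranges the partner sends from
    )
    # Require TLS and only accept the listed domains when they arrive from the listed ranges.
    Set-InboundConnector -Identity $Name `
        -SenderDomains $PartnerDomains `
        -SenderIPAddresses $PartnerIpRanges `
        -RestrictDomainsToIPAddresses $true `
        -RequireTls $true
}

# Usage (all values are placeholders; 203.0.113.0/24 is a documentation range)
Find-OpenInboundConnector | Format-Table -AutoSize
Protect-PartnerConnector -Name 'Partner relay' -PartnerDomains 'partner.example' -PartnerIpRanges '203.0.113.0/24'
# Connectors nobody can account for should be removed instead:
# Remove-InboundConnector -Identity 'Unknown connector' -Confirm:$false
```

Where the partner authenticates with a certificate rather than fixed IPs, RestrictDomainsToCertificate with TlsSenderCertificateName is the equivalent restriction; either way the wildcard sender domain has to go.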
Anti-Spoof Transport Rules
High: Create Exchange transport rules to reject emails whose sender domain matches an internal domain but which originate externally.
- Rule: internal domain + external origin = quarantine
- Whitelist legitimate external senders (CRM, marketing)
- Enable external sender tagging in Outlook
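The rule and the Outlook tagging can both be created from Exchange Online PowerShell. The snippet below is an added example, not part of this guide: it quarantines mail that claims one of the tenant's own domains but arrives from outside the organisation, exempts the IP ranges of sanctioned external platforms, and turns on external sender tagging. An Exchange Online session is assumed; the domain and IP values are placeholders.

```powershell
# Added example: quarantine external mail that spoofs an internal domain, with a whitelist for known platforms.

$internalDomains    = @('example.com')        # placeholder: the tenant's accepted domains
$allowedExternalIps = @('203.0.113.0/24')     # placeholder: CRM / marketing platform ranges that send as us

New-TransportRule -Name 'Quarantine spoofed internal sender' `
    -FromScope NotInOrganization `
    -SenderDomainIs $internalDomains `
    -ExceptIfSenderIpRanges $allowedExternalIps `
    -Quarantine $true `
    -Comments 'Mail from our own domains must originate inside the tenant or from the listed platforms'

# Tag everything that genuinely comes from outside so recipients see the warning in Outlook.
Set-ExternalInOutlook -Enabled $true

# Verify what was created
Get-TransportRule -Identity 'Quarantine spoofed internal sender' |
    Select-Object Name, FromScope, SenderDomainIs, ExceptIfSenderIpRanges, Quarantine
```

Keep the exception list in step with the SPF record: any platform allowed here should also be an authorised SPF source, otherwise it passes the rule but still fails DMARC.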
Advanced Threat Protection
Medium: Enable M365 Defender anti-phishing policies with impersonation protection for key executives and domains.
- Enable first-contact safety tips
- Add executives to impersonation protection list
- Configure mailbox intelligence for BEC detection
- Enable spoof intelligence insight dashboard
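The four anti-phishing settings map onto parameters of Set-AntiPhishPolicy. The snippet below is an added example, not part of this guide: it applies them to the tenant's default policy and reads the result back. An Exchange Online session is assumed; the executive entries are placeholders in the "DisplayName;EmailAddress" form the cmdlet expects, and "Office365 AntiPhish Default" is the name of the built-in default policy.

```powershell
# Added example: executive impersonation protection, mailbox intelligence, first-contact tips, spoof intelligence.

$executives = @(
    'Jane Example;jane.example@example.com',   # placeholder entries
    'John Example;john.example@example.com'
)

Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true

# Read back the settings that matter for BEC detection
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection,
                  EnableFirstContactSafetyTips, EnableSpoofIntelligence
```

Mailbox intelligence needs the protection flag as well as the intelligence flag: EnableMailboxIntelligence only builds the contact graph, and EnableMailboxIntelligenceProtection is what acts on an impersonation it detects.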