SMTP Security Audit
Comprehensive analysis of email authentication, open relay exposure, and spoofing vulnerabilities across the Microsoft 365 tenant infrastructure.
Assessment Reports
Completed security assessments across email, domain, and endpoint attack surfaces.
M365 SMTP Security Audit
M365 SMTP Remediation Guide
Security Capability Showcase
MITRE ATT&CK Endpoint Scan
houstons.tech
autographman.co.uk
sunshinesupportingservices.com
cscc.com.au
SMTP Domain Analysis
Email authentication and open relay status across 236 audited M365 domains.
| Company | Domain | Risk | SPF | DMARC | DKIM | Relay |
|---|---|---|---|---|---|---|
Spoof Demonstration
Live SMTP spoofing demonstration against vulnerable open relays. This sends a real email to prove the vulnerability.
Remediation Guide
Prioritised remediation steps to close the identified SMTP security gaps.
DMARC Enforcement
Critical: Move the DMARC policy from p=none to p=quarantine and then to p=reject. This is the single most impactful change for stopping spoofing of the domain.
- Publish `_dmarc.domain TXT "v=DMARC1; p=reject; rua=mailto:dmarc@domain"` as the target record (keep p=none with the same rua tag during the monitoring period so reports arrive without affecting delivery)
- Monitor aggregate reports for 2 weeks before enforcement
- Start with quarantine, escalate to reject after validation
SPF Hardening
Critical: Change SPF from ~all (soft fail) to -all (hard fail). With ~all, mail from an unlisted source only soft-fails SPF, and most receivers still deliver it.
- Audit all legitimate sending sources first
- Include only required IP ranges and services
- Stay within the limit of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect each count; ip4/ip6 do not); exceeding it produces a permerror and the record stops protecting anything
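The two checks above (the all qualifier and the lookup budget for SPF, the policy and reporting tags for DMARC) can be scripted so they are applied identically to every domain in the table. The following is an added example, not code from the audit itself; it parses record strings offline, so the domains and records are constructed placeholders, and in a real run you would feed it the TXT strings returned by Resolve-DnsName.

```powershell
# Added example (not part of the audit page): grade SPF and DMARC TXT records with
# the same criteria the remediation guide uses. Records are passed in as strings so
# this runs offline; in a real audit feed it (Resolve-DnsName $d -Type TXT).Strings.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') {
        return [pscustomobject]@{ Valid = $false; Findings = @('not an SPF record') }
    }
    # Terms that cost a DNS query (RFC 7208 section 4.6.4): include, a, mx, ptr,
    # exists, redirect. ip4:/ip6: are free, which is why flattening a bloated record helps.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|a([:/]|$)|mx([:/]|$)|ptr|exists:|redirect=)'
    }).Count
    $allTerm   = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' })[-1]
    $qualifier = if ($allTerm -and $allTerm.Length -eq 4) { $allTerm.Substring(0, 1) } else { '+' }
    $findings  = @()
    switch ($qualifier) {
        '-'     { }
        '~'     { $findings += 'soft fail (~all): spoofed mail still gets delivered' }
        '?'     { $findings += 'neutral (?all): SPF gives no protection' }
        default { $findings += 'no -all terminator: every source passes' }
    }
    if ($lookups -gt 10) { $findings += "$lookups lookups exceed the limit of 10 (permerror)" }
    [pscustomobject]@{
        Valid = $true; AllQualifier = $qualifier; Lookups = $lookups
        Hardened = ($qualifier -eq '-' -and $lookups -le 10); Findings = $findings
    }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') {
        return [pscustomobject]@{ Valid = $false; Policy = $null; Findings = @('not a DMARC record') }
    }
    $findings = @()
    $policy   = $tags['p']
    if ($policy -eq 'none')            { $findings += 'p=none: monitoring only, spoofed mail is delivered' }
    elseif ($policy -eq 'quarantine')  { $findings += 'p=quarantine: escalate to p=reject after validation' }
    if (-not $tags.ContainsKey('rua')) { $findings += 'no rua tag: aggregate reports are not being collected' }
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    if ($pct -lt 100) { $findings += "pct=$pct`: policy applies to only $pct% of failing mail" }
    [pscustomobject]@{
        Valid = $true; Policy = $policy
        Enforced = ($policy -eq 'reject' -and $pct -eq 100); Findings = $findings
    }
}

# Constructed sample records for hypothetical domains (not the audit's real data).
$samples = @(
    @{ Domain = 'weak.example';   Spf = 'v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all'
                                  Dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@weak.example' }
    @{ Domain = 'strong.example'; Spf = 'v=spf1 include:spf.protection.outlook.com -all'
                                  Dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@strong.example' }
)
foreach ($s in $samples) {
    $spf   = Test-SpfRecord   -Record $s.Spf
    $dmarc = Test-DmarcRecord -Record $s.Dmarc
    "$($s.Domain): SPF $($spf.AllQualifier)all, $($spf.Lookups) lookups; DMARC p=$($dmarc.Policy)"
    foreach ($f in ($spf.Findings + $dmarc.Findings)) { "  - $f" }
}
```

The lookup counter only inspects the record you hand it; it does not recurse into the included records, so a domain can still exceed the limit once its includes are expanded. Treat a count near 10 at the top level as a signal to flatten.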
DKIM Signing
High: Enable DKIM signing for all outbound email. Without DKIM, DMARC alignment rests solely on SPF, which breaks whenever a message is forwarded (the forwarding host is not in your SPF record), so legitimate mail fails DMARC and enforcement becomes hard to reach.
- Generate DKIM keys for each domain in Exchange Online (DKIM page under Email authentication settings in the Microsoft Defender portal, or New-DkimSigningConfig)
- Publish CNAME records for selector1._domainkey and selector2._domainkey pointing at the tenant-specific targets shown in the DKIM configuration
- Enable signing on the same DKIM page once both CNAMEs resolve
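The three DKIM steps as one Exchange Online PowerShell run, added here as an example rather than taken from the audit. It assumes an existing Connect-ExchangeOnline session, uses contoso.com as a placeholder domain, and relies on Resolve-DnsName from the Windows DnsClient module for the propagation check.

```powershell
# Added example (not from the audit page): enable Exchange Online DKIM signing for
# one domain. Assumes Connect-ExchangeOnline has already been run; 'contoso.com'
# is a placeholder.
$domain = 'contoso.com'

# 1. Create the signing configuration (this generates the key pair) but leave it
#    disabled until DNS is in place.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -KeySize 2048 -Enabled $false | Out-Null
}

# 2. Read the tenant-specific CNAME targets and publish them at your DNS host.
$cfg = Get-DkimSigningConfig -Identity $domain
"selector1._domainkey.$domain  CNAME  $($cfg.Selector1CNAME)"
"selector2._domainkey.$domain  CNAME  $($cfg.Selector2CNAME)"

# 3. Only enable signing once both selectors resolve; Set-DkimSigningConfig refuses
#    to enable when the CNAMEs are missing, and a half-published pair breaks signing.
$resolved = foreach ($sel in 'selector1', 'selector2') {
    $r = Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
    [bool]($r | Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost })
}
if ($resolved -notcontains $false) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled, KeyCreationTime
} else {
    Write-Warning "DKIM CNAMEs for $domain are not resolvable yet; signing left disabled"
}
```

After enabling, send a test message to an external mailbox and confirm the Authentication-Results header shows dkim=pass with header.d equal to your domain; that is the alignment DMARC needs when SPF breaks on forwarding.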
Connector Lockdown
Critical: Restrict or remove inbound connectors that accept unauthenticated SMTP relay. This is the root cause of the open relay finding.
- Review all inbound connectors in the Exchange admin centre (Mail flow > Connectors)
- Remove connectors that accept mail for wildcard (*) sender domains and have no owner or justification
- Require TLS, and validate the partner's certificate subject name where a certificate identifies the partner
- Restrict the connectors that remain to the partner's known IP ranges
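To find the connectors this section is describing rather than reading through each one by hand, the following added example (not from the audit) lists every enabled inbound connector that accepts a wildcard sender domain with neither an IP nor a certificate restriction, then locks one of them down. It assumes a Connect-ExchangeOnline session; the connector names and the 203.0.113.0/24 range are placeholders.

```powershell
# Added example (not from the audit page): enumerate inbound connectors that take
# mail for every sender domain ('*') without an IP or certificate restriction, the
# shape behind the relay finding, then narrow one of them to a partner range.
# Assumes Connect-ExchangeOnline has been run; names and IP range are placeholders.
$open = Get-InboundConnector | Where-Object {
    $_.Enabled -and
    (@($_.SenderDomains | ForEach-Object { "$_" }) -match '\*') -and
    -not $_.RestrictDomainsToIPAddresses -and
    -not $_.RestrictDomainsToCertificate
}
$open | Format-Table Name, ConnectorType, RequireTls, SenderDomains, SenderIPAddresses -AutoSize

# Keep a connector only where a partner genuinely needs it: require TLS and accept
# the wildcard sender domain solely from that partner's published egress range.
Set-InboundConnector -Identity 'Partner relay' `
    -RequireTls $true `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses '203.0.113.0/24' `
    -Confirm:$false

# A connector with no owner or justification is removed rather than narrowed.
Remove-InboundConnector -Identity 'Legacy scanner relay' -Confirm:$false

# Re-run the query; it should now return nothing.
Get-InboundConnector | Where-Object {
    $_.Enabled -and
    (@($_.SenderDomains | ForEach-Object { "$_" }) -match '\*') -and
    -not $_.RestrictDomainsToIPAddresses -and
    -not $_.RestrictDomainsToCertificate
} | Measure-Object | Select-Object -ExpandProperty Count
```

Where the partner identifies itself by certificate instead of IP, use -RestrictDomainsToCertificate $true with -TlsSenderCertificateName set to the subject name on its certificate; the audit's "require TLS and certificate validation" step maps to that pair of parameters.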
Anti-Spoof Transport Rules
High: Create an Exchange mail flow (transport) rule that quarantines messages whose sender domain is one of your own but which arrive from outside the organisation; move the action to reject only once the exceptions below have been validated.
- Rule: sender domain is internal + message from outside the organisation = quarantine
- Allow-list legitimate external senders (CRM, marketing platforms) as rule exceptions by IP range, and bring them under SPF and DKIM so their mail also passes DMARC
- Enable external sender tagging in Outlook
Advanced Threat Protection
Medium: Enable Microsoft Defender for Office 365 anti-phishing policies with impersonation protection for key executives and for your own domains (impersonation protection requires a Defender for Office 365 licence).
- Enable first-contact safety tips
- Add executives to the user impersonation protection list and enable impersonation protection for your own domains
- Configure mailbox intelligence with a protection action for BEC detection
- Enable spoof intelligence and review the spoof intelligence insight
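The anti-spoof transport rule, external tagging and Defender anti-phishing settings from the last two sections, applied in one Exchange Online PowerShell run. This is an added example, not the audit's own remediation script; it assumes a Connect-ExchangeOnline session, and contoso.com, the 203.0.113.0/24 CRM range, the executive entry and the default policy name are placeholders to replace with the tenant's values.

```powershell
# Added example (not from the audit page): quarantine external mail that claims an
# internal sender domain, except the known CRM relay; tag external mail in Outlook;
# and tighten the default anti-phishing policy. Assumes Connect-ExchangeOnline.
# Placeholders: contoso.com, 203.0.113.0/24, the executive entry.
$domain = 'contoso.com'

# Mail flow rule: internal sender domain + external origin = quarantine. Checking
# HeaderOrEnvelope catches spoofing of either the visible From or the MAIL FROM.
New-TransportRule -Name "Quarantine external mail spoofing $domain" `
    -FromScope NotInOrganization `
    -SenderDomainIs $domain `
    -SenderAddressLocation HeaderOrEnvelope `
    -ExceptIfSenderIpRanges '203.0.113.0/24' `
    -Quarantine $true `
    -Comments 'SMTP audit remediation; exception covers the CRM relay until it is under SPF/DKIM'

# Native external-sender tag in Outlook clients (no rule or subject prefix needed).
Set-ExternalInOutlook -Enabled $true

# Defender for Office 365 anti-phishing: impersonation protection for named executives
# and for the organisation's own domains, mailbox intelligence with an action (BEC),
# first-contact safety tips, and spoof intelligence with quarantine on auth failure.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Jane Doe;jane.doe@contoso.com') `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine

# Verify what is now in force.
Get-TransportRule "Quarantine external mail spoofing $domain" |
    Format-List State, FromScope, SenderDomainIs, ExceptIfSenderIpRanges, Quarantine
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List Enable*Protection, *Action, EnableFirstContactSafetyTips, EnableSpoofIntelligence
```

Run the transport rule in quarantine mode for the same two-week window used for DMARC monitoring and review what lands in quarantine before changing the action to reject; anything legitimate that appears there belongs in the IP exception or, better, in the domain's SPF and DKIM so the rule no longer needs to know about it.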