Email is still the front door criminals use to get into businesses. Phishing, spoofing and business email compromise cost UK companies dearly every year, and Microsoft 365 mailboxes are a prime target. The good news: with the right configuration, you can shut most of these attacks down. Here is how to secure your email properly.

The three attacks you're defending against

  • Phishing - emails that trick staff into revealing passwords or clicking malicious links.
  • Spoofing - emails that appear to come from your domain (or your boss), used for fraud like fake invoice requests.
  • Business email compromise - an attacker gets into a mailbox and uses it to defraud customers or colleagues.

Lock down spoofing with SPF, DKIM and DMARC

These three DNS records are your domain's anti-impersonation defences. In plain terms:

  • SPF says which servers are allowed to send email for your domain.
  • DKIM adds a cryptographic signature to each message, so receivers can verify it really came from your domain and was not altered in transit.
  • DMARC tells receiving servers what to do with email that fails those checks - and reports impersonation attempts to you.

Configured together, they make it far harder for criminals to send convincing fake emails as your business - protecting your customers and your reputation. Many businesses have these missing or misconfigured, leaving the door wide open.
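As an added example (not code from the original guide), here is a small Python checker for the SPF and DMARC record strings you would publish for a Microsoft 365 domain. It flags the common misconfigurations hinted at above: an SPF record ending in +all or ?all, more than ten DNS lookups, a DMARC policy still at p=none, and a missing report address. It works on record text only, so it runs offline; the sample records are constructed, spf.protection.outlook.com is Microsoft 365's published SPF include, and example.com stands in for your own domain. DKIM is omitted because Microsoft 365 generates those keys for you and there is little to lint.

```python
"""Sanity-check SPF and DMARC TXT records before (or after) publishing them.

Added example for this guide, not code from the original page. It inspects
record *strings* only, so it runs offline; in production you would pass in
the TXT values fetched from DNS for your domain.
"""

MAX_SPF_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms/modifiers


def check_spf(record: str) -> list[str]:
    """Return human-readable findings for an SPF TXT record (empty = looks fine)."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with 'v=spf1'"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        mech = term.lower()
        if mech.startswith("redirect="):
            lookups += 1          # redirect= costs a lookup like include:
            continue
        qualifier = "+"           # default qualifier when none is written
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
        if name == "ptr":
            findings.append("SPF: 'ptr' mechanism is deprecated and slow; remove it")
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders are neither passed nor failed")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises every server on the internet to send as you")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; use '-all' (or '~all' while testing)")
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of "
                        f"{MAX_SPF_LOOKUPS}; receivers will return permerror")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings for the _dmarc.<domain> TXT record (empty = looks fine)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with 'v=DMARC1'"]

    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: mandatory 'p' tag missing; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject "
                        "once the reports look clean")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


# Constructed sample records (example.com stands in for your own domain).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, check_spf),
                           ("good SPF", GOOD_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc),
                           ("good DMARC", GOOD_DMARC, check_dmarc)):
        print(f"{label}: {fn(rec) or ['OK']}")
```

To check a live domain, fetch the TXT records for the apex and for `_dmarc.<domain>` with your resolver of choice and pass each string to the matching function; the checks deliberately stop short of resolving `include:` targets, so the lookup count is a lower bound for the record as written.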

Turn on Microsoft 365's anti-phishing protection

Microsoft 365 includes anti-phishing, anti-spam and anti-malware tools - but the default settings can be strengthened. On higher plans, Safe Links checks URLs at the moment they're clicked and Safe Attachments scans files in a sandbox before they reach the inbox. Make sure these are configured, not left dormant.

MFA is your safety net

Even the best filters can't catch everything, so assume a password will eventually be phished. Multi-factor authentication ensures that a stolen password alone can't open the mailbox - it is the most important backstop you have.

Don't forget the humans

Technology stops most attacks; trained staff stop the rest. The most convincing phishing emails are designed to slip past filters and fool a busy person. Regular, practical awareness training - covered in protecting your business from phishing - is essential. The same vigilance applies on mobile devices.

Have a recovery plan too

If an account is compromised, you need to act fast and restore cleanly. That depends on having proper backup and a security checklist in place.

Secure your email end to end

Email security is part configuration, part vigilance - and both need doing well. Our IT Support service sets up SPF, DKIM, DMARC and Microsoft 365's defences, and trains your team. Request a callback to shut the front door on attackers.

Frequently asked questions

How do I secure Microsoft 365 email?

Configure SPF, DKIM and DMARC to stop spoofing, enable the built-in anti-phishing protection, turn on multi-factor authentication and train staff to spot scams.

What are SPF, DKIM and DMARC?

They are DNS records that prove your email is genuine and stop criminals sending convincing fakes from your domain, protecting your customers and reputation.

Can Microsoft 365 stop all phishing emails?

No filter catches everything, so combine technical protection with multi-factor authentication and staff awareness to handle the messages that slip through.