
Best practices for M365 licences, DMARC, SPF and DKIM

Blog


Emily Keeling

Posted Mar 5, 2026

Microsoft 365 is at the heart of how most businesses work day to day. Email, files, collaboration, Teams – it’s all there. That concentration also makes it a prime target: one compromised account exposes mail, files and Teams at once.

The good news? You don’t need enterprise-level complexity to dramatically improve your security posture. Getting the right licences and setting up a few key email security controls goes a long way.

In this blog, we’ll walk through the practical, real‑world best practices for:

  • Choosing the right Microsoft 365 licences

  • Locking down email with SPF, DKIM and DMARC

No fluff, no scare tactics – just sensible steps that actually make a difference.

 

Start with the right Microsoft 365 licences

Security in Microsoft 365 is heavily licence‑dependent. A lot of businesses assume they’re protected because they’re “on 365”, but the default plans leave some big gaps.

 

Business Standard vs Business Premium

If you’re using Microsoft 365 Business Standard, you get:

  • Email and calendar

  • Office apps

  • Basic security features

What you don’t get is where the risk creeps in.

Microsoft 365 Business Premium adds:

  • Entra ID P1 (formerly Azure AD Premium P1), which is what unlocks Conditional Access

  • Microsoft Defender for Business (endpoint detection and response for your devices)

  • Defender for Office 365 Plan 1 (Safe Links and Safe Attachments for mail, Teams and SharePoint)

  • Intune device management and compliance policies

  • Better visibility and control over users and devices

If security matters (and it should), Business Premium is usually the minimum we recommend for most SMEs.

 

Why Conditional Access is a game changer

Conditional Access lets you set rules for how and where users sign in, evaluated on every sign-in against the user, the app, the location and the device. For example:

  • Blocking sign-ins from countries you never operate in (worthwhile, but a VPN or proxy in an allowed country gets round it, so treat it as defence in depth rather than a control on its own)

  • Requiring MFA for all users, and phishing-resistant MFA for admin accounts

  • Allowing access only from compliant or Entra-joined devices

Two practical points: build new policies in report-only mode first and check the sign-in logs before enforcing them, and always exclude a break-glass admin account so a mistake can’t lock everyone out.

Without it, you’re relying on Security Defaults at best (a blanket MFA prompt with no per-app, per-location or device rules), and on passwords alone at worst – and that’s a gamble nowadays.

 

Don’t forget about add-ons

Depending on your risk profile, it may also be worth considering:

  • Defender for Office 365 Plan 2 for advanced phishing protection (Plan 1 is already included in Business Premium; Plan 2 adds Threat Explorer, automated investigation and response, and attack simulation training)

  • Entra ID P2 for Identity Protection: risky-user and risky sign-in detections, and Conditional Access policies that react to them (Business Premium already bundles P1, so P1 on its own adds nothing)

Licensing doesn’t have to be overkill, but it does need to be intentional.

 

Lock down email with SPF, DKIM and DMARC

Email is still one of the most common ways attackers get into businesses. SPF, DKIM and DMARC are three DNS-published standards that let receiving mail servers tell mail genuinely from your domain apart from spoofing, phishing and domain impersonation.

They work best together – think of them as a team, not individual settings.

 

SPF: who is allowed to send email for your domain

SPF (Sender Policy Framework) is a TXT record on your domain that tells the world which servers are allowed to send email on behalf of your domain.

In simple terms: if an email claims to be from you but isn’t sent from an approved server, it should be treated with suspicion. One caveat worth knowing: SPF is checked against the envelope sender (the MAIL FROM or Return-Path domain), not the From: address people see in their mail client. On its own it doesn’t stop a message that spoofs your From: header while using some other bounce address; that gap is what DMARC alignment closes.

Best practices for SPF:

  • Only have one SPF record per domain (two records is a PermError, which most receivers treat as having no SPF at all)

  • Include Microsoft 365 correctly (include:spf.protection.outlook.com)

  • Remove old or unused services (marketing tools, legacy systems)

  • Keep DNS lookups under the limit (10 max, counting every include, a, mx, ptr, exists and redirect, including those nested inside the records you include; going over is also a PermError)

  • End with -all (or ~all while you are still discovering senders), never +all or ?all

A messy SPF record is one of the most common issues we see.
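As an added example (our own illustration, not Microsoft code or anything from the original post), the script below lints an SPF record offline against a constructed DNS table: it flags multiple records, a missing Microsoft 365 include, a permissive +all/?all terminator and the ptr mechanism, and it counts DNS-querying mechanisms recursively through includes the way a receiver does. The domains example.com, messy.example, two.example and weak.example, their records, and the simplified stand-in for the spf.protection.outlook.com record are all assumptions; against real DNS you would replace the dictionary with live TXT lookups.

```python
"""SPF record linter run against a constructed, offline DNS table.

Added example for this post; it is not Microsoft code. Every domain and
record in DNS_TXT is an assumption made for illustration, including the
simplified stand-in for spf.protection.outlook.com.
"""
from dataclasses import dataclass, field

# Constructed stand-in for DNS: domain -> TXT records. Domains that are
# referenced but absent are treated as leaves with no further lookups.
DNS_TXT = {
    # clean, Microsoft 365-only domain
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    # stand-in for Microsoft's record (the real one lists many ip4/ip6 ranges)
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    # years of bolted-on tools: too many lookups
    "messy.example": ["v=spf1 include:spf.protection.outlook.com include:_spf.crm.example"
                      " include:mail.marketing.example a mx include:_spf.legacy.example ~all"],
    "_spf.crm.example": ["v=spf1 include:a.crm.example include:b.crm.example include:c.crm.example -all"],
    "mail.marketing.example": ["v=spf1 include:x.marketing.example include:y.marketing.example ~all"],
    "_spf.legacy.example": ["v=spf1 include:old.legacy.example a mx -all"],
    # two records published (a second tool added its own)
    "two.example": ["v=spf1 include:spf.protection.outlook.com -all", "v=spf1 ip4:198.51.100.9 ~all"],
    # on-prem relay only, permissive terminator, no Microsoft 365 include
    "weak.example": ["v=spf1 ip4:198.51.100.7 ?all"],
}

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
M365_INCLUDE = "include:spf.protection.outlook.com"


@dataclass
class SpfReport:
    domain: str
    records: list
    lookups: int = 0
    findings: list = field(default_factory=list)


def spf_records(domain, dns):
    """Return the TXT records for `domain` that are SPF version 1 records."""
    return [t for t in dns.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]


def terms(record):
    """SPF terms without the leading v=spf1, lower-cased and qualifier-stripped."""
    return [t.lower().lstrip("+-~?") for t in record.split()[1:]]


def count_lookups(domain, dns, chain=()):
    """Count DNS-querying terms, recursing into include: and redirect=
    the way a receiver's evaluator does (RFC 7208 section 4.6.4)."""
    if domain in chain:
        return 0  # include loop; a real evaluator would PermError here
    recs = spf_records(domain, dns)
    if len(recs) != 1:
        return 0  # missing or duplicate record: nothing further to follow
    total = 0
    for term in terms(recs[0]):
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], dns, chain + (domain,))
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]  # "a/24" -> "a"
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += count_lookups(arg, dns, chain + (domain,))
    return total


def lint_spf(domain, dns=DNS_TXT):
    rep = SpfReport(domain=domain, records=spf_records(domain, dns))
    if not rep.records:
        rep.findings.append("no SPF record published")
        return rep
    if len(rep.records) > 1:
        rep.findings.append(f"{len(rep.records)} SPF records published: receivers return PermError")
        return rep
    ts = terms(rep.records[0])
    if M365_INCLUDE not in ts:
        rep.findings.append("Microsoft 365 include missing")
    raw_tail = rep.records[0].split()[-1].lower()  # keep the qualifier here
    if raw_tail in ("all", "+all", "?all"):
        rep.findings.append(f"'{raw_tail}' lets any server pass SPF; use -all (or ~all while testing)")
    if any(t.split(":")[0].split("/")[0] == "ptr" for t in ts):
        rep.findings.append("ptr mechanism is deprecated and unreliable")
    rep.lookups = count_lookups(domain, dns)
    if rep.lookups > 10:
        rep.findings.append(f"{rep.lookups} DNS lookups exceeds the limit of 10: receivers return PermError")
    return rep


if __name__ == "__main__":
    for d in ("example.com", "messy.example", "two.example", "weak.example"):
        r = lint_spf(d)
        print(f"{d}: {r.lookups} lookups, findings: {r.findings or 'none'}")
```

The lookup count is the part people get wrong by hand: messy.example only lists four includes, but the records those includes pull in push the total to 14, so the record fails for every receiver even though each individual entry looks reasonable.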

 

DKIM: proving the email hasn’t been tampered with

DKIM (DomainKeys Identified Mail) adds a digital signature to your outbound emails. The sending server signs selected headers and the body with a private key; the matching public key is published in DNS under <selector>._domainkey.<domain>, and the signature names that domain in its d= tag. A valid signature proves that the domain in d= signed the message and that the signed parts haven’t been altered since.

With Microsoft 365:

  • DKIM isn’t fully enabled by default for custom domains: until you enable it, Exchange Online still signs outbound mail, but with your tenant’s initial onmicrosoft.com domain (d=<tenant>.onmicrosoft.com), which does not align with your real From: domain for DMARC purposes

  • You need to add two CNAME records to DNS, selector1._domainkey.<yourdomain> and selector2._domainkey.<yourdomain>, pointing at the targets Microsoft shows you (of the form selector1-<yourdomain-with-dashes>._domainkey.<tenant>.onmicrosoft.com)

  • Then enable DKIM signing for that domain in the Defender portal (under Email authentication settings) or with Exchange Online PowerShell; Microsoft rotates keys between the two selectors, which is why both records are needed

Best practices for DKIM:

  • Enable it for every custom domain you send from, not just the primary one

  • Check it stays enabled after tenant or domain changes, and check the CNAMEs survive DNS migrations

  • Make sure third‑party senders (marketing platforms, ticketing systems) sign with a DKIM key published under your domain, not only under theirs, so the signature aligns

DKIM is essential for DMARC to work properly. DMARC passes if either aligned SPF or aligned DKIM passes, but SPF breaks whenever a message is forwarded or relayed through a mailing list, because the forwarder’s server isn’t in your SPF record. DKIM survives most forwarding, so skipping it means legitimate forwarded mail starts failing once you reach p=reject.

 

DMARC: telling the internet what to do when checks fail

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving mail servers what action to take if an email fails checks. The key idea is alignment: the domain in the visible From: header must match the domain that SPF validated (the Return-Path domain) or the domain in the DKIM d= tag. By default alignment is relaxed, meaning a subdomain of the same organisational domain counts; adkim=s and aspf=s make it strict. A message passes DMARC if at least one of SPF or DKIM both passes and aligns.

This is where real protection kicks in: it is the check that actually covers the From: address a user sees.

DMARC policies explained:

  • p=none – monitoring only, no enforcement; receivers still send you reports

  • p=quarantine – failing mail is treated as suspicious, typically delivered to junk

  • p=reject – failing mail is refused outright at delivery time

The record also carries rua=mailto:<address> (where aggregate reports are sent; without it you get no visibility at all), sp= (the policy for subdomains, which defaults to the value of p) and pct= (the percentage of failing mail the policy applies to, useful for ramping up).

Best practice is to:

  1. Start with p=none and a rua= address somebody actually reads

  2. Review DMARC reports to see every source sending as your domain

  3. Fix any legitimate senders that fail (add them to SPF, or better, have them sign DKIM with your domain so the signature aligns)

  4. Gradually move to quarantine and then reject, using pct= to stage the change if volume is high

Jumping straight to reject without checking can break legitimate email, so take it step by step.
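To make alignment concrete, here is an added example (ours, not Microsoft code or anything from the original post) that parses a DMARC record and works out the disposition for several constructed authentication results: Microsoft 365 with DKIM enabled, Microsoft 365 still signing with the default onmicrosoft.com domain after the mail has been forwarded (the DKIM caveat above), a marketing tool sending with its own Return-Path, a plain spoof, and a subdomain covered by sp=. The domains, the policy record and the organisational-domain rule (last two labels, with no public suffix list) are assumptions.

```python
"""DMARC evaluation with identifier alignment.

Added example for this post, not Microsoft code. The policy record and the
authentication results below are constructed: they stand for what a
receiving server has already computed (SPF and DKIM verdicts) before it
applies the sending domain's DMARC policy.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, filling RFC 7489 defaults."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a p= tag")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organisational domain. Assumption: the last two labels; real
    receivers consult the Public Suffix List (co.uk and friends) instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts the same organisational domain;
    strict ('s') requires an exact match."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str            # domain of the RFC5322.From header the user sees
    spf_domain: str             # RFC5321.MailFrom (Return-Path) domain SPF was evaluated on
    spf_result: str             # pass / fail / softfail / neutral / none
    dkim_domain: Optional[str]  # d= of the verified signature, None if unsigned
    dkim_result: str            # pass / fail / none


def evaluate(auth, record):
    """Return (dmarc_result, disposition) for one message under `record`."""
    pol = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, pol["aspf"])
    dkim_ok = (auth.dkim_result == "pass" and auth.dkim_domain is not None
               and aligned(auth.dkim_domain, auth.from_domain, pol["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_org = auth.from_domain.lower() == org_domain(auth.from_domain)
    return "fail", (pol["p"] if is_org else pol["sp"])


# Constructed policy for the (assumed) domain example.com.
POLICY = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.com"

# Constructed scenarios. "Forwarded" means a mailbox rule pushed the mail on,
# so SPF now passes for the forwarder's domain rather than ours.
CASES = {
    "m365_dkim_enabled": AuthResults("example.com", "example.com", "pass", "example.com", "pass"),
    "m365_default_signing_forwarded": AuthResults("example.com", "forwarder.example", "pass",
                                                  "contoso.onmicrosoft.com", "pass"),
    "marketing_tool_own_return_path": AuthResults("example.com", "bounce.vendor-mail.example", "pass",
                                                  None, "none"),
    "spoofed_from_header": AuthResults("example.com", "attacker.example", "fail", None, "none"),
    "subdomain_unsigned": AuthResults("news.example.com", "news.example.com", "fail", None, "none"),
}


def run_cases(policy=POLICY):
    return {name: evaluate(auth, policy) for name, auth in CASES.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_cases().items():
        print(f"{name:34} DMARC {result:4} -> {disposition}")
```

The second case is the one to notice: SPF and DKIM both pass, yet the message is rejected, because the forwarder passes SPF for its own domain and the default onmicrosoft.com signature doesn’t align with example.com. Enabling DKIM for the custom domain turns that into a pass without any SPF change.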

 

Monitor and maintain (this isn’t set-and-forget)

One of the biggest mistakes with Microsoft 365 security is assuming it’s done once it’s configured.

You should regularly:

  • Review sign‑in logs and risky sign‑ins (the full risk detail and risk-based policies need Entra ID P2)

  • Check SPF, DKIM and DMARC after adding new tools

  • Monitor DMARC reports for spoofing attempts

  • Audit licences to make sure users are correctly covered

Even small changes, like adding a new email marketing platform, can weaken your setup if DNS isn’t updated.
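Reviewing DMARC reports, both during the rollout and as ongoing monitoring, means reading the aggregate (rua) reports receivers send as XML. The added example below (ours, not Microsoft’s or any reporting vendor’s code) parses one constructed report in the RFC 7489 Appendix C layout and sorts each sending source into aligned, unaligned (a sender that authenticates for some other domain, typically a third-party tool that needs fixing) or failing (spoofing or an unknown relay). The reporting organisation, report id, timestamps, IP addresses, counts and domains in the sample are all constructed.

```python
"""Summarise a DMARC aggregate (rua) report.

Added example for this post, not Microsoft's or any reporting vendor's code.
SAMPLE_REPORT is constructed in the RFC 7489 Appendix C layout: the
reporting organisation, report id, timestamps and counts are made up, and
the IP addresses come from documentation ranges.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>20260305-example-com</report_id>
    <date_range><begin>1772668800</begin><end>1772755199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.vendor-mail.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarise(xml_text):
    """One row per sending source: volume, DMARC verdict, and which domains
    the source did authenticate for, so unaligned senders can be identified."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        raw_pass = [f"{kind}:{node.findtext('domain')}"
                    for kind in ("dkim", "spf")
                    for node in rec.findall(f"auth_results/{kind}")
                    if node.findtext("result") == "pass"]
        if passed:
            verdict = "aligned"
        elif raw_pass:
            verdict = "unaligned"  # authenticates, but for another domain
        else:
            verdict = "fail"       # nothing vouches for it: spoof or unknown relay
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": ev.findtext("disposition"),
            "verdict": verdict,
            "authenticated_as": raw_pass,
        })
    return rows


def pass_rate(rows):
    """Share of reported messages that passed DMARC."""
    total = sum(r["count"] for r in rows)
    return sum(r["count"] for r in rows if r["verdict"] == "aligned") / total if total else 0.0


if __name__ == "__main__":
    rows = summarise(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['source_ip']:15} {r['count']:5} {r['verdict']:10} {r['authenticated_as']}")
    print(f"DMARC pass rate: {pass_rate(rows):.1%}")
```

The unaligned source is the one to chase first: it is sending real volume as your domain but authenticating as the vendor’s own domain, so it will be quarantined the moment you move past p=none unless you add its SPF include or have it sign DKIM under your domain. The failing source at 203.0.113.77 is what p=reject exists for.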

 


 

Securing Microsoft 365 doesn’t have to be complicated, but it does have to be deliberate.

If you focus on:

  • The right licences (not just the cheapest)

  • Strong identity controls like MFA and Conditional Access

  • Properly configured SPF, DKIM and DMARC

You’ll dramatically reduce your risk of phishing, account compromise and email impersonation.

And if you’re not 100% confident your tenant is set up properly, getting it reviewed is usually far cheaper than dealing with the fallout of a breach later on.
