Intellix IT Solutions
Microsoft 365 Email Security Audit · Ireland & UK

Is your Microsoft 365 tenant spoofable today?

Most Irish & UK SMEs running Microsoft 365 have one or more of: SPF on softfail, DKIM unsigned on a transactional sender, DMARC at p=none, no anti-impersonation policy on the finance team and at least one privileged account without phishing-resistant MFA. Each is a working ingredient for Business Email Compromise. We find them — calmly, without disrupting anyone — and fix them.

What we audit

Six audit layers. All Microsoft 365.

We audit the surfaces that actually get exploited in Business Email Compromise cases — not a 200-page generic CSV of CVEs. Every finding ships with the exact PowerShell / admin-centre path your IT lead (or M365 partner) needs to remediate.

Email authentication

SPF mechanism count & soft/hard-fail, DKIM selectors signing on every sender (M365, marketing, transactional), DMARC policy strength, MTA-STS & TLS-RPT presence, BIMI eligibility.

Anti-impersonation

Defender for Office 365 user-impersonation policy on board / finance / IT leadership, protected-domain configuration, external-sender banner enabled, internal-spoof detection.

Identity & MFA

MFA coverage across all admin and end-user accounts, phishing-resistant methods for privileged roles, legacy-auth block status, conditional-access policy review.

Privileged access

Global admin count, role-assignable group hygiene, just-in-time admin readiness (PIM), break-glass account configuration, audit-log review status.

Tenant hardening

Mailbox forwarding rules audit, OAuth app consent policy, anonymous sharing, Teams external-access scope, sensitivity-label readiness.

BEC playbook readiness

Wire-transfer change-of-bank-details SOP, finance-team awareness training evidence, incident-response runbook for confirmed BEC, abuse-report templates pre-drafted.

How we run it

External signals first. Tenant access only if you want us to remediate.

We start every engagement from the outside — DNS, public auth records, exposed surface. That's already enough to flag 70% of BEC-relevant issues without ever touching your tenant. Tenant-level review is only needed when you want us to fix things, not just identify them.

01 · Free 48-hour external review

DNS, SPF, DKIM, DMARC, MTA-STS, headers, application surface. PDF brief to your inbox. No tenant access required.

02 · Deep-dive paid report · €1,500–€3,500

Add tenant configuration review — Defender, conditional access, MFA coverage, mailbox-forwarding rules, OAuth app consent — with prioritised remediation roadmap.

03 · Remediation + retest

We close the findings ourselves (or coordinate with your M365 partner), then retest. Final signed evidence pack for your insurer / board / DPO.

Common questions

Microsoft 365 + email-security FAQs.

What's the difference between SPF, DKIM and DMARC?

SPF lists the servers allowed to send mail on behalf of your domain. DKIM cryptographically signs each outgoing message so receivers can verify it. DMARC tells receivers what to do when SPF or DKIM fails (quarantine, reject) AND sends you forensic reports. All three together protect against spoofing and impersonation. We configure all three correctly, then walk DMARC from p=none → quarantine → reject without breaking legitimate senders.
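To make the two external signals concrete (the SPF "all" qualifier and lookup count, and DMARC policy strength that the external review scores first), here is a small offline checker. It is an added illustration, not Intellix's tooling; the TXT records it scores are constructed samples, and a real audit would fetch them from DNS for the domain under review.

```python
import re

# Constructed sample TXT records (hypothetical, not a real tenant): a weak pair
# typical of the findings described above, and a hardened pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all"
HARD_SPF = "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record):
    """Return a list of findings: 'all' qualifier strength and DNS-lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_qualifier != "-":
        findings.append(f"SPF: 'all' qualifier is '{all_qualifier}' (expected '-all' hard fail)")
    return findings

def audit_dmarc(record):
    """Return a list of findings: policy strength, pct coverage, and reporting address."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC: policy is p={policy} (target is p=reject)")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} leaves part of the mail stream unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARD_SPF, HARD_DMARC)):
        print(label, audit_spf(spf) + audit_dmarc(dmarc) or ["no findings"])
```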

Will moving DMARC to p=reject break our marketing emails?

Only if your marketing tool isn't signing DKIM with your domain. That's why we start by listing every sending service (M365, Mailchimp, Stripe, your CRM, your invoicing tool), confirming SPF and DKIM alignment on each, fixing gaps, then graduating DMARC policy. Most clients reach p=reject in 4–8 weeks with zero deliverability impact.

What is Business Email Compromise (BEC) and how do you prevent it?

BEC is the fraud pattern where an attacker impersonates a senior executive, supplier or customer over email — often asking finance to change bank details on an outgoing payment. Prevention is layered: strong email authentication (so a lookalike domain doesn't land in the inbox), Defender impersonation policies on key staff, phishing-resistant MFA on every account, mailbox-forwarding-rule monitoring, and a documented out-of-band verification SOP for any bank-detail change. We audit all five.

Are you a Microsoft Partner?

We work with your existing Microsoft 365 partner — we're not trying to displace them. Our job is to identify what needs fixing and either help your partner close it or close it ourselves with their cooperation. Most M365 partners are happy to have a second pair of eyes.

How quickly can you start?

Free external review: same week. Deep-dive paid report: 2-week scheduling window. Full remediation with retest: 3–4 weeks from engagement letter. Urgent post-incident response: typically same/next business day for an initial triage call.

Does this map to NIS2 and Cyber Essentials?

Yes. Email-authentication and anti-impersonation map directly to NIS2 Article 21 (cryptography, access control, incident handling) and to Cyber Essentials boundary controls. Our Deep-dive Report cross-references every finding against GDPR Art. 32, NIS2 and Cyber Essentials so compliance teams don't need to do the mapping twice.

Is your tenant spoofable right now?

Free 48-hour external review of your M365 email-authentication posture. No tenant access required. PDF brief to your inbox.

Request the free review