DMARC, SPF, and DKIM for Law and Finance SMBs: How to Stop Email Spoofing in Microsoft 365
If an attacker can send an email that looks like it’s from your managing partner or CFO, they don’t need malware—they have your trust. That’s why email authentication standards—DMARC, SPF, and DKIM—are now non‑negotiable for law firms and finance SMBs running Microsoft 365. In plain terms: these records tell the world which systems can send your mail, sign your messages so they can’t be tampered with, and instruct receiving mail servers to quarantine or reject fakes. Done right, you reduce wire‑fraud risk, protect client communications, and improve deliverability.

DMARC, SPF, and DKIM in plain English
- SPF (Sender Policy Framework): A DNS allow‑list for your domain’s mail senders. Think of it as the guest list at your building’s front desk—unknown senders don’t get in.
- DKIM (DomainKeys Identified Mail): A cryptographic signature added to each message—like a tamper‑evident seal on an evidence bag. If altered, it’s obvious.
- DMARC (Domain‑based Message Authentication, Reporting & Conformance): The policy that says, “If SPF or DKIM don’t match the visible From: domain, here’s what to do—monitor, quarantine, or reject.” It also sends you reports so you can see who’s trying to spoof you.
For Microsoft 365, enable all three. That’s the combination that stops impersonation and keeps legitimate mail flowing.
Why leaders in law and finance should care
- Wire fraud and invoice redirection: Spoofed attorney/CFO emails still drive seven‑figure losses. DMARC enforcement dramatically reduces successful impersonation attempts.
- Client confidentiality and brand trust: One fake settlement instruction can undo years of credibility with a key client or lender.
- Compliance and due diligence: Email authentication supports security controls your auditors, clients, and cyber insurers increasingly expect.
- Deliverability: Major mailbox providers increasingly distrust unauthenticated mail—proper SPF/DKIM/DMARC improves inbox placement for newsletters, client alerts, and invoices.
Microsoft 365: the fastest path to protection
Microsoft 365 already includes what you need. You’ll switch on DKIM for each domain in your tenant, publish DNS records at your DNS host, and add a DMARC policy. Here are battle‑tested starting points:
Sample DNS records you can adapt
SPF (TXT at your root domain)
v=spf1 include:spf.protection.outlook.com -all
Only use Microsoft 365 to send? The record above works. Add other authorized senders (e.g., marketing platforms, scanners, or case‑management alerts) by including their mechanisms—while keeping total SPF DNS lookups at or under 10 to avoid failures.
DKIM (two CNAMEs per domain)
selector1._domainkey.yourfirm.com CNAME selector1-yourfirm-com._domainkey.yourfirm.onmicrosoft.com
selector2._domainkey.yourfirm.com CNAME selector2-yourfirm-com._domainkey.yourfirm.onmicrosoft.com
Turn on DKIM for each custom domain in Microsoft 365 Defender, then publish the matching CNAMEs. DKIM is not automatic—you must enable it per domain.
DMARC (TXT at _dmarc.yourfirm.com)
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; aspf=s; adkim=s; pct=100
Start with p=none (monitoring), review reports to find all legit senders, then step up to p=quarantine and finally p=reject. In law and finance, strict alignment (aspf=s; adkim=s) is a smart default.
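How a receiving server turns SPF, DKIM and the aspf/adkim modes into one DMARC verdict, as an added example (not code from the original article). yourfirm.com is the policy domain from the records above; the forwarder and third-party domains are constructed.

```python
"""Decide DMARC pass/fail from the identifier alignment step.

Added example, not from the article. It models what a receiving server does
after SPF and DKIM have been evaluated: the authenticated domains must align
with the visible From: domain under the policy's aspf/adkim modes. The
scenario domains (forwarder.example, third-party.example) are constructed.
"""

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers consult the Public
    # Suffix List so that e.g. firm.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r") -> str:
    """DMARC passes if at least one of SPF or DKIM both passed and aligns."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed scenarios: label, SPF result, SPF (MAIL FROM) domain, DKIM result, DKIM d=.
CASES = [
    ("direct from Microsoft 365", "pass", "yourfirm.com", "pass", "yourfirm.com"),
    # Forwarder re-sends from its own IP, so SPF fails; the DKIM signature survives.
    ("forwarded by a recipient", "fail", "forwarder.example", "pass", "yourfirm.com"),
    # Marketing platform sends as a subdomain: aligns relaxed, not strict.
    ("newsletter from mail.yourfirm.com", "pass", "mail.yourfirm.com", "pass", "mail.yourfirm.com"),
    # Unrelated domain authenticates itself but shows yourfirm.com in From:.
    ("unrelated sender", "pass", "third-party.example", "pass", "third-party.example"),
]

def evaluate_all(aspf: str, adkim: str) -> dict:
    """Run every scenario against a yourfirm.com policy with the given modes."""
    return {label: dmarc_result("yourfirm.com", s, sd, d, dd, aspf, adkim)
            for label, s, sd, d, dd in CASES}

if __name__ == "__main__":
    for mode in ("r", "s"):
        print(f"aspf={mode} adkim={mode}:", evaluate_all(mode, mode))
```

Running it shows why strict alignment is safe for mail sent directly from the tenant but needs the subdomain senders from your inventory handled explicitly before you move to p=reject.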
A phased rollout for busy teams (4–12 weeks)
- Inventory senders (Weeks 1–2): List every system that sends as your domain—Microsoft 365, marketing tools, copiers/scanners, e‑signature, billing/ERP, and legal tech (e.g., case‑management notifications). Enable DKIM per domain and publish selectors.
- Fix SPF (Week 3): Merge into one SPF record. Remove stale includes. Keep lookups ≤10.
- Monitor DMARC (Weeks 4–6): Publish p=none and review aggregate reports weekly. Add missing senders or reconfigure services to use a subdomain.
- Enforce gradually (Weeks 7–9): Move to p=quarantine, then p=reject when clean. Optionally ramp with pct= (e.g., 25% → 50% → 100%).
- Lock it down (Weeks 10–12): Add an explicit reject policy for unused subdomains. Document a monthly review of DMARC reports and a quarterly SPF audit.
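A parser for the aggregate reports the monitoring phase relies on, as an added example that is not part of the article; the report XML, the IP addresses and the known-sender list are constructed.

```python
"""Summarize a DMARC aggregate (RUA) report for the weekly review step.

Added example, not part of the article. SAMPLE_REPORT is a constructed
report in the RFC 7489 aggregate XML format using documentation-range IPs;
KNOWN_SENDERS stands in for the sender inventory built in weeks 1-2.
"""
import xml.etree.ElementTree as ET  # use defusedxml for reports from untrusted parties

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>mailbox-provider.example</org_name></report_metadata>
 <policy_published><domain>yourfirm.com</domain><adkim>s</adkim><aspf>s</aspf>
  <p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>240</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourfirm.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourfirm.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.50</source_ip><count>12</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourfirm.com</header_from></identifiers></record>
</feedback>"""

KNOWN_SENDERS = {"192.0.2.10"}  # constructed: IPs already in your sender inventory

def summarize(xml_text: str, known=KNOWN_SENDERS) -> dict:
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        # policy_evaluated/dkim and /spf are the *aligned* results DMARC acts on;
        # one aligned pass suffices, which is why the third row (DKIM intact,
        # SPF broken, typical of forwarding) still passes.
        passed = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        rows.append({"ip": row.findtext("source_ip"),
                     "count": int(row.findtext("count")), "dmarc_pass": passed})
    failing = [r for r in rows if not r["dmarc_pass"]]
    return {
        "total": sum(r["count"] for r in rows),
        "failing": sum(r["count"] for r in failing),
        # Inventoried sources that fail must be fixed before tightening p=;
        # sources you do not recognize are candidates for the spoofing alert.
        "known_failing_ips": sorted(r["ip"] for r in failing if r["ip"] in known),
        "unknown_failing_ips": sorted(r["ip"] for r in failing if r["ip"] not in known),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

An empty known_failing_ips list over several weeks of reports is the signal that moving from p=none to p=quarantine will not break legitimate mail.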
Bonus hygiene that pays off: disable legacy authentication and enforce MFA—simple steps that slash account‑takeover risk alongside DMARC.
Role‑based quick actions
- CEO/CFO: Approve a phased DMARC enforcement plan and require out‑of‑band verification for wire changes. Treat DMARC reports as an executive risk KPI.
- CIO/CTO: Set milestones for DKIM enablement and DMARC enforcement. Budget time for report parsing and SPF cleanup.
- CISO/IT Director: Add DMARC trends to your security reporting. Alert when new IPs attempt to send as your domain. Update incident response to include spoofing scenarios.
- Managing Partner: Standardize “no email‑only approvals” for funds flow. Communicate to clients that your firm enforces email authentication to protect them.

Common pitfalls (and how to avoid them)
- Multiple SPF records: You get unreliable results. Combine everything into one TXT record.
- SPF lookup limit exceeded: Going over 10 DNS lookups causes SPF to fail. Collapse includes or route some senders through Microsoft 365.
- Forgot DKIM: DMARC needs SPF or DKIM to align with the From: domain. DKIM is the most reliable, especially when mail is forwarded.
- Subdomain blind spots: If marketing or alerts use subdomains, give them their own SPF/DKIM—or explicitly reject on unused subdomains.
- Line‑of‑business apps: Legal and finance stacks (e.g., case management, billing, e‑signature) often send from shared cloud IPs. Either add their approved includes or have them send from a dedicated subdomain.
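An offline SPF audit covering the first two pitfalls above plus the -all check, as an added example (not the article's or any vendor's code); the DNS table, including the spf.protection.outlook.com entry, is constructed.

```python
"""Audit an SPF record offline for the pitfalls listed above.

Added example, not part of the article. DNS is replaced by a constructed
in-memory table so it runs offline; point spf_records() at a real resolver
(e.g. dnspython) to audit live domains. Vendor records here are made up.
"""
DNS = {
    "yourfirm.com": ["v=spf1 include:spf.protection.outlook.com include:crm.example -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "crm.example": ["v=spf1 include:relay1.crm.example include:relay2.crm.example -all"],
    "relay1.crm.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "relay2.crm.example": ["v=spf1 ip4:198.51.100.128/25 -all"],
    # Sprawl: two SPF TXT records, the same vendor included three times, soft fail.
    "sprawl.example": ["v=spf1 a mx ptr include:crm.example include:crm.example include:crm.example ~all",
                       "v=spf1 include:spf.protection.outlook.com -all"],
}

def spf_records(domain, dns=DNS):
    return [r for r in dns.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, dns=DNS, chain=()):
    """Count DNS-querying terms; RFC 7208 allows at most 10 per evaluation."""
    if domain in chain or not spf_records(domain, dns):
        return 0                          # include loop or no record: stop
    total = 0
    for term in spf_records(domain, dns)[0].split()[1:]:
        term = term.lstrip("+-~?")        # qualifiers do not change the cost
        if term.startswith(("include:", "redirect=")):
            target = term.split(":", 1)[1] if term[0] == "i" else term.split("=", 1)[1]
            total += 1 + count_lookups(target, dns, chain + (domain,))
        elif term.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1                    # each of these costs one lookup
    return total

def audit(domain, dns=DNS):
    recs = spf_records(domain, dns)
    issues = []
    if len(recs) != 1:
        issues.append(f"{len(recs)} SPF records found; exactly one is allowed")
    if recs and recs[0].split()[-1] != "-all":
        issues.append(f"ends in {recs[0].split()[-1]!r}; use -all to hard-fail spoofed mail")
    lookups = count_lookups(domain, dns)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"domain": domain, "lookups": lookups, "issues": issues}

if __name__ == "__main__":
    for d in ("yourfirm.com", "sprawl.example"):
        print(audit(d))
```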
What “good” looks like
- DKIM enabled for every sending domain; selectors rotate on a schedule.
- One clean SPF record per domain with ≤10 lookups.
- DMARC policy at p=reject for primary domains; explicit policies for subdomains.
- Weekly review of aggregate DMARC reports; alerts on new sources sending as your domain.
- Documented process controls: dual authorization for payment changes and voice verification for new wire instructions.
How we help (without the hard sell)
At Bonelli Systems, we live in Microsoft 365 and regulated SMB environments every day. As a Microsoft Solutions Partner, we’ve built repeatable playbooks for SPF/DKIM/DMARC rollout, monitoring, and executive reporting tailored to law firms and finance teams. If you want a partner to accelerate the journey and avoid the usual snags, we’re here.
- Staged enforcement (none → quarantine → reject) with reporting built into your cadence.
- Sender inventory and SPF consolidation across marketing tools, scanners, and line‑of‑business apps.
- Hardened Microsoft 365 configuration alongside email authentication (e.g., legacy auth off, MFA on).
Explore our approach to cybersecurity and Microsoft 365, or see our Microsoft recognition: Microsoft Solutions Security Partner status.
30‑minute action checklist
- Enable DKIM for each custom domain in Microsoft 365 and publish the two selector CNAMEs.
- Publish SPF: v=spf1 include:spf.protection.outlook.com -all, then add legitimate senders without exceeding 10 lookups.
- Add a DMARC record at _dmarc with p=none, strict alignment (aspf=s; adkim=s), and reporting addresses.
- Disable legacy authentication and enforce MFA for all admins and users.
- Schedule a weekly 15‑minute DMARC report review and a quarterly SPF cleanup.
Next step
If you’d like a quick sanity check on your domain’s posture—or a turnkey rollout to enforcement—request a no‑pressure review. Start here: free cybersecurity assessment or contact us.
Note: Guidance aligns with widely accepted best practices for Microsoft 365 deployments and industry frameworks (e.g., NIST recommendations on email security). Always validate DNS changes in a staging or low‑risk window.
Testing Your Email Authentication Setup
After configuring SPF, DKIM, and DMARC, verify everything is working correctly. Here are the exact steps:
Step 1: Check SPF Record
Use a DNS lookup tool or run this command: nslookup -type=txt yourdomain.com. Your SPF record should look like:
v=spf1 include:spf.protection.outlook.com -all
The -all (hard fail) is important — ~all (soft fail) doesn’t prevent spoofing.
Step 2: Verify DKIM Signing
In Microsoft 365 Admin Center, go to Settings → Email authentication → DKIM. Both CNAME records should show as verified. Send a test email to a Gmail account and click “Show Original” — look for dkim=pass in the authentication results.
Step 3: DMARC Progression
Don’t jump straight to p=reject. Follow this 90-day progression:
- Weeks 1-4: v=DMARC1; p=none; rua=mailto:[email protected] — Monitor only, collect reports
- Weeks 5-8: v=DMARC1; p=quarantine; pct=25 — Quarantine 25% of failures
- Weeks 9-12: v=DMARC1; p=reject — Full enforcement, reject all spoofed emails
Advanced Microsoft 365 Anti-Phishing Policies
Beyond SPF/DKIM/DMARC, configure these in the Microsoft 365 Security portal:
- Anti-phishing policy: Enable impersonation protection for your executives and critical vendors. Microsoft uses AI to detect when attackers mimic display names or domains.
- Safe Attachments: Sandboxes every attachment in a virtual machine before delivery. Enable “Dynamic Delivery” to let the email arrive immediately while attachments are scanned.
- Safe Links: Rewrites URLs in emails to route through Microsoft’s protection layer. Even if a legitimate URL is later compromised, Safe Links blocks it at click time.
- Mailbox Intelligence: Learns each user’s normal communication patterns and flags anomalies — like an email “from” the CEO that doesn’t match their usual sending behavior.
Frequently Asked Questions
How do I stop email spoofing in Office 365?
Configure three DNS records: SPF (Sender Policy Framework) to authorize which servers can send email for your domain, DKIM (DomainKeys Identified Mail) to cryptographically sign outgoing emails, and DMARC (Domain-based Message Authentication) to tell receiving servers how to handle failed authentication. In Microsoft 365 Admin Center, enable these under Settings > Domains > DNS Records.
What is DMARC and why does my business need it?
DMARC is an email authentication protocol that prevents attackers from sending emails that appear to come from your domain. Without DMARC, anyone can spoof your company’s email address to send phishing attacks to your clients, partners, and employees. DMARC policies tell receiving email servers to reject or quarantine unauthenticated messages.
Can Microsoft 365 prevent phishing emails?
Yes, but not with default settings alone. You need to enable Advanced Threat Protection (ATP), configure anti-phishing policies, set up Safe Links and Safe Attachments, implement SPF/DKIM/DMARC, and train users to recognize phishing attempts. A layered approach combining technology and training provides the strongest protection.