Office 365 basic and advanced e-mail Protection against SPAM, Phishing and CEO-Fraud

Derk van der Woude
5 min readAug 12, 2020


Spam (irrelevant or unsolicited messages), phishing (credential compromise) or CEO-fraud (impersonate C-level management for financial abuse) are harder to mitigate if they come from the customer e-mail domain.

E-mail authentication protocols protect against these kind of impersonation (domain or user) attacks. Via authentication, the e-mail infrastructure verifies it is authorized to send mail from the protected SMTP (Simple Mail Transfer Protocol) e-mail domain(s).

There are three basic (Microsoft 365 E3) and two advanced (Microsoft 365 E5 Security) e-mail spoofing / impersonation protection features:

- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Messaging and Reporting Compliance)
- Anti-phishing (CEO Fraud)
- Spoof Intelligence

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) prevents unauthorized e-mail systems to send e-mail with the company’s SMTP domain on the internet.

The receiving mail server uses DNS to validate the senders mail server(s) via the SPF-record (DNS TXT record) values like A- (host), ip4 and/or ip6 and MX (inbound)-records.

SPF checks the 5321.MailFrom value. The authorized e-mail system(s) are presented in a DNS TXT record.

Example DNS TXT Record

v=spf1 -all

-all is a hard fail so non-authorized mail is rejected
~all is a soft fail so non-authorized mail is marked as spam

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) was initially designed as an (Asymmetric) public key encryption for e-mail security (mail send from is verified if the sender is, but lately, it is used for spam protection. DKIM permits the owner of the signing domain to claim responsibility for a message by associating the domain with the message.

The sender signs the message with the private Key in the message DKIM-Signature header, which the receiver verifies via the public key published in DNS.

Example DNS CNAME Record(s) (2 records to rotate the keys)

selector1._domainkey CNAME

selector1._domainkey CNAME

The DNS record is a CNAME record from selector1._domainkey to

The 2nd value is the actual TXT value which holds the Public key.

Domain-based Messaging and Reporting Compliance (DMARC)

Domain-based Messaging and Reporting Compliance (DMARC) protects users by evaluating both SPF and DKIM and then determines if either domain matches the domain in the 5322.From address (the address you see in Microsoft Outlook).

If the SPF or DKIM (or both) authenticated identifier is positive ( Pass) then the e-mail is compliant with DMARC and delivered to the mailbox.

(X Fail) then to Policy is applied (e.g. Quarantine or Reject) and an aggregate report is sent to the sender.

Example DNS Record

DNS v=DMARC1; p=none; rua=mailto:dmarc@example; ruf=mailto:dmarc@example; fo=1;

Office 365 ATP

Microsoft Office 365 ATP (Advanced Threat Protection) has great advanced e-mail protection features like safe links and safe attachments. Two extra features (less known) are anti-phishing and spoof intelligence to protect against spoofing (impersonation).


Microsoft Office 365 ATP — Anti-phishing (anti-impersonation) provides inbound protection for all users in the organization against C-level or finance impersonation (e.g. CEO Fraud) via detection algorithms (display- or domain name).

This setting has user impact, e.g. a person from the protected list cannot send e-mails from personal (e.g. or to a business address ( if the display name is the same. User adoption / communication is important for the user(s) included in the Policy

Anti-phishing checks incoming messages for indicators of phishing (e.g. identical display names, forged domains, etc.). If the user is covered by a policy (anti-phishing in this case) the incoming message is evaluated by machine learning models (e.g. impersonation attacks) that analyses the message and determine of action is required (suspicious e-mail is delivered in the Junk folder).

Spoof Intelligence

Microsoft Office 365 ATP — Spoof Intelligence provides protection, via machine learning techniques (sender reputation, sender/recipient history, behavioral analysis, etc.), against e-mail attack(s) against spoof, or unauthenticated, e-mail. Intra-org (Accepted Domains) and cross-domain (external) are protected via spoof intelligence.

The compauth value is added to the message header for extra anti-spoofing protection in the Authentication-Results header next to the SPF, DKIM & DMARC checks.

If you got any questions, please contact me or the InSpark Cybersecurity Team