Microsoft Solutions Partner|Modern Work · Azure · Security · Business Apps
hello@rhcsolutions.com·+1 (212) 555-0142
Modern Work

Exchange Online: flawless mail flow and anti-spam

Configure mail flow, SPF, DKIM, DMARC and anti-spam in Exchange Online for maximum deliverability and protection against phishing and spoofing.

·10 min
Microsoft 365
R
Good afternoon, RHC
O
T
W
X
P
S
Recommended
P
Migration_Proposal.pptx
You edited · 2h ago
X
License_Inventory.xlsx
Shared · yesterday

Email remains the top attack vector against companies and, at the same time, the most business-critical channel. Configuring Exchange Online correctly is what separates a trustworthy inbox from one that delivers phishing to the user's face — or drops legitimate invoices into junk. This guide covers mail flow, authentication and anti-spam end to end.

How mail flows in Exchange Online

Every inbound message passes through Exchange Online Protection (EOP), the security layer included in all plans with Exchange Online. EOP runs, in sequence:

  1. Connection filtering — blocks senders on bad-reputation lists.
  2. Anti-malware — inspects attachments.
  3. Policy filtering — applies the organization's mail flow rules.
  4. Content filtering — evaluates spam, phishing and spoofing.

On plans with Defender for Office 365, additional layers come in: Safe Attachments (sandbox detonation of attachments) and Safe Links (URL rewriting and time-of-click verification).

The foundation: SPF, DKIM and DMARC

If you configure one thing correctly, make it email authentication. It stops fraudsters from impersonating your domain and protects your sending reputation.

Record What it does Where to configure
SPF Lists which servers may send for the domain TXT record in DNS
DKIM Digitally signs messages, proving integrity DNS + enable in Exchange
DMARC Tells receivers what to do with SPF/DKIM failures and sends reports TXT record in DNS

The practical recommendation:

  • SPF with all legitimate senders (including third-party services that send on your behalf).
  • DKIM enabled and signing for the domain.
  • DMARC starting in monitoring mode (p=none) to collect reports, evolving to quarantine and finally reject (p=reject) once you are confident nothing legitimate will be blocked.

Skipping the DMARC monitoring phase is the recipe for blocking your own marketing and system emails.

Mail flow rules

Mail flow rules (transport rules) are the administrator's Swiss Army knife. With them you can:

  • Add a visual banner to emails from external senders.
  • Block or quarantine messages matching certain patterns.
  • Force encryption for messages with sensitive data.
  • Redirect or copy messages for archiving.

The "external email" banner is simple and effective: it helps users distrust messages that pose as internal.

Configuring anti-spam and anti-phishing

The EOP anti-spam policies control what to do with spam, high-confidence spam, phishing and bulk messages. Best practices:

  • Tune the bulk complaint level (BCL) to balance blocking excess against losing legitimate newsletters.
  • Send spam to quarantine rather than the junk folder, with periodic user notifications.
  • Enable anti-phishing protection with spoof detection and, in Defender, user- and domain-impersonation protection.

Impersonation protection is especially valuable against "CEO fraud," where an attacker imitates an executive's name to request transfers.

Quarantine and release

Quarantine centralizes held messages. Configure:

  • Notifications so users see what was held.
  • Quarantine policies defining what the user can do alone (release, request release) versus what requires an admin.
  • Periodic review of false positives to calibrate policies.

Email hygiene checklist

  • SPF, DKIM and DMARC configured and validated.
  • DMARC evolving from monitoring to reject.
  • External-sender banner active.
  • Anti-phishing with impersonation protection enabled.
  • Spam going to quarantine with notifications.
  • Safe Links and Safe Attachments active (Defender plans).
  • Monthly review of false positives and DMARC reports.

Key takeaways

  • Every email passes through EOP; Defender plans add Safe Links and Safe Attachments.
  • SPF, DKIM and DMARC are the foundation against spoofing and for deliverability.
  • Evolve DMARC gradually, starting in monitoring.
  • Mail flow rules enable tailored banners, blocks and encryption.
  • Use quarantine with notifications and review false positives regularly.

RHC configures Exchange Online and Defender for Office 365 as a Microsoft Solutions Partner, addressing domain authentication, anti-spam, anti-phishing and flow rules for maximum security and deliverability.

#Exchange Online#anti-spam#SPF DKIM DMARC#e-mail

Frequently asked questions

Most often it is an authentication failure. Without correct SPF, DKIM and DMARC, receiving servers distrust the sender. Setting up all three records and monitoring DMARC reports resolves most cases.

Ready to do more with Microsoft?

Talk to an expert and discover how to optimize licensing, security and productivity.