Microsoft 365 Email Security for Small Businesses in Berlin: Complete Protection Guide
Email remains the number-one attack vector for ransomware, phishing, and business email compromise. This guide shows Berlin SMBs how to lock down Microsoft 365 mail with Defender for Office 365, SPF/DKIM/DMARC, and hardened anti-phishing policies.
Key Stat: According to the BSI Lagebericht 2023, over 70 % of all ransomware infections in German SMBs originate from a malicious email. Locking down your inbox is the highest-ROI security measure available.
Why Email Security Is Non-Negotiable for Berlin SMBs
Attackers do not need to breach your firewall. They send one convincing email to one employee, and the damage is done. For small businesses in Berlin, the average cost of a successful phishing incident — factoring in downtime, forensic work, and reputational damage — routinely exceeds €25,000. Large enterprises absorb this; most SMBs cannot.
Microsoft 365 ships with baseline spam and malware filtering, but the default settings are deliberately conservative to avoid false positives. Left unconfigured, M365 will miss sophisticated spear-phishing campaigns, malicious Office macros, and impersonation attacks that bypass simple signature-based detection. The controls to stop these threats exist in the platform — they simply need to be switched on and tuned.
The Microsoft 365 Email Security Stack
Email protection in Microsoft 365 is layered. Understanding what each layer does helps you close gaps systematically.
| Layer | Component | What It Stops | Plan Required |
|---|---|---|---|
| 1 — DNS | SPF / DKIM / DMARC | Domain spoofing, unauthorized senders | All M365 plans (DNS configuration only) |
| 2 — Gateway | Exchange Online Protection (EOP) | Bulk spam, known malware signatures, basic spoof intelligence | All M365 plans (included) |
| 3 — Advanced | Defender for Office 365 Plan 1 | Unknown malware (Safe Attachments), malicious links (Safe Links) | M365 Business Premium (included); add-on licence for other plans |
| 4 — Detection | Defender for Office 365 Plan 2 | Threat Explorer, advanced hunting, automated investigation and response (AIR), attack simulation training | M365 E5 (included); Plan 2 add-on for Business Premium or E3 |
| 5 — Impersonation | Anti-phishing policy with impersonation protection | CEO/CFO impersonation, lookalike domains | Business Premium (Defender for Office 365 Plan 1) |
Step 1: Deploy SPF, DKIM, and DMARC
These three DNS records are the foundation of email authentication. Without them, anyone can send email that appears to come from your domain — a trivial attack that costs attackers nothing and devastates your brand.
SPF (Sender Policy Framework)
SPF publishes the list of hosts allowed to use your domain as the envelope sender (the MAIL FROM / Return-Path address, not the From header the user sees; that gap is what DMARC closes). If a message arrives claiming to be from your domain but originates from an unlisted host, the receiving server can reject it. For a pure Microsoft 365 tenant with no third-party senders, the correct SPF record is a single TXT record at the domain apex: `v=spf1 include:spf.protection.outlook.com -all`
If you use additional services (Mailchimp, DocuSign, a third-party ticketing system), add their SPF includes. Keep the number of DNS-querying terms (include, a, mx, ptr, exists, redirect) at 10 or fewer, counting the lookups inside nested includes; an eleventh lookup produces a permanent error and receivers ignore the whole record. Prefer `-all` (fail) over `~all` (softfail), and verify the final record with an SPF checker such as dmarcian or MXToolbox; if you cannot stay within the limit, use an SPF flattening service.
DKIM (DomainKeys Identified Mail)
DKIM cryptographically signs outbound messages with a private key that Microsoft holds; receivers verify the signature against the public key published in your DNS. If a message is altered in transit, or sent by someone who does not hold the key, the signature fails. In the Microsoft Defender portal, go to Email & collaboration > Policies & rules > Threat policies > DKIM, select your domain, and enable signing. Microsoft generates the key pair and shows you two CNAME records to create: `selector1._domainkey` and `selector2._domainkey` under your domain, pointing at `selector1-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com` and the selector2 equivalent. Create both CNAMEs first and wait until they resolve; enabling signing before that fails with a DNS error. Use a 2048-bit key and rotate the keys from the same page once or twice a year. Only mail that leaves through Exchange Online is signed; third-party senders need their own DKIM keys published under your domain, or their mail will fail DMARC alignment.
DMARC (Domain-based Message Authentication)
DMARC ties SPF and DKIM together: it requires that the domain in the visible From header aligns with the domain that passed SPF or DKIM, and it tells receivers what to do when neither check passes. It is a TXT record at `_dmarc.yourdomain.de` (replace `yourdomain.de` and the report mailbox with your own). Start with a monitoring policy, collect data, then enforce:
- Monitor: `v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.de`
- Quarantine, ramped: `v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.de` (raise `pct` to 100 before moving on)
- Enforce: `v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.de`
Do not rush to p=reject. Legitimate mail flows that are not aligned (invoicing systems, calendar apps, CRM tools sending as your domain without their own DKIM key) will be junked or rejected at the receiving end, and nobody on your side sees it happen. Spend at least 30 days reading the aggregate (rua) reports before moving to quarantine, and another 30 before enforcing reject. The reports are XML attachments aggregated per sending IP, so use a DMARC report viewer such as dmarcian or MXToolbox rather than reading them by hand.
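As an added example that is not part of the original article, the PowerShell below checks SPF and DMARC record strings offline for the problems described in this step (lookup count, missing Microsoft 365 include, weak `all` qualifier, `p=none`, missing `rua`), and wraps that in a live lookup using `Resolve-DnsName` from the Windows DnsClient module. The domain, the newsletter include and the report address in the sample calls are constructed placeholders; the function names are my own.

```powershell
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { $findings.Add('Not an SPF record (must start with v=spf1)') }
    $terms = @($terms | Select-Object -Skip 1)

    # Terms that cost a DNS query; RFC 7208 allows 10 in total. Nested includes
    # add their own queries, so this top-level count is a lower bound.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $findings.Add("$lookups lookup terms; the limit is 10 and receivers return permerror") }

    if ($terms -notcontains 'include:spf.protection.outlook.com') {
        $findings.Add('Microsoft 365 include (spf.protection.outlook.com) is missing')
    }

    $all = [string]($terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1)
    if     ($all -eq '-all')                    { }   # hard fail: what you want
    elseif ($all -eq '~all')                    { $findings.Add('~all (softfail): unauthorised senders are only marked, not refused') }
    elseif ($all -eq '?all' -or $all -eq '')    { $findings.Add('neutral result for unlisted senders: no protection') }
    else                                        { $findings.Add("$all authorises every host on the internet") }

    [pscustomobject]@{ Lookups = $lookups; Findings = $findings.ToArray() }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1')        { $findings.Add('Missing v=DMARC1') }
    if (-not $tags.ContainsKey('p'))    { $findings.Add('Missing p= tag: record is invalid') }
    elseif ($tags['p'] -eq 'none')      { $findings.Add('p=none: monitoring only, spoofed mail is still delivered') }
    if (-not $tags.ContainsKey('rua'))  { $findings.Add('No rua= address: you receive no aggregate reports') }
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    if ($pct -lt 100 -and $tags['p'] -ne 'none') { $findings.Add("pct=$pct: policy applies to a sample only; raise to 100 before the next step") }
    [pscustomobject]@{ Policy = $tags['p']; Pct = $pct; Findings = $findings.ToArray() }
}

function Get-DomainMailAuth {
    # Live check (needs DNS and the Windows DnsClient module).
    param([Parameter(Mandatory)][string]$Domain)
    $spf   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' }
    $dkim  = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain = $Domain
        Spf    = if ($spf)   { Test-SpfRecord   ([string]$spf) }   else { 'no SPF record' }
        Dmarc  = if ($dmarc) { Test-DmarcRecord ([string]$dmarc) } else { 'no DMARC record' }
        Dkim   = if ($dkim)  { $dkim.NameHost }                    else { 'selector1 CNAME missing (DKIM not set up)' }
    }
}

# Constructed records for a tenant that also sends via a newsletter service:
Test-SpfRecord   'v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all'
Test-DmarcRecord 'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.de'
# Live: Get-DomainMailAuth -Domain 'example.de'
```

`Test-SpfRecord` counts only the terms visible in the record you pass it; to get the true total you must recurse into every `include`, which is exactly what the online checkers named above do.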
Step 2: Harden Exchange Online Protection Policies
EOP ships with a “Default” policy tuned to avoid false positives rather than to catch borderline mail. For a Berlin SMB, the Standard or Strict preset security policies are significantly more protective. In the Microsoft Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Preset security policies and apply Standard protection to all users. This single action tightens the spam and high-confidence spam actions, lowers the bulk complaint level (BCL) threshold, and switches on the Defender for Office 365 settings, without building policies by hand. Two caveats: preset policies take precedence over any custom or default policy for the users they cover (evaluation order is Strict, then Standard, then custom policies, then the defaults), and their settings cannot be edited, so anything you need to tune (Dynamic Delivery for attachments, a specific quarantine policy) has to live in a custom policy applied to users you exclude from the preset.
Recommended: Standard Protection Preset
Applies Microsoft-recommended thresholds for anti-spam, anti-malware, and anti-phishing simultaneously. Reduces the attack surface without requiring deep policy expertise. Review quarterly and upgrade to Strict for high-value users like executives and finance.
Step 3: Enable Defender for Office 365 — Safe Attachments and Safe Links
Exchange Online Protection catches known-bad signatures. Defender for Office 365 Plan 1 (included in Microsoft 365 Business Premium) catches previously unseen threats by detonating suspicious attachments in a sandboxed virtual machine and by rewriting URLs so they are checked against Microsoft’s real-time reputation data at click time.
Safe Attachments
For the unknown-malware response, choose “Dynamic Delivery”: users receive the message body immediately with a placeholder attachment, and the real attachment is swapped in once scanning completes, so the productivity impact is minimal. Dynamic Delivery is one of the response options alongside Block and Replace, not a setting you combine with them, and it works only for Exchange Online mailboxes; use Block for mail routed to on-premises or third-party mailboxes. Never choose Monitor: it delivers the attachment and only records the detection. Enable the redirect of detected attachments to a security mailbox so you keep a copy for analysis, apply the policy to every recipient domain, and in Global settings turn on Safe Attachments for SharePoint, OneDrive and Teams so a malicious file dropped into a channel is caught too.
Safe Links
Safe Links rewrites URLs in email, Teams messages and Office documents so they are checked against Microsoft’s threat intelligence at click time rather than at delivery time. This catches URLs that are benign at delivery and weaponized hours later, a common technique sometimes called time-of-click phishing. Switch off “Let users click through to the original URL” so the warning page cannot be bypassed, switch on “Track user clicks” for forensic visibility in the URL protection report, apply the policy to messages sent within the organization as well (an internal mailbox compromised today is tomorrow’s phishing sender), and enable it for Office apps and Teams, not just email. Caveat: rewriting changes the visible link to a `safelinks.protection.outlook.com` URL, which confuses some users and breaks a few integrations; if every client in use supports the Safe Links API you can enable “Do not rewrite URLs, do checks via Safe Links API only” and keep the time-of-click check.
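Steps 2 and 3 as one Exchange Online PowerShell script, added here as an example and not taken from the original article. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 Plan 1 licence, and the placeholder domain `contoso.de`; the policy names, the `security@` mailbox and the `dynamic-delivery@` mail-enabled security group are my own choices. The script also shows the precedence point made above in practice: the Standard preset covers the whole domain, and the one group that needs Dynamic Delivery is excluded from the preset's Defender rule and given custom policies instead.

```powershell
# Added example: Standard preset for everyone, custom Safe Attachments / Safe
# Links for one excluded group. contoso.de, the mailbox and the group are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.de

$domain   = 'contoso.de'
$secInbox = "security@$domain"            # receives a copy of every blocked attachment
$ddGroup  = "dynamic-delivery@$domain"    # mail-enabled security group that gets Dynamic Delivery

# Step 2: Standard preset, scoped to the domain. Presets outrank custom policies
# and cannot be edited, so the Dynamic Delivery group is carved out of the
# Defender (ATP) part of the preset. If Get-EOPProtectionPolicyRule returns
# nothing, switch the preset on once in the portal first; that creates the rules.
Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -RecipientDomainIs $domain
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Set-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' `
    -RecipientDomainIs $domain -ExceptIfSentToMemberOf $ddGroup
Enable-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy'

# Step 3a: Safe Attachments for the excluded group. -Action maps to the portal
# as Allow = Monitor, Block, Replace, DynamicDelivery; never use Allow.
New-SafeAttachmentPolicy -Name 'SA-DynamicDelivery' -Enable $true -Action DynamicDelivery `
    -Redirect $true -RedirectAddress $secInbox
New-SafeAttachmentRule -Name 'SA-DynamicDelivery' -SafeAttachmentPolicy 'SA-DynamicDelivery' `
    -SentToMemberOf $ddGroup

# Tenant-wide: also detonate files shared in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Step 3b: Safe Links for the same group: time-of-click checks in mail, Teams
# and Office, internal mail included, click-through disabled, clicks logged.
New-SafeLinksPolicy -Name 'SL-DynamicDelivery' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'SL-DynamicDelivery' -SafeLinksPolicy 'SL-DynamicDelivery' -SentToMemberOf $ddGroup

# Verify what is actually in force before signing off.
Get-ATPProtectionPolicyRule | Select-Object Name, State, RecipientDomainIs, ExceptIfSentToMemberOf
Get-SafeAttachmentPolicy    | Select-Object Name, Enable, Action, RedirectAddress
Get-SafeLinksPolicy         | Select-Object Name, EnableSafeLinksForEmail, EnableForInternalSenders, AllowClickThrough
Disconnect-ExchangeOnline -Confirm:$false
```

If nobody needs Dynamic Delivery, drop the `-ExceptIfSentToMemberOf` clause and the two custom policies: the Standard preset already applies Safe Attachments with Block and Safe Links with click-through disabled to everyone it covers.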
Step 4: Configure Anti-Phishing Policies for Impersonation Protection
Business email compromise (BEC) attacks typically involve an attacker impersonating your CEO, CFO, or a trusted supplier to authorize a fraudulent wire transfer or a change of bank details. EOP’s standard anti-spam and anti-malware filters do not stop this because BEC emails contain no malware and no malicious links; they are just convincing text, sent from a free webmail account with a borrowed display name or from a lookalike domain.
Defender for Office 365’s anti-phishing policy adds targeted protection. In Threat policies > Anti-phishing, open the policy that actually applies to your users: Office365 AntiPhish Default if you are not using a preset, or the Standard preset’s own anti-phishing policy if you applied it in Step 2 (presets win, and the default policy then never sees those users). Configure:
- User impersonation protection: add your CEO, CFO, and anyone who can approve payments (display name plus address, up to 350 users per policy). The engine flags messages whose display name or address closely resembles a protected user but that arrive from a different, unverified sender.
- Domain impersonation protection: enable protection for the domains you own and add the domains of suppliers and advisers you exchange invoices with. This catches lookalikes such as “itexperts-berlın.de” (dotless ı, U+0131, which on the wire becomes a punycode `xn--` name) or “itexpert5-berlin.de”.
- Mailbox intelligence: enable it to build a communication graph per mailbox, and enable “intelligence for impersonation protection” so the graph is acted on, not just displayed. If your CFO has never emailed your IT admin before, an impersonation attempt stands out statistically.
- Action on detected impersonation: set all three actions (user, domain, mailbox intelligence) to “Quarantine the message” rather than “Move to Junk”: users rummage through their junk folders, and attackers count on it. Pair this with a quarantine policy that notifies users but lets only admins release, so a convinced victim cannot self-release the lure. While you are in the policy, raise the phishing email threshold above the default level 1 (the Standard preset uses level 3) and leave spoof intelligence on.
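The same four settings applied to the default anti-phishing policy with Exchange Online PowerShell, as an added example that is not from the original article. The names, addresses and supplier domains are placeholders; the cmdlet and parameter names are those of `Set-AntiPhishPolicy`. The last lines go slightly beyond the text and show why the lookalike domain from the bullet above is mechanically distinguishable: `IdnMapping` converts it to the punycode form that actually appears in DNS and in the SMTP envelope.

```powershell
# Added example: impersonation protection on the default anti-phishing policy.
# If the Standard preset covers these users, its own anti-phishing policy applies
# instead; edit its protected users and domains through the preset wizard in the portal.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.de

# "DisplayName;address" pairs, max 350 per policy: everyone who can approve payments.
$protectedUsers = @(
    'Anna Beispiel;anna.beispiel@contoso.de',
    'Max Mustermann;max.mustermann@contoso.de'
)
# Domains you exchange invoices with. Your own domains are covered by
# -EnableOrganizationDomainsProtection, so they are not listed here.
$protectedDomains = @('lieferant-gmbh.de', 'steuerkanzlei-berlin.de')

Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3

# Read back the settings that matter.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object TargetedUsersToProtect, TargetedDomainsToProtect, PhishThresholdLevel,
                  TargetedUserProtectionAction, TargetedDomainProtectionAction, MailboxIntelligenceProtectionAction

# Why the lookalike in the text is catchable: an internationalised domain is
# punycode on the wire, so "itexperts-berlın.de" (dotless ı, U+0131) never
# equals the ASCII domain. The second line prints an xn-- name.
$idn = [System.Globalization.IdnMapping]::new()
foreach ($d in 'itexperts-berlin.de', 'itexperts-berlın.de', 'itexpert5-berlin.de') {
    '{0,-22} -> {1}' -f $d, $idn.GetAscii($d)
}
```

Quarantine on all three actions only helps if the quarantine policy attached to the anti-phishing policy does not let end users release messages themselves; check that in Threat policies > Quarantine policies after running the script.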
Step 5: Protect Against Outbound Spam
A compromised mailbox used to send spam drags your domain’s reputation down with the major mail providers, and your legitimate business email gets blocked as collateral damage. In Threat policies > Anti-spam > Anti-spam outbound policy (Default), set recipient limits (external per hour, internal per hour, per day) just above your real sending volume, set the action on reaching a limit to restrict the user from sending mail, and set automatic forwarding to Off: an external forwarding rule is the classic BEC persistence mechanism, and outbound spam from a mailbox is usually preceded by one. Notification of restricted senders is driven by the built-in alert policy “User restricted from sending email” (Defender portal > Policies & rules > Alert policy), which emails tenant admins by default; confirm it reaches a mailbox somebody reads. A user hitting the restriction is often the first signal that the account has been compromised: treat it as an incident rather than a support ticket, and check the mailbox for inbox rules that forward, redirect or delete mail before you re-enable sending.
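The outbound policy settings above as Exchange Online PowerShell, followed by the check a practitioner runs when the restriction alert fires. This is an added example, not code from the original article; the recipient limits are placeholders to be set from your own sending volume, and the persistence hunt at the end goes beyond the text by listing every mailbox-level forward and every inbox rule that forwards, redirects or deletes mail across the tenant.

```powershell
# Added example: outbound spam policy plus a tenant-wide hunt for forwarding
# persistence. Limits and the admin account are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.de

Set-HostedOutboundSpamFilterPolicy -Identity 'Default' `
    -RecipientLimitExternalPerHour 400 -RecipientLimitInternalPerHour 800 -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off    # no automatic external forwarding, whatever the user configures

# Restriction notices come from the built-in alert policy "User restricted from
# sending email" (Defender portal > Policies & rules > Alert policy); make sure
# its recipients include a mailbox that is actually read.

# When the alert fires, assume compromise and look for persistence before
# re-enabling sending. Pull the forwarding properties in one call.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 1. Mailbox-level forwarding (set by an admin or via Outlook on the web settings).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect, or silently delete mail (attackers
#    delete the victim's copies of the fraudulent thread).
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
Disconnect-ExchangeOnline -Confirm:$false
```

Run the two hunts on a schedule, not only after an alert: a forwarding rule that sends every invoice thread to an outside address is worth finding before the attacker ever sends spam.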
Step 6: Enable Multi-Factor Authentication — The Single Most Effective Email Control
No email security control matters if an attacker can simply sign in to your tenant with a stolen password and read, forward or redirect your mail. MFA enforced through Conditional Access (Entra ID P1, included in Business Premium) defeats password-only attacks: credential stuffing, password spraying, and plain phishing of passwords. Two caveats are essential. First, legacy authentication protocols (POP, IMAP, SMTP AUTH, older ActiveSync) cannot perform MFA, so block them with a second Conditional Access policy or the first one has a hole. Second, MFA is not phishing-proof: adversary-in-the-middle phishing kits proxy the real sign-in page and steal the session cookie after the second factor, so prefer phishing-resistant methods (FIDO2 security keys or passkeys, Windows Hello for Business) for admins and finance staff, and use number matching in Microsoft Authenticator for everyone else. Risk-based sign-in policies from Entra ID Protection need Entra ID P2, which Business Premium does not include. Exclude one break-glass account from every Conditional Access policy and roll new policies out in report-only mode first. Done this way, this is the one control that stops almost every account takeover scenario.
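The two Conditional Access policies just described, created with Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules, an Entra ID P1 licence, and a break-glass account named `breakglass@contoso.de`; the policy names and the tenant are placeholders. Both policies start in report-only mode so you can read the sign-in log before anything is enforced.

```powershell
# Added example: require MFA for all users, block legacy authentication,
# exclude the break-glass account, start in report-only mode.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# The break-glass account is excluded so a misconfigured policy can never lock
# every administrator out of the tenant.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.de'" -Property Id
if (-not $breakGlass) { throw 'Create the break-glass account before creating Conditional Access policies.' }

$requireMfa = @{
    displayName = 'CA001 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Legacy protocols cannot present a second factor, so the only safe grant is "block".
$blockLegacy = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Confirm both exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like 'CA00*' |
    Select-Object DisplayName, State
```

After a week in report-only mode, open Entra ID > Sign-in logs, filter on the report-only tab, and look for two things before switching `state` to `enabled`: service accounts or multifunction printers that would be blocked by CA002 (they need a dedicated exception or, better, a modern-auth replacement), and users who have never registered an MFA method and would be locked out by CA001.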
Step 7: Ongoing Monitoring — Attack Simulation and Reporting
Attack simulation training (Microsoft Defender portal > Email & collaboration > Attack simulation training) is a Defender for Office 365 Plan 2 feature: it is included in Microsoft 365 E5 and available to Business Premium tenants through the Plan 2 add-on, but it is not part of the Plan 1 licence that Business Premium includes. Run a phishing simulation quarterly: send a credential-harvesting campaign to all staff, measure the click rate and the credential-entry rate, and let users who click receive the targeted training automatically. Announce the programme to staff (and to the works council, where one exists) before the first run. This loop of simulate, catch, train demonstrably reduces click rates over time and costs far less than a single incident.
Monitor the Threat Protection Status Report in the Defender Portal weekly. Track malware blocked, phishing detected, and quarantine volume. Sudden spikes indicate either a live attack against your domain or a configuration gap letting more mail through than expected. The report is free, requires no additional tooling, and takes five minutes to review.
Quick Reference: Email Security Hardening Checklist
| Control | Status Check | Priority |
|---|---|---|
| SPF record published | mxtoolbox.com/spf.aspx | Critical |
| DKIM enabled in M365 | Defender Portal > DKIM | Critical |
| DMARC at p=reject | mxtoolbox.com/dmarc.aspx | Critical |
| Standard Protection preset active | Defender Portal > Preset security policies | High |
| Safe Attachments: Dynamic Delivery or Block, never Monitor | Defender Portal > Safe Attachments | High |
| Safe Links: click-through disabled, internal mail included | Defender Portal > Safe Links | High |
| Anti-phishing impersonation configured (users, domains, mailbox intelligence, action = Quarantine) | Defender Portal > Anti-phishing | High |
| Outbound recipient limits set, automatic forwarding Off | Defender Portal > Anti-spam outbound policy | High |
| MFA enforced for all users, break-glass account excluded | Entra ID > Conditional Access | Critical |
| Legacy authentication blocked | Entra ID > Conditional Access | Critical |
| Attack simulation training active (Defender for Office 365 Plan 2) | Defender Portal > Attack simulation training | Medium |
How IT Experts Berlin Implements This for Clients
We deliver email security hardening as part of our Microsoft 365 managed service for Berlin SMBs. A typical engagement runs three phases over four weeks: DNS authentication records (SPF/DKIM/DMARC) in week one; EOP and Defender for Office 365 policy hardening in week two; impersonation protection and attack simulation baseline in weeks three and four. After go-live, we monitor the Threat Protection Status Report weekly and run quarterly phishing simulations included in the service.
Most clients see a measurable reduction in end-user-reported phishing emails within the first 30 days and use the attack simulation reports in their cyber insurance renewal documentation to demonstrate proactive controls. Contact us for a free email security assessment of your current M365 configuration.
