| Setting | Status | Recommendation | Impact | Risk |
|---|---|---|---|---|
| MX Records | ✓ Good: All 4 records → SpamHero | No change needed | Mail is flowing through SpamHero properly | — |
| SPF Record | ✓ Good: Includes SpamHero + O365, hard fail | No change needed | Sender authentication is solid | — |
| DMARC Enforcement | ✓ Good: Enabled, quarantine on failure | No change needed | Spoofed messages are caught | — |
| Impersonation Protection (Local) | ✓ Good: Enabled for milconconstruction.com | No change needed | Protects against domain spoofing | — |
| Attachment Filter | ✓ Good: 193 dangerous file types blocked | No change needed | Malicious attachments are caught | — |
| IP-Restricted Delivery | ✓ Good: Only SpamHero IPs can deliver to M365 | No change needed | Prevents SpamHero bypass | — |
| Message Re-Delivery Workaround | ✓ Good: Enabled for M365 compatibility | No change needed | Fixes M365 Message-ID header issue | — |
| Invalid Sender Domain Filter | ✓ Good: Enabled | No change needed | Blocks mail from fake domains | — |
| Auto-Block from Missed Spam | ✓ Good: Enabled | No change needed | Users can report spam and senders get auto-blocked | — |
| Corrupt/Password-Protected Archives | ✓ Good: Quarantined | No change needed | Suspicious archives are caught | — |
| Geographic Policies | ✓ Acceptable: Using defaults | No change needed for now | 94% of clean mail comes from the US; defaults are appropriate | — |
| Non-English Character Filter | ✓ Correct: Disabled (diverse workforce) | Keep disabled; construction has a diverse workforce | Would block legitimate mail from subcontractors | — |
| Deep Filter High Spam Networks | ✓ Correct: Disabled per SpamHero docs | Keep disabled; too aggressive per SpamHero's own docs | Causes frequent delays of clean mail; not worth the trade-off | — |
| Global Impersonation Protection | ✓ Correct: Disabled (overly aggressive) | Keep disabled; quarantines too much clean mail | SpamHero warns this is overly aggressive | — |
| Metric | Value | Note |
|---|---|---|
| Overall Security Score | 42 / 100 | Neither system is properly configured to work together |
| SpamHero Filtering | 99.96% | Spam detection is excellent — front-line filter is doing its job |
| M365 Defender Status | Misconfigured | Active but fighting SpamHero — no connector, no enhanced filtering |
| Critical Actions Needed | 7 | Foundational changes needed before anything else |
Architecture Overview
How mail flows today vs. how it should flow

Current State: 🌐 Internet → SpamHero → M365

Problem: M365 doesn't know SpamHero exists. No inbound connector, no enhanced filtering. M365 sees SpamHero's IP as the sender and re-evaluates everything incorrectly — causing false positives, broken SPF/DKIM checks, and duplicate filtering that works against itself.

Target State: 🌐 Internet → SpamHero → M365 + Connector (Partner Connector, Enhanced Filtering, Transport Rule)

Result: SpamHero handles front-line filtering. M365 trusts SpamHero via an inbound partner connector, sees real sender IPs through Enhanced Filtering, and a transport rule blocks any mail that bypasses SpamHero. Both systems work as cooperative layers.
SpamHero Assessment
Third-party email filter — 25 settings reviewed
| Setting | Status | Recommendation | Impact | Risk |
|---|---|---|---|---|
| Self-Domain Whitelist | 🔴 Critical: milconconstruction.com on Approved Senders | Remove immediately — defeats all spoofing protection | Spoofed emails from "milconconstruction.com" bypass ALL filtering. Critical security risk. | Low |
| Quarantine Reports | 🔴 Critical: Set to "Never" | Enable daily reports for all users | Without reports, quarantined legitimate mail goes unseen. Users need visibility. | Low |
| Microsoft Office Macros Filter | ⚠ Disabled | Enable — #1 ransomware vector for construction companies | Blocks weaponized Office docs with macros. Very low disruption risk. | Low |
| Quarantine When SPF+DKIM Both Fail | ⚠ Disabled | Enable — messages failing both checks are almost certainly spoofed | Catches spoofed emails that slip through. Low disruption risk. | Low |
| Invalid Headers Policy | ⚠ Disabled | Enable — legitimate mail always has From/To headers | Blocks automated spam/malware missing basic headers. Very low risk. | Low |
| Bulk Mail Filter | ⚠ Disabled | Enable — reduces marketing noise, users can release from quarantine | Filters bulk/marketing email. Moderate disruption risk — monitor first week. | Med |
| Catch-All | ⚠ Enabled | Disable — 77 known recipients already imported | Stops spam sent to guessed/random addresses. Low risk since recipients are listed. | Low |
| Auto-Login from Quarantine Reports | ⚠ Enabled | Disable — anyone intercepting the report can access quarantine | Improves security. No disruption to end users. | Low |
| Butler Construction Whitelist | ⚠ Whitelisted: butlerconstructiongroup.com | Remove — if their email is compromised, all spam passes through | Better to let SpamHero filter normally and address specific false positives. | Low |
| External Domain Impersonation | ⚠ Not configured | Add 5–10 critical vendor/partner domains (bank, insurance, key clients) | Prevents "wire $50K to this new account" attacks spoofing trusted partners. | Low |
| Outbound Filtering | ⚠ Not configured: not configured as relay | Investigate configuring M365 to relay outbound through SpamHero | Protects domain reputation if an account is compromised. | Med |
Microsoft 365 Defender Assessment
Built-in M365 security — 18 settings reviewed
| Setting | Status | Recommendation | Impact | Risk |
|---|---|---|---|---|
| Anti-Spam Inbound (Bulk) | ✓ Good: Threshold set to 6 | Acceptable — will complement SpamHero's bulk filter | Standard threshold. Works as second layer. | — |
| Anti-Spam Inbound (Actions) | ✓ Good: Spam→Junk, Phishing→Quarantine | Acceptable | Standard actions for a second-layer filter. | — |
| Anti-Phishing ("default" policy) | ✓ Good: Threshold 2 (Aggressive), 55 protected users | Good — strong second layer | User impersonation protection adds defense beyond what SpamHero offers. | — |
| Anti-Malware | ✓ Good: Common attachments filter on, ZAP enabled | Acceptable | Good second-layer malware protection. | — |
| Safe Attachments — "default" | ✓ Good: Dynamic Delivery, redirects to admin | Good | Delivers message immediately, rescans attachments in sandbox. | — |
| Safe Links — CIPP Default | ✓ Good: URL scanning on, Teams protection on | Good | Time-of-click URL protection that SpamHero cannot provide. | — |
| DKIM — milconconstruction.com | ✓ Good: Enabled and valid | No change needed | Outbound email is properly signed. | — |
| Outbound Anti-Spam | ✓ Good: 500 external/hr, 1000 internal/hr | Acceptable | Standard outbound rate limiting. | — |
| Quarantine Policies | ✓ Good: NotificationEnabledPolicy active | Acceptable | Users get notified about quarantined messages. | — |
| Setting | Status | Recommendation | Impact | Risk |
|---|---|---|---|---|
| Inbound Mail Flow Connector | 🔴 Missing: Does NOT exist | Create Partner connector restricted to SpamHero IPs | FOUNDATIONAL — without this, M365 can't trust or properly evaluate mail from SpamHero. Everything else depends on this. | Low |
| Enhanced Filtering for Connectors | 🔴 Missing: Not configured | Enable on inbound connector with SpamHero IPs as skip list | Lets M365 see the real sender IP instead of SpamHero's. Restores accurate SPF/DKIM/DMARC checks inside Defender. | Low |
| Transport Rules | 🔴 Missing: None exist | Create rule rejecting inbound internet mail not from SpamHero IPs | Prevents attackers from bypassing SpamHero by sending directly to M365's MX. | Low |
| Connection Filter IP Allow List | ⚠ Incomplete: Missing 1 of 7 SpamHero IPs (208.53.48.64) | Add missing IP | Ensures all SpamHero servers are trusted by M365. | Low |
| Safe Attachments — CIPP Default | ⚠ Monitor mode: Detects but still delivers malware | Change to "Dynamic Delivery" or "Block" | Monitor mode defeats the purpose — malware gets delivered even when detected. | Low |
| Safe Links — "default" policy | ⚠ Incomplete: "Wait for URL scanning" is OFF | Enable "Wait for URL scanning before delivering" | Currently delivers message before URL scan completes. Adds a few seconds but catches weaponized URLs. | Low |
| DKIM — watskyassociates.com | ⚠ Disabled: CNAME missing | Publish DKIM CNAME records in DNS if this domain sends mail | Without DKIM, mail from this domain may be flagged by recipients. | Low |
| Allowed Senders (25 entries) | ⚠ Risky entries | Review and trim — remove smiller@milconconstruction.com (self-domain bypass) | Self-domain whitelisting defeats spoofing protection. Each allowed sender bypasses spam filtering entirely. | Med |
| Allowed Domains (9 entries) | ⚠ Dangerous: indeed.com, docusign.net + 3 Indeed variants | Remove heavily-spoofed domains (Indeed, DocuSign). Handle false positives individually. | These are among the most impersonated domains on the internet. Blanket whitelisting is dangerous. | Med |
| Blocked Senders/Domains Conflict | ⚠ Conflict: docusign.net is both allowed AND blocked | Resolve conflict — allowed domain overrides blocked sender | Contradicting rules create unpredictable filtering behavior. | Low |
| First Contact Safety Tip | ⚠ Off | Enable — shows banner when user gets email from someone for the first time | Simple but effective phishing awareness for end users. Zero disruption. | Low |
Priority Action Plan
26 actions across 4 phases — ordered by urgency and dependency
Phase 1: Critical — Do First, Same Day (5 actions)
1. Create inbound Partner connector in M365 restricted to SpamHero IPs — this is the foundation everything else depends on
2. Enable Enhanced Filtering for Connectors with SpamHero IP skip list — restores accurate sender IP evaluation
3. Create transport rule to reject non-SpamHero inbound mail — closes the bypass gap
4. Remove milconconstruction.com from SpamHero Approved Senders — currently defeats all spoofing protection
5. Remove smiller@milconconstruction.com from M365 Allowed Senders — self-domain bypass in Defender
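The M365 side of Phase 1 (actions 1, 2, 3 and 5) as Exchange Online PowerShell. This is an added example written for this page, not SpamHero's or Microsoft's own code and not part of the assessment. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; the connector and rule names are assumptions; only 208.53.48.64 is named in the assessment, so the other six SpamHero delivery IPs are placeholders to be filled from SpamHero's documentation; and the allowed-senders list is assumed to live on the Default anti-spam policy. Action 4 is a SpamHero portal change and has no PowerShell equivalent here.

```powershell
# Added example for Phase 1 (actions 1, 2, 3, 5): SpamHero -> Exchange Online.
# Not part of the assessment; connector/rule names are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Only 208.53.48.64 appears in the assessment. Replace the placeholders with the
# remaining six SpamHero delivery IPs from SpamHero's documentation.
$SpamHeroIPs = @(
    '208.53.48.64',
    '<SPAMHERO_IP_2>', '<SPAMHERO_IP_3>', '<SPAMHERO_IP_4>',
    '<SPAMHERO_IP_5>', '<SPAMHERO_IP_6>', '<SPAMHERO_IP_7>'
)

$connectorName = 'SpamHero Inbound'                      # assumed name
$ruleName      = 'Reject inbound mail not from SpamHero' # assumed name

# Action 1: Partner connector that accepts mail for any sender domain, but only
# from SpamHero's IPs and only over TLS. Skipped if it already exists.
if (-not (Get-InboundConnector -Identity $connectorName -ErrorAction SilentlyContinue)) {
    New-InboundConnector -Name $connectorName `
        -ConnectorType Partner `
        -SenderDomains '*' `
        -SenderIPAddresses $SpamHeroIPs `
        -RestrictDomainsToIPAddresses $true `
        -RequireTls $true `
        -Enabled $true | Out-Null
}

# Action 2: Enhanced Filtering for Connectors. With SpamHero's IPs as skip
# addresses, Defender evaluates SPF/DKIM/DMARC and IP reputation against the
# hop before SpamHero, i.e. the true originating server.
Set-InboundConnector -Identity $connectorName -EFSkipIPs $SpamHeroIPs

# Action 3: reject internet mail that did not arrive through SpamHero. Created
# in Audit mode so message trace shows what it would have rejected; switch to
# Enforce once only bypass attempts are being matched.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $SpamHeroIPs `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Inbound mail must be delivered through the organization mail filter.' `
    -Mode Audit | Out-Null
# After verification:
# Set-TransportRule -Identity $ruleName -Mode Enforce

# Action 5: drop the self-domain entry from the anti-spam allowed senders list.
# Assumption: the 25 allowed senders are on the Default anti-spam policy.
Set-HostedContentFilterPolicy -Identity Default `
    -AllowedSenders @{Remove = 'smiller@milconconstruction.com'}

# Verify the resulting configuration.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, ConnectorType, SenderIPAddresses, RestrictDomainsToIPAddresses, EFSkipIPs
Get-TransportRule -Identity $ruleName |
    Format-List Name, Mode, FromScope, ExceptIfSenderIpRanges
```

The order matters: the transport rule only makes sense once the connector and its IP list exist, and running the rule in Audit mode before Enforce gives the message trace a week of evidence that nothing legitimate (for example a sender that reaches the tenant without passing through SpamHero) is about to be rejected.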
Phase 2: High Priority — Within 1 Week (10 actions)
6. Enable macro attachment blocking in SpamHero — #1 ransomware vector for construction
7. Enable "Quarantine when SPF+DKIM both fail" in SpamHero — catches spoofed mail
8. Enable Invalid Headers policy in SpamHero — blocks malformed spam/malware
9. Disable catch-all in SpamHero — 77 known recipients already imported
10. Enable daily quarantine reports in SpamHero — users need visibility into quarantined mail
11. Disable auto-login from quarantine reports in SpamHero — improves quarantine security
12. Add missing SpamHero IP (208.53.48.64) to M365 connection filter allow list
13. Fix Safe Attachments CIPP Default from Monitor → Dynamic Delivery — monitor mode delivers detected malware
14. Enable "Wait for URL scanning" on Safe Links default policy — scan before delivery
15. Enable first contact safety tip — warns users about emails from new contacts
Phase 3: Medium Priority — Within 2 Weeks (8 actions)
16. Enable bulk mail filter in SpamHero — monitor for false positives during first week
17. Remove Butler Construction from SpamHero whitelist — let normal filtering handle it
18. Add 5–10 critical vendor domains to SpamHero impersonation protection (bank, insurance, key clients)
19. Clean up M365 allowed senders list — review all 25 entries, remove unnecessary bypasses
20. Remove Indeed/DocuSign from M365 allowed domains — among the most impersonated domains online
21. Resolve docusign.net conflict — currently both allowed and blocked, creating unpredictable behavior
22. Publish DKIM CNAMEs for watskyassociates.com if this domain sends mail
23. Consolidate duplicate policies — merge Safe Attachments and Safe Links policies into single, coherent configs
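The M365 Defender policy changes from Phase 2 (actions 12 to 15) and Phase 3 (actions 19 to 21) as Exchange Online PowerShell. This is an added example written for this page, not SpamHero's, CIPP's or Microsoft's own code and not part of the assessment. It assumes an open Connect-ExchangeOnline session; the policy names "CIPP Default" and "default" are the ones the assessment labels (confirm them with Get-SafeAttachmentPolicy and Get-SafeLinksPolicy before running); the anti-spam policy holding the allow lists is assumed to be Default; and the three Indeed variant domains are not named in the assessment, so they are surfaced by the review at the end rather than guessed.

```powershell
# Added example for Phase 2 actions 12-15 and Phase 3 actions 19-21.
# Not part of the assessment; policy identities are as labelled there.

# Action 12: add the SpamHero IP missing from the connection-filter allow list.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = '208.53.48.64'}

# Action 13: Safe Attachments "CIPP Default" from Monitor to Dynamic Delivery,
# so a detected malicious attachment is withheld instead of delivered.
Set-SafeAttachmentPolicy -Identity 'CIPP Default' -Action DynamicDelivery

# Action 14: Safe Links "default": hold the message until URL scanning finishes.
Set-SafeLinksPolicy -Identity 'default' -DeliverMessageAfterScan $true

# Action 15: first-contact safety tip on the default anti-phishing policy,
# located by its IsDefault flag rather than by a hard-coded name.
$defaultPhish = Get-AntiPhishPolicy | Where-Object { $_.IsDefault }
Set-AntiPhishPolicy -Identity $defaultPhish.Identity -EnableFirstContactSafetyTips $true

# Actions 20-21: remove the two heavily impersonated domains named in the
# assessment. Removing docusign.net from the allow list also resolves the
# allowed-vs-blocked conflict, because the block entry is left in place.
$spamPolicy = 'Default'   # assumption: the allow lists are on the Default policy
Set-HostedContentFilterPolicy -Identity $spamPolicy `
    -AllowedSenderDomains @{Remove = 'indeed.com', 'docusign.net'}

# Action 19 (review): list every remaining allow-list entry, each of which
# bypasses spam filtering entirely, and flag any entry that is also blocked.
$p = Get-HostedContentFilterPolicy -Identity $spamPolicy
$allowed = @(@($p.AllowedSenders) + @($p.AllowedSenderDomains) | ForEach-Object { "$_" })
$blocked = @(@($p.BlockedSenders) + @($p.BlockedSenderDomains) | ForEach-Object { "$_" })
"Remaining allowed entries ($($allowed.Count)):"
$allowed
"Entries that are both allowed and blocked:"
$allowed | Where-Object { $blocked -contains $_ }
```

Run the review block again after each trim: the goal is an allow list short enough that every remaining entry has a named owner and a reason, since each one is a full bypass of the second filtering layer.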
Phase 4: Low Priority / Ongoing (3 actions)
24. Investigate outbound relay through SpamHero — protects domain reputation if an account is compromised
25. Review blocked senders quarterly — keep the block list current and effective
26. Confirm blocked Microsoft services (Cortana, Viva, Dropbox) are intentional — not accidental blocks