Email & Collaboration Threat Protection

Tier 1 Checks

#	Check	License
E01	SPF records are published for all accepted domains	—
E02	DKIM signing is enabled for all custom domains	—
E03	DMARC is published and set to enforce (p=quarantine or p=reject)	—
E04	Inbound and outbound TLS is enforced for mail transport	—
E05	Safe Attachments protection is applied to all recipients	MDO P1
E06	Anti-malware common attachments filter blocks dangerous file types	—
E07	Safe Links protection is applied to email, Teams, and Office apps	MDO P1
E08	Anti-phishing spoof and impersonation protection is configured	MDO P1
E09	External sender tagging is enabled	—
E10	POP and IMAP are disabled at the organization and per mailbox	—
E11	A transport rule blocks executable attachments	—
E12	A transport rule blocks oversized attachments	—

Tier 2 / Tier 3 coverage

Tier 1 covers the highest-impact email-authentication and Defender for Office 365 controls. Tier 2 and Tier 3 add depth on Strict-preset tuning, custom anti-phishing impersonation lists and trusted senders, quarantine policies and end-user release, Safe Attachments for SharePoint/OneDrive/Teams, Zero-hour Auto Purge configuration, Attack Simulation Training, mailbox audit baselines, and Defender for Office 365 Plan 2 investigation/automation (Threat Explorer, Automated Investigation and Response).