Using Microsoft 365? There's a dashboard at security.microsoft.com/securescore that gives your Microsoft environment a security score out of 100. Most business owners have never seen it, and the ones who have often don't know what to do with it.
What Is Microsoft Secure Score?
Microsoft Secure Score is a built-in security measurement tool inside Microsoft 365. It audits your environment against a checklist of security best practices and assigns a score based on how many you've implemented. The higher your score, the harder your environment is to compromise.
You find it at security.microsoft.com/securescore, as long as you're an admin on your Microsoft 365 account. The score is broken into three categories: Identity (users and access), Data (files and emails), and Devices (laptops and phones). Each category has a set of recommended actions.
What the score tells you:
- How much of Microsoft's recommended security configuration you've actually applied
- What specific gaps exist, with plain-English explanations
- How your score compares to similar businesses (Microsoft shows an industry average)
- A prioritised action list for what to fix next
How Email Security Feeds into the Score
A significant portion of the Secure Score relates directly to email: both how you receive email (anti-phishing, safe links, attachment scanning) and how your domain is authenticated when you send email.
Specifically, Microsoft awards score points for:
- DMARC enforcement: Having DMARC in place, ideally set to
p=quarantineorp=reject - SPF configuration: Correctly specifying which servers can send on your behalf
- DKIM signing: Cryptographically signing outgoing email from your domain
- Anti-phishing policies: Defender for Office 365 anti-phishing rules
- Safe Attachments and Safe Links: Scanning incoming attachments and links in real time
- Multi-factor authentication (MFA): Requiring a second factor for admin accounts in particular
Important distinction: Microsoft Secure Score measures your Microsoft 365 configuration. It will flag whether DMARC exists on your domain, but it won't tell you whether your domain's email authentication is set up correctly end-to-end. A badly configured DMARC record can still get points.
What's a Good Score?
There's no universal benchmark, but Microsoft shows an industry average for your sector. Most UK small businesses sit somewhere between 30 and 55 out of 100 when they first look. That's not a failing grade. It reflects that many of the scored items require active configuration that's never been done rather than active failure.
Getting above 60-70 typically means the highest-impact items (MFA, anti-phishing policies, email authentication) are in place. The remaining points usually involve edge cases and advanced features that make meaningful difference only in highly targeted attack scenarios.
What a Low Score Actually Means
A low score doesn't mean you're being attacked right now. It means there are doors unlocked that an attacker could walk through if they targeted you. The most common gaps that drag scores down:
- MFA not enforced for all admin accounts (high risk, admin compromise is catastrophic)
- DMARC set to
p=none: monitoring only, no enforcement against spoofing - Safe Attachments not enabled for all users
- Legacy authentication protocols still allowed (older apps that bypass MFA)
- No anti-phishing policies configured for impersonation protection
The score Microsoft can't show you: Secure Score only measures what's inside Microsoft 365. It can't see whether your domain's DNS records are correctly configured, whether your emails are passing authentication checks at the receiving end, or whether your sending IP is on any blacklists. That's a separate check, and one many businesses skip entirely.
The False Confidence Trap
The pattern I encounter most often when talking to business owners about Microsoft 365 security: the Secure Score is sitting at 65-75 out of 100, the IT team has been active in the portal, and the owner reasonably concludes that email security is covered. It often isn't.
Here's the specific gap. Microsoft awards Secure Score points for having a DMARC record, but it doesn't fully distinguish between a DMARC record set to p=none (which monitors only and takes no action) and one set to p=quarantine or p=reject (which actually blocks fraudulent emails). A business can have a respectable Secure Score while their domain is still fully open to impersonation, because the enforcement policy hasn't been set.
The second gap: Secure Score reflects your Microsoft 365 configuration at a point in time. DKIM keys expire. SPF records get outdated when you change email platforms. These changes happen outside the Microsoft portal, on your DNS, and Secure Score won't prompt you when something drifts. I've seen businesses whose DKIM key expired months ago, emails started failing authentication checks silently, and no one knew because the Secure Score hadn't moved.
Use the Secure Score as a dashboard for your Microsoft environment. Then check your domain's actual DNS records separately to verify authentication is working end-to-end. They're measuring different things.
Email Authentication: The Gap Between Secure Score and Reality
Microsoft gives you points for having DMARC, SPF, and DKIM in place, but those points are tied to whether records are present in your DNS, not whether they're correctly configured and actively enforcing. A DMARC record set to p=none, which means monitoring only, no enforcement, provides zero spoofing protection, but it's still a DMARC record that can contribute to your score.
This is not a flaw in Secure Score. It's measuring what it's designed to measure, which is Microsoft-platform configuration. But it means you can have a score that looks healthy while your domain is still fully impersonatable. Criminals can send emails appearing to come from your domain, those emails will land in inboxes, and your Secure Score will remain unchanged.
The only way to confirm your email authentication is working end-to-end is to check your domain's DNS records directly, not just the Microsoft portal.
Check Your Domain's Email Security, Not Just the Microsoft Score
The free SecureMyEmails check reads your domain's DNS records directly (SPF, DKIM, DMARC) and tells you whether they're correctly configured for real-world protection, not just whether records exist. It takes 60 seconds.
Check My Domain Free Talk to us →Not sure what your Secure Score means for your specific situation? Book a free 20-minute call with our team. We'll look at both the Microsoft dashboard and your domain authentication together and give you a clear action list.
How to Improve Your Microsoft Secure Score
The Secure Score dashboard itself is the best guide. Each recommended action includes a description, estimated score improvement, and implementation notes. The highest-value items to tackle first:
- Enable MFA for all users: highest single impact on score and on actual risk
- Set DMARC to
p=quarantineorp=reject: stops domain impersonation - Enable Safe Attachments: scans incoming attachments in a sandbox before delivery
- Configure anti-phishing impersonation protection: flags emails that pretend to be your senior staff
- Block legacy authentication: closes the MFA bypass loophole used by older apps
Most of these are configuration changes inside the Microsoft 365 admin centre and Microsoft Defender portal, with no software to buy and no hardware to install. Your IT team can work through them in a day.
The Bottom Line
Microsoft Secure Score is a useful health indicator, but it's not a complete picture. It tells you how well you've configured the tools Microsoft gives you. It doesn't tell you whether your email domain is correctly authenticated from the outside, or whether your domain is already being used to send fraudulent emails without your knowledge.
Use the Secure Score as a starting point, not a finish line. Then check your domain's email authentication separately. It's the one thing Microsoft's own dashboard can't fully verify for you.