CISA.MS.EXO.3.1 - DKIM SHOULD be enabled for all domains.
Overview
DKIM SHOULD be enabled for all domains.
Rationale: An adversary may modify the FROM field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Enabling DKIM is another means for recipients to detect spoofed emails and verify the integrity of email content.
Remediation action:
Option 1: Enable DKIM
To enable DKIM, follow the instructions in "Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal" on Microsoft Learn.
Option 2: Disallow mail to be sent from domain
If the domain is not used for sending mail, we recommend disabling the ability to send from this domain. This will skip the domain for this particular test.
- Sign in to the Exchange Admin Center - Accepted Domains.
- Select the domain to disable sending from.
- Uncheck Allow mail to be sent from this domain.
We recommend doing this for *onmicrosoft.com domains.
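The two remediation options above give each accepted domain one of three outcomes: DKIM enabled, sending disabled (skipped), or failing. The following is an added example, not the Test-MtCisaDkim source; the function name `Get-DkimCoverage` is hypothetical, the sample objects are constructed, and the property names (`DomainName`, `SendingFromDomainDisabled`, `Domain`, `Enabled`) are assumed to match the output of `Get-AcceptedDomain` and `Get-DkimSigningConfig`.

```powershell
# Added example: classify accepted domains by the two remediation options.
function Get-DkimCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $AcceptedDomain,
        [object[]] $DkimSigningConfig = @()
    )

    # Index DKIM signing configs by domain (hashtable keys are case-insensitive).
    $byDomain = @{}
    foreach ($cfg in $DkimSigningConfig) { $byDomain[[string]$cfg.Domain] = $cfg }

    foreach ($d in $AcceptedDomain) {
        $name = [string]$d.DomainName
        $cfg  = $byDomain[$name]

        # Option 2 takes precedence: a domain that cannot send is skipped.
        $status = if ($d.SendingFromDomainDisabled) { 'Skipped: sending disabled' }
                  elseif ($cfg -and $cfg.Enabled)   { 'Pass: DKIM enabled' }
                  elseif ($cfg)                     { 'Fail: DKIM config present but disabled' }
                  else                              { 'Fail: no DKIM signing config' }

        [pscustomobject]@{ Domain = $name; Status = $status }
    }
}

# Constructed sample data shaped like the cmdlet output (not from a real tenant).
$accepted = @(
    [pscustomobject]@{ DomainName = 'contoso.example';         SendingFromDomainDisabled = $false }
    [pscustomobject]@{ DomainName = 'legacy.contoso.example';  SendingFromDomainDisabled = $false }
    [pscustomobject]@{ DomainName = 'parked.contoso.example';  SendingFromDomainDisabled = $false }
    [pscustomobject]@{ DomainName = 'contoso.onmicrosoft.com'; SendingFromDomainDisabled = $true }
)
$dkim = @(
    [pscustomobject]@{ Domain = 'contoso.example';        Enabled = $true }
    [pscustomobject]@{ Domain = 'legacy.contoso.example'; Enabled = $false }
)

Get-DkimCoverage -AcceptedDomain $accepted -DkimSigningConfig $dkim | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Get-DkimCoverage -AcceptedDomain (Get-AcceptedDomain) -DkimSigningConfig (Get-DkimSigningConfig)
```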
Related links
- Defender admin center - Email authentication settings
- CISA 3 Sender Policy Framework - MS.EXO.3.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.3.1 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaDkim |
| Tags | CISA, CISA.MS.EXO.3.1, MS.EXO, MS.EXO.3.1 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaDkim.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaDkim.ps1