CISA.MS.EXO.4.2 - The DMARC message rejection option SHALL be p=reject.
Overview
The DMARC message rejection option SHALL be p=reject.
Rationale: Of the three policy options (i.e., none, quarantine, and reject), reject provides the strongest protection. Reject is the level of protection required by BOD 18-01 for FCEB departments and agencies.
Remediation action:
- See MS.EXO.4.1v1 Instructions for an overview of how to publish and check a DMARC record.
- Ensure the record published includes p=reject.
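The check described in the remediation steps, as an added PowerShell example (it is not Maester's Test-MtCisaDmarcRecordReject code). The function name `Test-DmarcPolicyReject`, its parameters, and the `example.*` sample records are assumptions made for illustration; supplying `-TxtRecord` keeps the check offline, and omitting it falls back to a live `Resolve-DnsName` lookup.

```powershell
# Added example (not Maester's code): grade DMARC TXT data against MS.EXO.4.2.
function Test-DmarcPolicyReject {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # TXT strings found at _dmarc.<Domain>; supplying them keeps the check offline.
        [string[]]$TxtRecord
    )
    if (-not $PSBoundParameters.ContainsKey('TxtRecord')) {
        # Live lookup (Windows DnsClient module); long TXT data arrives as several strings.
        $TxtRecord = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }
    }
    # Only TXT values that begin with v=DMARC1 are DMARC records; SPF and others are ignored.
    $dmarc = @($TxtRecord | Where-Object { $_ -cmatch '^\s*v\s*=\s*DMARC1\s*(;|$)' })
    $policy = $null
    if ($dmarc.Count -eq 0) { $reason = 'No DMARC record published' }
    elseif ($dmarc.Count -gt 1) { $reason = 'Multiple DMARC records; receivers treat this as no policy' }
    else {
        # Split "tag=value; tag=value" into a lookup table (keys are case-insensitive).
        $tags = @{}
        foreach ($part in ($dmarc[0] -split ';')) {
            $name, $value = $part -split '=', 2
            if ($null -ne $value) { $tags[$name.Trim()] = $value.Trim() }
        }
        $policy = $tags['p']
        if (-not $policy) { $reason = 'DMARC record has no p= tag' }
        elseif ($policy -ne 'reject') { $reason = "p=$policy does not meet the required p=reject" }
        else { $reason = 'p=reject is published' }
    }
    [pscustomobject]@{
        Domain = $Domain; Policy = $policy; Compliant = ($policy -eq 'reject'); Reason = $reason
    }
}

# Constructed sample data (example.* domains are placeholders, not real lookup results).
$samples = [ordered]@{
    'example.com' = @('v=DMARC1; p=reject; rua=mailto:dmarc@example.com')
    'example.net' = @('v=DMARC1; p=quarantine')
    'example.org' = @('v=spf1 -all')
    'example.edu' = @('v=DMARC1; p=reject', 'v=DMARC1; p=none')
}
foreach ($d in $samples.Keys) {
    Test-DmarcPolicyReject -Domain $d -TxtRecord $samples[$d]
}
```

Only the first sample is reported as compliant; the others fail for a weaker policy, a missing DMARC record, and duplicate DMARC records respectively.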
Related links
- Exchange admin center - Accepted domains
- CISA 4 Domain-Based Message Authentication, Reporting, and Conformance (DMARC) - MS.EXO.4.2v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.4.2 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaDmarcRecordReject |
| Tags | CISA, CISA.MS.EXO.4.2, MS.EXO, MS.EXO.4.2 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaDmarcRecordReject.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaDmarcRecordReject.ps1