Version: 2.1.1-preview

ORCA.243 - Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO.

Overview

When EOP/MDO is behind a third-party service, sender authentication checks such as DKIM and SPF can fail. This is because the service in front may modify the message and break the signature, or send from an IP address that is not a registered sender for the domain. By configuring the third-party service to ARC seal the message, and setting up a trusted ARC sealer, the authentication results of the third-party mail relay can be used.

IMPORTANT NOTE: This check cannot validate that the third-party service in front of these domains is correctly ARC sealing your emails, nor can it check that the domain portion matches one of the trusted ARC sealers. This check purely validates that a trusted ARC sealer exists. Even if this check passes, you should validate that your emails are passing ARC seal.
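The manual validation that the note above calls for can be done on the headers of a delivered message. The following is an added example, not part of ORCA or Maester: it lists the d= domain of each ARC-Seal header and flags whether it exactly matches an entry in a trusted sealer list supplied by the caller (in a tenant, that list can be read with Get-ArcConfig). The function name, header values and domains are constructed for illustration, and exact, case-insensitive matching is an assumption of this example.

```powershell
# Added example, not ORCA/Maester code. Domains and header values below are constructed.
function Test-ArcSealerTrust {
    param(
        [Parameter(Mandatory)][string]   $RawHeaders,      # headers copied from a delivered message
        [Parameter(Mandatory)][string[]] $TrustedSealers   # domains configured as trusted ARC sealers
    )
    # Unfold continuation lines so each header field sits on one line.
    $lines   = ($RawHeaders -replace "\r?\n[ \t]+", ' ') -split "\r?\n"
    $trusted = @($TrustedSealers | ForEach-Object { $_.Trim().ToLowerInvariant() })

    foreach ($line in $lines) {
        # Only ARC-Seal fields carry the sealer's d= domain and the cv= chain status.
        if ($line -notmatch '^ARC-Seal:\s*(.+)$') { continue }
        $body = $Matches[1]
        $tags = @{}
        foreach ($pair in ($body -split ';')) {
            # Split on the first '=' only; b= values can contain '=' padding.
            if ($pair -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') {
                $tags[$Matches[1].ToLowerInvariant()] = $Matches[2]
            }
        }
        $domain = "$($tags['d'])".ToLowerInvariant()
        [pscustomobject]@{
            Instance        = [int]$tags['i']
            SealerDomain    = $domain
            ChainValidation = $tags['cv']
            IsTrustedSealer = ($domain -ne '') -and ($trusted -contains $domain)
        }
    }
}

# Constructed sample: two ARC sets, only the first sealed by a domain in the trusted list.
$sampleHeaders = @'
ARC-Seal: i=2; a=rsa-sha256; t=1700000100; cv=pass;
 d=filter.example.org; s=sel2; b=BBBBBBBB==
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none;
 d=relay.example.net; s=sel1; b=AAAAAAAA==
Subject: constructed test message
'@

Test-ArcSealerTrust -RawHeaders $sampleHeaders -TrustedSealers 'relay.example.net' |
    Sort-Object Instance | Format-Table -AutoSize
```

A seal whose SealerDomain is not flagged as trusted is the mismatch case this check cannot detect on its own.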

Remediation action

Enable Authenticated Receive Chain (ARC) trusted sealers for domains not pointed at EOP/MDO.

Test Metadata

Field             Value
Test ID           ORCA.243
Severity          Medium
Suite             ORCA
Category          EXO
PowerShell test   Test-ORCA243
Tags              EXO, ORCA, ORCA.243

Source

  • Pester test: tests/orca/Test-ORCA243.Tests.ps1
  • PowerShell source: powershell/public/orca/Test-ORCA243.ps1