CISA.MS.EXO.4.3 - The DMARC point of contact for aggregate reports SHALL include [email protected].
Overview
The DMARC point of contact for aggregate reports SHALL include [email protected].
Rationale: Email spoofing attempts are not inherently visible to domain owners. DMARC provides a mechanism to receive reports of spoofing attempts. Including [email protected] as a point of contact for these reports gives CISA insight into spoofing attempts and is required by BOD 18-01 for FCEB departments and agencies.
Note: Only federal executive branch departments and agencies should include this email address in their DMARC record.
For other organizations, there are many services that offer managed DMARC analysis and reporting; ensure you align your implementation with your organization's policies for data handling, since aggregate reports reveal who is sending mail on your domain's behalf.
Remediation action:
- See MS.EXO.4.1v1 Instructions for an overview of how to publish and check a DMARC record.
- Ensure the published record includes [email protected] as one of the mailto: addresses in the rua tag.
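The check behind this remediation, written out as an added example (this is not Maester's Test-MtCisaDmarcAggregateCisa code): resolve the `_dmarc.<domain>` TXT record, parse the `rua` tag, and verify that a required address is present. It assumes `Resolve-DnsName` from the Windows DnsClient module, a constructed sample record, and a placeholder `REQUIRED_ADDRESS` that you replace with the BOD 18-01 reporting address (shown obfuscated on this page).

```powershell
# Added example, not Maester's own test. Checks that a DMARC record's rua tag
# lists a required aggregate-report mailbox.
# Assumptions: Resolve-DnsName (Windows DnsClient module) is available, and
# REQUIRED_ADDRESS is a placeholder for the BOD 18-01 address.

function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC is published as a TXT record at _dmarc.<domain>; drop CNAME/other answers.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' }
    # Long TXT records are split into 255-byte strings; re-join them before parsing.
    $records = foreach ($r in $txt) { ($r.Strings -join '') }
    return $records | Where-Object { $_ -match '^\s*v=DMARC1\b' }
}

function Test-DmarcRuaContains {
    param(
        [Parameter(Mandatory)][string]$DmarcRecord,
        [Parameter(Mandatory)][string]$RequiredAddress
    )
    # Tags are ';'-separated name=value pairs; rua holds a comma-separated list of URIs.
    $tags = @{}
    foreach ($pair in ($DmarcRecord -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if (-not $tags.ContainsKey('rua')) { return $false }   # no aggregate reporting at all
    $addresses = $tags['rua'] -split ',' | ForEach-Object {
        # Strip the mailto: scheme and an optional "!size" report-size suffix (RFC 7489).
        ($_.Trim() -replace '^mailto:', '') -replace '!.*$', ''
    }
    # -contains compares case-insensitively, which matches how mailboxes are usually treated.
    return ($addresses -contains $RequiredAddress)
}

# Usage with a constructed sample record (no DNS lookup needed):
$sample = 'v=DMARC1; p=reject; rua=mailto:dmarc@agency.example,mailto:REQUIRED_ADDRESS!10m; ruf=mailto:forensic@agency.example'
Test-DmarcRuaContains -DmarcRecord $sample -RequiredAddress 'REQUIRED_ADDRESS'   # True
Test-DmarcRuaContains -DmarcRecord 'v=DMARC1; p=none' -RequiredAddress 'REQUIRED_ADDRESS'   # False (no rua tag)

# Against a live domain (replace the placeholder address first):
# Get-DmarcRecord -Domain 'agency.example' |
#     ForEach-Object { Test-DmarcRuaContains -DmarcRecord $_ -RequiredAddress 'REQUIRED_ADDRESS' }
```

Two points worth keeping when adapting this: a record with no `rua` tag fails the check rather than erroring, and the `!size` suffix is stripped so that a correctly published address with a report-size limit still passes.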
Related links
- Exchange admin center - Accepted domains
- CISA 4 Domain-Based Message Authentication, Reporting, and Conformance (DMARC) - MS.EXO.4.3v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.4.3 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaDmarcAggregateCisa |
| Tags | CISA, CISA.MS.EXO.4.3, MS.EXO, MS.EXO.4.3 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaDmarcAggregateCisa.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaDmarcAggregateCisa.ps1