2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published

Information

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, assists recipient mail systems in determining the appropriate action to take when messages from a domain fail to meet SPF or DKIM authentication criteria.

DMARC strengthens the trustworthiness of messages sent from an organization's domain to destination email systems. By integrating DMARC with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), organizations can significantly enhance their defenses against email spoofing and phishing attempts.

Leaving a DMARC policy set to p=none can result in no action being taken when a spear-phishing email fails DMARC but passes SPF and DKIM checks. Having DMARC fully configured is a critical part of preventing business email compromise.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using a DNS Provider:

- For each Exchange Online Accepted Domain, add the following record to DNS:

Record: _dmarc.domain1.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:<[email protected]>; ruf=mailto:<[email protected]>

- This will create a basic DMARC policy that will allow the organization to start monitoring message statistics.
- One week is enough time for the data generated by the reports to be useful in understanding email trends and traffic. The final step requires implementing a policy of p=reject OR p=quarantine and pct=100 with the necessary rua and ruf email addresses defined:

Record: _dmarc.domain1.com
Type: TXT
Value: v=DMARC1; p=reject; pct=100; rua=mailto:<[email protected]>; ruf=mailto:<[email protected]>

Also remediate the MOERA domain using the UI:

- Navigate to the Microsoft 365 admin center: https://admin.microsoft.com/
- Expand Settings and select Domains
- Select your tenant domain (for example, contoso.onmicrosoft.com).
- Select DNS records and click + Add record
- Add a new record with the TXT name of _dmarc and the appropriate values outlined above.

Note: The remediation portion involves a multi-staged approach over a period of time. First, a baseline of the current state of email is established with p=none and rua and ruf defined. Once the environment is better understood and the reports have been analyzed, the organization moves to the final state with the DMARC record values outlined in the audit section.
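Because Nessus does not perform this check, the following is an added example (not Nessus, CIS or Microsoft code) that audits a published DMARC TXT value against the final-state requirements above: p=reject or p=quarantine, pct=100, and rua and ruf defined. The sample records are constructed; the example.com report addresses are placeholders.

```python
# Requirements from the benchmark's final-state record: p=reject or p=quarantine,
# pct=100, and both rua (aggregate) and ruf (forensic) report addresses defined.
ACCEPTED_POLICIES = {"reject", "quarantine"}


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict of lowercase tag -> value.
    Returns None if the record does not carry the v=DMARC1 tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def audit_dmarc(txt):
    """Return a list of findings; an empty list means the record meets the final state."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["not a valid DMARC record (missing or wrong v=DMARC1 tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ACCEPTED_POLICIES:
        findings.append(f"policy p={policy or 'missing'} is not reject or quarantine")
    # pct defaults to 100 when absent (RFC 7489); an explicit lower value weakens enforcement.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"pct={pct} leaves part of the mail stream unenforced")
    for tag, name in (("rua", "aggregate"), ("ruf", "forensic")):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        if not uris or not all(u.lower().startswith("mailto:") for u in uris):
            findings.append(f"{tag} ({name} reports) is missing or not a mailto: URI")
    return findings


# Constructed sample records: the monitoring-phase record and the final-state record.
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com"
ENFORCING = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com"

if __name__ == "__main__":
    for label, record in (("monitoring", MONITORING), ("enforcing", ENFORCING)):
        print(label, audit_dmarc(record) or ["compliant"])
```

To run this against a live domain, feed it the TXT value returned for _dmarc.<domain> by your resolver; the monitoring record is expected to fail only on the policy check while the baseline is being gathered.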

Microsoft has a list of best practices for implementing DMARC that cover these steps in detail.

Impact:

There should be no impact from setting up DMARC; however, organizations should ensure an appropriate setup to maintain continuous mail flow.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|7.8

Plugin: microsoft_azure

Control ID: f2ccee556b31576fa99563b75e009ec1625eb1915e27952baf248b7c3ab85ff1