2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains

Information

DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain.

DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes its domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that receive email from this domain can use the digital signature to help verify whether incoming email is legitimate.

Using DKIM in addition to SPF and DMARC helps prevent malicious actors from using spoofing techniques to send messages that look like they are coming from your domain.

By enabling DKIM with Office 365, messages sent from Exchange Online will be cryptographically signed. This allows the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate using a DNS Provider:

- For each accepted domain in Exchange Online, two DNS entries are required.

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

For Office 365, the selectors will always be selector1 and selector2.

domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:

contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end with onmicrosoft.com.

- After the DNS records are created, enable DKIM signing in Defender.
- Navigate to Microsoft 365 Defender: https://security.microsoft.com/
- Expand Email & collaboration > Policies & rules > Threat policies
- Under the Rules section, click Email authentication settings
- Select DKIM
- Click on each domain and click Enable next to Sign messages for this domain with DKIM signature

Final remediation step using the Exchange Online PowerShell Module:

- Connect to Exchange Online service using Connect-ExchangeOnline
- Run the following Exchange Online PowerShell command:

Set-DkimSigningConfig -Identity <domainName> -Enabled $True
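The DNS and PowerShell steps above can be combined into one audit that reports every accepted domain's DKIM status, and that only enables signing once both selector CNAMEs are actually published (Exchange Online rejects the enable when the CNAMEs cannot be found). The following script is an added example written for this page, not code from the CIS benchmark or from Microsoft. It assumes Connect-ExchangeOnline has already been run, that Resolve-DnsName (the Windows DnsClient module) is available for the public DNS lookup, that the initial onmicrosoft.com domain can be skipped because Microsoft manages its DKIM records, and the -Remediate switch is a hypothetical name chosen for this example.

```powershell
# Added example (not from the CIS benchmark or Microsoft): audit DKIM signing for every
# accepted domain in Exchange Online and, optionally, remediate.
# Assumes Connect-ExchangeOnline has already been run and Resolve-DnsName is available.
param(
    [switch]$Remediate   # hypothetical switch: create missing configs / enable signing when DNS is ready
)

function Test-DkimCname {
    # $true when the public CNAME at $Name points at the target Exchange Online expects.
    param([string]$Name, [string]$Expected)
    try {
        $answers = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop
        $cnames  = $answers | Where-Object { $_.QueryType -eq 'CNAME' }
        return @($cnames | Where-Object { $_.NameHost -ieq $Expected }).Count -gt 0
    } catch {
        return $false   # NXDOMAIN, timeout, or module missing all count as "not published"
    }
}

# Authoritative custom domains only; the initial *.onmicrosoft.com domain is managed by Microsoft.
$domains = Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' -and $_.DomainName -notlike '*.onmicrosoft.com' }

$results = foreach ($domain in $domains) {
    $name = $domain.DomainName
    $cfg  = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue

    if (-not $cfg -and $Remediate) {
        # Create the config disabled: this generates the Selector1CNAME/Selector2CNAME
        # targets that must be published in DNS before signing can be switched on.
        $cfg = New-DkimSigningConfig -DomainName $name -Enabled $false
    }

    $dns1 = $dns2 = $false
    if ($cfg) {
        $dns1 = Test-DkimCname -Name "selector1._domainkey.$name" -Expected $cfg.Selector1CNAME
        $dns2 = Test-DkimCname -Name "selector2._domainkey.$name" -Expected $cfg.Selector2CNAME
    }

    if ($cfg -and -not $cfg.Enabled -and $Remediate) {
        if ($dns1 -and $dns2) {
            Set-DkimSigningConfig -Identity $name -Enabled $true
            $cfg = Get-DkimSigningConfig -Identity $name
        } else {
            Write-Warning "$name : selector CNAMEs not published yet; DKIM left disabled."
        }
    }

    [pscustomobject]@{
        Domain       = $name
        ConfigExists = [bool]$cfg
        Enabled      = [bool]($cfg -and $cfg.Enabled)
        Selector1DNS = $dns1
        Selector2DNS = $dns2
        Compliant    = [bool]($cfg -and $cfg.Enabled -and $dns1 -and $dns2)
    }
}

$results | Format-Table -AutoSize
# Non-zero exit when any domain fails the check, so the script can gate a pipeline.
if (@($results | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
```

Run it without -Remediate first to see which domains have no signing config, which have the config but unpublished CNAMEs, and which are simply disabled; the Selector1DNS/Selector2DNS columns tell you whether the failure belongs to the DNS provider or to the Exchange Online setting. A domain is reported compliant only when all three conditions hold, which matches what the benchmark's manual check (Get-DkimSigningConfig showing Enabled = True) cannot tell you on its own.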

Impact:

Setting up DKIM should have no impact on mail flow; however, organizations should verify the setup (DNS records in place before enabling) to ensure continuous mail flow.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|7.8

Plugin: microsoft_azure

Control ID: 8581a9d06dd6c9d8b1c0b2b990fd0bf6aed29ab6c744b53d8cdcb7ab42bc7ce6