Detections
Analytics
4.8 Ensure that DKIM is enabled for all Exchange Online Domains
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
You should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain.Rationale:
By enabling DKIM with Office 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.
Impact:
There should be no impact of setting up DKIM however, organizations should ensure appropriate setup to ensure continuous mail-flow.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To setup DKIM records, first add the following records to your DNS system, for each domain in Exchange Online that you plan to use to send email with:For each accepted domain in Exchange Online, two DNS entries are required.
Host name:selector1._domainkey
Points to address or value:selector1-<domainGUID>._domainkey.<initialDomain>
TTL:3600
Host name:selector2._domainkey
Points to address or value:selector2-<domainGUID>._domainkey.<initialDomain>
TTL:3600
For Office 365, the selectors will always be selector1 or selector2.
domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:
contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com
The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end in on microsoft.com.
After the DNS records are created, enable DKIM signing in the Office 365 Admin Portal
Launch the Security Admin Center.
Under Email & collaboration navigate to Policies & rules > Threat policies.
Under Rules click DKIM
Click on each domain and click Enable next to Sign messages for this domain with DKIM signature.
To set DKIM is enabled, use the Exchange Online PowerShell Module:
Connect to Exchange Online service using Connect-ExchangeOnline.
Run the following Exchange Online PowerShell command:
Set-DkimSigningConfig -Identity < domainName > -Enabled $True
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L1 v1.4.0
References: CSCv7|7.8
Plugin: microsoft_azure
Control ID: 7365798562714e858383638b1ceee5256c4f99720fdb04a2346760df87a8a79f