MS.EXO.4.1v1 - A DMARC policy SHALL be published for every second-level domain.

Information

Without a DMARC policy available for each domain, receiving mail servers have no instruction on how to treat messages that fail SPF and DKIM alignment, possibly enabling spoofed emails to reach end users' mailboxes. Publishing DMARC records at the second-level domain protects the second-level domain and every subdomain that does not publish its own record.

Solution

DMARC is not configured through the Exchange admin center, but rather via DNS records hosted by the agency's domain. As such, implementation varies depending on how an agency manages its DNS records. See [Form the DMARC TXT record for your domain \| Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#step-4-form-the-dmarc-txt-record-for-your-domain) for Microsoft guidance.

A DMARC record published at the second-level domain will protect all subdomains that do not publish a `_dmarc` record of their own; the `sp` tag can set a separate policy for those subdomains, and the `p` policy applies to them when `sp` is absent. In other words, a DMARC record published for `example.com` will protect both `a.example.com` and `b.example.com`, but `example.gov` is a different second-level domain, so a separate record would need to be published for it to protect `c.example.gov`.

To test your DMARC configuration, consider using one of many publicly available web-based tools. Additionally, DMARC records can be requested using the PowerShell cmdlet `Resolve-DnsName` (Windows DnsClient module), which queries the TXT record at `_dmarc.<domain>`. For example:

Resolve-DnsName _dmarc.example.com txt

If DMARC is configured, a response resembling `v=DMARC1; p=reject; pct=100; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected]` will be returned, though the contents of the record will necessarily vary by agency. In this example, `p=reject` instructs receivers to reject every message that fails DMARC (that is, neither SPF nor DKIM produces an aligned pass), `pct=100` applies that policy to all such messages rather than to a sample, `rua` directs aggregate reports to [email protected] and [email protected], and `ruf` directs per-message failure reports to [email protected]. If no record is published, `Resolve-DnsName` returns a DNS name-does-not-exist error instead.
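As an added example (not part of the ScubaGear baseline or of this check's text), the following PowerShell script performs the lookup described above with the same `Resolve-DnsName` cmdlet, parses the record into its tags, and reports whether a record is published for a second-level domain together with its policy, subdomain policy, sampling percentage and report addresses. The domain names and mailbox addresses in the sample records are constructed placeholders; `Resolve-DnsName` requires the Windows DnsClient module.

```powershell
# Added example, not part of the ScubaGear baseline or this check's text.
# Parses a DMARC record into its tags and checks that a record is published
# for a second-level domain. Domains and report addresses below are
# constructed placeholders.

function Split-MailtoList {
    param([string]$Value)
    # "mailto:a@x, mailto:b@y" -> @('a@x', 'b@y'); a missing tag -> @()
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split ',' |
        ForEach-Object { ($_.Trim() -replace '^mailto:', '') } |
        Where-Object { $_ })
}

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # Tags are "name=value" pairs separated by ';'. Values such as rua may
    # themselves contain commas, so split each pair on '=' only once.
    $tags = [ordered]@{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1' -or -not $tags.Contains('p')) {
        throw "Not a valid DMARC record (v=DMARC1 and p= are required): $Record"
    }
    $policy = $tags['p'].ToLower()
    # sp= overrides the policy for subdomains; otherwise p= applies to them.
    $subPolicy = if ($tags.Contains('sp')) { $tags['sp'].ToLower() } else { $policy }
    # pct= defaults to 100 when absent.
    $percent = if ($tags.Contains('pct')) { [int]$tags['pct'] } else { 100 }
    [pscustomobject]@{
        Policy           = $policy
        SubdomainPolicy  = $subPolicy
        Percent          = $percent
        AggregateReports = @(Split-MailtoList $tags['rua'])
        FailureReports   = @(Split-MailtoList $tags['ruf'])
    }
}

function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # The record is a TXT record at _dmarc.<domain>. A missing record makes
    # Resolve-DnsName emit a non-terminating error; suppress it and return
    # nothing so the caller can report "not published".
    $answers = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    return @($answers |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') } |   # long records arrive as several strings
        Where-Object { $_ -match '^v=DMARC1' })
}

function Test-DmarcDomain {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Record   # pass a captured record (or '' for none) to run offline; omit to query DNS
    )
    if (-not $PSBoundParameters.ContainsKey('Record')) {
        $Record = Get-DmarcRecord -Domain $Domain | Select-Object -First 1
    }
    $result = [ordered]@{ Domain = $Domain; Published = [bool]$Record }
    if ($Record) {
        $parsed = ConvertFrom-DmarcRecord -Record $Record
        foreach ($prop in $parsed.PSObject.Properties) { $result[$prop.Name] = $prop.Value }
    }
    return [pscustomobject]$result
}

# Constructed sample records for offline demonstration (addresses are placeholders).
$samples = [ordered]@{
    'example.com' = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-agg@example.com, mailto:dmarc-agg@example.net; ruf=mailto:dmarc-fail@example.com'
    'example.org' = 'v=DMARC1; p=none; sp=quarantine'
    'example.net' = ''   # no record published: this is what MS.EXO.4.1v1 flags
}
foreach ($domain in $samples.Keys) {
    Test-DmarcDomain -Domain $domain -Record $samples[$domain] |
        Format-List Domain, Published, Policy, SubdomainPolicy, Percent, AggregateReports, FailureReports
}
```

Run `Test-DmarcDomain -Domain example.com` without `-Record` to query live DNS; looping it over every second-level domain in the agency's inventory and filtering on `Published -eq $false` lists the domains that fail this check. The subdomain-policy and percentage fields are reported because a record can exist yet still apply a weaker policy to subdomains (`sp`) or to only a fraction of failing mail (`pct`), which the record shown in the Solution section avoids with `p=reject` and `pct=100`.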

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-4, 800-53|CA-7, 800-53|CM-2, 800-53|CM-6, 800-53|IA-9, 800-53|SC-7, 800-53|SC-20, 800-53|SC-44, 800-53|SI-2, 800-53|SI-3, 800-53|SI-4, 800-53|SI-8

Plugin: microsoft_azure

Control ID: de35258643df2bd5065bd32246a434e448135e0619d5514e432e07fc57535b29