4.11 Ensure that DKIM is enabled for all Exchange Online Domains

Information

You should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain.

Rationale:

By enabling DKIM with Office 365, messages that are sent from Exchange Online will by cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.

Impact:

There should be no impact of setting up DKIM however, organizations should ensure appropriate setup to ensure continuous mail-flow.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To setup DKIM records, first add the following records to your DNS system, for each domain in Exchange Online that you plan to use to send email with:

For each accepted domain in Exchange Online, two DNS entries are required.

Host name:selector1._domainkey
Points to address or value:selector1-<domainGUID>._domainkey.<initialDomain>
TTL:3600
Host name:selector2._domainkey
Points to address or value:selector2-<domainGUID>._domainkey.<initialDomain>
TTL:3600

For Office 365, the selectors will always be selector1 or selector2.
domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:

contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end in on microsoft.com.

After the DNS records are created, enable DKIM signing in the Office 365 Admin Portal

Launch the Security Admin Center.

Expand Threat Management then select Policy.

Click DKIM.

Click on each domain and click Enable next to Sign messages for this domain with DKIM signature.

To set DKIM is enabled, use the Exchange Online PowerShell Module:

Connect to Exchange Online service using Connect-ExchangeOnline.

Run the following Exchange Online PowerShell command:

Set-DkimSigningConfig -Identity < domainName > -Enabled $True

See Also

https://workbench.cisecurity.org/files/3433