Detections
Analytics
2.1.9 Ensure that DKIM is enabled for all Exchange Online Domains
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain.DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes it's domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from this domain can use a digital signature to help verify whether incoming email is legitimate.
Use of DKIM in addition to SPF and DMARC to help prevent malicious actors using spoofing techniques from sending messages that look like they are coming from your domain.
Rationale:
By enabling DKIM with Office 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.
Impact:
There should be no impact of setting up DKIM however, organizations should ensure appropriate setup to ensure continuous mail-flow.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To setup DKIM records, first add the following records to your DNS system, for each domain in Exchange Online that you plan to use to send email with:For each accepted domain in Exchange Online, two DNS entries are required.
Host name:selector1._domainkey
Points to address or value:selector1-<domainGUID>._domainkey.<initialDomain>
TTL:3600
Host name:selector2._domainkey
Points to address or value:selector2-<domainGUID>._domainkey.<initialDomain>
TTL:3600
For Office 365, the selectors will always be selector1 or selector2.
domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:
contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com
The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end in on microsoft.com.
After the DNS records are created, enable DKIM signing in Defender.
Navigate to Microsoft 365 Defender https://security.microsoft.com/
Expand Email & collaboration > Policies & rules > Threat policies.
Under Rules section click Email authentication settings.
Select DKIM
Click on each domain and click Enable next to Sign messages for this domain with DKIM signature.
To set DKIM is enabled, use the Exchange Online PowerShell Module:
Connect to Exchange Online service using Connect-ExchangeOnline.
Run the following Exchange Online PowerShell command:
Set-DkimSigningConfig -Identity < domainName > -Enabled $True
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L1 v3.0.0
References: CSCv7|7.8
Plugin: microsoft_azure
Control ID: e4bf3db05831500b9879c0acc051b1c6487257e2eea293b54747b086f1efb17d