2.1.8 Ensure that SPF records are published for all Exchange Domains

Information

For each domain that is configured in Exchange, a corresponding Sender Policy Framework (SPF) record should be created.

Rationale:

SPF records allow Exchange Online Protection and other mail systems to know where messages from domains are allowed to originate. This information can be used by that system to determine how to treat the message based on if it is being spoofed or is valid.

Impact:

There should be minimal impact of setting up SPF records however, organizations should ensure proper SPF record setup as email could be flagged as spam if SPF is not setup appropriately.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To setup SPF records for Exchange Online accepted domains, perform the following steps:

If all email in your domain is sent from and received by Exchange Online, add the following TXT record for each Accepted Domain:

v=spf1 include:spf.protection.outlook.com -all

If there are other systems that send email in the environment, refer to this article for the proper SPF configuration: https://docs.microsoft.com/en-us/office365/SecurityCompliance/set-up-spf-in-office-365-to-help-prevent-spoofing.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|7.8

Plugin: microsoft_azure

Control ID: 53ae2e76900425c35daa318a31118b3470c2e3b2e6f778fc05edc274e4f8458a