2.1.10 Ensure DMARC Records for all Exchange Online domains are published

Information

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, assists recipient mail systems in determining the appropriate action to take when messages from a domain fail to meet SPF or DKIM authentication criteria.

Rationale:

DMARC strengthens the trustworthiness of messages sent from an organization's domain to destination email systems. By integrating DMARC with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), organizations can significantly enhance their defenses against email spoofing and phishing attempts.

Impact:

Setting up DMARC should have no impact by itself; however, organizations should ensure the record is configured correctly so that mail flow is not interrupted.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To add DMARC records, use the following steps:

For each Exchange Online Accepted Domain, add the following record to DNS:

Record: _dmarc.domain1.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:<[email protected]>; ruf=mailto:<[email protected]>

This will create a basic DMARC policy that will allow the organization to start monitoring message statistics.

The next steps involve first implementing a quarantine policy and then a reject policy, with 100 percent of email affected. Microsoft publishes a list of best practices for implementing DMARC that covers these steps in detail.

To establish a DMARC record for the MOERA domain:

Navigate to the Microsoft 365 admin center https://admin.microsoft.com/

Expand Settings and select Domains.

Select your tenant domain (for example, contoso.onmicrosoft.com).

Select DNS records and click + Add record.

Add a new TXT record with the name _dmarc and the values outlined above.

Note: The remediation portion involves a multi-staged approach over a period of time. First, a baseline of the current state of email is established with p=none together with rua and ruf reporting addresses. Once the environment is better understood and the reports have been analyzed, the organization moves to the final state with the DMARC record values outlined in the audit section.
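The following is an added example, not part of the benchmark or the Nessus plugin: it parses a DMARC TXT value and classifies each accepted domain by rollout stage (monitor, quarantine, reject) against the staged approach described above, flagging missing reporting addresses and a pct below 100. The domains and records are constructed; in practice the input would come from the tenant's accepted domain list and a DNS TXT lookup of _dmarc.<domain>.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs: the TXT value a lookup of _dmarc.<domain> would
# return for four hypothetical accepted domains (None = no record published).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "contoso.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@contoso.example; ruf=mailto:dmarc-ruf@contoso.example",
    "fabrikam.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@fabrikam.example",
    "tailspin.example": "v=DMARC1; p=reject; rua=mailto:dmarc@tailspin.example; ruf=mailto:dmarc@tailspin.example",
    "wingtip.example": None,
}

def parse_dmarc(txt: str) -> List[Tuple[str, str]]:
    """Split a DMARC record into ordered (tag, value) pairs; tag names are case-insensitive."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def assess_dmarc(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Classify a record as missing/invalid/monitor/quarantine/reject and list the gaps
    relative to the final state (enforcing policy, pct=100, reporting addresses set)."""
    if not txt:
        return "missing", ["no _dmarc TXT record published"]
    pairs = parse_dmarc(txt)
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        return "invalid", ["record must begin with v=DMARC1"]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"p tag missing or unrecognised: {policy!r}"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be collected")
    if "ruf" not in tags:
        findings.append("no ruf= address: failure reports will not be collected")
    pct = tags.get("pct", "100")  # an absent pct tag means 100 per RFC 7489
    if policy != "none" and (not pct.isdigit() or int(pct) < 100):
        findings.append(f"pct={pct}: enforcement does not yet cover 100 percent of mail")
    if policy == "none":
        findings.append("p=none only monitors; next stage is quarantine, then reject")
    return {"none": "monitor"}.get(policy, policy), findings

def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each accepted domain to its DMARC rollout stage."""
    return {domain: assess_dmarc(txt)[0] for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        stage, findings = assess_dmarc(txt)
        print(f"{domain}: {stage}" + ("" if not findings else " | " + "; ".join(findings)))
```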

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|7.8

Plugin: microsoft_azure

Control ID: c05665315b73affac6347a130c5ab8f7181fc5be9e9671425eab3b6a2c85f108