Email Security/Exchange Online - Ensure That DKIM Is Enabled For All Exchange Online Domains

 







Summary

DKIM should be used along with SPF and DMARC to prevent spoofers from sending messages that look like they are coming from your domain.

Reason

If DKIM is enabled in Office 365, messages sent from Exchange Online are cryptographically signed. This allows the receiving email system to validate that the messages were generated by a server authorized by the organization and are not spoofed.

What If?

Setting up DKIM will not affect anything, but organizations must make sure it is set up correctly to keep mail flowing without interruption.

How to?

To set up DKIM, first add the DKIM records to the DNS system for each domain in Exchange Online that you plan to send email from:
  1. After creating the DNS records, enable DKIM signing in the Office 365 Admin Portal.
  2. Launch the Security Admin Center.
  3. Under E-mail & Collaboration, navigate to Policies & rules > Threat policies.
  4. Under Rules, pick DKIM.
  5. Click on each domain and click Enable next to Sign messages for this domain with DKIM signature.

To verify DKIM is enabled, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following Exchange Online PowerShell command:

       Get-DkimSigningConfig

  3. Verify Enabled is set to True.
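
The check above can be run across every domain at once and combined with a DNS lookup of the records created in the setup step. The following script is an added example, not part of the original post. It assumes a session already opened with Connect-ExchangeOnline, the Windows DnsClient module (Resolve-DnsName), and that the DNS records are the two CNAMEs selector1._domainkey and selector2._domainkey whose expected targets Exchange Online reports as Selector1CNAME and Selector2CNAME. Test-DkimCname is a hypothetical helper name.

```powershell
# Added example: audit DKIM signing and its DNS records for all Exchange Online domains.
# Assumes Connect-ExchangeOnline has already been run in this session.

function Test-DkimCname {
    # Hypothetical helper: compare the published CNAME with the target Exchange Online expects.
    param([string] $RecordName, [string] $ExpectedTarget)

    if (-not $ExpectedTarget) { return 'NoExpectedValue' }
    try {
        $answer = Resolve-DnsName -Name $RecordName -Type CNAME -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1
    } catch {
        return 'Missing'          # NXDOMAIN or lookup failure
    }
    if (-not $answer) { return 'Missing' }

    # DNS names are case-insensitive and may carry a trailing dot.
    if ($answer.NameHost.TrimEnd('.') -ieq $ExpectedTarget.TrimEnd('.')) { return 'OK' }
    return "Mismatch ($($answer.NameHost))"
}

$report = foreach ($cfg in Get-DkimSigningConfig) {
    [pscustomobject]@{
        Domain    = $cfg.Domain
        Enabled   = $cfg.Enabled
        Selector1 = Test-DkimCname "selector1._domainkey.$($cfg.Domain)" $cfg.Selector1CNAME
        Selector2 = Test-DkimCname "selector2._domainkey.$($cfg.Domain)" $cfg.Selector2CNAME
    }
}

$report | Format-Table -AutoSize

# Flag domains where signing is off or a selector record is missing or points elsewhere.
$failing = $report | Where-Object {
    -not $_.Enabled -or $_.Selector1 -ne 'OK' -or $_.Selector2 -ne 'OK'
}
if ($failing) {
    Write-Warning ("DKIM not fully configured for: " + ($failing.Domain -join ', '))
}
```

A domain that shows Enabled as True but a Missing or Mismatch selector is the case to fix first, since signing depends on receivers being able to fetch the public key through those records.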

Monitor:

To review if DKIM is enabled, use the Microsoft 365 Admin Center:
  1. Select Security in order to open the Security portal.
  2. Under E-mail & Collaboration navigate to Policies & rules > Threat policies.
  3. Now, under Rules pick DKIM.
  4. After that, click on each domain and confirm that Sign messages for this domain with DKIM signature is Enabled.

To verify Anti-Phishing policy, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following Exchange Online PowerShell command:

       Get-AntiPhishPolicy | ft Name

  3. Verify Office365 AntiPhish Default policy exists.

































