CIS compliancy: Exchange

  • Last update on September 27th, 2024

An SPF policy(s) that designates approved IPs is published 

The Sender Policy Framework (SPF) is a mechanism that allows domain administrators to specify which Internet Protocol (IP) addresses are explicitly approved to send email on behalf of the domain, facilitating detection of spoofed emails. SPF is not configured through the Exchange admin center, but rather via the Domain Name Service (DNS) records hosted by the organization’s domain.

 
 

DMARC is configured for every custom domain

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with SPF and DKIM to authenticate mail senders and ensure that destination email systems can validate messages sent from your domain. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.

DMARC implementation varies depending on how an agency manages its DNS records.

DMARC records can be requested using the PowerShell tool Resolve-DnsName. For example:

Resolve-DnsName _dmarc.example.com txt

Replace “example.com” in the example with the domain(s) used for your agency’s emails. Ensure that:

  1. the DNS record exists
  2. “p=reject;” is included in the policy returned from the query
 
 

Enhanced Filtering Shall be configured if a 3rd party email filtering tool is being used

Enhanced email filtering can be set up if you have a connector in 365 (3rd party email filtering service or hybrid configuration) and your MX record does not point to Microsoft 365 or Office 365. This new feature allows you to filter email based on the actual source of messages that arrive over the connector. This is also known as skip listing and this feature will allow you to overlook, or skip, any IP addresses that are considered internal to you in order to get the last known external IP address, which should be the actual source IP address.

If you are using Defender for Office 365, this will enhance its machine learning capabilities and security around safe links/safe attachments/anti-spoofing from Microsoft’s known malicious list based off IP. In a way, you are getting a secondary layer of protection by allowing Microsoft to view the IPs of the original email and check against their database.