DKIM Email Signing Enabled

Management Summary

DKIM (DomainKeys Identified Mail) digitally signs outgoing emails, allowing recipients to verify email authenticity and detect spoofed or forged emails claiming to be from your domain.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 7/10
Implementation: 3h (tech: 2h)
Applies to:
✓ M365
✓ Exchange Online

Without DKIM, attackers can spoof your domain: they can send emails that appear to come from @yourcompany.com, recipient servers cannot verify authenticity, phishing emails from the spoofed domain succeed, and domain reputation is damaged. DKIM signing proves that the email actually came from your domain and that the signed headers and body have not been tampered with in transit. Receiving servers can verify the DKIM signature and reject spoofed emails.

PowerShell Modules Required
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementation

Enable DKIM signing for all custom domains in Exchange Online. Configuration: (1) add the DKIM DNS records (CNAME records that point to the Microsoft-hosted TXT records containing the public key) to public DNS, (2) enable DKIM signing in Exchange Online per domain, (3) all outbound emails get a DKIM-Signature header with a cryptographic signature, (4) receiving servers verify the signature against the public key in DNS. DKIM works together with SPF and DMARC for complete email authentication: DKIM proves who signed the message, SPF lists which servers may send for the domain, and DMARC tells receivers what to do with mail that fails both checks.
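As an added example (not part of the original page or of the dkim-enable.ps1 script), the following PowerShell function checks all three email-authentication records for a domain in one pass: the SPF TXT record, the two Exchange Online DKIM selector CNAMEs, and the DMARC TXT record. It assumes Resolve-DnsName (DnsClient module, Windows) is available and that the expected CNAME targets are taken from the Selector1CNAME/Selector2CNAME properties returned by Get-DkimSigningConfig after Connect-ExchangeOnline; contoso.example is a placeholder domain.

```powershell
# Added example: verifies SPF, DKIM (Exchange Online selectors) and DMARC DNS records.
# Assumptions: Resolve-DnsName is available; expected CNAME targets come from
# Get-DkimSigningConfig (Selector1CNAME / Selector2CNAME). contoso.example is a placeholder.

function Test-EmailAuthDns {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        # Expected CNAME targets, e.g. $cfg.Selector1CNAME / $cfg.Selector2CNAME (optional)
        [string]$Selector1Target,
        [string]$Selector2Target
    )

    $report = [ordered]@{ Domain = $Domain }

    # SPF: exactly one TXT record starting with "v=spf1" should exist at the apex
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -like 'v=spf1*') })
    $report.SpfPublished = ($spf.Count -eq 1)
    $report.SpfRecord    = if ($spf.Count -gt 0) { $spf[0].Strings -join '' } else { $null }

    # DKIM: both selector CNAMEs must resolve, and (when given) point at the Microsoft targets
    $targets = @{ selector1 = $Selector1Target; selector2 = $Selector2Target }
    foreach ($sel in 'selector1', 'selector2') {
        $name   = "$sel._domainkey.$Domain"
        $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $ok = $null -ne $answer
        if ($ok -and $targets[$sel]) {
            # case-insensitive compare, ignoring any trailing dot
            $ok = $answer.NameHost.TrimEnd('.') -ieq $targets[$sel].TrimEnd('.')
        }
        $report["Dkim_$sel"] = $ok
    }

    # DMARC: TXT at _dmarc.<domain> starting with "v=DMARC1"; record the policy (p=)
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -like 'v=DMARC1*') } |
             Select-Object -First 1
    $report.DmarcPublished = $null -ne $dmarc
    $report.DmarcPolicy    = if ($dmarc -and (($dmarc.Strings -join '') -match 'p=(\w+)')) { $Matches[1] } else { $null }

    [pscustomobject]$report
}

# Usage (after Connect-ExchangeOnline; contoso.example is a placeholder):
# $cfg = Get-DkimSigningConfig -Identity 'contoso.example'
# Test-EmailAuthDns -Domain $cfg.Domain -Selector1Target $cfg.Selector1CNAME -Selector2Target $cfg.Selector2CNAME
```

A domain is only fully protected when all three come back true and the DMARC policy is quarantine or reject; a DKIM-only result means signatures are verifiable but receivers are not yet told to act on failures.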

Requirements

  1. Exchange Online
  2. Custom domains (verified in M365)
  3. DNS management access
  4. Exchange Administrator rights

Implementation Steps

  1. Security.microsoft.com → Email authentication settings → DKIM
  2. For each custom domain: get the DKIM CNAMEs (selector1._domainkey, selector2._domainkey)
  3. Add the CNAME records to public DNS
  4. Verify DNS propagation (nslookup)
  5. Enable DKIM signing in the M365 admin center
  6. Test: send an email and check the headers for DKIM-Signature
  7. Monitor: DKIM failures in email logs
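Step 6 above asks you to inspect the headers of a test message. The following PowerShell, an added example that is not part of the original page or the dkim-enable.ps1 script, unfolds the headers of a received message, parses the DKIM-Signature tag list, and checks that the signing domain (d=) is your domain, the selector (s=) is one of the Exchange Online selectors, and the receiving server reported dkim=pass in Authentication-Results. The header block is constructed sample input: contoso.example and receiver.example are placeholders and the hash and signature values are dummies.

```powershell
# Added example: checks the DKIM-Signature of a received test message.
# $sampleHeaders is CONSTRUCTED input (placeholder domains, dummy bh=/b= values).

$sampleHeaders = @"
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=contoso.example header.s=selector1 header.b=AbCd1234;
 spf=pass smtp.mailfrom=contoso.example;
 dmarc=pass action=none header.from=contoso.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.example;
 s=selector1; h=From:Date:Subject:Message-ID:To:MIME-Version:Content-Type;
 bh=dummyBodyHash0000000000000000000000000000000=;
 b=dummySignatureValue00000000000000000000000000000000000000000000000=
From: Alice <alice@contoso.example>
To: bob@receiver.example
Subject: DKIM test
"@

function Get-UnfoldedHeaders {
    param([string]$RawHeaders)
    # RFC 5322 folding: a line starting with whitespace continues the previous header
    $unfolded = [regex]::Replace($RawHeaders, "`r?`n[ \t]+", ' ')
    $map = @{}
    foreach ($line in $unfolded -split "`r?`n") {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') { $map[$Matches[1]] = $Matches[2] }
    }
    $map
}

function Test-DkimSignatureHeader {
    param(
        [Parameter(Mandatory)] [string]$RawHeaders,
        [Parameter(Mandatory)] [string]$ExpectedDomain
    )
    $h = Get-UnfoldedHeaders -RawHeaders $RawHeaders
    if (-not $h.ContainsKey('DKIM-Signature')) {
        return [pscustomobject]@{ Signed = $false; Reason = 'No DKIM-Signature header' }
    }

    # DKIM-Signature is a ';'-separated tag=value list (RFC 6376)
    $tags = @{}
    foreach ($pair in $h['DKIM-Signature'] -split ';') {
        if ($pair.Trim() -match '^(\w+)=(.*)$') { $tags[$Matches[1]] = $Matches[2].Trim() }
    }

    # What the receiving server concluded, if it added Authentication-Results
    $dkimResult = if ($h['Authentication-Results'] -match 'dkim=(\w+)') { $Matches[1] } else { 'none' }

    [pscustomobject]@{
        Signed         = $true
        Domain         = $tags['d']
        Selector       = $tags['s']
        Algorithm      = $tags['a']
        DomainMatches  = ($tags['d'] -ieq $ExpectedDomain)
        SelectorIsM365 = ($tags['s'] -in 'selector1', 'selector2')
        ReceiverResult = $dkimResult
        Pass           = ($tags['d'] -ieq $ExpectedDomain) -and ($dkimResult -eq 'pass')
    }
}

Test-DkimSignatureHeader -RawHeaders $sampleHeaders -ExpectedDomain 'contoso.example' | Format-List
```

Paste the headers of a real test message (from a mailbox outside the tenant) in place of the sample; a missing DKIM-Signature, a d= value that is the tenant's onmicrosoft.com domain instead of your custom domain, or dkim=fail from the receiver are the failure modes to watch for in step 7.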

Compliance and Auditing

  1. CIS M365 - control 2.1.2 (DKIM enabled)
  2. BIO 13.02
  3. ISO 27001:2022 A.13.2.1
  4. NIS2 Article 21

Monitoring

Use the PowerShell script dkim-enable.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script dkim-enable.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    DKIM Signing Configuration
.DESCRIPTION
    Ensures DKIM (DomainKeys Identified Mail) is enabled for all domains.
    DKIM prevents email spoofing and improves deliverability.
.NOTES
    Filename: dkim-enable.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\dkim-enable.ps1 -Monitoring
    Check DKIM status for all domains
.EXAMPLE
    .\dkim-enable.ps1 -Remediation
    Enable DKIM for all domains
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,

    [Parameter(Mandatory = $false)]
    [switch]$Remediation,

    [Parameter(Mandatory = $false)]
    [switch]$Revert,

    # Report what -Remediation / -Revert would change without changing it
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "DKIM Signing Configuration" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Test-DkimCnameRecords {
    # Verify that both selector CNAMEs are published and point at the targets
    # Exchange Online expects (Selector1CNAME / Selector2CNAME). Returns $true/$false.
    param([Parameter(Mandatory)] $Config)
    $expected = @{ selector1 = $Config.Selector1CNAME; selector2 = $Config.Selector2CNAME }
    foreach ($sel in 'selector1', 'selector2') {
        $name   = "$sel._domainkey.$($Config.Domain)"
        $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $answer -or $answer.NameHost.TrimEnd('.') -ine ([string]$expected[$sel]).TrimEnd('.')) {
            Write-Host "   [FAIL] $name does not resolve to $($expected[$sel])" -ForegroundColor Red
            return $false
        }
    }
    return $true
}

function Invoke-Monitoring {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Write-Host "Checking DKIM configuration for all domains..." -ForegroundColor Gray

        # @() guarantees an array (and a usable .Count) even when only one domain is returned
        $configs = @(Get-DkimSigningConfig -ErrorAction Stop)
        $result = @{
            isCompliant     = $true
            total           = $configs.Count
            enabled         = 0
            disabled        = 0
            disabledDomains = @()
        }

        foreach ($config in $configs) {
            if ($config.Enabled) {
                $result.enabled++
                Write-Host "  [OK] ENABLED: $($config.Domain)" -ForegroundColor Green
            } else {
                $result.disabled++
                $result.isCompliant = $false
                $result.disabledDomains += $config.Domain
                Write-Host "  [FAIL] DISABLED: $($config.Domain)" -ForegroundColor Red
            }
        }

        Write-Host "`n  Total domains: $($result.total)" -ForegroundColor Cyan
        Write-Host "  DKIM Enabled:  $($result.enabled)" -ForegroundColor Green
        Write-Host "  DKIM Disabled: $($result.disabled)" -ForegroundColor $(if ($result.disabled -gt 0) { "Red" } else { "Green" })

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - DKIM enabled for all domains" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - DKIM not enabled for all domains" -ForegroundColor Red
            Write-Host "`nNote: You must publish CNAME records in DNS before enabling DKIM" -ForegroundColor Yellow
            exit 1
        }
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Write-Host "Getting disabled DKIM configurations..." -ForegroundColor Gray

        $configs = @(Get-DkimSigningConfig | Where-Object { -not $_.Enabled })
        if ($configs.Count -eq 0) {
            Write-Host "  [OK] All DKIM configs already enabled" -ForegroundColor Green
            exit 0
        }

        Write-Host "`nEnabling DKIM for $($configs.Count) domains...`n" -ForegroundColor Cyan
        $enabled = 0
        $failed  = 0

        foreach ($config in $configs) {
            try {
                Write-Host "  Enabling DKIM for $($config.Domain)..." -ForegroundColor Gray

                # Set-DkimSigningConfig -Enabled $true fails when the CNAMEs are not
                # published, so check DNS first and report a clear reason
                Write-Host "   Checking DNS records..." -ForegroundColor Gray
                if (-not (Test-DkimCnameRecords -Config $config)) {
                    throw "Selector CNAME records for $($config.Domain) are not published (or not yet propagated)"
                }

                if ($WhatIf) {
                    Write-Host "   [WHATIF] Would enable DKIM signing" -ForegroundColor Yellow
                    continue
                }

                Set-DkimSigningConfig -Identity $config.Domain -Enabled $true -ErrorAction Stop
                Write-Host "   [OK] Enabled" -ForegroundColor Green
                $enabled++
            } catch {
                Write-Host "   [FAIL] Failed: $_" -ForegroundColor Red
                Write-Host "   Check DNS CNAME records are published!" -ForegroundColor Yellow
                $failed++
            }
        }

        Write-Host "`n  Enabled: $enabled" -ForegroundColor Green
        if ($failed -gt 0) {
            Write-Host "  Failed:  $failed" -ForegroundColor Red
            Write-Host "`n[WARN] Failures likely due to missing DNS records" -ForegroundColor Yellow
            Write-Host "Publish CNAME records shown in Microsoft 365 Admin Center" -ForegroundColor Cyan
        }
        if ($enabled -gt 0) {
            Write-Host "`n[OK] DKIM enabled for $enabled domains" -ForegroundColor Green
        }
        # Non-zero exit when any domain could not be enabled, so automation notices
        exit $(if ($failed -gt 0) { 1 } else { 0 })
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $configs = @(Get-DkimSigningConfig | Where-Object { $_.Enabled })
        foreach ($config in $configs) {
            if ($WhatIf) {
                Write-Host "  [WHATIF] Would disable DKIM for $($config.Domain)" -ForegroundColor Yellow
                continue
            }
            Set-DkimSigningConfig -Identity $config.Domain -Enabled $false -ErrorAction Stop
            Write-Host "  [WARN] Disabled: $($config.Domain)" -ForegroundColor Yellow
        }
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) {
        Invoke-Revert
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Usage:" -ForegroundColor Yellow
        Write-Host "  -Monitoring   Check DKIM status" -ForegroundColor Gray
        Write-Host "  -Remediation  Enable DKIM (requires DNS records!)" -ForegroundColor Gray
        Write-Host "  -Revert       Disable DKIM" -ForegroundColor Gray
        Write-Host "  -WhatIf       Show what -Remediation / -Revert would change" -ForegroundColor Gray
    }
} catch {
    throw
} finally {
    # Close the Exchange Online session if one was opened (no prompt, no error if none)
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

High - Domain spoofing attacks succeed. Attackers send phishing emails appearing to be from your company. This damages reputation, enables BEC attacks, and leaves no cryptographic verification of email authenticity.

Management Summary

Enable DKIM signing for all domains. Cryptographically signs outgoing emails. Recipients can verify authenticity. Works with SPF/DMARC. Meets CIS 2.1.2 L1, BIO 13.02. Setup: 2h (DNS changes).