private/review/defender/collaboration/Invoke-ReviewDefenderEmailDomainDkim.ps1
function Invoke-ReviewDefenderEmailDomainDkim { <# .SYNOPSIS Review that all e-mail domains have DKIM configured. .DESCRIPTION Returns review object. .NOTES Requires the following modules: - ExchangeOnlineManagement - Microsoft.Graph.Identity.DirectoryManagement .EXAMPLE Invoke-ReviewDefenderEmailDomainDkim; #> [cmdletbinding()] param ( ) BEGIN { # Write progress. Write-Progress -Activity $MyInvocation.MyCommand -Status 'Running' -CurrentOperation $MyInvocation.MyCommand.Name -PercentComplete -1 -SecondsRemaining -1; # Write to log. Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Policy' -Message 'Getting all DKIM configuration' -Level Verbose; # Get all DKIM configuration. $dkimSigningConfig = Get-DkimSigningConfig; # Store DKIM settings. $dkimSigningSettings = New-Object System.Collections.ArrayList; # Store results. $results = New-Object System.Collections.ArrayList; # Write to log. Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Policy' -Message 'Getting all domains' -Level Verbose; # Get all domains in Microsoft 365 tenant. $domains = Get-MgDomain -All; # Get initial domain. $initialDomain = Get-DnsOnmicrosoftDomain; } PROCESS { # Foreach domain in the DKIM configuration. foreach ($domain in $dkimSigningConfig) { # If this is the initial domain. if ($domain.Domain -eq $initialDomain) { # Skip. continue; } # Boolean to check if DKIM is configured correctly. $valid = $true; # If DKIM is not enabled. if ($domain.Enabled -eq $false) { # Set boolean to false. $valid = $false; } # Get DKIM record. $dkimRecords = Get-DnsDkimRecord -Domain $domain.Domain -ErrorAction SilentlyContinue; # If DKIM record is not found. if($null -eq $dkimRecords) { # Continue. continue; } # If DKIM record is not found. if ($dkimRecords.Count -lt 2) { # Set boolean to false. $valid = $false; } # If selector1 in the domain matches the DKIM record. if (('{0}.' -f $domain.Selector1CNAME) -notlike $dkimRecords[0].data) { # Set boolean to false. $valid = $false; } # If selector2 in the domain matches the DKIM record. if (('{0}.' -f $domain.Selector2CNAME) -notlike $dkimRecords[1].data) { # Set boolean to false. $valid = $false; } # Add to object array. $dkimSigningSettings += [PSCustomObject]@{ Domain = $domain.Domain; Enabled = $domain.Enabled; Valid = $valid; Selector1CNAME = $domain.Selector1CNAME; Selector2CNAME = $domain.Selector2CNAME; DkimRecord1 = $dkimRecords[0].data; DkimRecord2 = $dkimRecords[1].data; } } # Foreach domain. foreach ($domain in $domains) { # If this is the initial domain. if ($domain.Domain -eq $initialDomain) { # Skip. continue; } # Boolean if DKIM is configured correct. $valid = $false; $enabled = $false; # If e-mail is a supported service. if ($domain.SupportedServices -contains 'Email') { # Get DKIM setting. $dkimSigningSetting = $dkimSigningSettings | Where-Object { $_.Domain -eq $domain.Id }; # If DKIM is configured correct. if ($dkimSigningSetting.Valid -eq $true) { # Write to log. Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Policy' -Message ("Domain '{0}' have a valid DKIM configuration") -Level Verbose; # SPF is configured correct. $valid = $true; } # Else if DKIM is not configured correct. else { # Write to log. Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Policy' -Message ("Domain '{0}' does not have a valid DKIM configuration") -Level Verbose; } # If DKIM is enabled. if ($dkimSigningSetting.Enabled -eq $true) { # DKIM setting is enabled. $enabled = $true; } # Add domain object array. $results += [PSCustomObject]@{ Domain = $domain.Id; Valid = $valid; IsDefault = $domain.IsDefault; IsVerified = $domain.IsVerified; AuthenticationType = $domain.AuthenticationType; DkimEnabled = $enabled; DkimRecord1 = $dkimSigningSetting.DkimRecord1; DkimRecord2 = $dkimSigningSetting.DkimRecord2; }; } } } END { # Bool for review flag. [bool]$reviewFlag = $false; # If review flag should be set. if (($results | Where-Object { $_.Valid -eq $false }) -or $null -eq $results) { # Should be reviewed. $reviewFlag = $true; } # Create new review object to return. [Review]$review = [Review]::new(); # Add to object. $review.Id = '92adb77c-a12b-4dee-8ce8-2b5f748f22ec'; $review.Category = 'Microsoft 365 Defender'; $review.Subcategory = 'Email and collaboration'; $review.Title = 'Ensure that DKIM is enabled for all Exchange Online Domains'; $review.Data = $results; $review.Review = $reviewFlag; # Print result. $review.PrintResult(); # Write progress. #Write-Progress -Activity $MyInvocation.MyCommand -Status 'Completed' -CurrentOperation $MyInvocation.MyCommand.Name -Completed; # Return object. return $review; } } |