CISA.MS.EXO.2.1 - A list of approved IP addresses for sending mail SHALL be maintained.
Overview
This test is deprecated by CISA as of May 2024 and will always be skipped. The content below is retained as a historical archive and will be removed in a future version.
MS.EXO.2.1v1 was removed because it is not a security configuration that can be audited; it acts as an implementation step for MS.EXO.2.2. Maintaining the list of approved IP addresses has been incorporated into the implementation guidance for MS.EXO.2.2 and removed as a standalone policy. See CISA SCuBA Removed Policies — MS.EXO.2.1v1.
A list of approved IP addresses for sending mail SHALL be maintained.
Rationale: Failing to maintain an accurate list of authorized sending IP addresses may result in spoofed email messages being accepted, or in legitimate messages failing delivery once SPF is enforced. Maintaining such a list helps ensure that unauthorized servers sending spoofed messages can be detected while permitting delivery from legitimate senders.
Remediation action:
- Identify any approved senders specific to your agency.
- Perform regular review of SPF record and update as necessary.
- Additionally, see External DNS records required for SPF for inclusions required for Microsoft to send email on behalf of your domain.
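The review step above is easy to get wrong by eye once a record accumulates several `include:` terms, so here is an added PowerShell example (not Maester's own code and not the `Test-MtCisaSpfRestriction` implementation) that parses a domain's SPF record and compares its `ip4:`, `ip6:` and `include:` mechanisms against an agency-maintained approved-sender list. The sample record, the `agency.example` domain and the approved list are constructed for the example; the only real-world constant is `include:spf.protection.outlook.com`, the include Microsoft documents for mail sent on behalf of your domain.

```powershell
# Added example: audit a domain's published SPF mechanisms against an approved-sender list.
# Not part of Maester; Get-SpfMechanism and Test-SpfApprovedSenders are example helpers.

function Get-SpfMechanism {
    # Splits an SPF TXT record into terms: qualifier (+ - ~ ?), mechanism/modifier name, value.
    param(
        [Parameter(Mandatory)]
        [string] $SpfRecord
    )

    $terms = $SpfRecord.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') {
        throw "Not an SPF record: '$SpfRecord'"
    }

    foreach ($term in ($terms | Select-Object -Skip 1)) {
        # ip4:, ip6:, include:, a, mx, exists: use ":"; modifiers such as redirect= use "=".
        if ($term -match '^(?<qualifier>[+\-~?])?(?<name>[a-zA-Z0-9]+)([:=](?<value>.+))?$') {
            [PSCustomObject]@{
                Qualifier = if ($Matches.qualifier) { $Matches.qualifier } else { '+' }
                Name      = $Matches.name.ToLower()
                Value     = $Matches.value
            }
        }
    }
}

function Test-SpfApprovedSenders {
    # Compares the address-bearing mechanisms in an SPF record with the approved-sender list.
    # Returns both directions of drift: senders published but never approved, and approved
    # senders that are missing from DNS (which would cause legitimate mail to fail SPF).
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string]   $SpfRecord,
        [Parameter(Mandatory)] [string[]] $ApprovedSenders   # e.g. 'ip4:198.51.100.0/24', 'include:...'
    )

    $mechanisms = Get-SpfMechanism -SpfRecord $SpfRecord

    # Only ip4/ip6/include carry third-party address ranges; a/mx refer to the domain's own hosts.
    $published = @($mechanisms |
        Where-Object { $_.Name -in 'ip4', 'ip6', 'include' } |
        ForEach-Object { '{0}:{1}' -f $_.Name, $_.Value })

    $unapproved = @($published       | Where-Object { $_ -notin $ApprovedSenders })
    $missing    = @($ApprovedSenders | Where-Object { $_ -notin $published })
    $allTerm    = $mechanisms | Where-Object { $_.Name -eq 'all' } | Select-Object -Last 1

    [PSCustomObject]@{
        Domain              = $Domain
        HasMicrosoftInclude = 'include:spf.protection.outlook.com' -in $published
        UnapprovedSenders   = $unapproved
        MissingSenders      = $missing
        AllQualifier        = if ($allTerm) { $allTerm.Qualifier } else { $null }
        Passed              = ($unapproved.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Constructed sample input (not a real domain's record): one sender that was never approved,
# and one approved IPv6 range that nobody added to DNS.
$sampleRecord = 'v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com include:mail.bulksender.test -all'
$approvedSenders = @(
    'ip4:198.51.100.0/24'
    'include:spf.protection.outlook.com'
    'ip6:2001:db8::/32'
)

Test-SpfApprovedSenders -Domain 'agency.example' -SpfRecord $sampleRecord -ApprovedSenders $approvedSenders |
    Format-List

# Live variant for every accepted domain in the tenant. Requires Connect-ExchangeOnline and the
# Windows DnsClient module. A domain may publish several TXT records, and a long record is split
# into 255-byte strings, so join each record's Strings before looking for the v=spf1 one.
# Get-AcceptedDomain | ForEach-Object {
#     $txt = Resolve-DnsName -Name $_.DomainName -Type TXT -ErrorAction SilentlyContinue
#     $spf = $txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
#     if ($spf) {
#         Test-SpfApprovedSenders -Domain $_.DomainName -SpfRecord $spf -ApprovedSenders $approvedSenders
#     }
# }
```

On the constructed record the check reports `include:mail.bulksender.test` as unapproved and `ip6:2001:db8::/32` as missing, and `Passed` is false. Two caveats for the real review: an `include:` approves whatever address ranges the named provider publishes, now and later, so the approved list should record why each include is trusted, not just that it is; and SPF evaluation is limited to 10 DNS-querying mechanisms per RFC 7208, so every additional `include:` spends part of that budget and a record that exceeds it fails for everyone, including the legitimate senders the list was meant to protect.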
Related links
- Exchange admin center - Accepted domains
- CISA 2. Sender Policy Framework - MS.EXO.2.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.2.1 |
| Severity | Medium |
| Suite | CISA |
| Category | Deprecated |
| PowerShell test | Test-MtCisaSpfRestriction |
| Tags | CISA, CISA.MS.EXO.2.1, Deprecated, MS.EXO, MS.EXO.2.1 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaSpfRestriction.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaSpfRestriction.ps1