Domains Analyser

Check your managed domains against security and configuration best practices.

The domain analyser is a series of best practice checks that run on all your e-mail enabled domains across your delegated Microsoft 365 tenants.

It analyses the DNS records that are available and assesses the following areas:

  • Sender Policy Framework (SPF)

  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

  • DomainKeys Identified Mail (DKIM)

  • Domain Name System Security Extensions (DNSSEC)

Please note - clicking More at the end of each row provides detailed information on identified problems.

Getting Started

If this is your first run, you may initially see an error because there is no data yet. Wait for the analyser to run, or use the refresh button.

Refreshing / Generating the Data

At the top of the page there is a button called Run Analysis Now. You should only use this once.

Interpreting Results

The reporting here follows a standard colour theme. Red is bad and not something that should be happening on your tenant. Orange is either a warning or subjective; it doesn't necessarily indicate something is wrong. Green means there are no issues or the setting is configured in a manner that meets best practice.

Security Score

A measure of the overall security of the domain calculated by taking the following into account:

  • SPF

  • MX

  • DMARC

  • DKIM

  • DNSSEC

There's a detailed breakdown of each check and the score points available for it below:

| Item | Description | Points |
| --- | --- | --- |
| SPF Present | SPF is present. | 10 |
| SPF Correct All | SPF is present and set correctly. | 20 |
| MX Present | MX records are present. | 10 |
| DMARC Present | DMARC is present. | 10 |
| DMARC Action | DMARC set to quarantine. (-10 pts) | 20 |
| DMARC Action | DMARC set to reject. | 30 |
| DMARC Reporting Active | DMARC reporting is active. | 20 |
| DMARC Percentage Good | DMARC percentage set to a value of 100. | 20 |
| DNSSEC Present | DNSSEC is present. | 20 |
| DKIM Active and Working | DKIM is active and working. | 20 |
| Total Possible Points | | 160 |

Sender Policy Framework Pass Test

A check that your domains meet the following conditions:

  • Using the recommended SPF record that your mail provider suggests.

  • SPF set to hard fail as opposed to soft fail.

Mail Exchanger Pass Test

A check that your MX records are present and set correctly based on what your mail provider recommends. Where this is failing you likely have a domain in your 365 tenant that's using e-mail elsewhere, or has a mis-configured MX record.

Domain-based Message Authentication, Reporting & Conformance Present

A check that you have a DMARC record. Every domain should have a correctly configured DMARC record; without one, you are putting the domain at risk of spoofing.

Domain-based Message Authentication, Reporting & Conformance Action Policy

Your DMARC record is only as good as the action set on it.

If you're just starting out with DMARC, start by creating a record in reporting only mode, and utilising a DMARC aggregation / reporting service to assess reports. The ideal setting for your DMARC policy is reject.

Domain-based Message Authentication, Reporting & Conformance % Pass

It's possible to configure your DMARC to subject less than 100% of your mail to filtering. This test makes sure you have your DMARC record configured to filter 100% of e-mails.

Domain Name System Security Extensions

A check that you have configured DNSSEC for the domain.

Domain Name System Security Extensions (DNSSEC) is a feature of DNS that authenticates responses to domain name look-ups, preventing attackers from manipulating or poisoning the responses to DNS requests.

DomainKeys Identified Mail Enabled

A check that you have configured DKIM for the domain.

DKIM (DomainKeys Identified Mail) is an e-mail security standard designed to make sure messages aren't altered in transit between the sending and recipient servers. It uses public-key cryptography to sign e-mail with a private key as it leaves a sending server.
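
The points table and the SPF and DMARC checks described above, combined into one added example (not CIPP's own code): it parses constructed SPF and DMARC TXT records and awards the points listed in the table. Treating a hard-fail `-all` on a single SPF record as "set correctly" and an `rua=` tag as "reporting active" are assumptions, as are the function names; MX, DNSSEC and DKIM results are passed in as booleans.

```python
# Added example, not CIPP code. Points come from the table on this page.
POINTS = {"SPF Present": 10, "SPF Correct All": 20, "MX Present": 10,
          "DMARC Present": 10, "DMARC Action quarantine": 20,
          "DMARC Action reject": 30, "DMARC Reporting Active": 20,
          "DMARC Percentage Good": 20, "DNSSEC Present": 20,
          "DKIM Active and Working": 20}
MAX_POINTS = 160  # "Total Possible Points" in the table


def parse_dmarc(txt):
    """Return the DMARC tags as a dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    pairs = (p.partition("=") for p in parts[1:])
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}


def spf_all_qualifier(txt):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+') or None."""
    for term in txt.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def score_domain(txt_records, dmarc_records, has_mx, dnssec_ok, dkim_ok):
    """Return (score, earned_items) for one domain."""
    earned = []
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if spf:
        earned.append("SPF Present")
        # Assumption: "set correctly" = exactly one record whose 'all' is hard fail.
        if len(spf) == 1 and spf_all_qualifier(spf[0]) == "-":
            earned.append("SPF Correct All")
    if has_mx:
        earned.append("MX Present")
    dmarc = next((t for t in map(parse_dmarc, dmarc_records) if t is not None), None)
    if dmarc is not None:
        earned.append("DMARC Present")
        policy = dmarc.get("p", "").lower()
        if policy in ("quarantine", "reject"):
            earned.append("DMARC Action " + policy)
        if dmarc.get("rua"):  # assumption: an rua= address means reporting is active
            earned.append("DMARC Reporting Active")
        if dmarc.get("pct", "100") == "100":  # pct defaults to 100 when omitted
            earned.append("DMARC Percentage Good")
    if dnssec_ok:
        earned.append("DNSSEC Present")
    if dkim_ok:
        earned.append("DKIM Active and Working")
    return sum(POINTS[i] for i in earned), earned
```

Pass `dmarc_records` the TXT strings found at `_dmarc.<domain>` and `txt_records` those at the domain apex.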

Common Problems

This feature requires that your Secure Application Model (SAM) app has the delegated permission Domain.Read.All.

You must give adequate time for the best practice Analyser to run. In an environment with 100 tenants this takes on average 2 minutes.

Check that your permissions are correct by navigating to CIPP Settings > Configuration Settings > Run Permission Check.

Make sure both CIPP-API and CIPP are fully up-to-date. There is extensive logging in the log files in the CIPP-API Function App.


Feature Requests / Ideas

We value your feedback and ideas. Please raise any feature requests on GitHub.