Checks/check-ORCA108_1.ps1

using module "..\ORCA.psm1"

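<#

    ORCA108_1 - DKIM selector DNS records

    For every accepted domain that has an enabled DKIM signing configuration,
    resolves the selector1 and selector2 "_domainkey" CNAME records and compares
    each answer with the CNAME target held in the DKIM signing configuration.
    One result row is added per selector.

#>
class ORCA108_1 : ORCACheck
{
    <#
     
        CONSTRUCTOR with Check Header Data
     
    #>


    ORCA108_1()
    {
        $this.Control="108-1"
        $this.Area="DKIM"
        $this.Name="DNS Records"
        $this.PassText="DNS Records have been set up to support DKIM"
        $this.FailRecommendation="Set up the required selector DNS records in order to support DKIM"
        $this.Importance="DKIM signing can help protect the authenticity of your messages in transit and can assist with deliverability of your email messages."
        $this.ExpandResults=$True
        $this.ItemName="Domain"
        $this.DataType="DNS Record"
        $this.ChiValue=[ORCACHI]::Low
        $this.Links= @{
            "Use DKIM to validate outbound email sent from your custom domain in Office 365"="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email"
        }
    
    }

    <#
     
        RESULTS

        $Config is indexed by "AcceptedDomains" and "DkimSigningConfig".
        Domains matching *.onmicrosoft.com, domains without a DKIM signing
        configuration and domains whose configuration is not enabled produce
        no result row here.

        When $this.ORCAParams.AlternateDNS is set, the lookups are sent to that
        server instead of the default resolver, so the verdict reflects what
        that resolver returns.
     
    #>


    GetResults($Config)
    {
        ForEach($AcceptedDomain in $Config["AcceptedDomains"]) 
        {

            If($AcceptedDomain.Name -notlike "*.onmicrosoft.com") 
            {

                # Get matching DKIM signing configuration
                $DkimSigningConfig = $Config["DkimSigningConfig"] | Where-Object {$_.Name -eq $AcceptedDomain.Name}

                If($DkimSigningConfig -and ($DkimSigningConfig.Enabled -eq $true))
                {

                    # Both selectors are checked the same way; only the record
                    # prefix and the expected CNAME target differ.
                    $Selectors = @(
                        @{ Label="Selector1"; Prefix="selector1"; Expected=$DkimSigningConfig.Selector1CNAME },
                        @{ Label="Selector2"; Prefix="selector2"; Expected=$DkimSigningConfig.Selector2CNAME }
                    )

                    ForEach($Selector in $Selectors)
                    {
                        $ConfigObject = [ORCACheckConfig]::new()
                        $ConfigObject.ConfigItem=$($DkimSigningConfig.Domain)

                        $RecordName = "$($Selector.Prefix)._domainkey.$($DkimSigningConfig.Domain)"

                        # Build the query once; -Server is only passed when an alternate resolver was requested
                        $Query = @{
                            Type        = "CNAME"
                            Name        = $RecordName
                            ErrorAction = "Stop"
                        }
                        if($null -ne $this.ORCAParams.AlternateDNS)
                        {
                            $Query["Server"] = $this.ORCAParams.AlternateDNS
                        }

                        # A failed lookup still yields a Fail result, but the reason is kept
                        # so a missing record can be told apart from a resolver problem.
                        $Record = $Null
                        $LookupError = $Null
                        Try { $Record = Resolve-DnsName @Query } Catch { $LookupError = $_.Exception.Message }

                        If($Record.Type -eq "CNAME" -and $Record.NameHost -eq $Selector.Expected)
                        {
                            # DKIM selector correctly configured
                            $ConfigObject.ConfigData="$($Selector.Label) CNAME $($Selector.Expected)"
                            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Pass")
                        }
                        else
                        {
                            # Record why the selector failed. The target returned by DNS is
                            # deliberately not echoed: it is resolver-controlled data and how
                            # ConfigData is encoded by the output modules is not visible here.
                            If($null -ne $LookupError)
                            {
                                $ConfigObject.ConfigData="$($Selector.Label) CNAME lookup for $RecordName failed: $LookupError"
                            }
                            ElseIf($Record.Type -eq "CNAME")
                            {
                                $ConfigObject.ConfigData="$($Selector.Label) CNAME for $RecordName does not match expected $($Selector.Expected)"
                            }
                            Else
                            {
                                $ConfigObject.ConfigData="$($Selector.Label) CNAME not found for $RecordName"
                            }

                            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
                        }

                        # Add this selector's result
                        $this.AddConfig($ConfigObject)
                    }
                }

            }

        }

    }

}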