Emails with DKIM failures may indicate spoofing attempts by adversaries trying to bypass email authentication, and SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential phishing or credential compromise campaigns early. DKIM failures can serve as a red flag for malicious activity that evades standard email security controls, allowing adversaries to deliver phishing payloads or exfiltrate data undetected.
KQL Query

```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
// AuthenticationDetails is a JSON string such as {"SPF":"pass","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}
| extend DKIMFail = tostring(parse_json(AuthenticationDetails).DKIM) == "fail"
// Keep only messages that failed DKIM; without this filter the series would count every email
| where DKIMFail
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
```yaml
id: b49ef73f-71c3-4dce-a433-1c89c9ab8935
name: DKIM Failure Trend
description: |
  This query visualises the total number of emails with Spoof - DKIM failures, summarised daily.
description-detailed: |
  This query visualises the total number of emails with Spoof - DKIM failures, summarised daily.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  // AuthenticationDetails is a JSON string such as {"SPF":"pass","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}
  | extend DKIMFail = tostring(parse_json(AuthenticationDetails).DKIM) == "fail"
  // Keep only messages that failed DKIM; without this filter the series would count every email
  | where DKIMFail
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Reports from Email Security Gateway
Description: A legitimate scheduled job runs daily to generate email security reports, which includes sending emails with DKIM failures due to internal testing or reporting mechanisms.
Filter/Exclusion: Exclude emails sent by the email security gateway (e.g., Cisco Secure Email Gateway, Microsoft Defender for Office 365) during scheduled report generation times.
Scenario: Internal System Health Checks via Email
Description: System health check tools (e.g., Nagios, Zabbix) send automated alerts to internal administrators via email, which may fail DKIM validation if the sender is not properly configured.
Filter/Exclusion: Exclude emails sent from internal monitoring tools (e.g., nagios@internal.domain, zabbix@internal.domain) or from specific IP ranges used by monitoring systems.
Scenario: Automated Email Archiving Jobs
Description: Email archiving solutions (e.g., Symantec Enterprise Vault, Microsoft Exchange Archiving) may send emails to archive servers, which can result in DKIM failures due to misconfigured signing or relay settings.
Filter/Exclusion: Exclude emails originating from archiving servers (e.g., archive@domain.com) or from IP addresses associated with the archiving solution.
Scenario: User-Initiated Email with Misconfigured DKIM
Description: A user may send an email with a misconfigured DKIM signature (e.g., incorrect domain or selector), leading to a DKIM failure. This can happen during testing or due to a local misconfiguration.
Filter/Exclusion: Exclude emails from users with known DKIM misconfigurations or from specific user groups (e.g., test-users@domain.com) that are known to send test emails.
Scenario: Email Relay from Internal SMTP Server
Description: Emails relayed through
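As an added example (not part of the original query or the Sentinel solution), the same DKIM-failure hunt with the exclusions from the scenarios above applied in KQL and broken down by day and sender domain for triage. The sender addresses and IP ranges are constructed placeholders, and the query assumes the standard EmailEvents columns SenderFromAddress, SenderMailFromAddress, SenderIPv4 and Subject.

```kql
// Added example: DKIM-failure trend with the false-positive exclusions described above.
// Allowlist values are constructed placeholders; replace them with your own senders and ranges.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Scenarios 2 and 4: internal senders known to fail DKIM for benign reasons
let ExcludedSenders = dynamic([
    "nagios@internal.domain",
    "zabbix@internal.domain",
    "archive@domain.com",
    "test-users@domain.com"
]);
// Scenarios 1, 3 and 5: gateway, archiving and relay infrastructure (constructed RFC 1918 ranges)
let ExcludedRanges = dynamic(["10.10.5.0/24", "192.168.50.0/24"]);
EmailEvents
| where Timestamp between (TimeStart .. TimeEnd)
// Parse the JSON string instead of substring-matching it, so only the DKIM result is tested
| extend Auth = parse_json(AuthenticationDetails)
| where tostring(Auth.DKIM) == "fail"
// Drop known-benign senders on both the header From and the envelope MAIL FROM (case-insensitive)
| where SenderFromAddress !in~ (ExcludedSenders)
    and SenderMailFromAddress !in~ (ExcludedSenders)
// Drop mail from infrastructure ranges; keep rows with no IPv4 (e.g. IPv6 senders) rather than dropping them
| where isempty(SenderIPv4) or ipv4_is_in_any_range(SenderIPv4, ExcludedRanges) != true
| extend SenderFromDomain = tostring(split(SenderFromAddress, "@")[1])
// Daily trend per sending domain, with a few subjects to speed up triage
| summarize DKIMFailures = count(),
            DistinctSenders = dcount(SenderFromAddress),
            SampleSubjects = make_set(Subject, 5)
    by Day = bin(Timestamp, 1d), SenderFromDomain
| order by Day asc, DKIMFailures desc
```

To reproduce the original chart after the exclusions, replace the final summarize and order with the page's make-series and render timechart lines.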