maester365 / maester

The core repository for the Maester module with helper cmdlets that will be called from the Pester tests.
https://maester.dev
MIT License

Maybe legal problem with test MS.EXO.4.3 #364

Closed CW-RKR closed 2 months ago

CW-RKR commented 2 months ago

Test MS.EXO.4.3

MS.EXO.4.3: The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov.

comes from CISA in the US and is primarily aimed at US authorities. In Germany and the EU, there is a high probability of problems if DMARC reports (which may also contain personal data) are transmitted to a US authority voluntarily and without a contractual obligation. In my opinion (I am not a lawyer), this test should be removed or provided with an opt-in and a warning.

Snozzberries commented 2 months ago

Hey @CW-RKR, this looks like a bug where https://github.com/maester365/maester/blob/main/powershell/public/cisa/exchange/Test-MtCisaDmarcAggregateCisa.ps1#L54 needs to be moved up before the record enumeration to trigger the skip properly.

Since Maester itself is not sending any data, nor is it encouraging anyone outside of applicable US agencies to use this control, it aligns with the intent of the CISA controls.

We can add an additional note to handle your own DMARC aggregate reports according to your organization's policy.
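
The two points made above, that the applicability check has to come before any record is enumerated and that the control only checks whether a given mailbox appears in the rua list, can be illustrated in PowerShell. The following is an added example and is not Maester's own code (the real cmdlet is Test-MtCisaDmarcAggregateCisa, linked above); the `$applies` flag is a hypothetical stand-in for whatever condition the real test uses to decide that MS.EXO.4.3 is relevant, and the DMARC records are constructed, not real DNS data.

```powershell
# Added example, not part of the Maester project. Parses a DMARC TXT record,
# extracts the rua (aggregate report) recipients and checks whether a given
# mailbox is among them. The gate that decides whether the control applies
# is evaluated first, before any record is touched.

function Get-DmarcRuaAddress {
    param([Parameter(Mandatory)][string]$DmarcRecord)

    # Tags are ';'-separated "name=value" pairs; surrounding whitespace is allowed.
    $tags = @{}
    foreach ($part in ($DmarcRecord -split ';')) {
        $kv = $part.Trim()
        if (-not $kv -or $kv -notmatch '=') { continue }
        $name, $value = $kv -split '=', 2
        $tags[$name.Trim().ToLowerInvariant()] = $value.Trim()
    }
    if ($tags['v'] -ne 'DMARC1') { throw "Not a DMARC record: '$DmarcRecord'" }
    if (-not $tags.ContainsKey('rua')) { return @() }

    # rua is a comma-separated list of URIs; each may carry a size limit such as "!10m".
    foreach ($uri in ($tags['rua'] -split ',')) {
        $uri = $uri.Trim()
        if ($uri -match '^mailto:([^!]+)') { $Matches[1].ToLowerInvariant() }
    }
}

function Test-DmarcRuaIncludes {
    param(
        [Parameter(Mandatory)][string]$DmarcRecord,
        [Parameter(Mandatory)][string]$Address
    )
    $recipients = @(Get-DmarcRuaAddress -DmarcRecord $DmarcRecord)
    return ($recipients -contains $Address.ToLowerInvariant())
}

# Constructed records for demonstration only; not real domains' DNS data.
$records = @(
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.com,mailto:reports@dmarc.cyber.dhs.gov!10m; ruf=mailto:forensic@example.com'
    'v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.de'
    'v=DMARC1; p=none'
)

$cisaMailbox = 'reports@dmarc.cyber.dhs.gov'

# Hypothetical applicability flag. In the real test this is whatever condition
# marks the control as relevant (it is only meant for applicable US agencies).
$applies = $false

# The skip is decided BEFORE the record loop so that a non-applicable tenant
# gets one clean "skipped" result instead of a partially evaluated failure.
if (-not $applies) {
    Write-Host "Skipped: MS.EXO.4.3 is only evaluated where the organization has chosen to send aggregate reports to $cisaMailbox"
} else {
    foreach ($r in $records) {
        $ok = Test-DmarcRuaIncludes -DmarcRecord $r -Address $cisaMailbox
        Write-Host ("{0}  {1}" -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $r)
    }
}
```

With `$applies` set to `$true`, only the first constructed record passes; the second names a different rua recipient and the third has no rua tag at all. In a Pester 5 test the same position, before the loop, is where `Set-ItResult -Skipped -Because '...'` would be called so the test reports as skipped rather than failed.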

f-bader commented 2 months ago

Hi @CW-RKR, I hope the change provided by @Snozzberries is sufficient to rule out your doubts. If not, please feel free to reopen and let's talk more.