Email Security Policy

[ORGANIZATION] shall implement email authentication standards on all email domains: SPF (Sender Policy Framework) with a -all (hard fail) policy, DKIM (DomainKeys Identified Mail) for all outbound messages, and DMARC (Domain-based Message Authentication, Reporting & Conformance) with a policy of quarantine or reject.

DMARC aggregate and forensic reports shall be monitored at least [CUSTOMIZE: weekly/monthly] to identify unauthorized use of [ORGANIZATION]'s email domains.

Third-party services authorized to send email on [ORGANIZATION]'s behalf shall be included in SPF records and configured for DKIM signing.

All inbound email shall be filtered through [ORGANIZATION]'s email security gateway, which shall provide: anti-spam filtering, malware scanning (including sandbox detonation for attachments), URL rewriting and click-time protection, impersonation detection, and attachment filtering.

Executable file types (.exe, .bat, .cmd, .ps1, .vbs, .js, .msi, and similar) shall be blocked as email attachments.

Email containing sensitive data patterns (SSN, credit card numbers, etc.) shall be scanned by DLP controls before delivery or transmission.

Users shall not auto-forward [ORGANIZATION] email to external email addresses without approval from [CUSTOMIZE: management/IT Security].

Users shall report suspected phishing emails to [CUSTOMIZE: security team/phish reporting button] immediately upon identification.

Email encryption shall be used when sending Confidential or Restricted data externally.