IT components send emails to end-users using an email address ending in a top-level domain for which the organisation is legally responsible.
Mailservers take measures to prevent the reception and transmission of spam and malicious mails.
Mails should be revocable on managed servers and supported endpoints.
Links in emails should be validated to not be malicious.
Mailserver reputation is monitored. Thresholds are determined and actions are taken to improve the reputation if it falls below thresholds.
Specification
DKIM, STARTTLS and DMARC are implemented according to the relevant standards:
https://www.forumstandaardisatie.nl/open-standaarden/verplicht?domein=125&trefwoord=180
Organisations closely guard the SPF records of their top-level domains. For system emails, use authenticated mail submission (sSMTP or SMTPS); alternatively, use (supplier-specific) subdomains when allowing suppliers to send mail on behalf of the organisation.
Sending e-mail is only allowed for authenticated connections. Open relays are not allowed.
Configure the MTA-STS policy mode to 'enforce'.
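The specification above asks for a guarded SPF record, a DMARC record and an MTA-STS policy in 'enforce' mode. The following checker is an added example, not part of this baseline or of any SURF tooling: it takes the three records as strings (so it runs offline, with no DNS lookups) and reports settings that fall short of the requirements. The domain names and record contents are constructed for illustration; in practice the SPF and DMARC strings would come from the TXT records of the organisation's domain and the MTA-STS text from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
import re
from typing import Dict, List

# Constructed sample records for a hypothetical domain; not real DNS data.
# The weak variants show the settings the checker flags, the good variants
# meet the specification (authorised senders only, DMARC reject, MTA-STS enforce).
WEAK_SPF = "v=spf1 include:_spf.supplier.example a mx +all"
GOOD_SPF = "v=spf1 include:_spf.supplier.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.net"
WEAK_MTA_STS = "version: STSv1\nmode: testing\nmx: mail.example.net\nmax_age: 604800\n"
GOOD_MTA_STS = ("version: STSv1\nmode: enforce\nmx: mail.example.net\n"
                "mx: *.backup.example.net\nmax_age: 604800\n")

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record; an empty list means no issue found."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    saw_all = False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and should be removed")
        if name == "all":
            saw_all = True
            if qualifier in "+?":
                findings.append(f"SPF: '{term}' lets any host send as the domain")
    if not saw_all:
        findings.append("SPF: no 'all' mechanism; terminate the record with '-all' or '~all'")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def _parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' list as used by DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC TXT record published at _dmarc.<domain>."""
    tags = _parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required 'p' tag is missing")
    elif policy.lower() == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not received")
    return findings


def check_mta_sts(policy_text: str) -> List[str]:
    """Return findings for the text of an MTA-STS policy file (RFC 8461)."""
    fields: Dict[str, List[str]] = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    findings: List[str] = []
    if fields.get("version") != ["STSv1"]:
        findings.append("MTA-STS: version must be STSv1")
    mode = fields.get("mode", ["none"])[0].lower()
    if mode != "enforce":
        findings.append(f"MTA-STS: mode={mode}; senders will not refuse delivery on TLS failure")
    if "mx" not in fields:
        findings.append("MTA-STS: no mx entries, so the policy cannot be matched against MX hosts")
    if "max_age" not in fields:
        findings.append("MTA-STS: max_age is missing")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc, sts in (("weak", WEAK_SPF, WEAK_DMARC, WEAK_MTA_STS),
                                   ("good", GOOD_SPF, GOOD_DMARC, GOOD_MTA_STS)):
        print(label, check_spf(spf) + check_dmarc(dmarc) + check_mta_sts(sts))
```

The checker deliberately stays syntactic: it does not resolve include targets or fetch the policy over HTTPS, so it can be run in a pipeline against exported records before they are published. A live check would additionally resolve the `_mta-sts.<domain>` TXT record and compare the policy's `mx` patterns against the domain's actual MX hosts.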
ISO 27001 & 27002:2022
A5.10, A5.14, A5.33, A5.34, A7.7, A7.10, A8.1, A8.7, A8.12, A8.19, A8.26, A8.33
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
DM.03 Security requirements for data management
SM.12 Manage malware attacks