SB.3.005 Organisational mails

Communications Security
Low
Low
Low
System Owner
Version: v2.0 (Q1 2024)

Applications that communicate with end-users do so from an organisational domain and an organisational email account.

Specification

All emails from organisational applications should be clearly recognisable as official by using official mail addresses. Other characteristics, such as colour scheme and logos, are too easily falsified in phishing emails and train users to trust outside sources.

Note the rules regarding guarding the top-level domain's SPF records when allowing suppliers to mail on behalf of the organisation: the external party is only allowed to email from subdomains.
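As an added example (not part of this control or its framework), a small Python check that applies the SPF rule above to a set of TXT records: it flags any record that does not end in a hard-fail `-all`, and any `include:` on the organisational apex domain that points outside the organisation, which is where supplier sending must not live. The domain names, IP range and vendor hostname are constructed placeholders.

```python
# Added example; domains, IP range and vendor hostname below are constructed placeholders.

def parse_spf(record: str) -> list[str]:
    """Return the mechanisms of an SPF TXT record, minus the 'v=spf1' version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]

def check_spf(domain: str, record: str, apex: str) -> list[str]:
    """Findings for one domain against the control's two rules:
    every record ends in '-all' (unlisted senders are rejected), and the apex
    domain has no include: pointing outside the organisation (suppliers go on subdomains)."""
    findings = []
    mechs = parse_spf(record)
    all_terms = [m for m in mechs if m.lstrip("+-~?").lower() == "all"]
    if not all_terms or not all_terms[-1].startswith("-"):
        findings.append(f"{domain}: SPF must end in '-all', found {all_terms[-1] if all_terms else 'no all'}")
    externals = []
    for m in mechs:
        if m.lower().startswith("include:"):
            target = m.split(":", 1)[1].lower()
            if target != apex and not target.endswith("." + apex):
                externals.append(target)
    if domain == apex and externals:
        findings.append(f"{domain}: apex delegates to external sender(s) {externals}; move supplier mail to a subdomain")
    return findings

def audit(records: dict[str, str], apex: str) -> dict[str, list[str]]:
    """Run check_spf over every domain; only domains with findings are returned."""
    return {d: f for d, f in ((d, check_spf(d, r, apex)) for d, r in records.items()) if f}

# Constructed sample zone data: the apex record plus two supplier-operated subdomains.
SAMPLE_RECORDS = {
    "example.org": "v=spf1 mx ip4:203.0.113.0/24 -all",
    "news.example.org": "v=spf1 include:spf.mailvendor.example -all",
    "promo.example.org": "v=spf1 include:spf.mailvendor.example ~all",
}

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS, "example.org").items():
        print(domain, *findings, sep="\n  ")
```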

ISO 27001 & 27002:2022

A5.8, A5.36, A5.37, A8.1, A8.7, A8.12, A8.19, A8.26

SURF information security assessment framework (SURF toetsingskader informatiebeveiliging, NBA maturity model)

SM.01 Security Baselines
SM.12 Manage malware attacks