SB.3.003 Technical email security
IT components send emails to end-users using an email address ending in a top-level domain for which the organisation is legally responsible.
Mailservers take measures to prevent the reception and transmission of spam and malicious mails.
Mails should be revocable on managed servers and supported endpoints.
Links in emails should be validated to not be malicious.
Mailserver reputation is monitored. Thresholds are determined and actions are taken to improve the reputation if it falls below thresholds.
DKIM, STARTTLS, DMARC are implemented according to the relevant standard:
Organisations closely guard their top-level domain SPF records. For system emails use authenticated mailing (sSMTP or SMTPs) or alternatively (supplier-specific) subdomains when allowing suppliers to mail on behalf of the organisation.
Sending e-mail is only allowed for authenticated connections. Open relays are not allowed.
Configure MTA-STS policy to 'enforce'