ASD's Blueprint for Secure Cloud

Email

This page provides a template and guidance to assist organisations in documenting their approach to email gateways and servers and email use associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Email usage

Applicability

ISM controls relating to the email usage within <SYSTEM-NAME>’s system boundary are applicable to and covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

The usage of <SYSTEM-NAME>’s email services by users is performed in accordance with the <ORGANISATION-NAME>’s [Email Usage Policy]({{ref <"/security-and-governance/policies/email-usage-policy">}}).

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for email usage within <SYSTEM-NAME> are configured with reference to ASD’s Blueprint for Secure Cloud including the following technical configurations:

  • <SYSTEM-NAME> applies protective markings based on the classification of the content of emails, including attachments
  • users are required to select the classification of emails to apply protective markings
  • only appropriate classification options will be presented to <SYSTEM-NAME> users
  • Defender for Microsoft 365 will notify users and administrators of blocked emails.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Email gateways and servers

Applicability

ISM controls relating to the hardening of email routing, including proper interaction with <ORGANISATION-NAME>’s <GATEWAY-SYSTEM>, within <SYSTEM-NAME>’s system boundary are applicable to and covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

The usage of <SYSTEM-NAME>’s email services by users is performed in accordance with the <ORGANISATION-NAME>’s Email Usage Policy.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for email gateways and servers within <SYSTEM-NAME> are configured with reference to ASD’s Blueprint for Secure Cloud including the following technical configurations:

<SYSTEM-NAME> uses Exchange Online within the Microsoft 365 platform. Native Exchange Online security capabilities are enabled to mitigate against email-related threats such as spoofing, phishing and malware.

The advanced features of Defender for Microsoft 365 are enabled within <SYSTEM-NAME> including Safe Attachments and Safe Links, which provide sandboxing of attachments and inspection of hyperlinks respectively. This provides email content filtering and expands on the default protections offered by Exchange Online Protection (EOP).

Exchange Online is configured to:

  • ensure OFFICIAL emails are not routed through <ORGANISATION-NAME>’s GATEWAY-SYSTEM
  • ensure OFFICIAL:Sensitive and above emails are routed through <ORGANISATION-NAME>’s GATEWAY-SYSTEM
  • encrypt traffic between external users with TLS 1.2, and then forward emails to <ORGANISATION-NAME>’s GATEWAY-SYSTEM via an Exchange connector
  • not act as an open relay
  • implement TLS 1.2 for opportunistic TLS encryption where supported by the other mail server
  • implement Mail Transfer Agent - Strict Transport Security (MTA-STS) for outbound mail flow
  • configure Sender Policy Framework (SPF) using a hard fail record
  • keep SPF blocks visible to the recipients
  • configure the appropriate use of DomainKeys Identified Mail (DKIM)
  • verify DKIM signatures on received emails
  • implement <ORGANISATION-NAME>’s Domain-based Message Authentication, Reporting and Conformance (DMARC) records

Defender for Microsoft 365 provides content filtering including sandboxing of attachments (Safe Attachments) and inspection of links (Safe Links).

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

External documentation

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra