Email Security for Protective Markings
Email servers stop and track emails with wrong markings to prevent mistakes.
Plain language
This control is about making sure that emails are properly marked so that sensitive information isn't sent to the wrong person by mistake. If emails are not marked correctly, it could lead to serious privacy breaches or sensitive information getting into the wrong hands.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for email
Section
Email usage
Official control statement
Email servers are configured to block, log and report emails with inappropriate protective markings.
Why it matters
If email servers don’t block, log and report incorrect protective markings, sensitive content may be misrouted or disclosed to unauthorised recipients.
Operational notes
Tune transport rules to detect mismatched protective markings; review logs and alerts regularly and investigate reported emails to correct sender behaviour.
Implementation tips
- The IT team should configure the email server to automatically block emails with incorrect markings. This can be done by setting rules that identify and stop emails that do not match the organisation's marking policies.
- Managers should provide training to staff on how to correctly mark emails. Regular workshops or online modules can help ensure everyone understands the importance of proper email markings.
- The system administrator should set up notifications for when an email is blocked due to improper markings. By configuring the server to send an alert, administrators can quickly address any issues and prevent future occurrences.
- Management should establish a procedure for handling incorrectly marked emails. This includes designating a person who will review and resolve incidents, ensuring accountability and swift correction of errors.
- Human Resources should incorporate email marking awareness into new employee orientation. This can help new staff understand the policies from day one and reduce the risk of mistakes.
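The check a transport rule performs when it blocks, logs and reports a mis-marked email, written out in Python as an added example (not code from the control page or from any mail product). It assumes a PSPF-style X-Protective-Marking header carrying a SEC= field, a [SEC=...] suffix in the subject line, and an ordered marking list modelled on the classifications above; the sample message is constructed.

```python
import re
from dataclasses import dataclass

# Recognised markings, lowest to highest. This ordering is an assumption modelled
# on the classification set the page lists (NC, OS, P, S, TS).
MARKINGS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive", "PROTECTED", "SECRET", "TOP SECRET"]
HEADER = "X-Protective-Marking"  # assumed PSPF-style marking header
HEADER_RE = re.compile(r"(?:^|,\s*)SEC=([^,]+)")  # the SEC= field of that header
SUBJECT_RE = re.compile(r"\[SEC=([^\]]+)\]")       # marking carried in the subject line

@dataclass
class Decision:
    action: str  # "ALLOW" or "BLOCK"
    reason: str  # short code suitable for alerting and log review
    log: str     # the line a transport rule would write for the reviewer

def marking_level(marking):
    """Rank of a marking in MARKINGS, or None if it is not a recognised marking."""
    marking = marking.strip()
    return MARKINGS.index(marking) if marking in MARKINGS else None

def evaluate(headers, max_marking):
    """Block, log and report a message whose marking is missing, unknown, inconsistent
    between header and subject, or above max_marking, the ceiling this connector may carry."""
    # headers: dict of header name -> value for one already-parsed message
    msg_id = headers.get("Message-ID", "<unknown>")
    subject = headers.get("Subject", "")
    hdr = headers.get(HEADER)
    hdr_match = HEADER_RE.search(hdr) if hdr else None
    subj_match = SUBJECT_RE.search(subject)
    def block(reason):
        return Decision("BLOCK", reason,
                        f"BLOCK id={msg_id} reason={reason} header={hdr!r} subject={subject!r}")
    if not hdr_match:
        return block("missing-marking")
    header_marking = hdr_match.group(1).strip()
    level = marking_level(header_marking)
    if level is None:
        return block("unknown-marking")
    if subj_match and subj_match.group(1).strip() != header_marking:
        return block("header-subject-mismatch")
    if level > marking_level(max_marking):
        return block("exceeds-connector-ceiling")
    return Decision("ALLOW", "ok", f"ALLOW id={msg_id} marking={header_marking}")

# Constructed sample: a PROTECTED message whose subject was edited to say OFFICIAL.
SAMPLE = {"Message-ID": "<c1@example.invalid>", "Subject": "Budget [SEC=OFFICIAL]",
          HEADER: "VER=2018.4, NS=gov.au, SEC=PROTECTED"}

if __name__ == "__main__":
    print(evaluate(SAMPLE, "PROTECTED").log)
```

The reason code in each Decision is what the alert and the violation log should carry, so the reviewer designated under the procedure above can see at a glance whether the sender omitted, altered or over-classified the marking.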
Audit / evidence tips
- Ask for the email server configuration settings: request a copy of the rules or policies used by the email system to handle email markings.
  Good: the settings should show automatic blocking and detailed logs.
- Ask to see training records for staff on email marking: request evidence of recent training sessions or modules completed by staff.
  Good: documented evidence that a majority of staff have completed marking training in the last year.
- Ask for records of any email marking violations and how they were addressed.
  Good: reports show timely detection and resolution, with steps taken to prevent recurrence.
- Ask for the notifications or alerts that the system generates: request samples of alerts sent when a marking issue is detected.
  Good: alerts clearly notify the relevant staff with steps for resolution.
- Ask for copies of the training content provided to new employees.
  Good: training materials include detailed guidance on email marking policies and their importance.
Cross-framework mappings
How ISM-0565 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.12 | ISM-0565 requires email servers to prevent and track mislabelled emails by blocking, logging and reporting inappropriate protective markings |
| Partially meets | Annex A 8.15 | ISM-0565 requires email servers to block, log and report emails that have inappropriate protective markings |
| Depends on | Annex A 5.12 | ISM-0565 requires email servers to block, log and report emails with inappropriate protective markings |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.