ISM-0567 (ASD Information Security Manual)

Restrict Email Relay to Specific Domains

Ensure email servers only relay emails within their own domains to prevent misuse.


Plain language

This control ensures your email server only relays email that comes from or is addressed to your own organisation's domain, like yourcompany.com, including its subdomains. It prevents outsiders from using your email server without permission, which could lead to spam or fraudulent emails being sent from your address, damaging your reputation and clogging up your system.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Email servers only relay emails destined for or originating from their domains (including subdomains).

Why it matters

If relay isn’t restricted to your own domains/subdomains, attackers can abuse the server as an open relay for spam/phishing, damaging your organisation’s reputation.


Operational notes

Review SMTP logs for unauthorised relay attempts and regularly verify allowed sender/recipient domains (incl. subdomains) so relay rules stay aligned to current domain settings.


Implementation tips

  • The IT team should configure the email server settings to restrict email relay. This means setting rules so that the server only relays mail that is sent from or addressed to the organisation's own domain and its subdomains, like 'yourcompany.com'. This can often be done through server management software or by contacting your email service provider for guidance.
  • System administrators should test the configured email relays. They can do this by trying to send an email from an external domain to another external domain through the server and confirming it is rejected. If it succeeds, further adjustments are needed to tighten the settings.
  • The office manager should communicate the importance of this control to all staff. They should organise a short info session explaining why emails should remain within company domains to prevent misuse and avoid external threats.
  • Procurement should ensure all new email server solutions include easy-to-use relay restrictions as part of their features. This involves checking with vendors on how they handle domain restrictions during the purchasing process.
  • The IT team needs to regularly review and update relay settings. This involves checking for system updates or changes in company domains and adjusting restrictions accordingly to maintain security.
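As an added example (not Control Stack's or ASD's own code), the following Python applies the relay rule from the control statement with correct subdomain matching, checks accepted transactions against it as the testing tip suggests, and reviews SMTP log lines for rejected relay attempts as the operational notes suggest. The domain example.com, the log lines and the Postfix-style "Relay access denied" log format are assumptions, since the page names no particular mail server.

```python
"""Relay-policy check and SMTP log review for ISM-0567 (added example, not Control Stack code)."""
import re
from collections import Counter

# Constructed example: the organisation's own domains; subdomains are implied by the control.
OWN_DOMAINS = {"example.com"}

def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' for a malformed or null sender)."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep else ""

def is_own_domain(domain: str, own=OWN_DOMAINS) -> bool:
    """True for our domains or their subdomains. The dot boundary matters:
    'evilexample.com' and 'example.com.attacker.test' must not match 'example.com'."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in own)

def relay_allowed(sender: str, recipient: str, own=OWN_DOMAINS) -> bool:
    """ISM-0567 rule: relay only mail destined for or originating from our domains."""
    return is_own_domain(domain_of(sender), own) or is_own_domain(domain_of(recipient), own)

# Constructed Postfix-style log lines (assumed format, not real traffic; IPv4 only).
SAMPLE_LOG = """\
Mar 19 10:01:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim@other.test>: Relay access denied; from=<spam@bad.test> to=<victim@other.test> proto=ESMTP helo=<bad.test>
Mar 19 10:01:05 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim2@other.test>: Relay access denied; from=<spam@bad.test> to=<victim2@other.test> proto=ESMTP helo=<bad.test>
Mar 19 10:02:10 mx1 postfix/smtpd[1235]: 1A2B3C: client=mail.partner.test[198.51.100.9]
"""

REJECT_RE = re.compile(
    r"from \S+\[(?P<ip>[\d.]+)\].*Relay access denied; from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)

def rejected_relay_attempts(log_text: str) -> Counter:
    """Count 'Relay access denied' rejections per client IP. Each one is the control
    working as intended; a spike from a single client is worth investigating."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def accepted_policy_violations(transactions) -> list:
    """Given (client_ip, sender, recipient) tuples the server ACCEPTED for relay, return
    those that break the rule; any hit means the relay configuration is not tight enough."""
    return [t for t in transactions if not relay_allowed(t[1], t[2])]
```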

Audit / evidence tips

  • Ask: The email server configuration document. Request the documentation detailing how the server is set up to restrict email relays to specific domains. Good: Clear documentation showing these settings are active and configured correctly.
  • Ask: Evidence that tests have been conducted to check the restriction's effectiveness. Good: A document showing blocked attempts from outside domains.
  • Ask: To see the email server's access logs. Request logs that show email traffic on the server, and look to confirm that relay attempts from outside domains are rejected. Good: Logs showing zero successful relays from external domains.
  • Ask: Proof of the office manager's session with staff about the relay policy. Good: Records showing the session was conducted and key points discussed.
  • Ask: Vendor communication records. Request any communications with vendors regarding email server purchases and configuration inquiries. Good: Records showing vendor confirmation of domain relay restrictions in the purchased system.

Cross-framework mappings

How ISM-0567 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: ISO/IEC 27001 Annex A 8.9
Notes: Partially meets (1)
Details: ISM-0567 requires email servers to be configured so they only relay emails destined for or originating from the organisation’s own domain...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
