Control Stack
ISM-0567 ASD Information Security Manual (ISM)

Restrict Email Relay to Specific Domains

Ensure email servers only relay emails within their own domains to prevent misuse.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Email servers only relay emails destined for or originating from their domains (including subdomains).

Source: ASD Information Security Manual (ISM)

Plain language

This control means your email server only passes on (relays) messages that are either addressed to your organisation's own domains, like yourcompany.com and its subdomains, or submitted by your own users and systems. Anyone on the internet can still deliver mail to your domains, but cannot use your server to send mail onwards to third parties. Without this, outsiders could use your server as an "open relay" to send spam or fraudulent emails that appear to come from you, damaging your reputation, getting your server blocklisted and clogging up your system.

Why it matters

If relay isn't restricted to your own domains/subdomains, the server is an open relay: attackers can push spam and phishing through it, the server's IP address ends up on blocklists, and legitimate mail from your domains is then rejected or junked by other organisations.

Operational notes

Review SMTP logs for rejected relay attempts, and for any message that was accepted from an untrusted, unauthenticated client and delivered outside your domains. Periodically re-verify the list of own domains and subdomains, trusted networks and authenticated senders so the relay rules stay aligned with current domain and infrastructure settings.

Implementation tips

  • The IT team should configure the email server's relay restrictions. Mail from outside is accepted only when the recipient is in one of the organisation's own domains (including subdomains); mail to other domains is accepted only from the organisation's own networks or from authenticated users. The sender address in MAIL FROM is chosen by the sender and must not be used on its own as proof that a message originates from your domain. This is set in the server's relay or recipient restrictions, or through your email service provider.
  • System administrators should test the configured relay restrictions. From an external address that is neither in the trusted networks nor authenticated, try to send a message whose sender and recipient are both outside the organisation's domains and confirm the server rejects it at RCPT TO (typically with a 554 5.7.1 "Relay access denied" response). Also confirm that mail addressed to your own domains is still accepted from outside and that authenticated users can still send to external recipients. If the external-to-external test succeeds, the settings need tightening.
  • Office manager should communicate the importance of this control to all staff. They should organise a short info session explaining why emails should remain within company domains to prevent misuse and avoid external threats.
  • Procurement should ensure all new email server solutions include easy-to-use relay restrictions as part of their features. This involves checking with vendors on how they handle domain restrictions during the purchasing process.
  • The IT team needs to regularly review and update relay settings. This involves checking for system updates or changes in company domains and adjusting restrictions accordingly to maintain security.
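The relay decision from the implementation tips and the log review from the operational notes, as an added Python example. This is not Control Stack's code or any mail server's real implementation: it mirrors a Postfix-style rule set (`permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`) with the organisation's own domains and subdomains as the only authorised destinations, and the domains, networks and log lines are constructed for the example. The third logged message shows why the envelope sender is never trusted: an external client spoofs an own-domain MAIL FROM, and the review still flags the delivery as an unauthorised relay.

```python
"""Relay-policy decision and log review for ISM-0567 (added example).

Not Control Stack code and not a mail server's real implementation. Domains,
networks and log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

OWN_DOMAINS = ("example.com",)                      # constructed: our domains
MYNETWORKS = (ipaddress.ip_network("10.0.0.0/8"),   # constructed: trusted clients
              ipaddress.ip_network("127.0.0.0/8"))


def domain_of(address: str) -> str:
    """'Alice@Mail.Example.com.' -> 'mail.example.com'."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def is_own_domain(domain: str) -> bool:
    """True for an own domain or any subdomain of it ('notexample.com' is not)."""
    return any(domain == d or domain.endswith("." + d) for d in OWN_DOMAINS)


def is_trusted_client(ip: str, authenticated: bool) -> bool:
    """Relay to any destination is allowed only for our networks or authenticated users."""
    addr = ipaddress.ip_address(ip.removeprefix("IPv6:"))   # Postfix logs IPv6 as IPv6:...
    return authenticated or any(addr in net for net in MYNETWORKS)


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False


def rcpt_to_reply(session: Session, recipient: str) -> str:
    """SMTP reply for one RCPT TO. MAIL FROM is deliberately not consulted: the
    envelope sender is attacker-chosen, so 'originating from our domain' is
    established by client network or authentication, never by the sender address."""
    if is_trusted_client(session.client_ip, session.authenticated):
        return "250 2.1.5 Ok"                       # outbound from our side
    if is_own_domain(domain_of(recipient)):
        return "250 2.1.5 Ok"                       # inbound mail for us
    return f"554 5.7.1 <{recipient}>: Relay access denied"


# Postfix-style log lines, constructed for this example.
SAMPLE_LOG = """\
Jan 12 10:02:11 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim@other.example>: Relay access denied; from=<spam@attacker.example> to=<victim@other.example> proto=ESMTP helo=<mail.attacker.example>
Jan 12 10:02:12 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <victim2@other.example>: Relay access denied; from=<spam@attacker.example> to=<victim2@other.example> proto=ESMTP helo=<mail.attacker.example>
Jan 12 10:03:39 mx1 postfix/smtpd[2240]: 4AB12CD: client=ws17.corp.example.com[10.1.2.17]
Jan 12 10:03:40 mx1 postfix/qmgr[1180]: 4AB12CD: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan 12 10:03:41 mx1 postfix/smtp[2290]: 4AB12CD: to=<bob@partner.example>, relay=mx.partner.example[198.51.100.9]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 12 10:05:01 mx1 postfix/smtpd[2260]: 4AB12CE: client=unknown[203.0.113.7]
Jan 12 10:05:02 mx1 postfix/qmgr[1180]: 4AB12CE: from=<ceo@example.com>, size=900, nrcpt=1 (queue active)
Jan 12 10:05:03 mx1 postfix/smtp[2291]: 4AB12CE: to=<victim@other.example>, relay=mx.other.example[198.51.100.20]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

DENIED_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 554 5\.7\.1 "
                       r"<(?P<to>[^>]*)>: Relay access denied")
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\](?P<rest>.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>.*status=sent")


def review_logs(lines):
    """Return (denied_attempts_per_client_ip, unauthorised_relays).

    An unauthorised relay is a message accepted from an untrusted, unauthenticated
    client and then delivered outside our domains. It is found by joining the smtpd
    'client=' line, the qmgr 'from=' line and the smtp 'status=sent' line on their
    queue ID; a spoofed own-domain MAIL FROM does not excuse it."""
    denied = defaultdict(int)
    client, sender, unauthorised = {}, {}, []
    for line in lines:
        if m := DENIED_RE.search(line):
            denied[m["ip"]] += 1
        elif m := CLIENT_RE.search(line):
            client[m["qid"]] = (m["ip"], "sasl_username=" in m["rest"])
        elif m := FROM_RE.search(line):
            sender[m["qid"]] = m["sender"]
        elif m := SENT_RE.search(line):
            qid = m["qid"]
            if qid not in client:               # locally submitted (pickup), no SMTP client
                continue
            ip, authed = client[qid]
            if not is_trusted_client(ip, authed) and not is_own_domain(domain_of(m["to"])):
                unauthorised.append((qid, ip, sender.get(qid, ""), m["to"]))
    return dict(denied), unauthorised


if __name__ == "__main__":
    print(rcpt_to_reply(Session("203.0.113.7"), "victim@other.example"))
    print(review_logs(SAMPLE_LOG.splitlines()))
```

In Postfix itself the same policy is expressed with `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`, with the own domains listed in `mydestination` or `relay_domains`; the review function is the kind of check the operational notes ask for, run over the server's own logs rather than the constructed sample.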

Audit / evidence tips

  • Ask: for the email server configuration document, detailing how the server is set up to restrict relay to the organisation's own domains and subdomains (and which networks or authenticated users may relay outwards)

    Good: clear documentation showing these settings are active and configured correctly

  • Ask: evidence that tests have been conducted to check the restriction's effectiveness

    Good: a test record showing external-to-external relay attempts were rejected, and that inbound mail for own domains and authenticated outbound mail still worked

  • Ask: to see the email server's SMTP logs, showing email traffic on the server; confirm that relay attempts from external clients to external recipients are rejected

    Good: logs showing relay attempts from external clients rejected, and no successful deliveries to external recipients for messages that came from untrusted, unauthenticated clients

  • Ask: proof of the office manager's session with staff about the relay policy

    Good: records showing the session was conducted and key points discussed

  • Ask: vendor communication records: Request any communications with vendors regarding email server purchases and configuration inquiries

    Good: records showing vendor confirmation of domain relay restrictions in the purchased system

Cross-framework mappings

How ISM-0567 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control: Annex A 8.9
Relationship: Partially meets (1)
Notes: ISM-0567 requires email servers to be configured so they only relay emails destined for or originating from the organisation’s own domain...
