Verify Senders for Email Failure Notifications
Only verified senders get notified if their email cannot be delivered.
Plain language
This control means that when you send an email that cannot be delivered, you only receive a failure notification if your identity as the sender can be verified. Spammers and phishers routinely forge the sender address on their mail; if the receiving system bounced every undeliverable message, those bounces would go to whoever was forged, and the attacker could use the pattern of bounces to learn which addresses are real. Only notifying verified senders keeps genuine users informed about delivery problems while denying attackers that information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for email
Section
Email gateways and servers
Official control statement
Notifications of undeliverable emails are only sent to senders that can be verified via SPF or other trusted means.
Why it matters
If undeliverable mail notifications go to unverified senders, an attacker who forges the sender address can use the presence or absence of a bounce to confirm which addresses at the target are valid and refine spam and phishing campaigns, increasing fraud risk. Such bounces to forged senders (backscatter) also land on uninvolved third parties whose addresses were forged, so the gateway becomes a relay for unwanted mail.
Operational notes
Configure the mail gateway to generate non-delivery reports (NDRs) only for messages whose envelope sender passed SPF, DKIM/DMARC or another trusted check. Where the gateway can determine during the SMTP transaction that a message is undeliverable, prefer rejecting it there: no NDR is then generated at all, and the sending system (for forged mail, the attacker's own) carries the bounce. Never generate an NDR for a message with a null reverse-path, as that is how bounce loops start. Review mail gateway rules regularly, and keep the organisation's own SPF record current so that its legitimate outbound mail passes the same check at other organisations and is not denied the NDRs it is owed.
Implementation tips
- The IT team should configure the email gateway to check the sender's identity on inbound mail. In practice this means evaluating the Sender Policy Framework (SPF) record published by the sending domain against the IP address that delivered the message, and generating a failure notification only when that check passes (or when DKIM/DMARC or another trusted method verifies the sender).
- The IT manager should work with an email provider that offers sender verification features. This means confirming with the provider how it validates sender identities using SPF or similar technologies, and ensuring that NDR gating on the result is included in the service package.
- The system administrator should keep sender verification data current. Verification of inbound senders relies on the SPF records published by the sending domains, so the organisation's own SPF record cannot be used to approve inbound senders; it should instead be reviewed so that the organisation's own sending hosts are listed and retired ones removed, keeping its outbound mail verifiable by others. Any separate list of trusted senders or exceptions configured on the gateway should be reviewed in the same way, adding or removing addresses or domains to match current business needs.
- The office manager should educate staff on how to recognise when they should or should not receive a delivery failure notice. This can be done through a training session explaining that only verified senders will receive these notifications, reducing confusion and potential fraud.
- HR should include email usage and sender verification policies in the employee handbook. They should outline procedures on how employees can ensure their emails are recognised as legitimate by the systems in use, using plain language instructions.
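The gating logic the operational notes and the first implementation tip describe, as an added example that is not part of the original page or of any gateway product: a small SPF evaluator (ip4/ip6/a/mx/include/all and redirect=, per RFC 7208; macros, exists and ptr are left out) run over a constructed in-memory DNS table, and a decision function that permits an NDR only when the envelope sender's domain returns an SPF pass. The domain names, IP addresses and SPF records are constructed examples; a real gateway would resolve records live and would also accept DKIM/DMARC as the control allows.

```python
"""Gate non-delivery reports (NDRs) on an SPF check of the envelope sender.
Added illustrative example; DNS is a constructed in-memory table."""
import ipaddress
from typing import Optional, Tuple

# Constructed DNS fixture (assumption: a real gateway resolves TXT/A/MX live).
FAKE_DNS = {
    "txt": {
        "example.org": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
        "mail.example.net": "v=spf1 a mx ~all",
        "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    },
    "a": {"mail.example.net": ["203.0.113.10"],
          "mx1.mail.example.net": ["203.0.113.20"]},
    "mx": {"mail.example.net": ["mx1.mail.example.net"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms


def _host_matches(addr: ipaddress._BaseAddress, hosts) -> bool:
    """True if any address in `hosts` equals the connecting address."""
    return any(ipaddress.ip_address(h) == addr for h in hosts)


def check_spf(client_ip: str, domain: str, dns=FAKE_DNS,
              _lookups: Optional[list] = None) -> str:
    """Evaluate `domain`'s SPF record for a connection from `client_ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]
    record = dns["txt"].get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1].lower()
            continue
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            # Version mismatch (v6 client vs ip4 term) simply does not match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier]
            continue
        if name not in ("a", "mx", "include"):
            return "permerror"  # unsupported/unknown mechanism
        _lookups[0] += 1
        if _lookups[0] > MAX_DNS_TERMS:
            return "permerror"
        target = arg or domain
        if name == "a":
            matched = _host_matches(addr, dns["a"].get(target, []))
        elif name == "mx":
            matched = any(_host_matches(addr, dns["a"].get(mx, []))
                          for mx in dns["mx"].get(target, []))
        else:  # include: matches only when the included record passes
            sub = check_spf(client_ip, target, dns, _lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        if matched:
            return QUALIFIER[qualifier]
    if redirect:
        _lookups[0] += 1
        sub = check_spf(client_ip, redirect, dns, _lookups)
        return "permerror" if sub == "none" else sub
    return "neutral"  # nothing matched and no redirect


def should_send_ndr(envelope_from: str, client_ip: str,
                    dns=FAKE_DNS) -> Tuple[bool, str]:
    """Decide whether the gateway may generate an NDR to `envelope_from`."""
    sender = envelope_from.strip().strip("<>")
    if sender == "":
        # Null reverse-path (RFC 5321): never bounce a bounce.
        return False, "null sender: NDR suppressed"
    local, at, domain = sender.rpartition("@")
    if not at or not local or not domain:
        return False, "malformed envelope sender: NDR suppressed"
    result = check_spf(client_ip, domain.lower(), dns)
    if result == "pass":
        return True, "spf=pass: sender verified, NDR may be sent"
    return False, f"spf={result}: sender not verified, NDR suppressed"


if __name__ == "__main__":
    # Constructed SMTP transactions: (MAIL FROM, connecting IP).
    for mail_from, ip in [("<alice@example.org>", "192.0.2.5"),
                          ("<alice@example.org>", "203.0.113.20"),
                          ("<alice@example.org>", "198.51.100.7"),
                          ("<bob@soft.example>", "10.0.0.1"),
                          ("<>", "192.0.2.5")]:
        print(mail_from, ip, *should_send_ndr(mail_from, ip))
```

Note that softfail, neutral and none are all treated as "not verified": a domain that publishes `~all` or no record at all has not vouched for the sending host, so the gateway has no basis for sending the NDR. The null-sender check is independent of SPF and applies even when the gateway decides to accept and bounce rather than reject.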
Audit / evidence tips
- Ask: for the email server's SPF configuration report
  Good: the report clearly describes the gateway's sender verification process, referencing SPF or similar methods, and shows that failure notifications are limited to senders that pass it
- Ask: to see the list of allowed senders in the email system
  Good: the list is current, accurately reflects business operations, and excludes inactive or unauthorised accounts
- Ask: for copies of the relevant sections in the employee handbook on email use policies
  Good: the handbook clearly instructs staff on these processes and has been updated to reflect current systems and practices
Cross-framework mappings
How ISM-1024 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| ISO/IEC 27001 Annex A 8.12 | Supports | ISM-1024 requires that notifications of undeliverable emails (e.g |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.