Skip to content

Email & Messaging Security

Email is one of the most common ways into an organisation. For staff the rules are short: be wary of unexpected attachments and links, use the Report button, don't auto-forward Holmes mail outside, and don't send from accounts that aren't yours. The larger half of this policy is technical, the anti-spoofing and anti-phishing settings IT maintains.

1. For staff

Ref Requirement
EML.1 Treat unexpected attachments and links with caution. If a message seems suspicious, use the Report button rather than engaging with it.
EML.2 You MUST NOT set up auto-forwarding of Holmes email to external addresses.
EML.3 You MUST NOT send email from an account that isn't yours unless authorised, for example an executive assistant acting for a principal.
EML.4 You MUST NOT forge email or any electronic message.
EML.5 You MUST NOT use personal or third-party email services (Gmail, Outlook.com, and the like) for Holmes business or to store Holmes email.
EML.6 Confidential material received by email MUST be filed into the project system of record, not left as the durable copy in a mailbox (02, section 5).

2. Platform controls (IT)

Ref Requirement
EML.7 All Holmes owned and sending domains MUST have SPF, DKIM, and DMARC configured, with DMARC at enforcement (p=quarantine or p=reject). Non-sending domains MUST be locked down (v=spf1 -all, DMARC reject).
EML.8 Automatic external mail-forwarding MUST be blocked at the platform, enforcing EML.2 technically rather than by rule alone.
EML.9 Anti-phishing policy MUST quarantine, not just junk, mailbox-intelligence and impersonation detections, and priority accounts (executives, finance) MUST have enhanced protection.
EML.10 External-sender tagging MUST be enabled so staff can see when a message comes from outside Holmes.
EML.11 Outbound anti-spam limits and admin alerting MUST be configured, and mail-flow and security events MUST be logged (11).

A user rule against auto-forwarding (EML.2) only holds if the platform enforces it (EML.8). Domain authentication (EML.7) applies to every owned domain, including ones that don't send mail, which must be locked down so they can't be spoofed.

3. Retention

Email retention follows the records-retention rules in 02 Information Classification (IC.12 to IC.14). Business records are kept for their required period, and the mailbox isn't the system of record (EML.6).

Email authentication (EML.7) stops Holmes' domains being spoofed to defraud clients, a direct client-protection and reputational control and increasingly a client due-diligence checkpoint.

Business email compromise is a leading fraud vector for professional-services firms. EML.9 (impersonation quarantine, priority-account protection) is the main technical mitigation, alongside finance process controls outside this set.

00 Framework, 01 Acceptable Use, 02 Information Classification, 11 Logging & Monitoring, 12 Incident Response.