The following checks are performed on inbound email:
- DNSBLs
- virus scanning
- valid reverse DNS lookup
- review of the recommendations issued by the MAAWG
- RFC compliance, in particular RFC 5321 & RFC 5322
- various plausibility checks on HELO, RCPT TO and MAIL FROM
- verification of SPF DNS records, DKIM signatures & DMARC policies
- for some remote email services TLS is mandatory; incoming TLS connections are validated through Mail Transfer Agent Strict Transport Security (MTA-STS) and DNS-based Authentication of Named Entities (DANE), where supported
- relaying is only allowed using SMTP authentication in combination with transport layer security (TLS)
- rejected MIME types are: application/x-msdownload, application/x-msdos-program, application/hta
- rejected file types are: .ade, .adp, .bat, .chm, .cmd, .com, .cpl, .docm, .dotm, .exe, .hta, .ins, .isp, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msp, .mst, .pif, .potm, .ppam, .ppsm, .pptm, .ps1, .rtf, .sldm, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh, .xlam, .xll, .xlsb, .xlsm, .xltm, all Microsoft Binary File Format (BIFF) documents (.xla, .xls and .xlt), and all Microsoft Office documents and PDF documents with macros or script languages (based on recommendations of the German BSI “Lagedossier Ransomware”)
For RFC 2142 role-based mailboxes these policies vary.
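The MIME-type and file-type rejection rules above can be applied with a small filter over the parsed message. The following is an added example written for this page, not the mail service's own implementation: it parses an RFC 5322 message with Python's standard `email` package, walks every MIME part, and reports a violation for each blocked content type or blocked attachment extension. The block lists are copied from the policy text; the rule on Office and PDF documents containing macros is approximated by the macro-enabled extensions already in the list, since detecting embedded macros needs a content scanner. The `attachment_violations` and `build_sample` names, and the sample messages, are constructed for this example.

```python
"""Attachment policy filter (added example, not the provider's code).

Rejects a MIME message if any part carries one of the blocked content
types or a filename ending in one of the blocked extensions.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Copied from the policy text above.
BLOCKED_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/hta",
}

BLOCKED_EXTENSIONS = {
    ".ade", ".adp", ".bat", ".chm", ".cmd", ".com", ".cpl", ".docm", ".dotm",
    ".exe", ".hta", ".ins", ".isp", ".jar", ".js", ".jse", ".lib", ".lnk",
    ".mde", ".msc", ".msp", ".mst", ".pif", ".potm", ".ppam", ".ppsm",
    ".pptm", ".ps1", ".rtf", ".sldm", ".scr", ".sct", ".shb", ".sys", ".vb",
    ".vbe", ".vbs", ".vxd", ".wsc", ".wsf", ".wsh", ".xlam", ".xll", ".xlsb",
    ".xlsm", ".xltm",
    # Microsoft Binary File Format (BIFF) documents
    ".xla", ".xls", ".xlt",
}


def attachment_violations(raw_message: bytes) -> list[str]:
    """Return one reason string per policy violation found in the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type().lower()
        if ctype in BLOCKED_MIME_TYPES:
            reasons.append(f"blocked MIME type {ctype}")
        filename = part.get_filename()
        if filename:
            # Windows ignores trailing dots and spaces, so strip them before
            # taking the final suffix; compare case-insensitively so that
            # "Invoice.PDF.exe" and "MACRO.XLSM" are both matched.
            cleaned = filename.strip().rstrip(". ")
            ext = PurePosixPath(cleaned).suffix.lower()
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked file type {ext} ({filename})")
    return reasons


def build_sample(filename: str, content_type: str, payload: bytes) -> bytes:
    """Construct a small multipart message with one attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "postmaster@example.net"
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("report.pdf", "application/pdf"),
        ("Invoice.PDF.exe", "application/octet-stream"),
        ("setup.bin", "application/x-msdownload"),
        ("MACRO.XLSM", "application/octet-stream"),
    ]
    for name, ctype in samples:
        found = attachment_violations(build_sample(name, ctype, b"\x00" * 8))
        print(f"{name:18} {ctype:30} -> {found or 'accepted'}")
```

The filter looks only at the final suffix and the declared content type, which is what the policy lists; a production gateway would additionally inspect the actual file content, since a sender controls both the filename and the `Content-Type` header.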