External Email Warning Banner (Body-Level) #234
Description
Currently, there is no built-in way in grommunio to display a warning for emails originating from external senders directly within the message body.
Many organizations rely on such visual indicators to improve security awareness and reduce the risk of phishing attacks. While subject tagging is possible, a banner within the email body provides a clearer and more user-friendly approach.
Feature Request
Introduce a native mechanism to automatically prepend a configurable warning banner to incoming emails that originate from external senders.
The banner should be inserted at the top of the message body and support both text/plain and text/html formats.
Expected Behavior
Incoming external emails should be modified to include a warning banner such as:
For HTML emails:
<div style="border:1px solid #f5c2c7;background:#fff3cd;padding:12px;border-radius:6px;">
<strong>⚠ Warning:</strong> This email originated from outside your organization.
</div>
For plain text emails:
⚠ WARNING: This email originated from outside your organization.
Scope / Requirements
The implementation should:
Apply only to incoming (external) emails
Exclude authenticated/internal senders
Avoid duplicate banners if already present
Support all hosted domains automatically
Be configurable (enable/disable, custom text, styling)
Work reliably with multipart messages (HTML + plain text)
Avoid modifying attachments
Optional Enhancements
Add a custom header (e.g. X-External-Mail: yes)
Allow domain/IP-based whitelisting
Provide admin UI integration for configuration
Important Considerations
Modifying the message body may affect cryptographic signatures such as S/MIME or PGP. This should be documented and optionally configurable (e.g. skip signed messages).
Reference / Prior Art
This feature is commonly available in enterprise mail systems such as Microsoft Exchange, where it is known as an "External Email Warning" or "External Sender Banner".
Motivation
Improves end-user awareness, reduces phishing risk, and aligns grommunio with common enterprise security standards.
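The requirements listed above (banner on both text/plain and text/html parts, no duplicates, attachments untouched, signed messages skipped, optional `X-External-Mail` header) are illustrated below with Python's standard `email` package. This is an added example, not grommunio code and not from the issue author. The function names, the `external` flag supplied by the caller, and the sample message are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNER_TEXT = "⚠ WARNING: This email originated from outside your organization."
BANNER_HTML = ('<div style="border:1px solid #f5c2c7;background:#fff3cd;padding:12px;'
               'border-radius:6px;"><strong>⚠ Warning:</strong> This email originated '
               'from outside your organization.</div>')
MARKER = "X-External-Mail"  # optional header named in the request
PROTECTED = {"multipart/signed", "multipart/encrypted", "application/pkcs7-mime"}

def html_with_banner(html: str) -> str:
    """Insert the banner right after <body ...>, or at the top if there is none."""
    m = re.search(r"<body[^>]*>", html, re.IGNORECASE)
    pos = m.end() if m else 0
    return html[:pos] + BANNER_HTML + html[pos:]

def add_banner(raw: bytes, external: bool) -> bytes:
    """`external` is decided by the caller from the SMTP session (assumption),
    not from the From: header, which the sender controls."""
    if not external:
        return raw
    msg = message_from_bytes(raw, policy=policy.default)
    # S/MIME or PGP anywhere in the tree: return the original bytes untouched,
    # since any body change or re-serialisation can invalidate the signature.
    if any(p.get_content_type() in PROTECTED for p in msg.walk()):
        return raw
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue  # containers and attachments are never modified
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        banner = BANNER_HTML if ctype == "text/html" else BANNER_TEXT
        if banner in body:
            continue  # already tagged on an earlier pass: no duplicate banner
        new = html_with_banner(body) if ctype == "text/html" else f"{BANNER_TEXT}\n\n{body}"
        part.set_content(new, subtype=ctype.split("/")[1], charset="utf-8")
    del msg[MARKER]  # drop any sender-supplied copy before setting our own
    msg[MARKER] = "yes"
    return msg.as_bytes()

def sample_message() -> bytes:
    """Constructed sample: plain + HTML alternatives plus a text attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@external.example", "b@corp.example", "Invoice"
    m.set_content("Hello")
    m.add_alternative("<html><body><p>Hello</p></body></html>", subtype="html")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()
```

Duplicate detection looks at the body rather than the header, because a header value arriving from outside cannot be trusted as proof that the banner is present.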