Should our company allow employees to forward their Exchange email to GMail?

There is one really good reason to disallow this:

Even if you configure Gmail to use the company address as the FROM-header, Gmail will still add a

Sender: <[email protected]>

to every mail that is sent out.

Now, this might seem like a small issue, were it not for Outlook, which displays a mail with these headers:

From: <[email protected]>
Sender: <[email protected]>

as a mail from "[email protected] on behalf of [email protected]". Even worse: replies will be sent to the Google alias now.

So this not only confuses potential recipients, it also means that company mail now ends up in private mailboxes where it's not subject to a company's possible audit or backup policy.
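A defender's check for the header pattern described in the answer above, as an added example that is not part of the original answer: it flags messages whose From address is in the company domain while the Sender header points outside it. The domain names, addresses and sample messages are constructed placeholders, and `COMPANY_DOMAINS`, `check_message` and `scan` are names chosen for this sketch.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the organisation's own mail domain(s); placeholder value.
COMPANY_DOMAINS = {"example.com"}

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw):
    """Return a finding dict when From is a company address but Sender
    is an external one (the 'on behalf of' case); otherwise None."""
    msg = message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    _, sender = parseaddr(msg.get("Sender", ""))
    if not sender or not from_addrs:
        return None  # no Sender header: nothing to compare
    from_is_company = any(domain(a) in COMPANY_DOMAINS for a in from_addrs)
    if from_is_company and domain(sender) not in COMPANY_DOMAINS:
        # Reply-To outside the company is reported too, since replies
        # leaving the company mail system is the second concern raised.
        reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", []))
                    if a and domain(a) not in COMPANY_DOMAINS]
        return {"subject": msg.get("Subject", ""), "from": from_addrs[0],
                "sender": sender, "external_reply_to": reply_to}
    return None

def scan(raw_messages):
    """Run check_message over many raw messages and keep the findings."""
    return [f for f in map(check_message, raw_messages) if f]

# Constructed sample messages (not taken from the page).
SAMPLES = [
    "From: Alice <alice@example.com>\n"
    "Sender: alice.private@mail.example.net\n"
    "Subject: Quarterly figures\n\nSent through a personal mailbox.\n",
    "From: Bob <bob@example.com>\n"
    "Subject: Lunch\n\nSent from the company system, no Sender header.\n",
    "From: Carol <carol@example.com>\n"
    "Sender: Assistant <assistant@example.com>\n"
    "Subject: Meeting\n\nInternal delegate, both addresses in-house.\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```
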


I think from a security perspective, you should not allow this.

All the data in the company mail system belongs to the company. I think you'll be putting the company at risk by opening this up. As usual, security comes at the cost of convenience; there's no easy way around it. Of course, you can't go too far in restricting people's freedom with an iron fist either, because if staff feel shafted, they'll go out of their way to circumvent the system, and that's much worse: you then have to start worrying about insiders (more so than usual, that is).

Secondly, if using Gmail, for example, becomes the norm, you're then also exposing the company (more so than already) to social-engineering attacks. People who've not looked into this (including me at first) laugh at this kind of caution, but social engineering attacks are in general much more difficult to protect against than you think; in most cases you wouldn't even know when one occurs.

And as previously mentioned - I think Audit would vomit when they hear about this :)