[external]
All emails delivered to users which originate from outside of the enterprise should by default come with an [external] subject line tag. This simple security control provides users with a simple but in your face warning that the contents of the communication need to be evaluated before interacting with it. This is particularly useful when an adversary spoofs an internal employee. The presence of an external subject line from a sender claiming to be your boss is enough by itself to treat the email with significant suspicion.
[partner]
An unsung hero of the security awareness posture-the [partner] subject line tag which differentiates between approved third party vendors and other external senders who the cyber security operations center has not vetted. This crucial control drastically cuts down on the volume of emails users must self triage as they can confidently assume all emails with this tag are safe to interact with reducing the operational burden of phishing awareness.
[internal] or simply nothing
I’ve heard different perspectives on having an internal subject line tag and do not disagree with either side. One side claims that the absence of this tag causes users who less frequently receive emails from external sources to forget about the value of tags. The other perspective, which I happen to share is that the absence of this tag makes the presence of the other two more pronounced when they arrive. There is not a correct answer here, so open a debate with your relevant security leaders and come to a decision together.
Consider adding color to give your tags that extra flavor some users will notice more frequently.
Which of these are more noticeable to you?
[external] or [external]
[partner] or [partner]
Such a simple implementation with potential incident saving capability.
The following are optional subject line tags which I personally do not choose to utilize however you may find value in.