Many developer prefer the GMail interface and thus forward (actually pull) all their email to GMail.
Assuming we trust Google, are there any reasons why this should be disallowed?
Edit: Interesting article today from Bruce Schneier about Cloud Services and security.
There is one really good reason to disallow this:
Even if you configure gmail to use the company address as the FROM-header, gmail will still add a
Sender: <google-alias@gmail.com>
To every mail that is sent out.
Now, this might seem like a small issue, was it not for Outlook that displays a Mail with these headers:
From: <original.address@example.com>
Sender: <google-alias@gmail.com>
as a Mail from "google-alias@gmail.com in behalf of original.address@example.com". Even worse: Replies will be sent to the google alias now.
So this not only confuses potential recipient, it also means that company mail now ends up in private mailboxes where it's not subject to a companies possible audit- or backup policy.
I think from a security perspective, you should not allow this.
All the data in the company mail system belongs to the company, I think you'll be putting the company at risk this way by opening this up - as usual - security comes at the cost of convenience, there's no easy way around it. Of course you can't go too far with restricting people's freedom with an iron fist either because if staff feel shafted, they'll go out of their way to circumvent the system, and that's much worst - you then have to start worrying about insiders (more so than usual that is).
Secondly, if using gmail for example becomes the norm, you're then also exposing the company (more so than already) to social-engineering attacks. People who've not looked into this (including me at first) laugh at this kind caution, but social engineering attacks are in general much more difficult to protect from than you think - in most cases you wouldn't even know it when it occurs.
And as previously mentioned - I think Audit would vomit when they hear about this :)
By allowing them to forward their email to GMail, you are now dependant on the developers to implement the security for protecting sensitive company information, rather than being able to enforce strict password and security options centrally.
If a user replies to an email from their GMail account, this then completely bypasses any logging and tracking on the Exchange server, the company will never know an email was sent on their behalf.
The Security Side of Me:
One of the companies (MediaDefender, I think, anyone want to confirm?) that was helping the RIAA track down and prosecute Bittorrent sharers permitted one of their VPs to forward his company mail to his Gmail account.
Some people who did not appreciate this company's efforts guessed his password and pulled all his mail, and leaked all the company-related mail. You can probably still find torrents of it floating around. Included were salary documents, operating plans, etc.
So, you need to not only trust Google, but also trust the developers to pick reasonable passwords. You might think that, at least once it's explained, it would be a simple matter to get the developers, who should all be "computer people" (but sometimes aren't) to pick good passwords. Anecdotally, however, I've seen many developers with piss-poor security.
The User Side of Me:
On the other hand, I hate having multiple mailboxes, and I get much better productivity out of having all my mail flow into one. I check it all in one place (and all the bloody time); and I don't really have to care where people email me at, it all reaches me eventually.
As we speak, actually, I'm doing a mail migration of several Gmail accounts into one GAFYD account, and after that I'll be pulling in my old Outlook/Exchange archives.
If I couldn't forward my work mail into my GAFYD account, I'd be very peeved, and you (the person stopping me) would be rather screwed anyways, because I would be importing my archives instead. Which brings us to the bottom line: The primary reason not to let me forward my mail into Gmail is security. And if I want my mail in Gmail bad enough, I'll get it there one way or the other. Maybe it won't be in real-time, but I will eventually, and once it's there, it's the same as if you let me forward it in.
I'm not sure that "trusting Gmail" is the issue really. It's a governance matter - do you know where your corporate information is? Has your Intellectual Property remained at all times under your control? etc.
I work with Loa PowerTools, a company that provides a virtual local SMTP service. We have users whose employers cannot, for accountability, liability and regulatory reasons allow their corporate email to reside on Google servers that may be mined (by software, admittedly) for information of use to Google.
I tried this once and regretted it. In addition to the email header issues, if smtp between your company and gmail/google apps fails, the sender may receive a undelivered message.
Emails contain all sorts of sensitive information from specs, to discussions about design, operations, code extracts, sample data, maybe live, client data, proposals, budgets, passwords, and more.
Forget whether you trust Google. Do you trust the developers? You might trust them today, but in 2 years time when someone has left the company, how do you make sure you get all this sensitive information back? You can't, and he/she could probably deny responsibility because the company deemed it an acceptable risk to allow emails to be copied to Gmail.
Also, in the UK, The eighth basic principle of the Data Protection Act states that personal information should "not be transferred to other countries without adequate protection" (all EU countries have similar privacy laws - the DPA derives from legislation passed in Brussels) - but I don't think the USA is classed as a country with adequate law/protection over data. If developers copy their emails to Google, can you prevent any data that a client might have emailed from being copied?
Wow this a big question,with some great replies so far.
I guess my view would be that whether your users want to forward mail to gmail or hotmail or any other mail, its going to be pretty hard to stop them from forwarding, creating mail rules or manually hitting forward. Maybe what you should ask is, is your existing mail system brocken? ie if you or your users feel the need the forward to email is their a better system that would do what you want to do.
As far as users using personal gmail accounts for business mail, guess that while your on good terms with them, your fine provided they're playing by your company rules now, but what if you ever fall out with them, they leave, they're unexpectantlly ill you have no way to access the mail.