One other thing you will need is management who will back you and any policies up. One of the problems we have had with corporate email is not technology change, it's changing human behaviour, including ones who ignore what the IT/Security/Tech part of the organization instructs them to do. Especially if there is a culture of letting certain ones circumvent the policies because they are a "good guy." Good luck; testing out the social engineering is the usual way to find weaknesses in the chain/departments.