The best practice is to use Organization Policies to enforce constraints across the organization and IAM Groups for granting resource access to minimize operational cost and administrative overhead.

Blocking non-company-issued emails: The Organization Policy Service with the constraint domains/restrictIdentityPropagation (or similar constraints like constraints/iam.allowedPolicyMemberDomains) is the Google-recommended, automated way to ensure that only specified domains (your company's domain) can be used as identities in IAM policies, thus blocking non-company issued emails and eliminating manual checks.

Department-specific access: Access should be granted using IAM roles assigned to Google Groups that represent the departments. This adheres to the principle of least privilege and simplifies management (you only manage group membership, not individual users' IAM bindings).

Minimizing operational costs/overhead: Using IAM with Google Groups and Organization Policies is the native, lowest-overhead, and most scalable solution on Google Cloud. Option D's manual checks are high-overhead and not recommended.