The problem is purely administrative. Establish a close relationship between the HR and IT departments.
And do not fire an employee without a signature on the bypass sheet, a system administrator.
Accordingly, as soon as the signature is put, the user's data is blocked, passwords and appearances change.
Something like this.
Well, or set all passwords to temporary

turn on the brain and do not start mailboxes on public gmail mail and others,
but give [email protected] mailbox

Well, how do you build security? Do employees know each other's email passwords? If so, then it will be difficult to change anything. In general, the password should be changed every 2-3 months, the change request can be configured automatically.
When an employee is dismissed, we create an electronic bypass sheet, and each admin notes in it that the employee’s access to the services provided has been disabled.
1. Blocked the mailbox - ticked.
2. Blocked the account in AD - ticked.
3. Passed the equipment - ticked.
5. ....

But what if I have mail, why not use it in personal correspondence?
You can restrict sending to allowed domains, otherwise there is no other way.
People in the office worked for me for 15-17 years, they registered corp mail, skype icq, etc. in different social networks, that's when the office was dispersed there were sides for employees to change mail