Build Your Own: E-mail Usage Policy
1
© 1995-2005 CNET Networks, Inc. All rights reserved. “TechRepublic” and its logo are trademarks of CNET Networks, Inc. Reproduction of this publication in any form is prohibited.
Case Document
Build Your Own:
E-mail Usage POlicy
Why

an

E-mmail

Usage

Policy

is

important
E-mail is undoubtedly one of the greatest communication tools we have today. Employees, vendors, cus-
tomers, executives, and other corporate users have all benefited from the advancements made to e-mail over
the years. However, e-mail has also created many problems for IT professionals with the spread of viruses,
Spam, and worms. In addition, e-mail has spawned many lawsuits from users offended by the mail received
in their corporate inbox. While the law on Internet e-mail is still vague, the courts are clear about one thing—
employers that have an E-mail Usage Policy read and signed by employees can protect themselves from
many claims.
Typically, a company should develop an E-mail usage policy that is consistent with other communication
media such as fax or letter mail. While e-mail requires less effort to distribute than these more formal means
of communication, the company’s name still goes out on the header of the message. This company “sta-
tionery” makes it the responsibility of the company to ensure the intended recipients of employee’s e-mail are
not offended or damaged by the content.

Introduction
An E-mail Usage Policy’s introduction should briefly explain the purpose for the policy as well as define a few
of the elements the company considers to be “e-mail”. For instance, e-mail may be defined as mail sent from
a MAPI client software package like Outlook, an instant messaging service, a peer-to-peer file exchange, or
some combination thereof.
A comparison to other forms of written communication and the company’s expectation of standards for e-
mail should be presented. Most E-mail Usage Policy introductions reinforce the stricter guidelines that e-mail
is a tool used only for business communications, but some leave open the possibility of personal use if the
company’s culture desires it. The introduction should also clearly state that e-mail exchanged on its systems
is considered the property of the company, which gives it the right to monitor accounts for policy compliance.
Guidelines for authorized use
Acceptable use of e-mail should be clearly defined. If your organization permits reasonable personal use, the
policy should clearly state such use must not interfere with the performance of work responsibilities. The fol-
lowing are other guidelines typically seen in e-mail usage policies in the authorized use section:
z Subscribing to distribution lists and other forms of e-mail subscription services related to your job function
is allowed. If the service does not pertain to your job function, seek manager approval before signing up.
z Passwords are your best defense against unauthorized use of your e-mail account. Do not compromise
your account by giving it to others or displaying it in public view.
z The encryption of e-mail is not necessary for most situations, but all confidential messages should contain
some form of encoding. If in doubt, contact your manager.
z Users should take care in addressing messages so it reaches the appropriate recipient. Also, spelling and
grammar should be checked by the e-mail client before sending the message.
z Long term message retention is important only if it is relevant for business or legal purposes. If you desire
to keep less important messages for longer than X days, please archive the e-mail to your allotted server
storage space. The e-mail system is designed to delete messages older than X number of days.
z Avoid sending company- or department-wide messages. E-mail “blasting” can cause a system to slow
down and affect performance. If you have a company- or department-wide message to deliver, first send it
to a user who has access to the “all company” e-mail grouping.
z Large e-mail attachments can drastically slow system performance. Attachments that exceed X MB in size
will be removed by the server and not sent.

combat attachment broadcasting is to centralize stor-
age with space on an Intranet Web site that users
can provide links to in their e-mail messages.
Following the guidelines set forth in the E-mail
Usage Policy will help users understand the impor-
tance of sending well defined e-mails. Perhaps
nowhere is this clarification more apparent than the
subject line. Message handling is vastly improved
when subject lines are to the point and encompass
the major thrust of the e-mail message. This will
ensure the message is not discarded before being
read and will be easier to sort.
Security
E-mail is the easiest method for hackers to distribute
viruses, worms, and other forms of malicious soft-
ware. Defending against these attacks is a major part
of any IT professional’s job. Thus, the security sec-
tion of the E-mail Usage Policy can go a long way to
defining how restrictive an organization is with its e-
mail service. The company may wish to limit e-mail
accounts only to individuals whose job descriptions
require a legitimate business use. Others may define
a more liberal account structure, yet monitor usage
and deal with problem accounts according to the E-
mail Usage Policy.
Privacy
E-mail Usage Policies should ensure users maintain
no expectation of privacy while using company-
owned or company-leased equipment. Further, the
policy should make it clear that information passing

personnel on all messaging related to the violation.
And, if the organization monitors employee e-mail
use, mail server log files should be saved as backup.
IT staff should take care when reviewing monitored
communications to ensure employees are aware e-
mail use is being monitored. IT staff should monitor
users’ e-mail use only insofar as is required to sup-
port operational, maintenance, auditing, security, and
investigative activities. Users should be told that IT
staff may review individual employee’s communica-
tions during the course of resolving a problem, but IT
staff should be encouraged not to review specific
employees’ e-mail habits out of personal curiosity or
at the behest of individuals who have not received
proper approval to monitor employee e-mail use.
Build Your Own: e-mail Usage Policy
4
© 1995-2005 CNET Networks, Inc. All rights reserved. “TechRepublic” and its logo are trademarks of CNET Networks, Inc. Reproduction of this publication in any form is prohibited.
Organizational readiness
An E-mail Usage Policy will fail to curtail inappropriate e-mail use if the policy is not rolled out properly or
enforced. Employees should be required to sign a personal copy of the E-mail Usage Policy and state that
they have read and understood the policy.
E-mail Usage Policies must be enforced to be effective. Violation reports must be followed up professionally,
and offenders must be dealt with according to the policy’s direction.
Length and language
There is no requirement that an E-mail Usage Policy be lengthy, contain legal jargon, or use excessive word-
ing. You are likely to be best served by clearly communicating which e-mail activities are acceptable, which
are not, and what the penalties of noncompliance are succinctly and in language users understand.
Lack of enforcement
Users will catch on quickly when an E-mail Usage Policy is not enforced. Here IT staff members can lead by