What’s Your Business Email Policy?

Email is an integral tool for business communication. As such, it’s imperative that you have a solid email policy to govern how email is used in your organization and to detail the consequences of violation. Implementing an email use policy helps protect your business’ electronic assets, shield you from legal liability, and create usage expectations for employees.

With millions of business email addresses and other personal data recently stolen from large retailers and financial institutions, and phishing and spam attacks expected to follow the breach, now is a great opportunity to educate employees on email safety and reinforce or establish an email policy.

Begin your email policy by reviewing the legal and compliance requirements of your specific industry. An email policy for a bank may look a lot different from an ad agency’s policy. Most policies will cover at least these basic topics:

Appropriate Use

All email is considered company property. The Appropriate Use section should specify how the company expects employees to use the email system. Give user-specific style guidelines, required disclaimers, and email signature templates. Include a firm statement prohibiting distribution of offensive or disruptive messages (racist or sexist content, jokes, chain letters, pornography, and spam). Use this area to detail restrictions on certain file types or file sizes and clarify that users are not to engage in non-business activities that inappropriately consume network resources.

Message Retention

Retained emails are routinely requested by regulatory bodies and in legal disputes. Your industry may dictate certain email retention regulations. Use this section to let users know how long emails are saved and to support compliance activities. If only certain employees can access the email archive, include the process and turnaround time for retrieving archived messages.

Email Monitoring

An employer has the right to monitor any messages sent over the company’s email system. While it’s not necessary in most states to inform employees of monitoring, a formal email policy should explain that their messages, even if personal in nature, can be monitored without notice. Having this policy in place also reminds users to consider carefully what they send over the business email system because there is no expectation of privacy.

Legal and appropriate internal stakeholders should review the email policy before implementation. A review process should be defined to revisit and update the policy at scheduled intervals. All email users should sign or otherwise acknowledge receipt and understanding of the policy. Employee training sessions can help users better understand and adhere to the guidelines. Going forward, the policy should be included in employee handbooks and new hire paperwork, and published in an easily accessible place, like the company intranet or public folders.

Lizetta Staplefoote is a Rackspace Marketing Copywriter with a decade of experience writing about small business challenges for healthcare, real estate, and technology. Her passion is researching and writing about the impact of cloud computing. When she's not wordsmithing, she enjoys hanging out with her sons, exploring the Blue Ridge Mountains, and feeding her music addiction.


  1. Regarding this statement:

    “Retained emails are routinely requested by regulatory bodies and in legal disputes.”

    It’s my understanding that even *after* an e-mail is deleted from Rackspace Mail (for example), it remains warehoused in backup systems maintained by Rackspace. This presumably allows a 3rd party to seek an injunction disallowing Rackspace from permanently deleting an e-mail. It would be helpful if some customers could sign up for a Rackspace Mail account where a “deleted” e-mail is *permanently* deleted so that it cannot be recovered. Otherwise, even an e-mail that appears to be deleted has actually been “retained” — by Rackspace.

    Thank you in advance for your careful consideration of this issue.

    Nathan Falkner

    • There is a problem with this statement:
      “It would be helpful if some customers could sign up for a Rackspace Mail account where a “deleted” e-mail is *permanently* deleted so that it cannot be recovered.”

      Courts can and have taken such a policy as one of willful destruction of evidence and judged such accordingly. Many jurisdictions now have or are making it mandatory for a minimum retention on all email, typically in terms of years of retention.
      It would still be nice to know how long Rackspace retains backups so that we do have an idea of how fast legally deleted messages take to be fully inaccessible. I can see this having two answers, one for regular mail, one for archived.

  2. I’m a contractor to more than one company. One of the companies I work for uses Rackspace email and has administrator privilege on my phone. I understand they have the right to monitor their company emails, but can they monitor anything else on my phone (like a different email, or texts)?

