An email policy for employees

A clear email policy helps prevent time wasting, protects data security and minimises the risk of legal problems. As well as setting out how employees can use email, the policy should cover any email monitoring you intend to carry out.

Permitted use

Employees should primarily use company email systems for business

However, it is pragmatic to allow some personal use of email, especially if you have employees who use their email for business purposes outside of normal working hours. You may encourage employees to use filters to separate their messages into specific business and personal folders.

Limit personal use

You might prohibit:

  • Excessive personal use of email;
  • Inappropriate or illegal content such as offensive jokes;
  • Engaging in illegal activities;
  • Encrypting personal emails and attachments;
  • Employees from allowing other people to access their email account.

For example, harassing someone by email might be a clear violation of your email policy.

Set out what devices employees may use to send and receive email

  • For instance, can they use their own smart phone with their company email account?

Mobile devices

It is common for employees to send and receive emails from mobile devices, like smart phones and tablets. Such use is subject to the same guidelines. Keep in mind that employees may resent you cracking down on personal use of email if they stay in touch via their mobile device outside of office hours.

The biggest issue with mobile devices is security

  • Make sure all mobile devices require a passcode to be entered before emails can be viewed.
  • Set up a ‘remote wipe’ function, so email data can be deleted remotely if a device is lost or stolen.
  • Use an email service that syncs emails across all devices. This ensures employees can always access emails, even if they lose their mobile device.

It is also worth considering your employees work-life balance. There is a risk that using mobile devices for email can encourage employees to check messages at all hours. Perhaps lay down a policy to regulate staff ‘on-call’ time. Mobile email can also increase the number of messages sent, not all of which are necessary.


Explain the style and tone you expect employees to use in business emails

  • This usually falls somewhere between the informality of a telephone conversation and the formality of a letter, although it may vary depending on who your staff are contacting.
  • An overly formal style may seem tedious to people used to quick, friendly emails.
  • Some industries, and some nationalities, have their own standards.
  • Short emails can appear brusque.
  • Typing in capitals is the email equivalent of shouting and can be considered rude.
  • Use a formal style for formal documents or when approaching someone for the first time.

Automatically add an email signature to all messages

  • This should contain key company details and any disclaimer.

Specify what content is prohibited

This should include:

  • sexist, racist or other offensive material;
  • defamatory material;
  • content that is protected by copyright;
  • links to inappropriate material.

Sending emails

Employees should use their own, password-protected accounts to send emails

  • Passwords should be strictly controlled.
  • Passwords should be changed around every 90 days.
  • Passwords should be strong, using a mix of letters, numbers and symbols.

Encourage the use of emails for communications you wish to keep a record of

Establish standards for outgoing messages

  • Set out what typeface, type size and colour should be used.
  • Consider putting a limit on the size of any attachments. Even if your company email system can handle large attachments, your contacts may not have the same capabilities.
  • It is polite to send large files (e.g. those over 10MB) using a transfer service like Dropbox or Box.

Have rules for handling confidential information

    • Make sure employees know that most emails are sent in plain text, so they can be intercepted and read online.
    • You may want to ban certain types of information from being sent by email. For example, lists of customers and information about new products.
    • You might specify that some information can only be sent using encrypted email.
  • Encryption scrambles the message and any attachments so they cannot be intercepted and read.

Explain the potential contractual significance of emails to employees

  • An email can be as contractually binding as any other form of communication.
  • You may prohibit the use email for any contractually significant communications, and insist that such documents are posted.
  • Consider including a disclaimer on emails. For example: ‘This email is confidential, and is intended for the use of the named recipient only. If you have received this message in error, please inform us immediately, and then delete it. Unless it specifically states otherwise, this email does not form part of a contract.’
  • Keep in mind that there is no legal authority in these messages.

Sending too many emails can lead to information overload

  • Excessive email, particularly within your company, can lead to overwork or a tendency to disregard emails. It can also seem rather impersonal.
  • If you send and receive a large amount of email, important messages may go unnoticed. You can use a ‘priority flag’ to highlight important messages, but it’s better to reduce overall email volume instead.
  • Avoid sending emails when it would be easier to make a call or speak in person.
  • Before sending a message to a large number of people, ask yourself whether they all need to receive it.
  • Using the ‘Reply all’ feature is another common problem. Some companies ban it altogether.
  • Consider using collaboration tools (like Basecamp or Trello) or instant messaging for day-to-day internal communications, rather than handling everything via email.

Explain your policy on storing both sent and received emails

  • Your system may file emails automatically.
  • Stored emails need to be protected from any later editing or unauthorised deletion.
  • Back up all email data regularly.
  • Inform employees about the permanence of emails. For example, centrally stored emails are still available even after an employee deletes them.
  • You must tell employees how you are monitoring emails.

Receiving emails

Set out who should read incoming emails

  • Generally, employees should read only their own emails.
  • Establish how you will handle emails sent to generic addresses (eg [email protected]). Assign responsibility for dealing with such emails and set up your technology so the relevant people can read them.
  • The policy should cover how incoming emails are handled when employees are absent (eg on holiday).

Set out your security procedures for dealing with viruses and other email threats

  • Make sure staff understand how to deal with the threat from viruses and phishing.

Set a response time

  • You might stipulate that all emails of particular types – for instance, customer enquiries – should be replied to, or at least acknowledged, within 24 hours.
  • Depending on your industry, a faster response time may be more appropriate.
  • Software can help you filter and prioritise emails.

Explain how emails should be handled when an employee is absent or leaves. Often, it’s simplest to set up an auto-responder which says the employee has left/is absent and provides an alternative contact. If you decide to allow someone else to check the employee’s emails, ensure personal emails are handled appropriately.

Explain how unwelcome emails should be dealt with. Employees should tell friends and contacts not to send inappropriate emails. For instance, inappropriate chain letters or enquiries from recruitment consultants. Delete junk emails (spam). It is a bad idea to reply to spam as a response confirms that the email has been sent to a live address.

Set out your policy on storing incoming emails

Viruses and phishing

Emails can pose a security risk to your business. They are often used to distribute viruses and spyware, or for phishing attempts.

A central email server or an email service provided by your IT supplier will include protection to reduce risks. However, even the strongest filters will allow the occasional malicious email to slip through.

Ensure your email policy includes procedures for dealing with suspicious emails.

Delete attachments from unknown senders

  • You may need a different approach if you expect to receive such files from new contacts.

Take care with high-risk file types

  • Some kinds of file are more likely to carry viruses. For example, file names including .vbs, .js, .exe, .bat, .cmd or .lnk extensions.
  • Compressed files (containing .zip, .arc or .cab) may also contain such file types.

Get advice from the IT manager if you are unsure

  • Always inform the IT manager if you receive a suspicious attachment or if you suspect a virus has entered the system.

Be aware of phishing emails

  • Make employees aware that criminals increasingly target individuals in spear phishing attempts, where the email appears to come from someone they know.

Monitoring email

There are legal restrictions on how you can monitor employees’ use of email. Include a clause on email monitoring in your employment contracts. If you fail to do so, you will need to get consent to perform checks. If you use monitoring software, you should make employees aware of this.

Explain that you reserve the right to read individual emails

You may inspect individual emails for ‘specific business purposes’, including:

  • establishing the content of transactions and other important business communications;
  • making sure employees are complying with the law and with your internal policies;
  • preventing abuse of your telecoms system;
  • checking emails when employees are on leave.

If you wish to make interceptions for other purposes (eg marketing) you will need consent from the sender and recipient.

Respect your employees’ right to privacy

  • Your employees are entitled to a degree of privacy at work.
  • If you suspect an employee is wasting time on personal emails, only monitor their emails if they know there is a limit on personal use and that their email may be monitored.
  • If you choose to monitor an employee’s emails, avoid reading the actual content.
  • Checking the email’s recipient or sender should tell you if a message is personal.


Consult employees on what you should include in your email policy

Take expert and legal advice

  • Advice can be particularly useful for issues of data protection and privacy.

Make the policy available to everyone

  • Ask employees to sign a copy to confirm they have read it.
  • Refer to the policy in your employment contracts.
  • Make sure managers familiarise themselves with the contents of the policy.
  • Provide a contact name for employees who have any questions.

Put in place any software that will help

This might include:

  • monitoring software to provide a record of email traffic;
  • filtering software to help employees prioritise emails;
  • auto-responder software to reply to emails when employees are absent;
  • virus-checking and other security software.

Provide any training that is needed

  • Employees may need training in effective use of email software.

Enforce the policy

  • Make an individual responsible for routine enforcement of the policy – usually the network administrator. A director should take overall responsibility.
  • Apply the policy consistently and fairly to everyone, including management and leadership teams.
  • Clarify any exceptions.
  • Make sure you have an appropriate disciplinary procedure in place to deal with breaches of the policy.
  • Revise the policy when necessary.
  • The policy will only provide legal protection if it is properly implemented and enforced.

© Atom Content Marketing Ltd. All rights reserved.

Better directors for a better world

The IoD supports directors and business leaders across the UK and beyond to learn, network and build successful, responsible businesses.

Safeguarding your organisation and employees

Browse valuable cyber resources from the IoD.
Internet Explorer
Your web browser is out of date and is not supported by the IoD website. It is important to update your browser for increased security and a better web experience.