Email policies are necessary for businesses old and new, big and small. They protect you from legal liability and establish firm guidelines for employee conduct. 

Let’s dive into why you need an email policy, what you should include in its contents, and how to implement best practices for privacy and data security.



What is an email policy?

An email policy is a document which outlines your company’s basic rules and regulations regarding employee email. It gives employees a better idea of how they should use their email accounts. 

Email policies make it clear who is entitled to access office email accounts, who owns those emails, and which kinds of communications are deemed appropriate. They lay out the degree to which personal use is allowed on office email accounts, alongside restrictions on any other kinds of business. 

Possible prohibitions could include: 

  • Using the account for shopping or online services.
  • Using the account for inappropriate or illegal activities.
  • Sharing offensive content.
  • Using the account to conduct other kinds of business.
  • Sharing access to the work account with people outside of the office.

An email policy may even detail the protocol for disciplinary action when any of the guidelines are breached.



Why do you need an email policy?

It hardly needs to be stated that the Internet is an integral part of contemporary working life. In the wake of the pandemic, remote working is more popular than ever, meaning more and more of our workplace interactions take place online. 

Further, customers and clients increasingly prefer to get in touch via an omnichannel contact center. They expect the option of sending a message or an email when phone lines are busy. 

So, it’s crucial that the guidelines for appropriate and professional employee behavior are clear and firm. A well-written email policy helps ensure that any email exchanges stay as professional as possible. Email should be a tool for getting work done, not a distraction. 

It also protects your business against legal liability. Social media and emails are allowed as evidence in a court of law. This can be used to damage the reputation of your business. The phrase “The Internet is forever” exists for a reason. Once something is in writing, it can be difficult to take it back. It’s even possible for forensic IT equipment to retrieve emails which have been deleted.

Finally, a strong email policy is vital for security and data protection. Email is a highly insecure medium of communication. Online, we are all vulnerable to cyber attacks.

On the phone, we can easily screen calls. Online scammers are often more devious: they impersonate colleagues in the company using spoofed sender addresses or lookalike (“spoof”) domains to entice employees to click on a dangerous link. They distribute spam and malware, and even convince users to leak private data or make payments. 

Ensuring all of your employees are aware of best practices for cybersecurity can help reduce the risk of fraud. So, what should the contents of your email policy include? 



The introduction

Your policy must be comprehensive and informative, but it must also be readable. Employees should be able to open the document and find the information they need at a glance. Therefore, any company policy must have a strong introduction.

Outline why you need your policy. Highlight productivity, safety and security. Employees shouldn’t feel overwhelmed by detail or intimidated by stringency. They should understand that having a clear code of conduct not only benefits the employer and the business, but the employees themselves.

Explain that cybersecurity, online safety, and appropriate usage are not optional. Employees should understand that emails can be contractually binding. Anything employees say in an email to a client could impact them later, even if it’s in a private, one-on-one communication.  

Introduce the main points you will cover, in the order that you intend to cover them. Your policy should flow well, be logically structured and easy to follow. 

If you need help structuring your policy, consult legal counsel or use a template like this NDA example.


Who does the policy apply to? 

This section could be included in the introduction, or under a subsection. Briefly explain who the policy is for and whom it affects. For most companies, the policy will apply to everyone with a company email account. This means all staff, including management and administrators.



Permitted use 

Next, you will set out what company email accounts are allowed to be used for, i.e., the usage guidelines. 

Company email accounts should be used primarily for business. Employees should use their accounts to contact colleagues, management and clients.

In this section, you can also outline any guidelines for your email layout, e.g., a requirement to include your job title, contact details, and company logo in email signatures. You can also advise employees on standards of decorum in their writing, asking them to maintain a polite, pleasant and professional tone wherever possible.

However, although you can caution your employees against using email for non-work purposes, it’s impossible to completely stop them from receiving emails of a personal nature. In certain instances, the lines between professional and personal may be blurred.

If your company’s policy is to allow certain colleagues to keep in touch outside of working hours, then some degree of personal use should reasonably be allowed. As some employees are obligated to stay logged in, it makes sense that their company email account would become their primary email account. In these instances, you should encourage employees to keep their inboxes organized by using email filters or labels. Personal emails should be placed in their own separate folder.




Cell phones have revolutionized our working life. Connecting our phones with our work accounts should be a no-brainer. Maybe your company even distributes company cell phones with phone extensions so that clients and colleagues can easily stay in touch while on the move. 

Unfortunately, cell phones pose huge security and data protection risks. In your email policy, all colleagues must be instructed to lock their phones if they want to connect them to their email accounts. They should use password protection or biometric security (e.g., facial recognition, fingerprint scanner) to prevent strangers from accessing their data.

Employees should also set up remote wipe. Remote wipe is a feature available on both Android and iOS which allows users to remove all data from their phone if it’s ever lost or stolen. This could stop any interlopers who may scour email apps looking for personal or banking details.

Finally, employees should be made aware that they can sync their emails across devices, so that even if they break their iPad, lose their phone, or are logged out on their laptop, they can still find a way to get connected.



How to choose a password

Cybersecurity is crucial for both employees and clients. Every possible precaution must be taken to avoid falling prey to scammers and hackers. Here are the best tips for choosing passwords for your email account. 

Value length over complexity. Choosing a password with many different symbols and numbers is not always the best idea. The National Institute of Standards and Technology (NIST) states that complex passwords can actually pose a security risk: users are more likely to forget their passwords and change them more frequently.

Instead, NIST recommends prioritizing password length. Don’t use a jumble of characters, but a passphrase. Strong passwords contain a few unrelated words which are easy to remember. You can then input your chosen phrase into a password strength checker to assess its level of security.



No recycling. Do not dredge up old passwords for reuse, or use the same passwords across multiple accounts. Using the same password for your personal and business accounts makes it extremely easy for bad actors to target you. 

Instead, use a unique password for each account. A password manager can help alleviate the struggle of having to remember so many different phrases.

Update your passwords regularly… or don’t. The received wisdom used to be that it was necessary to change your password every ninety days, or sooner if possible. This was considered essential advice for throwing off potential attackers. However, more recent advice from NIST suggests that you don’t need to change your password so often. In fact, constantly updating your password can lead to users becoming fatigued and frustrated, and eventually choosing weaker passwords, or passwords with just one or two differences in characters, to make them easier to remember.

Whether your policy instructs employees to update passwords regularly is up to you. However, changing passwords after a security breach is not optional. 

If you discover any signs that a stranger has accessed your email account, it’s imperative to change your password as quickly as possible. A whole new phrase should be chosen, instead of just a few characters swapped out. 
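The password rules above (length over complexity, no reuse, no one-or-two-character rotations, a whole new phrase rather than a few swapped characters) can be enforced mechanically at password-change time. The following is an added example in Python, not code from the original article; the denylist, salt and usernames are constructed placeholders, and a real deployment would check candidates against a full breached-password corpus and use a per-user random salt.

```python
import hashlib

# Constructed sample denylist standing in for a breached/common-password corpus
# (assumption: a real deployment checks a full list such as a local HIBP dump).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "summer2023"}
MIN_LENGTH = 15  # policy choice: favour length, impose no composition rules


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2 hash so password history can be kept without plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch 'Fluffy2024' -> 'Fluffy2025' rotations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate, username, current=None, history=(), salt=b"demo-salt"):
    """Return the list of policy violations; an empty list means the password is acceptable.

    `history` holds salted hashes of earlier passwords (reuse check).
    `current` is the plaintext the user typed to authorise the change, which is the
    only moment a near-duplicate of the old password can be detected.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    low = candidate.lower()
    # Strip trailing digits/punctuation so 'Password1!' still hits the denylist.
    stripped = low.rstrip("0123456789!@#$%^&*")
    if low in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and username.lower() in low:
        problems.append("contains the account name")
    if hash_password(candidate, salt) in history:
        problems.append("reuses a previous password")
    if current is not None and edit_distance(candidate, current) <= 2:
        problems.append("differs from the current password by only one or two characters")
    return problems
```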



Handling confidential data

Employees should know the protocols to use when dealing with personal information. Because email accounts can be hacked and emails intercepted, certain kinds of information should be prohibited from being shared over email.

For example, banking, accounting or other financial data, performance marketing data, and customer lists should never be pasted into the body of an email. Extra precautions should be taken when sharing sensitive information.

Encryption can protect data by converting the plain text into scrambled cipher text. The recipient can then open and decode the email using a private key. This should prevent anyone who tries to intercept the email from reading the contents.

Make sure you use end-to-end encryption as well as zero-access encryption. End-to-end encryption secures the data on the sender’s device and only decrypts it on the recipient’s device, so only those two users should be able to read it. Zero-access encryption means that the mail provider stores your messages encrypted with your public key, so only your private key can decrypt them and the provider itself cannot read your stored mail.

A variety of methods are used for encryption. If you handle large amounts of data, for example in MLOps solutions, a more complex system may be required. However, three major methods for protecting data sent over email are:

  • PGP. Short for Pretty Good Privacy, this method combines symmetric encryption (for the message body) with public-key encryption (to protect the symmetric key), and can also sign messages.
  • S/MIME. Uses asymmetric cryptography with certificates and enables you to digitally sign your emails, identifying you as the real sender.
  • SMTP STARTTLS. A command sent by an email client (or sending server) to the receiving server asking to upgrade the connection to TLS. This encrypts the message in transit between those two systems, so anyone eavesdropping on the network sees only scrambled data. It is transport encryption rather than end-to-end encryption: each mail server along the route can still read the message, so STARTTLS complements PGP or S/MIME rather than replacing them.

Another way to transfer information more securely is to use a cloud storage system with password protection options, like Dropbox or Google Drive.

A note about email monitoring

We’ve covered the importance of protecting private data, but your employees’ personal privacy must also be respected. If you need to monitor your employees’ email accounts, you must obtain their consent to do so.

If you don’t explain your email monitoring practices in your employment contracts and/or email policy, legally you must ask employees every single time you perform a check.

In your email policy, explain how your email is monitored, and whether you use any monitoring software.

Emails sent over a company account are not considered private, so employers have the right to inspect them for valid business purposes. These could include checking the details of transactions, making sure the inbox is up-to-date while an employee is on vacation, or ensuring employee emails comply with policy. 

For any other reason, or if you want to share these emails with another party, you must obtain the consent of both the sender and the recipient.

Heavy monitoring creates an atmosphere of distrust in the office. As an employer, you should show strong leadership, not revert to petty micro-management tactics. Wherever possible, avoid reading the contents of personal emails. 



To sum up

An email policy might seem like unnecessary red tape at first, but having a strong set of guidelines in place is critical for your business. Email policies prevent legal liability. They can help protect you and your employees against phishing attacks, hackers, and other malicious actors.

Further, an email policy can help to reinforce firm professional boundaries. Encouraging employees to keep their personal and work emails separate promotes productivity, as it deters them from chatting to friends during work hours, but more importantly, it promotes work-life balance. Employees should not have to answer work emails off the clock.

Consult legal counsel and incorporate our tips to build a robust email policy that will keep your workplace safe, systematized and secure.