E-mail Policy

Version: 1.00    Issue Date: 1/13/2015

This E-mail Policy is required to protect the security of the organization by limiting a possible method of attack against organizational resources, the organization, and its members. It is also intended to prevent abuse. Following this policy will help prevent security incidents, compromise of data, and possible damage to the organization.

1.0 Overview

E-mail configuration and security is a very important part of organizational computer security since email is a primary method used by attackers to gain control of user workstations or steal account information.

2.0 Purpose

This E-mail Policy is intended to provide minimum standards of configuration and control for E-mail. This E-mail Policy defines how organizational e-mail will be configured to reduce the chance of system compromise, destruction of data, and unauthorized access. This E-mail policy will also help protect the operation of email systems. This E-mail policy defines the proper and professional use of email and email resources.

3.0 Scope

This E-mail Policy applies to anyone using the organizational email system, including all members of the organization and those who work on organizational premises or equipment. This e-mail policy applies to contractors, vendors, part-time users, and other staff. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 E-mail Use, Rights, and Privacy

The following items apply to email use:

  • All email on the organizational system is the property of the organization.
  • Any email on the organizational system may be monitored or audited. Any email account password or settings may be changed for purposes authorized by management.
  • There is no right to privacy when using the organizational email system.
  • The organization holds the right of privacy of material on its email system. No external organization has rights to view or modify organizational email except where explicitly mandated by law.
  • Email access to any users or all users may be completely or partly restricted with no prior notice.
  • Email must be used in a professional and courteous manner.
  • The organizational email system may not be used in a manner that denies, restricts, or interferes with other users' access to the system.
  • The organizational email system may not be used in a manner to put undue strain on the system.
  • The organizational email system may not be used for sending spam.
  • The organizational email system may not be used for sending mass emails (more than 50 at a time) without the consent of management.
  • Email use is subject to the Acceptable Use Policy, Code of Ethics Policy, Code of Ethical Conduct Policy, and the Privacy and Confidentiality Policy.

5.0 Requirements

The following rules apply to e-mail servers and to the configuration of the e-mail system and its servers.

  • The Server Security Policy and associated policies must be followed, including but not limited to server hardening, system updates, antivirus protection, and backups.
  • All inbound and outbound mail must be screened for viruses and malware. This is in addition to anti-virus software protecting the e-mail server.
  • Administrative access to email servers must be monitored or recorded.
  • Use of external e-mail services for organizational business purposes is not allowed without explicit management permission. The director of computer security must approve this use after the sensitivity of the data to be handled on the external e-mail system has been established and evaluated. Use of external e-mail for sensitive data should not be allowed, since the organization cannot control the security of those systems.
  • All users should be trained to understand what data is sensitive and how to protect it. Users should also be trained in the safe use of email, including the fact that it may be read by third parties while traveling over unsecured media, and they should learn how to avoid e-mail scams.
  • When email contains sensitive data, it should be encrypted according to organizational encryption standards outlined by the Encryption Policy.
  • Strong authentication to the email system, such as dynamic passwords, challenge-response, biometrics, and/or public key cryptography, should be provided and required for remote users.
  • All organizational e-mail servers shall be configured to strip dangerous file attachments or delete emails containing them. Dangerous file attachment types shall be determined by the e-mail server manager and will include but not be limited to executable file attachments. A list of these attachment types shall be developed and all users shall be informed which attachments are not allowed. In some cases users will be given a secure work around for sending files. This will prevent many virus infections that may attempt to enter the organization before the virus is identified by the anti-virus tool. See Mail and Security for more information and a list of dangerous attachments.
  • Relaying of email through organizational servers without authentication shall not be allowed. No organizational server may be configured to allow relaying without authentication.
  • The email server non-delivery reply feature shall be configured as follows:
    • Email containing viruses that is sent to non-deliverable addresses shall not be answered with non-delivery responses, since viruses forge many sender addresses. Such responses waste administrators' time trying to track down viruses that do not exist.
  • According to the Workstation Configuration Policy, end user systems shall be configured to show file extensions for known file types so users can see the file types they are opening and are less likely to be tricked into opening executable files when they think they are opening text files.
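As an illustration of the attachment-stripping requirement above (added here; not part of the policy or any product the organization uses), the following filter parses a message, finds attachments whose final extension is on a block list, and either replaces each with a plain-text notice or rejects the whole message. The block list and the sample message are constructed for the example; the policy's real list, maintained by the e-mail server manager, is not reproduced here.

```python
import os
import email
from email import policy

# Hypothetical block list standing in for the list the e-mail server manager keeps.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample: one harmless text attachment and one file whose name hides an executable extension behind ".txt".
SAMPLE = b"""From: sender@example.test
To: user@example.test
Subject: Q4 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="notes.txt"

Meeting notes.
--bnd
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.txt.exe"

not a real program
--bnd--
"""

def is_blocked_filename(filename):
    """True when the final extension is on the block list; the server sees the
    full name, so 'report.txt.exe' is caught even if a workstation hides '.exe'."""
    if not filename:
        return False
    return os.path.splitext(filename.strip().lower())[1] in BLOCKED_EXTENSIONS

def apply_policy(raw, mode="strip"):
    """Enforce the block list on a raw message. Returns (action, message, removed):
    'deliver' untouched, 'strip' with blocked parts replaced by a notice, or 'delete'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = [p for p in msg.walk()
               if p.is_attachment() and is_blocked_filename(p.get_filename())]
    removed = [p.get_filename() for p in blocked]
    if not removed:
        return "deliver", msg, []
    if mode == "delete":
        return "delete", None, removed
    for part in blocked:
        # set_content replaces the payload and every Content-* header, so the part stops being an attachment
        part.set_content(f"Attachment '{part.get_filename()}' removed by e-mail policy.\n")
    return "strip", msg, removed
```

In a real deployment this logic would sit in the mail server's content filter (for example a milter), and the notice text gives the user the "behavior of servers when attachments are blocked" that section 7.0 asks to be communicated.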

6.0 Enforcement

Since E-mail security and configuration is a very important part of organizational computer security, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

7.0 Other Requirements

  • Create a list of file attachment types that are not allowed. See Mail and Security for a list of dangerous attachments.
  • Inform users about blocked attachments and the behavior of servers when attachments are blocked (NDR notice, email deleted, etc.), and provide workaround solutions for business processes that require exchange of dangerous attachments.


Approved by:__________________________ Signature:_____________________ Date:_______________