S 2.122 Standard e-mail addresses
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User, Administrator
E-mail addresses should be allocated on the basis of clear naming conventions. In this context, it is important that no non-ASCII characters such as German umlauts are used in e-mail addresses.
To impede attacks, to avoid spam and advertising e-mails, and to disclose as little information as possible outside the protected network, it may be advisable to assign e-mail addresses that are difficult to guess instead of addresses derived directly from the user or the organisation, such as surname@organisation.com. However, this makes passing on addresses less convenient and can make communication with external parties more difficult.
If e-mail addresses are changed or cease to apply, it must be ensured that, at least for a transitional period, e-mail still sent to the old address is redirected to the address currently in use.
Setting up function-specific e-mail addresses
In many organisations, business processes are now handled completely or in part by e-mail. It is therefore important that messages reach the correct recipient promptly. Because of holidays, business trips, illness or personnel changes, however, entirely different people may be responsible for processing an e-mail at different times.
Therefore, organisation- and/or function-specific e-mail addresses should be set up for certain functions in order to ensure delivery to the correct organisational unit irrespective of specific persons. This is especially important for central points of contact. This approach provides the following advantages, amongst others:
- E-mails sent to function-specific addresses may be distributed directly to deputies. Thus, quick processing can be achieved even if the main point of contact is absent. If e-mails to function-specific addresses are not forwarded directly to the respective contact person, but are stored in separate mailboxes, this approach also offers an additional advantage in terms of data protection. In this case, it is not necessary to "open" the actual recipient's personal mailbox in the event of an unplanned absence (for example accident, illness).
- If the responsibilities change, it is not necessary to inform all communication partners. In this case, it is only necessary to forward all e-mails addressed to the function-specific e-mail address to the new contact person.
- Function-specific e-mail addresses can be named in an informative manner, e.g. counselling@..., webmaster@..., sales@..., which are thus often easier to remember than personal addresses.
- Because function-specific addresses are used, recipients can recognise the probable topic of an e-mail irrespective of its subject line.
For various functions directly related to operating an Internet domain, the relevant de-facto standards (IETF RFCs, here in particular RFC 822 and RFC 2142) additionally require that certain function-specific e-mail addresses (for example postmaster) be available (see also S 2.456 Secure administration of groupware systems).
It should be documented which organisation- and function-specific e-mail addresses are available and for what purpose they are used.
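As an added example (not part of the safeguard text), the following Python script audits a constructed address inventory against the points above: non-ASCII local parts, deviation from a naming convention, function-specific addresses without a documented purpose, retired addresses with no forwarding target, and missing RFC 2142 role mailboxes. The inventory format, the naming convention and the set of required role names are assumptions made for this example.

```python
import re

# Constructed address inventory (format assumed for this example):
# local-part, kind (personal|function), status (active|retired), forward-to, purpose
INVENTORY = """\
j.mueller,personal,active,,
müller,personal,active,,
postmaster,function,active,,mail system operator contact (RFC 2142)
abuse,function,active,,reports of misuse originating from the domain
webmaster,function,active,,
sales,function,active,,sales enquiries
h.schmidt,personal,retired,k.weber,
t.becker,personal,retired,,
"""

# Subset of the role mailbox names defined in RFC 2142 that this audit expects to exist.
REQUIRED_ROLE_ADDRESSES = {"postmaster", "abuse", "hostmaster", "webmaster"}

# Naming convention assumed here: ASCII lowercase letters, digits, '.' and '-',
# beginning and ending with a letter or digit (no umlauts or other non-ASCII).
LOCAL_PART_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def convention_violations(local_part):
    """Return the naming-convention problems found in one local part."""
    problems = []
    if not local_part.isascii():
        problems.append("contains non-ASCII characters")
    if LOCAL_PART_RE.fullmatch(local_part) is None:
        problems.append("does not match the naming convention")
    return problems


def audit(inventory_text):
    """Check an inventory against the safeguard's requirements; return a list of findings."""
    findings = []
    active = set()
    for line in inventory_text.splitlines():
        local, kind, status, forward, purpose = line.split(",")
        if status == "active":
            active.add(local)
            findings.extend(f"{local}: {p}" for p in convention_violations(local))
            if kind == "function" and not purpose:
                findings.append(f"{local}: function-specific address without documented purpose")
        elif status == "retired" and not forward:
            findings.append(f"{local}: retired address has no forwarding target")
    for role in sorted(REQUIRED_ROLE_ADDRESSES - active):
        findings.append(f"{role}: required role address missing")
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```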
Review questions:
- Is a clear naming convention available for e-mail addresses?