business email terms

It's becoming increasingly common to see emails purporting to be from companies with whom we do business, but which are, in fact, phishing, unsolicited advertising or other forms of network abuse. Mostly we can tell which ones are genuine, since we use specific email addresses for specific tasks, and an email telling us we've got an overdue invoice, sent to a family history mailbox, for example, is clearly not genuine. But scammers are getting better, and companies we do business with seem to be pretty lax about keeping our specifically-for-them email addresses secure.

We also seem to be getting more and more emails with no address to which to make enquiries or replies. This is not just bad netiquette - it's indicative of a wholly unacceptable attitude to the customer or client which is guaranteed to alienate us, and lose our business. Increasingly, mail from "no-reply" mailboxes is simply treated as spam - we will never see it, and we really don't want to. Conversations are two-way things - we don't want your monologue.

It is our standard policy, therefore, not to accept emails which do not have a valid reply address, which ask us to visit a website, or which are not digitally signed by a private key whose public key we can obtain from public key servers, and which we can validate using open source software.

This means that we will not visit your website to download our bill, for example. If you want to send us a bill, you can do it on paper, by post (and accept that we may be away from home for up to two months at a time and will not see it), or you can send it by email. We really mean "send". The bill has to be in the email. We don't mind a printable PDF as an attachment, but we'd prefer that the important information is in plain text or, at least, something that is easy to parse without spending hours writing software. We would like to pay promptly, and to do that, we need to automate. We most certainly cannot automate a payment if your bill is in some complex, poorly documented format. We will never open Microsoft Word documents, and we can't readily parse PDFs, so send it in plain, honest-to-goodness, 7-bit ASCII text. Signed, and encrypted.

We will also not visit your website to send you a message. That doesn't leave anything in our "sent mail" folders, so we have no audit trail. Even if your website sends us a copy of a message filled in on a webform, this doesn't connect with other email via the threading mechanism which email uses. It becomes very time-consuming to go back over previous communications. We don't have that time - even if you paid us for wasting our time, we'd really rather do something productive.

"But email is not secure!" say organisations such as my bank (NatWest), which are staffed by luddites and idiots. Why is your email not secure? Mine is. If you want me to believe that the email is from you, you can digitally sign it. If you want no-one except me to read it (and even if you don't want that, it is likely that I do), you can encrypt it. My OpenPGP/GPG public keys are on public keyservers, or you can ask for a key specifically for your use, which you can sign and trust. This technology is commonplace and mature - signed and encrypted email has been mainstream for two decades. We will accept any form of digital signature which can be validated using open source software, but prefer OpenPGP/GPG which, of course, is free (as in beer).

So, here are our terms and conditions for using electronic communications if you want to gain or retain our business:

  1. If the mail is bounced, at whatever stage, someone at your end must be aware of this and take action - you must have monitoring in place for failed emails.
  2. There must be a valid place to reply, by email, to a human reader who has, or can obtain, knowledge of the sent email.
  3. Mail must be digitally signed and traceable to a specific person responsible for it.
  4. Mail must not expect us to visit a website for information specific to our account, with or without a login. We don't object to having the facility to do so, but will not undertake to do so in response to email. If you want us to receive information, it must be in the email.
  5. If you want to send us anything in confidence, encrypt it.
  6. If you want to be sure that we have received your email, ask for an MDN. We undertake to honour MDN requests for emails which meet the previous criteria.

In turn, we are more than happy to sign outgoing email, and for your email address only to accept mail from known addresses. We will encrypt if you give us a public key.

We increasingly rely on software to diagnose mail which fails to meet the above criteria, and mail which doesn't pass muster will not be seen by a human reader. It will be taken as an indication that you don't want our business, and we will be more than happy that you don't get it. Bad service is bad business, and bad businesses go bust. Good riddance to them.
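The software triage mentioned above, as an added example that is not part of this page's own tooling: a Python check of an incoming message against terms 2, 3 and 4 (a human reply address, an OpenPGP signature, the information in the mail rather than on a website) and the Word-attachment rule, also reporting whether the sender asked for an MDN. The two sample messages are constructed; only the structure of a signature is checked, since deciding whether it actually verifies is gpg's job, and the "website only" rule is a word-count heuristic.

```python
import re
from email import message_from_bytes, policy, utils
# Constructed sample messages (not real mail) used to exercise the checks below.
NOREPLY_PORTAL = b"""From: no-reply@example.com
Content-Type: text/plain

Please visit https://portal.example.com to view your invoice.
"""

SIGNED_INVOICE = b"""From: accounts@example.com
Reply-To: jane.doe@example.com
Disposition-Notification-To: jane.doe@example.com
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

Invoice 123: 10.00 GBP due 2024-06-01
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
constructed placeholder, not a real signature
-----END PGP SIGNATURE-----
--b1--
"""

NOREPLY_RE = re.compile(r"^(no-?reply|do-?not-?reply)@", re.I)
WORD_TYPES = {"application/msword",
              "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}

def triage(raw: bytes) -> dict:
    """Structural checks only; whether a signature verifies is left to gpg (not run here)."""
    msg = message_from_bytes(raw, policy=policy.default)
    failures = []
    addr = utils.parseaddr(str(msg.get("Reply-To") or msg.get("From") or ""))[1]
    if not addr or NOREPLY_RE.match(addr):  # term 2: a human must be reachable by reply
        failures.append("no valid reply address")
    signed = (msg.get_content_type() == "multipart/signed"
              and msg.get_param("protocol") == "application/pgp-signature")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if not signed and "-----BEGIN PGP SIGNED MESSAGE-----" not in text:  # term 3
        failures.append("not OpenPGP signed")
    # term 4 (heuristic): a link with almost no other text means "go to our website"
    if re.search(r"https?://", text) and len(re.sub(r"https?://\S+", "", text).split()) < 12:
        failures.append("information only on a website")
    if any(a.get_content_type() in WORD_TYPES for a in msg.iter_attachments()):
        failures.append("Word attachment")  # plain text (or at worst PDF) only
    return {"failures": failures, "mdn_requested": "Disposition-Notification-To" in msg}
```

A message whose `failures` list is non-empty would be filed as spam rather than shown to a human; an empty list with `mdn_requested` set is one for which an MDN would be returned.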