business email terms

It's becoming increasingly common to see emails purporting to be from companies with whom we do business, but which are, in fact, phishing or other forms of scam. Mostly we can tell which ones are genuine, since we use specific email addresses for specific tasks, and an email telling us we've got an overdue invoice, sent to a family history mailbox, for example, is clearly not genuine. But scammers are getting better, and companies we do business with seem to be pretty lax about keeping our specifically-for-them email addresses secure.

We also seem to be getting more and more emails with no address to which to make enquiries or replies. This is not just bad netiquette - it's indicative of a wholly unacceptable attitude to the customer or client which is guaranteed to alienate us, and probably lose our business.

It becoming our standard policy, therefore, not to accept emails which do not have a valid reply address, which ask us to visit a website, or which are not digitally signed by a private key whose public key we can obtain from public key servers, and which we can validate using open source software.

This means that we will not visit your website to download our bill, for example. If you want to send us a bill, you can do it on paper, by post (and accept that we may be away from home for up to two months at a time and will not see it), or you can send it by email. We really mean "send". The bill has to be in the email. We don't mind a printable PDF as an attachment, but we'd prefer that the important information is in plain text or, at least, something that is easy to parse without spending hours writing software. We would like to pay promptly, and to do that, we need to automate.

We will also not visit your website to send you a message. That doesn't leave anything in our "sent mail" folders, so we have no audit trail. Even if your website sends us a copy of a message filled in to a webform, this doesn't connect with other email via the threading mechanism which email uses. It becomes very time-consuming to go back over previous communications. We don't have that time - even if you paid us for wasting our time, we'd really rather do something productive.

"But email is not secure !" say organisations like, say, my bank (NatWest). Why is your email not secure ? Mine is. If you want me to believe that the email is from you, you can digitally sign it. If you want no-one except me to read it, you can encrypt it. My OpenPGP/GPG public keys are on public keyservers, or you can ask for a key specifically for your use, which you can sign and trust. This technology is commonplace and mature - signed and encrypted email has been mainstream for two decades. We will accept any form of digital signature which can be validated using open source software, but prefer OpenPGP or GPG.

So, here are our terms and conditions for using electronic communications if you want to retain our business:

  1. If the mail is bounced, at whatever stage, someone at your end must be aware of this and take action
  2. There must be a valid place to reply, by email, to a human reader who has knowledge of the sent email.
  3. Mail must be digitally signed.
  4. Mail must not expect us to visit a website for information specific to our account, with or without a login. We don't object to having the facility to do so, but will not undertake to do so in repsonse to email. If you want us to receive information, it must be in the email.
  5. If you want to send us anything in confidence, encrypt it.
  6. If you want to be sure that we have received your email, ask for an MDN. We undertake to honour MDN requests for emails which meet the previous criteria.

In turn, we are more than happy to sign outgoing email, and for your email address only to accept mail from known addresses. We will encrypt if you give us a public key.

We increasingly rely on software to diagnose mail which fails to meet the above criteria, and mail which doesn't pass muster will not be seen by a human reader.