Guidelines for Email Use at University of Guelph
April 27, 2026
The University of Guelph provides email accounts to students, staff, faculty and other authorized users to support administration, teaching, learning and research. Email security is a foundational element of the University's cybersecurity defenses since email is one of the most common vectors for unauthorized access and data breaches within higher education and research institutions. This guideline promotes safer, more effective use of University email by describing security measures in place and recommended practices that help protect personal and institutional information, and support compliance with applicable University policies.
These guidelines apply to all University-provided email services and all account holders including, but not limited to, students, staff, faculty, retirees and contractors, unless otherwise indicated.
These guidelines are intended to support other University policies, standards and procedures by providing the practical context and best practices necessary to meet our institutional standards. While policies dictate 'what' must be done, these guidelines offer the 'how' to ensure a consistent and secure experience. If there is a conflict between this guideline and an approved University policy or standard, the policy or standard takes precedence. Where local unit procedures are more restrictive, those more restrictive procedures should be followed.
Concerns about misuse of University email may be addressed under applicable University policies and administrative procedures, such as the Acceptable Use Policy for Information Technology (AUP) and other relevant processes as appropriate.
- Email Accounts - Access to University email is provided to support teaching, learning, research and administrative activities. Email accounts are provided in accordance with Computing and Communications Services (CCS) processes for central login accounts. To minimize the University's digital attack surface and ensure efficient resource allocation, email accounts should be created judiciously and only for specific, defined institutional purposes that justify the ongoing costs of maintaining and securing them. For questions on the use of shared mailboxes and organizational accounts for specific use cases, refer to the CCS guidance on sharing access to mailboxes.
- Acceptable Use - All users must adhere to the University’s Acceptable Use Policy (AUP). Examples of email-related activities that would violate the AUP include, but are not limited to, sharing copyrighted material, forwarding confidential or restricted University information to a personal email account, cyberbullying or discrimination, distributing offensive or obscene material, promoting violence, exploiting user lists or directory information for purposes beyond their intended scope, intentionally spreading malicious software, and accessing another user’s information.
- Account Expiration and Removal - For security reasons, all accounts expire and are removed based on the terms and conditions related to that account’s primary affiliation with the University. Details on the timing of expiration can be found on the CCS website.
- Passwords and Multi-Factor Authentication - All University of Guelph account holders are responsible for protecting their accounts and must follow the University Password Standard and the University’s multi-factor authentication (MFA) requirements. Phishing-resistant MFA methods, including app-based MFA and passkeys, are strongly recommended to better protect University accounts. Legacy MFA methods, such as text messages and phone calls, are susceptible to interception and should only be utilized in situations where app-based MFA or passkeys are not feasible. MFA methods and requirements may change as security guidance and technology evolve.
- Confidentiality - Email should not be considered a secure method of communication. By default, the contents of email messages may not be encrypted end-to-end, and messages can be misdirected, forwarded or accessed without the knowledge of the sender or intended recipient. In accordance with the Data Classification Policy, confidential information, such as passwords, personally identifiable information (PII) and other confidential data, must never be sent via email unless appropriate protections are used, such as encrypting attachments or using email encryption. Microsoft Office 365 users can password-protect and encrypt Microsoft Office documents prior to sending. Users should make themselves familiar with the Data Classification Policy and follow the requirements for handling and sharing sensitive information.
- Limited Personal Use - In accordance with the AUP, email may be used for limited personal purposes, provided that such use does not violate University policy or any law. Personal use must not be for financial gain, must not incur any additional costs for the University, must not impede the ability of other University users to do their work, must not circumvent any University security controls, and must not negatively impact the reputation of the University or the operation of University systems, applications or networks. As well, all users should avoid using their University email account to register for non-University related services to ensure continued access to those services after graduation or departure from the University.
- Automatic Email Forwarding - Under the Acceptable Use Policy (AUP) and related University requirements for protecting institutional information, staff and faculty are not permitted to configure their University email account to automatically forward email to external third-party email providers. Automatic forwarding can bypass institutional security controls, increase the risk of data loss or unauthorized access, increase complexity and support requirements, and make it more difficult for the University to meet legal and privacy obligations. The University may implement technical measures to restrict or disable automatic forwarding to external email services to reduce institutional risk.
- Email Client Support - To support compatibility, security, privacy and consistent service across the University, CCS supports the following methods for accessing email services:
To guarantee full functionality, the use of alternative email clients, including Apple Mail and other third-party applications, is not supported by CCS and therefore not recommended for use with University of Guelph email accounts.
- Suspicious, Unsolicited or Offensive Email - When users receive email messages that are suspicious, unsolicited or contain offensive content, they are encouraged to report them by forwarding the email to the CCS Help Centre. Always use caution with unexpected messages to help protect your account and devices. For example:
  - Do not reply to unsolicited messages.
  - Do not open attachments or click links from unknown or untrusted sources.
  - Offensive, harassing or discriminatory messages violate University policy and may result in action under applicable processes. Report any such messages by forwarding them to the CCS Help Centre.
  - Report phishing and junk mail by using the “Report Phishing” and “Block Sender” functionality in Outlook respectively.
  - Stay current on the latest email threats, including AI-generated phishing and QR code phishing by reviewing the content on the Information Security website.
- Misrepresentation - Email users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of the University of Guelph unless they are explicitly authorized to do so. Where necessary, an explicit disclaimer should be included such as, "These statements are my own and do not reflect the views or opinions of the University of Guelph."
- Email Aliases - An email alias is an alternate email address attached to an existing email account, with which a user can send and receive email. The alias itself does not have a separate inbox or login. Email aliases in the format firstname.lastname@uoguelph.ca are permitted for staff and faculty, however they are not created automatically. All requests for email aliases should be submitted to the CCS Help Centre and are reviewed based on the use case, appropriateness and availability. Aliases are not available for student accounts.
- Mass Email - Individuals or groups within the University community that need to send email messages to a large number of recipients must follow the Mass Email Policy. Senders of mass email must be familiar with and adhere to the Canadian Anti-Spam Legislation (CASL). Email sent to groups or distribution lists must always identify how recipients can unsubscribe if they no longer wish to receive communications.
- Organizations and Applications Sending Email on Behalf of the University - In situations where external vendors or applications need to send email on behalf of the University (i.e. from the uoguelph.ca domain), those organizations are expected to meet modern email security standards to help protect recipients and the institution. This includes the requirement for digitally signing email to ensure messages are trusted and verified as legitimate. Partner organizations remain responsible for their own email systems, including maintaining and protecting security credentials. Organizations sending email from non‑University domains are also expected to authenticate their messages appropriately, and high‑volume senders should publish additional protections to meet the requirements of major email providers and reduce the risk of messages being blocked or flagged as suspicious.
- Email Subdomains - Department-specific email aliases or subdomains, such as userid@department.uoguelph.ca, are no longer issued and their use is being phased out. When a staff member changes roles or retires from the University, email aliases are removed. Account holders that currently have an alias in this format are encouraged to update their contact information to solely use their userid@uoguelph.ca email address or approved alias.
- Administrative Access - In limited circumstances, authorized University staff may need to access or examine an email account to address suspected compromise, support urgent operational requirements, or assist with investigations. This may include, but is not limited to, situations involving a formal complaint, suspected malicious activity, or a suspected breach of policy or law. Any such access is expected to follow the approvals and procedures described in the Acceptable Use Policy and applicable privacy requirements.
- Account Locking - The University may restrict access to a user account when:
  - There is evidence that the account has been compromised
  - There are indicators of suspicious or malicious activity
  - The account is being used to deliver unsolicited email
  - The account is found to be in violation of the Acceptable Use Policy
  - Restriction is required by law enforcement, University Human Resources, Faculty and Staff Relations, Legal, Privacy, or Student Affairs
In the event that Information Security detects indicators of compromise or suspicious behavior on a user account, the first action will be to force a password change at next login. However, depending on the risk associated with the detected activity, a full account lock may be required. If an account is locked, email will continue to be received, however the user will need to contact the CCS Help Centre to verify their identity prior to the account being reinstated.
- Automated Monitoring and Threat Prevention - The University uses industry-standard automated email security monitoring systems for detecting and eliminating malicious content which may affect the integrity or operation of the University’s email system. Scanning and filtering are highly effective, however, threat actors continuously adjust tactics and techniques to bypass security controls. As a result, unwanted or offensive messages may still be delivered to University users, and legitimate messages may be incorrectly blocked or sent to the “Junk Mail” folder inadvertently. Users are encouraged to frequently check their Junk Mail folder for legitimate messages, review the Information Security guidance on how to spot and react to malicious email messages and report phishing, spam, or misclassified email to the CCS Help Centre.
- Automated Malicious Email Removal - The University uses automated tools to proactively remove malicious email messages delivered to user mailboxes as necessary. This approach is a security best-practice and part of the institution’s commitment to maintaining a secure email environment and protecting users from emerging threats. Such actions are taken to reduce risk and ensure the ongoing integrity of University systems.
- Email Logs - The University collects and uses email system logs to support security monitoring, compliance with applicable University policies, capacity planning, troubleshooting, investigations and reporting. Logs include metadata rather than full message content. Access to logs is limited to authorized staff and is managed in accordance with applicable policies and privacy requirements, such as the HR Electronic Monitoring Policy.
- E-Discovery Practices - The University of Guelph is committed to meeting its legal and regulatory obligations related to e‑discovery. Email messages sent, received or stored on University systems may be subject to disclosure during litigation, investigations or formal access-to-information requests. The University will follow established processes and policy to protect user information while meeting these obligations, ensuring that all actions relating to e-discovery are carried out responsibly and transparently.
- Security Awareness Phishing - To strengthen cybersecurity awareness, the University continuously runs phishing simulation exercises involving students, staff and faculty. These exercises are not punitive and are intended to build awareness of deceptive email tactics, build safer digital habits and reduce the risk of real‑world security incidents. Participation data may be used in aggregate to improve training and awareness programs; however, individual results are handled responsibly in accordance with University Privacy and Information Security policies.
Users with questions or requiring assistance should contact the Information Security team via email (infosec@uoguelph.ca) or the CCS Help Centre (https://ithelp.uoguelph.ca/it-help).
Microsoft Copilot was used in the creation and editing of this document. All generated content has been reviewed and verified to be accurate.
Written by: CCS Information Security