CDT Email Setup
Comrie Development Trust — Email modernisation summary for the team
The principle: function-first email
Emails belong to the role, not the person. All external correspondence goes through shared functional mailboxes that the whole team can see. Personal addresses are just for signing in, internal messages, and calendar invites. This follows NCSC guidance on individual accounts and no shared passwords, and aligns with the governance principles set out by OSCR and the Charity Governance Code.
The setup at a glance
How email flows — practical examples
[Table of practical email-flow examples: read each row left to right; blue highlights shared mailboxes.]
Who sent what — attribution
“If everyone sends from chair@, how do we know who wrote it?” M365 tracks this automatically.
- Visible to the recipient: with Send on Behalf, the recipient sees “Fiona on behalf of Chair | CDT” — transparent and professional. They know both the role and the person.
- Sent Items folder: the Sent Items in the shared mailbox shows who sent each message — visible to all members.
- Audit logs: Microsoft 365 automatically records every “Send on Behalf” action with the individual user's identity. Retained for 90 days (standard) or longer with extended licences.
- Sent copy setting: enable MessageCopyForSentAsEnabled (and its Send on Behalf counterpart, MessageCopyForSendOnBehalfEnabled) so sent items are automatically saved in both the sender's personal mailbox and the shared mailbox. Full transparency.
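The audit-log record described above can be turned into a "who sent what on behalf of which mailbox" report. This is an added example, not part of the CDT page; it assumes the ExchangeOnlineManagement module, an admin holding an audit-reading role, the placeholder domain YOUR-TENANT.example, and the field names of the Exchange mailbox audit schema (SendOnBehalfOfUserSmtp, UserId, Item.Subject).

```powershell
# Added example (not part of the CDT page): list who sent on behalf of which shared
# mailbox, from the Microsoft 365 unified audit log.
# Assumptions: ExchangeOnlineManagement module installed, the signed-in admin holds
# an audit-reading role, and YOUR-TENANT.example is replaced with the real domain.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'itadmin@YOUR-TENANT.example' -ShowBanner:$false

function Get-SendOnBehalfReport {
    param(
        [int]$Days = 30,
        # Leave empty to report on every shared mailbox.
        [string[]]$Mailboxes = @('chair@YOUR-TENANT.example', 'treasurer@YOUR-TENANT.example')
    )
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Mailbox auditing writes one SendOnBehalf record per message. ResultSize caps a
    # single call at 5000; use -SessionCommand ReturnLargeSet for a busier tenant.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeItem -Operations SendOnBehalf -ResultSize 5000

    foreach ($r in $records) {
        # AuditData is a JSON document; field names follow the Exchange mailbox audit schema.
        $d = $r.AuditData | ConvertFrom-Json
        $onBehalfOf = $d.SendOnBehalfOfUserSmtp     # the shared mailbox (e.g. chair@)
        if ($Mailboxes.Count -gt 0 -and $Mailboxes -notcontains $onBehalfOf) { continue }
        [pscustomobject]@{
            When     = [datetime]$d.CreationTime
            Person   = $d.UserId                      # the individual who clicked Send
            Mailbox  = $onBehalfOf
            Subject  = $d.Item.Subject
            ClientIP = $d.ClientIPAddress
        }
    }
}

# Full list, newest first, then a per-person tally for the chair@ mailbox.
$report = Get-SendOnBehalfReport -Days 30
$report | Sort-Object When -Descending | Format-Table -AutoSize
$report | Where-Object Mailbox -eq 'chair@YOUR-TENANT.example' |
    Group-Object Person | Select-Object Name, Count
```

The same query with `-Operations SendAs` covers delegates granted Send As instead of Send on Behalf, should any be added later.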
Potential pitfalls and how we handle them
Shared mailboxes bring shared responsibility. Here are the most common issues and the built-in safeguards.
Two people reply to the same email
When someone starts replying, Outlook shows a “Fiona is replying to this message” notice to other mailbox members. Once sent, the reply appears immediately in the shared Sent Items so others see it was handled.
Mitigation: Use Outlook categories or flags (e.g. “In progress”, “Handled”) to claim items. For high-volume mailboxes like lettings@, agree a simple rota or split by alphabet.
Accidentally sending from the wrong address
When replying from within a shared mailbox, Outlook automatically sets the From address to the shared address — so this rarely happens. The path of least resistance is already correct.
Mitigation: If someone does send from their personal address by mistake, it's not blocked — the email goes through. This is by design: the policy encourages using shared addresses, but doesn't create friction. Over time, the habit forms naturally.
Email gets lost or missed
Because multiple people have access to each shared mailbox, there's always a colleague who can see and respond if someone is away. Emails cannot be siloed in one person's inbox.
Mitigation: If someone external emails a personal address about trust business, the policy asks staff to forward it to the relevant shared mailbox. CDT owns all mailboxes in the tenant, so even if someone forgets, the admin can always access it.
Someone deletes important emails
Shared mailbox items deleted by one member go to the shared Deleted Items, where any other member can recover them. Microsoft 365 retains deleted items for 14 days by default (extendable to 30).
Mitigation: For critical mailboxes (chair@, treasurer@), an admin can enable a litigation hold which preserves everything permanently, even after deletion.
When things change
Role changes, leavers, and new starters are covered in the How It Works tab. Step-by-step admin procedures are in Policy & Manual.
Two types of mailbox, one team
Everyone signs in with their own personal account. Shared mailboxes appear as extra folders in Outlook — no separate password needed.
Shared mailboxes appear automatically. Click between them like folders.
Your day-to-day workflow
A typical day for any team member.
Avoiding duplicate replies
- Flag or categorise an email when you start handling it. Colleagues see the flag immediately.
- Check Sent Items in the shared mailbox — if someone already replied, you'll see it.
- For busy periods, agree a simple rota: “I'll cover lettings@ this morning, you cover admin@.”
How email flows in
Give the public the shared addresses (admin@, lettings@, chair@). Multiple people always have eyes on it.
Use personal addresses for internal team chat, calendar invites, and individual tasks.
What happens when…
Someone is on holiday or sick
Shared mailboxes: no impact — the rest of the team is already monitoring them. Personal mailbox: set an Out of Office auto-reply. An admin can grant temporary delegate access if needed.
Someone leaves CDT
Block sign-in. Remove from shared mailboxes. Convert personal mailbox to shared (preserves emails, frees licence). Grant a colleague access to handle loose ends. Set an auto-reply redirecting people to the right address.
Someone new joins
Create a personal mailbox + licence. Add to relevant shared mailboxes. They see everything immediately — full history, no handover folders.
What the authorities actually say
No single authority says “set up shared mailboxes.” Our email architecture is a design decision we've made based on principles from several sources. Here's an honest breakdown.
How to read this table: “Directly supports” means the source contains specific language that our setup implements. “Aligns with” means the source sets a general principle that our setup is consistent with — but doesn't prescribe this specific approach.
Directly supports our setup
| Source | What it actually says | Our connection |
|---|---|---|
| Microsoft 365 (the platform vendor) | "Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function." Sign-in is blocked; access is via individual credentials. | Our setup uses shared mailboxes exactly as Microsoft designed them: functional addresses (chair@, lettings@) accessed through individual sign-ins, with no shared password. |
| NCSC Small Charity Guide (UK Gov cyber security) | "Your charity's IT systems should not require trustees, volunteers or staff to share accounts or passwords." Use 2FA on email. Give people the least access needed. | Our setup eliminates shared passwords entirely. Every person signs in with their own account + 2FA. Access is granted per role and revoked instantly. |
| Cyber Essentials (UK Gov certification scheme) | "Authenticate users with unique credentials." "Authentication to cloud services must always use MFA." "Remove or disable user accounts when no longer required." | Unique credentials per person, MFA on all cloud services, accounts disabled on departure. Some funders require this certification. |
| ITIL 4 (IT service management) | "The service desk should be the entry point and single point of contact." "A Service Desk should make it easy for users: one email per service function." | The ITIL "single point of contact" principle is exactly what functional mailboxes provide. Users contact lettings@ or admin@, not individual staff. |
| NIST SP 800-53 (US Gov security controls) | IA-2: "Uniquely identify and authenticate organizational users." AC-2(9): shared accounts create "increased risk due to the lack of accountability." AU-3: audit records must capture individual identity. | Every action is traceable to an individual via audit logs. Shared mailboxes avoid the accountability gap because each person signs in with their own identity. |
| ISO 27001:2022 (international security standard) | A.5.16: "A specific identity is only linked to a single person." Shared identities need "dedicated approval and documentation." | Each person has their own identity (bravo@, lindsay@) to access shared resources. No shared identities exist. ISO 27001 is the international gold standard. |
| CIS Controls v8 (global cybersecurity benchmarks) | 6.3: "Require all externally-exposed enterprise applications to enforce MFA." 5.4: "Restrict administrator privileges to dedicated administrator accounts." | MFA on all accounts and admin access separated from daily email use, following CIS baseline controls (Implementation Group 1 — essential for all organisations). |
Aligns with (general principles, not email-specific)
| Source | What it actually says | Our connection |
|---|---|---|
| OSCR (Scottish Charity Regulator) | "Charity trustees have collective responsibility." Requires proper accounting records and minuted decisions. Does not mention email architecture. | Shared mailboxes support collective oversight — all trustees see correspondence for their function. But OSCR's focus is governance duties, not email systems. |
| Governance & Digital Codes (2025 editions) | Governance Code: "The board leads the organisation in being transparent and accountable." Digital Code: "Charity leaders must drive digital." Neither mentions email or specific technology. | Our setup supports transparency (shared visibility), accountability (audit trails), and demonstrates digital leadership. But these are principles, not technical prescriptions. |
| UK GDPR / ICO (Data Protection Act 2018) | "A name and a corporate email address clearly relates to a particular individual and is therefore personal data." Does not say whether role-based addresses (chair@, info@) are or aren't personal data. | Role-based addresses are less likely to be personal data than firstname@ — but in a small org, chair@ could still indirectly identify someone. Simplifies data management, but no automatic exemption. |
| Cyber Breaches Survey 2025 (DSIT / Ipsos) | 30% of charities breached. Phishing is the #1 attack (86%). Average cost: £8,690. A statistical survey — contains no recommendations. | Illustrates the threat landscape. 2FA and individual accounts are effective defences — but that link comes from NCSC guidance, not the survey. |
What happens when organisations don't do this
Real, publicly reported UK cases. Each shows the kind of risk our setup prevents.
Bible Society — fined £100,000 by the ICO
Trustees · ICO enforcement notice, 2018
Hackers entered the charity's network by exploiting a weak shared password set up in 2009 and never changed. They accessed the personal data of 417,000 supporters including home addresses and bank details.
How we prevent this: No shared passwords exist anywhere in our system. Every person signs in with their own account and their own two-factor authentication. When someone leaves, their access is revoked immediately and their mailbox is converted to shared — no passwords to change, no emails lost.
Central YMCA — fined £7,500 by the ICO
Staff · ICO enforcement notice, 2023
A staff member sent a group email using CC instead of BCC, revealing the identities of 270 people living with HIV. The ICO found the charity lacked proper email handling procedures.
How we prevent this: Send on Behalf ensures external email goes through functional addresses where colleagues can see what's being sent. The From field shows both the sender and the role, adding a layer of transparency and professionalism.
HIV Scotland — fined £10,000 by the ICO
Staff · ICO enforcement notice, 2021
CC/BCC error exposed 105 recipients. The charity had purchased a bulk-email system seven months earlier but hadn't implemented it and was still using personal email accounts casually.
How we prevent this: Policy and training direct all external communication through functional mailboxes. Outlook defaults the From address to the shared mailbox when replying. Send on Behalf makes the process transparent — no need for technical blocks.
UK Cyber Security Breaches Survey 2025
Everyone · DSIT / Ipsos, 2025
30% of charities reported a cyber breach or attack in the past 12 months. Average cost of the most disruptive breach: £8,690. Phishing (fake emails) was the most common attack type.
How we prevent this: Two-factor authentication on every account blocks the vast majority of phishing attacks. Functional addresses reduce the number of public-facing mailboxes that attackers can target.
Secondary benefits
- Simpler data protection: role-based addresses like chair@ are less likely to be classed as personal data than firstname@ addresses. Cleaner separation simplifies information requests.
- Stronger cyber security: no shared passwords anywhere. Every account protected by two-factor authentication. Access revoked in seconds when someone leaves.
- Easier audit & reporting: OSCR or funders ask about decisions? The full email trail for any function is in one place, regardless of who was in the role.
- Reduced volunteer burden: trustees and volunteers sign in once and see the mailboxes relevant to their role. Nothing complex to learn.
- Professional public image: external contacts see "Fiona on behalf of Chair | CDT" — both the person and the role. Transparent, consistent, and professional.
- Built-in document management: M365 Groups automatically create SharePoint sites. Meeting minutes, policies, and contracts stored centrally — not in someone's personal OneDrive.
What's involved
Everything is done through the Microsoft 365 Admin Centre — point-and-click, no coding. An admin can complete this in an afternoon.
1. Create shared mailboxes (Admin Centre → Shared mailboxes). One per function: chair@, treasurer@, admin@, lettings@, cdtevents@, etc. Most are now created; see the Mailbox Status tab for current state.
2. Check personal accounts (Admin Centre → Active users). Confirm each team member has their own account (bravo@, lindsay@, etc.) with a licence.
3. Grant mailbox access (Shared mailboxes → Members). Add people to shared mailboxes for their role. Tick "Full Access" and "Send on Behalf".
4. Create M365 Groups (Admin Centre → Teams & groups). E.g. "Board", "Operations". Each gets a SharePoint site and shared calendar.
5. Enable two-factor authentication (Admin Centre → MFA settings). Switch on 2FA for all accounts. Each person sets it up once on their phone.
Cost
Designed to minimise costs.
| Item | Cost | Notes |
|---|---|---|
| Shared mailboxes (chair@, lettings@, admin@, etc.) | Free | Included in M365. Up to 50GB each. |
| M365 Groups + SharePoint sites | Free | SharePoint, shared calendars included. |
| Send on Behalf permissions | Free | Built into Exchange Online. Recipients see who sent on behalf of which role. |
| Two-factor authentication | Free | Uses free Microsoft Authenticator app. |
| Personal mailbox licences | Existing cost | One per person — you already pay for these. |
Bottom line: the entire setup uses features already included in your Microsoft 365 subscription. The only ongoing cost is the personal-mailbox licences you already pay for. When someone leaves, converting their personal mailbox to shared frees that licence — so turnover actually reduces costs over time.
UK charity pricing for Microsoft 365
Available through the Microsoft nonprofit programme.
| Plan | Price | What you get |
|---|---|---|
| Microsoft 365 Business Basic | Free | Donated to registered charities (up to 300 users). Exchange Online, SharePoint, OneDrive. This is all we need for our email setup. |
| Microsoft 365 Business Standard | £2.30/user/month | Everything in Basic plus desktop Outlook, Word, Excel, PowerPoint apps. 75% charity discount applied. Annual commitment. |
| Microsoft 365 Business Premium | £4.20/user/month | Everything in Standard plus advanced security: Intune device management, Azure Information Protection, extended audit logs. 75% charity discount applied. |
Key point: if CDT is registered with the Microsoft Nonprofits programme (free to join for OSCR-registered charities), the Business Basic plan is completely free and includes everything needed for shared mailboxes, Send on Behalf permissions, and SharePoint. You only need Business Standard if you want the full desktop Office apps.
Current state
Updated 19 March 2026. 14 of 20 paid licences in use. Converting shared and departed mailboxes will free up to 9 licences.
Shared mailboxes
These are addresses used by multiple people (e.g. admin@, chair@, lettings@) rather than belonging to one person. Shared mailboxes are free and don't need a licence. Some still need converting.
| Address | Display name | Last active | Items | Licence | Status |
|---|---|---|---|---|---|
| admin@ | Admin \| CDT | 19 Mar 2026 | 46,757 | Free | Converted ✓ |
| lettings@ | Lettings \| CDT | 18 Mar 2026 | 797 | Free | Converted ✓ |
| auditors@ | Auditors \| CDT | 6 Jan 2025 | 202 | Free | Converted ✓ |
| cdtevents@ | Events \| CDT | 30 Dec 2025 | 2,563 | Free | Converted ✓ |
| estates@ | Estates \| CDT | 18 Mar 2026 | 485 | Free | Converted ✓ |
| calendar@ | CDT Team Calendar | 19 Mar 2026 | 5 | Free | Converted ✓ |
| chair@ | Chair \| CDT | 19 Mar 2026 | 10,913 | Paid | To convert |
| treasurer@ | Treasurer \| CDT | 19 Mar 2026 | 8,472 | Paid | To convert |
| accounts@ | Accounts \| CDT | 19 Mar 2026 | 6,309 | Paid | To convert |
| itadmin@ | IT Admin \| CDT | 12 Jan 2026 | 298 | Paid | To convert (forwarding to bravo@) |
| caretaker@ | Caretaker \| CDT | 10 Oct 2025 | 389 | Paid | To convert (forwarding to admin@) |
| woodland@ | Woodland \| CDT | 19 Mar 2026 | 8,746 | Paid | Keep as-is (Steven Beaven, active user) |
| communityland@ | Community Land \| CDT | 19 Mar 2026 | 1,090 | Paid | Keep as-is (active user) |
Personal mailboxes
Each person who accesses shared mailboxes needs their own M365 account (UserMailbox + licence).
Active accounts
| Address | Person | Role | Licence | Status |
|---|---|---|---|---|
| bravo@ | Bravo Nyamudoka | Officer | Business Premium | Active |
| seona@ | Seona | Officer | Business Premium | Active |
| christine@ | Christine | Officer | Business Premium | Active |
| lindsay.brown@ | Lindsay Brown | Trustee | Flow Free only | Active |
Accounts to be created
These people need M365 accounts to access shared mailboxes via Full Access + Send on Behalf. Trustees currently listed as external guests (#EXT#) must be converted to internal member accounts.
| Person | Role | Notes | Status |
|---|---|---|---|
| olena@ | Staff | Needs access to accounts@, auditors@ | Planned |
| unc@ | Staff (Caretaker) | Needs access to estates@ | Planned |
| andrea.loudon@ | Trustee | Currently external guest — needs M365 account for chair@ | Planned |
| fiona.blacke@ | Trustee | Currently external guest — needs M365 account for chair@ | Planned |
| ken@ | Trustee | Currently external guest — needs M365 account for treasurer@, accounts@, auditors@ | Planned |
| miles@ | Trustee | Needs M365 account for lettings@ | Planned |
Staff not requiring email
| Person | Role | Status |
|---|---|---|
| James | Staff | No email needed |
| Jen | Staff | No email needed |
Licence impact: 14 of 20 licences in use (6 available). Converting 5 shared + 4 departed mailboxes will free 9 — giving 15 available for new accounts.
Departed / inactive staff
bravo@ has full access to all. Still on paid licences — convert to shared mailboxes when ready to free them.
| Address | Person | Last active | Items | Size |
|---|---|---|---|---|
| blair.urquhart@ | Blair Urquhart | 19 Mar 2026 | 8,145 | 2.0 GB |
| chris.palmer@ | Chris Palmer | 18 Mar 2026 | 6,515 | 2.8 GB |
| colin.crawford@ | Colin Crawford | 19 Mar 2026 | 10,516 | 4.3 GB |
| lynn.manderson@ | Lynn Manderson | 19 Mar 2026 | 2,563 | 1.2 GB |
| naomi.clarke@ | Naomi Clarke | 1 May 2023 | 6,015 | 590 MB |
Cleanup candidates
Accounts and mailboxes discovered in the M365 audit (19 March 2026) that serve no current purpose. Review and delete.
| Account | Type | Issue |
|---|---|---|
| [email protected] | SharedMailbox | Duplicate of [email protected] — causes ambiguous identity errors in Exchange |
| jeremytestgroup@ | SharedMailbox (disabled) | Test artifact — “CDT IT Team”, no permissions, created 17 Feb 2026 |
| ColinCDT@ | User (no licence) | Duplicate of colin.crawford@ — enabled but unlicensed |
| selfcatering@ | User (no licence) | Enabled but unlicensed — no mailbox access |
| jeremy@ | User (Flow Free only) | Test account — no Business Premium licence |
| [email protected] | User (no licence) | Andrew Heming — enabled but unlicensed, onmicrosoft UPN |
Access matrix
Who gets Full Access + Send on Behalf on each shared mailbox. Officers = Bravo, Seona, Christine (identical access).
| Mailbox | Officers | Olena | Unc | Andrea | Fiona | Ken | Miles | Lindsay |
|---|---|---|---|---|---|---|---|---|
| Governance: chair@ | — | — | — | ✓ | ✓ | — | — | — |
| treasurer@ | — | — | — | — | — | ✓ | — | — |
| auditors@ | — | ✓ | — | — | — | ✓ | — | — |
| Operational: admin@ | ✓ | — | — | — | — | — | — | — |
| accounts@ | — | ✓ | — | — | — | ✓ | — | — |
| lettings@ | ✓ | — | — | — | — | — | ✓ | — |
| cdtevents@ | ✓ | — | — | — | — | — | — | — |
| estates@ | ✓ | — | ✓ | — | — | — | — | — |
| itadmin@ | ✓ | — | — | — | — | — | — | ✓ |
| caretaker@ | — | — | — | — | — | — | — | — |
| calendar@ | ✓ | — | — | — | — | — | — | — |
| Specialist: woodland@ | — | — | — | — | — | — | — | — |
| communityland@ | — | — | — | — | — | — | — | — |
woodland@ (Steven Beaven) and communityland@ are actively used — kept as UserMailbox. Real user assignments to follow.
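The matrix can also be applied and checked from PowerShell instead of clicking through Delegation for each mailbox. This is an added example, not part of the CDT page; it assumes the ExchangeOnlineManagement module, the placeholder domain YOUR-TENANT.example, and that the local parts in the mailbox tables (bravo, seona, christine, olena, unc, andrea.loudon, fiona.blacke, ken, miles, lindsay.brown) are the users' sign-in names. It leaves woodland@ and communityland@ alone because the page keeps them as user mailboxes.

```powershell
# Added example (not part of the CDT page): apply the access matrix with PowerShell and
# report anyone holding Full Access that the matrix does not grant.
# Assumptions: ExchangeOnlineManagement module, YOUR-TENANT.example replaced with the real
# domain, and the local parts below matching the sign-in names in the mailbox tables.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'itadmin@YOUR-TENANT.example' -ShowBanner:$false

$Domain   = 'YOUR-TENANT.example'
$Officers = @('bravo', 'seona', 'christine')   # identical access, per the matrix

# Shared mailbox -> people who get Full Access + Send on Behalf (woodland@ and
# communityland@ are omitted: the page keeps them as ordinary user mailboxes).
$Matrix = [ordered]@{
    chair     = @('andrea.loudon', 'fiona.blacke')
    treasurer = @('ken')
    auditors  = @('olena', 'ken')
    admin     = $Officers
    accounts  = @('olena', 'ken')
    lettings  = $Officers + 'miles'
    cdtevents = $Officers
    estates   = $Officers + 'unc'
    itadmin   = $Officers + 'lindsay.brown'
    caretaker = @()
    calendar  = $Officers
}

function Sync-SharedMailboxAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Matrix, [Parameter(Mandatory)][string]$Domain)

    $drift = foreach ($box in $Matrix.Keys) {
        $mailbox = "$box@$Domain"
        $wanted  = @($Matrix[$box] | ForEach-Object { "$_@$Domain" })

        foreach ($user in $wanted) {
            if ($PSCmdlet.ShouldProcess("$user on $mailbox", 'Grant Full Access + Send on Behalf')) {
                # Re-running over an existing grant is harmless: Exchange keeps one entry.
                Add-MailboxPermission -Identity $mailbox -User $user -AccessRights FullAccess `
                    -InheritanceType All -AutoMapping $true | Out-Null
                Set-Mailbox -Identity $mailbox -GrantSendOnBehalfTo @{ Add = $user }
            }
        }

        # Least-privilege check: explicit Full Access held by anyone the matrix does not list
        # (system entries such as NT AUTHORITY\SELF are skipped). These are reported, not
        # removed, because some may be deliberate, e.g. the IT Trustee's blanket access.
        Get-MailboxPermission -Identity $mailbox |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                           $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*' } |
            ForEach-Object { $_.User.ToString() } |
            Where-Object { $wanted -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mailbox; User = $_; Issue = 'Full Access not in matrix' } }
    }
    $drift
}

# Preview, apply, then review anything the matrix does not explain.
Sync-SharedMailboxAccess -Matrix $Matrix -Domain $Domain -WhatIf | Out-Null
Sync-SharedMailboxAccess -Matrix $Matrix -Domain $Domain | Format-Table -AutoSize
```

With the current state in the Departed table (bravo@ holding Full Access everywhere), the drift report will list bravo@ against chair@ and treasurer@, which is exactly the kind of entry the IT Trustee should consciously confirm or remove.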
Email Usage Policy
When replying to or composing email for anyone outside CDT, send from the appropriate shared address (e.g. chair@, lettings@, admin@), not your personal one. Outlook defaults to this automatically when you reply from a shared mailbox.
Use [email protected] for calendar invites and internal messages between colleagues only.
Both personal and shared mailboxes are organisational property, administered by CDT. Do not use them for private personal correspondence. CDT retains the right to access any mailbox for business continuity, compliance, or handover purposes.
If someone external emails your personal address about trust business, forward it to the relevant shared mailbox so the team has visibility.
Multi-factor authentication must be enabled on your account. Do not share your password or sign-in credentials with anyone.
When you leave CDT, your personal mailbox will be converted to a shared mailbox so CDT retains access to organisational correspondence. Your shared mailbox permissions will be transferred to your successor.
Quick reference
| I want to... | Use... |
|---|---|
| Reply to a funder | chair@ or treasurer@ |
| Respond to a letting enquiry | lettings@ |
| Answer a general public enquiry | admin@ |
| Message a colleague | Your personal address |
| Book a meeting | Your personal calendar |
| Send something personal | Your own personal email (Gmail etc.) |
By using your CDT email account, you acknowledge and agree to this policy.
Email Admin Manual
Step-by-step procedures for the IT Trustee. All done via the Exchange Admin Centre — no PowerShell needed.
New starter joins
- M365 Admin Centre > Users > Active Users > Add a user
- Set their name (e.g. [email protected])
- Assign a Microsoft 365 Business Premium licence
- Set a temporary password, require change at first sign-in
- Enable MFA on their account
- Grant shared mailbox access: Exchange Admin Centre > Recipients > Mailboxes > select shared mailbox > Delegation > Full Access + Send on Behalf > Add the person
- Share the Email Usage Policy with them
Someone changes role
- Remove their access from old shared mailbox (Delegation > Full Access + Send on Behalf > Remove)
- Grant access to new shared mailbox (Delegation > Full Access + Send on Behalf > Add)
- Nothing else changes — personal mailbox stays the same, all history preserved
Someone leaves CDT
- Block sign-in immediately: M365 Admin Centre > Users > Active Users > select person > Block sign-in
- Reset their password (invalidates saved sessions)
- Remove shared mailbox access from all shared mailboxes
- Convert personal mailbox to shared: Exchange Admin Centre > Recipients > Mailboxes > select mailbox > Convert to shared mailbox
- Remove the licence (shared mailboxes under 50GB are free)
- Grant Full Access to successor so they can see email history
- Optionally set up forwarding to the appropriate shared mailbox
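The leaver steps above as one script, so they run in the right order every time. This is an added example, not from the CDT manual; it uses Microsoft Graph PowerShell for the account and Exchange Online for the mailboxes, assumes the Microsoft.Graph.Users, Microsoft.Graph.Users.Actions and ExchangeOnlineManagement modules, an admin with the User Administrator and Exchange Administrator roles, and placeholder addresses. It revokes sign-in sessions as well as blocking sign-in, because tokens already issued to Outlook or a phone otherwise stay valid until they expire.

```powershell
# Added example (not part of the CDT manual): the leaver procedure as one script.
# Assumptions: Microsoft.Graph.Users, Microsoft.Graph.Users.Actions and
# ExchangeOnlineManagement modules; an admin with User Administrator and Exchange
# Administrator roles; placeholder addresses replaced before use.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ExchangeOnlineManagement
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.EnableDisableAccount.All', 'Directory.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -UserPrincipalName 'itadmin@YOUR-TENANT.example' -ShowBanner:$false

function Invoke-LeaverOffboarding {
    param(
        [Parameter(Mandatory)][string]$Leaver,     # e.g. 'someone@YOUR-TENANT.example'
        [Parameter(Mandatory)][string]$Successor,  # colleague who ties up loose ends
        [string]$ForwardTo                          # optional, e.g. 'admin@YOUR-TENANT.example'
    )
    # 1. Block sign-in, then revoke sign-in sessions: blocking alone does not cut off
    #    tokens already issued to Outlook or a phone until they expire.
    Update-MgUser -UserId $Leaver -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Leaver | Out-Null

    # 2. Strip Full Access and Send on Behalf from every shared mailbox (errors where the
    #    leaver never had the grant are expected and ignored).
    foreach ($shared in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
        Remove-MailboxPermission -Identity $shared.Identity -User $Leaver -AccessRights FullAccess `
            -Confirm:$false -ErrorAction SilentlyContinue
        Set-Mailbox -Identity $shared.Identity -GrantSendOnBehalfTo @{ Remove = $Leaver } `
            -ErrorAction SilentlyContinue
    }

    # 3. Convert the personal mailbox to shared BEFORE removing the licence; removing the
    #    licence first would put the mailbox on the path to deletion instead.
    Set-Mailbox -Identity $Leaver -Type Shared

    # 4. Free the licence(s) now that the mailbox no longer needs one.
    $skus = @(Get-MgUserLicenseDetail -UserId $Leaver | Select-Object -ExpandProperty SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $Leaver -RemoveLicenses $skus -AddLicenses @() | Out-Null
    }

    # 5. Successor sees the history; auto-reply and optional forwarding point senders
    #    at the right shared address.
    Add-MailboxPermission -Identity $Leaver -User $Successor -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $true | Out-Null
    $msg = "This person has left CDT. Please contact $ForwardTo for trust business."
    Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Enabled `
        -InternalMessage $msg -ExternalMessage $msg
    if ($ForwardTo) {
        Set-Mailbox -Identity $Leaver -ForwardingSmtpAddress $ForwardTo -DeliverToMailboxAndForward $true
    }
}

Invoke-LeaverOffboarding -Leaver 'leaver@YOUR-TENANT.example' `
    -Successor 'bravo@YOUR-TENANT.example' -ForwardTo 'admin@YOUR-TENANT.example'
```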
Access someone's mailbox in an emergency
- Exchange Admin Centre > Recipients > Mailboxes > select their mailbox
- Delegation > Full Access > Add yourself
- Their mailbox appears in your Outlook within 30-60 minutes
- Remove your access when done
- All access is automatically logged in the M365 audit trail
Ensure sent items stay in shared mailbox
- Exchange Admin Centre > Recipients > Mailboxes > select shared mailbox
- Enable: Copy items sent as this mailbox
- Enable: Copy items sent on behalf of this mailbox
- Do this once per shared mailbox — applies to all delegates
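One way to make this setting (the same MessageCopy settings named under "Sent copy setting" in the attribution section) hold across every shared mailbox at once, and to prove afterwards that none was missed. This is an added example rather than the manual's click path; it assumes the ExchangeOnlineManagement module and a placeholder admin address.

```powershell
# Added example (not part of the CDT manual): check every shared mailbox for the two
# "copy sent items" settings, switch on any that are off, then verify.
# Assumptions: ExchangeOnlineManagement module; itadmin@YOUR-TENANT.example is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'itadmin@YOUR-TENANT.example' -ShowBanner:$false

function Get-SentCopyStatus {
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        Select-Object PrimarySmtpAddress, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled
}

function Enable-SentCopy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $fixed = foreach ($m in Get-SentCopyStatus) {
        # MessageCopyForSendOnBehalfEnabled is the one that matters for Send on Behalf;
        # MessageCopyForSentAsEnabled covers Send As and is set alongside so either path
        # leaves a copy in the shared Sent Items.
        if (-not ($m.MessageCopyForSentAsEnabled -and $m.MessageCopyForSendOnBehalfEnabled)) {
            $addr = $m.PrimarySmtpAddress.ToString()
            if ($PSCmdlet.ShouldProcess($addr, 'Enable copy of sent items')) {
                Set-Mailbox -Identity $addr `
                    -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
                $addr   # emitted so the caller gets the list of mailboxes changed
            }
        }
    }
    @($fixed)
}

Enable-SentCopy -WhatIf | Out-Null                 # preview first
$changed = Enable-SentCopy
"Changed: $($changed -join ', ')"

# Verify: this should return nothing once the run has completed.
Get-SentCopyStatus |
    Where-Object { -not ($_.MessageCopyForSentAsEnabled -and $_.MessageCopyForSendOnBehalfEnabled) }
```

Running the verification alone from time to time catches a mailbox that was created later through the Admin Centre without the setting.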
Troubleshooting
| Problem | Solution |
|---|---|
| Shared mailbox not appearing in Outlook | Wait 30-60 mins after granting access. Restart Outlook if still missing. |
| Person sends from personal address instead of shared | Check Send on Behalf permission is granted. Remind them to reply from within the shared mailbox. |
| Can't convert mailbox to shared | Mailbox might be over 50GB or have a litigation hold. Check size in Exchange Admin Centre first. |
| Departed person's mail bouncing | Mailbox was deleted instead of converted. Restore within 30 days via Admin Centre > Deleted Users. |
| Need to see what someone sent from a shared mailbox | Check the shared mailbox's Sent Items, or use Audit logs at compliance.microsoft.com. |
Frequently asked questions
Do I need another password for shared mailboxes?
No. You sign in once with your own account. Shared mailboxes appear automatically in Outlook.
How do I send "from" the shared address?
Open the shared mailbox, click New Email or Reply — Outlook automatically sets the From to the shared address using Send on Behalf. The recipient sees your name "on behalf of" the shared address.
Can others see it was me who replied?
Yes — with Send on Behalf, the recipient sees "Fiona on behalf of Chair | CDT". This is transparent and professional. Internally, the Sent Items folder also shows the sender's name.
What if two of us reply to the same email?
Flag or categorise when you start handling it. Check Sent Items before replying. For busy periods, agree a rota.
What if someone emails my personal address about a lettings enquiry?
Forward it to the shared mailbox so the team has visibility. Ask the sender to use the shared address next time.
Will I get notifications for shared mailbox emails?
Desktop Outlook: yes, a badge/count appears. Mobile: add the shared mailbox in Settings → Add shared mailbox.
Can I access shared mailboxes on my phone?
Yes. Outlook mobile → Settings → tap your account → "Add shared mailbox".
What happens to old emails if someone leaves?
Shared mailbox emails are unaffected. Personal mailbox is converted to shared — all emails preserved, licence freed.
Does this cost more?
Shared mailboxes are free (up to 50 GB). You only pay for personal licences you already have.
Is this more secure than sharing a password?
Significantly. Remove one person's access without affecting anyone else. Every account has its own 2FA.
Sources and further reading
Grouped by type. “Directly supports” means the source contains specific language our setup implements. “Aligns with” means we're applying a general principle to email. All links verified March 2026.
Systems & security standards — directly support our setup
- Microsoft 365 (shared mailbox documentation). Directly supports. Microsoft's own documentation describes shared mailboxes as designed for functional use. Sign-in is blocked; access is via individual credentials.
- NCSC Small Charity Guide. Directly supports. Explicitly says charities must not share passwords, must use 2FA on email, and must give people individual accounts.
- Cyber Essentials. Directly supports. Requires unique credentials per user; MFA mandatory for cloud services. Increasingly expected by charity funders.
- ITIL 4. Directly supports architecture. Single Point of Contact principle: one email per service function, not individual staff addresses.
- NIST SP 800-53. Directly supports. Requires unique identification per user (IA-2), warns shared accounts create accountability risk (AC-2(9)).
- ISO 27001:2022. Directly supports. Each identity must be "linked to a single person" for accountability. International gold standard for information security.
- CIS Controls v8. Directly supports. MFA mandatory for externally-exposed apps (6.3). Separate admin from non-admin accounts (5.4). Baseline controls apply to all organisations.
Scottish regulation & charity governance — aligns with (general principles)
- OSCR. Aligns with. Collective responsibility, record-keeping, accountability. Does not mention email.
- Aligns with. Scotland-specific guidance on board effectiveness and digital confidence.
- Governance & Digital Codes (2025 editions). Aligns with. Transparency, accountability, digital leadership. Neither mentions email systems or specific technology.
- UK GDPR / ICO. Partially relevant. Named email addresses are personal data; role-based addresses are less clear. No email architecture guidance.
Real-world cases & statistics
- Bible Society (ICO enforcement notice, 2018). Weak shared password led to breach of 417,000 records.
- Central YMCA (ICO, 2023) and HIV Scotland (ICO, 2021). CC/BCC errors exposed vulnerable individuals. Both lacked email handling procedures.
- Cyber Security Breaches Survey 2025 (DSIT / Ipsos). Context only. 30% of charities breached, average cost £8,690. Statistics, not recommendations.
Microsoft 365 implementation guides
Step-by-step Microsoft Learn guides for implementing each component of our setup.
- Microsoft nonprofit programme (pricing). Business Basic is free for up to 300 users at registered charities.