Best Practices for Email Distribution Lists

Posted by Matt Green on 19 Feb 2024

Email distribution lists are a blessing and a curse. Our ten best practices will help ensure your lists stay effective, efficient and compliant with the law.


A distribution list is a feature of email client programs (e.g. MS Outlook) that allows users to maintain a list of email addresses or send messages to everyone in their address book all at once.

Whilst they may save a lot of time and effort, they are a regulatory accident waiting to happen. When they go horribly wrong, it can mean fines and the kind of PR disaster that sees customers leaving in droves.


Top tips for using email distribution lists

1. Question whether a distribution list is appropriate

If you are sending a message regularly or to a large audience, maybe a distribution list is not the right method of sending.

Email automation software may be cheap or even free to use. By using it, you can avoid the usual logistical and compliance headaches of managing email distribution lists.

If your colleagues may also be contacting the same people, such tools are a 'no-brainer'.

It is worth having your DPO create an email distribution list policy and communicating it to your staff. By giving them training and guidance, you can ensure that messages are efficient and compliant.

2. Check who's on the distribution list before hitting send

Sending emails to all recipients is only efficient if they all need to read what it contains. There is a name for those sending frequent, irrelevant or unwanted emails - spammers!

3. Promptly action removal requests

Under GDPR and other data protection laws, individuals are entitled to have their names removed from distribution lists. Comply with any such request promptly to avoid GDPR sanctions.

Often, staff feel that 'GDPR compliance is marketing's problem'. It's not; it's everyone's responsibility - the regulator will be unmoved by your staff stating, 'I don't use the database'.

4. Regularly clean up distribution lists by purging names

Keeping email lists clean is essential, especially when sending information outside of your own organisation.

If you do not, you may keep defunct addresses in your list. Regularly emailing those who have left a company may result in you being blacklisted.

Often blacklists relate to the domain of a sender, meaning all your colleagues get blocked too. Many companies use blacklisting software, and if the list is shared, your emails may be blocked across all those using the same software!

5. Prioritise security & confidentiality

The wider you share information, the more likely it will be seen by those not authorised to see it. So, before sending anything via distribution lists, check document classifications first and be clear about who can see it.

6. Don't overshare

Only share information via distribution lists when there is a genuine 'need to know'. Make sure you are absolutely certain that it's relevant to all recipients.

Consider splitting larger lists and creating a 'headline' version of your message for those who do not need all of the details.

7. Write succinctly

If you're writing for a bigger audience, you'll need to do so succinctly, avoiding jargon and colloquialisms so your message is easily understood.

Clarity is particularly important in situations where recipients speak English as a second language.

8. Think before you use file attachments

Not only do they make the size of your message balloon, but if sent externally, security software may either remove them or, worse, just block your message.

Where possible, use links or non-editable files (e.g. PDFs). If you use cloud-hosted files, make sure that you only share with named recipients and you can password-protect the files.

9. Avoid requesting read receipts when sending mass emails

As well as causing unnecessarily high volumes of traffic on your network, they come across as passive-aggressive. Ironically, recipients can choose not to confirm they've read your message anyway, so is there any point?

10. Beware 'Reply All' & 'Recall Message'

Sometimes, replying to everyone makes sense. If you have a small distribution list, recipients may like to comment. But as the examples below show, on larger lists, it may create a car crash that goes out of control.

If you accidentally share information you shouldn't, 'Recall Message' is a sensible damage limitation technique. Equally, if your list is small, and there is a mistake, then recall may be fine, too. But if you have a very large list, be brave and send a short follow-up message to correct the error.


When email distribution lists go wrong

Disclosing confidential information

A Royal Navy officer at the US Pentagon added a UK-based schoolgirl to a distribution list in error. Diligently, she pointed out the mistake to no avail. For six months, she received highly confidential military information.

Mistyping the address caused the error; easily done. But the unforgivable mistake was ignoring the response from the recipient. The lessons are two-fold: be careful typing, and don't send emails if you have no intention of reading the replies.

Offending customers

When two holidaymakers complained to Spirit Airlines about their flight delay, they were underwhelmed by $200 in compensation. Their email was forwarded to the CEO, who hit 'Reply All' before sending a response:

"Please respond, Pasquale, but we owe him nothing as far as I'm concerned. Let him tell the world how bad we are. He's never flown us before anyway and will be back when we save him a penny."

Luckily for the company, this happened before social media became endemic. Imagine the Twitter storm had the same happened today.


In 2015, an unfortunate employee of Reuters accidentally emailed 33,000 of his colleagues. Having realised the mistake, he then compounded it by trying to recall the message. If you are going to make such a blunder, doing it at a news organisation is fatal.

Reuters employees took to Twitter with the hashtag #ReutersReplyAllGate. This approach brought humour to the situation; let's hope it saved the poor soul and, in a way, did the world a favour by highlighting the risk.

Bringing NHS communications to a halt

You'd think that people would learn from Reuters. Not necessarily.

In 2016, the NHS secure email system crashed after an IT contractor accidentally sent an email to everyone on NHS England's distribution list, around 1.2 million people.

Some recipients then hit the 'Reply to All' button to complain; worse still, they were requesting 'Read Receipts'. As a result, 186 million emails were sent, bringing communications to a standstill.

Alarmingly, the same email service was used for sharing patient-identifiable and sensitive information.


Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.

GDPR Training Presentation

The fines for GDPR breaches represent up to 4% of your global annual turnover or EUR 20 million, whichever is higher. So it is critical to ensure your organisation understands and adheres to GDPR.

Our free GDPR Training Presentation is fully editable, presents the key points in plain English and is packed with practical activities to accelerate learning.
