Appropriate use of Out of Office notices

For consistency and to minimize security risks, the following format should be used for Out of Office (OOO) messages:
I am presently out of the office
Please direct inquiries to [[|]]
For extended absences (1 week or longer)
I will be out of the office until Month 1, 201X
Please direct inquiries to [[|]]
Note for literalists: You may 'soften' the wording as needed, but keep it short. Do not use "" or "Month 1, 200X" literally. Replace these with an appropriate colleague's address and an appropriate date respectively.

Things to Avoid

  • Do not use your name in the notice (They should already know)
  • Do not use phone numbers in the notice (Leave an appropriate alternate phone contact on your voicemail greeting)
  • Do not divulge your reason for absence or where you have gone
  • Do not exceed more than a couple lines, keep the message as short as is absolutely necessary
  • Do not set out of office notices when you 'leave for the day/weekend'. These should only be used when you will be absent from normally expected work hours for a day or more, not every time you go home for the day or weekend.
  • Do not add your signature to your OOO notice

Malicious parties can use information from Out of Office messages to perform social engineering tricks on users designed to gain access to the network, passwords or other sensitive data or user information. Please take these recommendations seriously.


Prior to August 1st, 2007 “Out of Office” notifications (OOO) were delivered only to internal recipients. This was done for several reasons, the primary two of which were to avoid ‘loops’ from mailing lists triggered by an out of office message and as part of a security policy.

The technical ‘loop’ problem has been largely resolved and it was determined that the security threat can be minimized through appropriate use of the policy above.

This change is however expected to result in an increase in SPAM E-mail as it will serve to verify addresses that were previously not able to be verified by automated engines and bots.

Updated by Steven Quirk 10/7/13