
Out-of-Office Replies are Evil

We’ve survived another holiday season. With the season comes vacation, and with vacations comes the “vacation auto-responder”, also known as the “out of office” reply.

The evil “out of office reply”.

Evil? Yep. I’ll explain why.


TL;DR:
  • Out-of-office messages have best practices.
  • When those best practices aren’t followed, out-of-office messages can annoy others.
  • Out-of-office messages can reveal your vulnerabilities.
  • Out-of-office messages can confirm your email address to spammers.

Out-of-office done right

Out-of-office replies, often termed OOF for “out of facility,” are automated email replies you can configure your email program or service to send on your behalf when you are out of the office, on vacation, or just not planning on responding to email in a timely fashion. The automated response says something like, “I’m out of the office this week and not checking email”.

OOFs can be useful if two important conditions are met:

  1. The automated reply is sent to each sender exactly once, no matter how many times they send email.
  2. The automated reply is never sent to mailing lists.

For some companies, there’s a third rule:

  3. The automated reply is never sent outside the company.

I’ll also add a fourth rule I’ll simply call a “best practice”:

  4. The automated reply is sent only to people in your address book.

If those conditions are all met, you may be able to use OOF replies safely.

If not, you run the risk of being evil.

Breaking the rules

If rule #1 is broken, you annoy everyone who needs to send you more than one email while you’re away. No matter how many they send, they’ll get your automated response again and again.

If rule #2 is broken, depending on how the mailing list is configured, your automated reply will go either to the person who sent a message to the list (whether or not he or she knows or cares about you), or possibly to everyone on the mailing list.

If both rules #1 and #2 are broken, then every message to a mailing list may cause your out-of-office message to get sent again and again and again, flooding the mailing list.

If rule #3 is broken, you may share company information with those who needn’t or shouldn’t have it.

If rule #4 is broken, then you don’t know who you’ll have informed of your absence. That, as it turns out, can have unwanted side effects. By sending an out-of-office reply to anyone who emails you, you may tell a random stranger you’re away, and open your home to a burglary.

On top of that, you’ve probably also replied to spam that wasn’t caught by a spam filter, thus validating your email address to the spammer. The result: you’ll likely get a lot more spam.
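The four rules above, plus a guard against one autoresponder answering another, written as a single decision function in Python. This is an added example, not code from the original article: the address book, domains and sample messages are constructed, and the `Auto-Submitted`, `Precedence` and `List-*` header checks follow RFC 3834's recommendations rather than anything stated on this page.

```python
from email import message_from_string
from email.utils import parseaddr

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")

class OutOfOffice:
    def __init__(self, contacts, internal_domain=None):
        self.contacts = contacts                # rule 4: address book
        self.internal_domain = internal_domain  # rule 3: optional company-only mode
        self.already_told = set()               # rule 1: senders already answered

    def should_reply(self, raw_message):
        """Return (send, reason) for one incoming message."""
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender:
            return False, "no usable sender"
        # Loop guard: never answer another automatic message.
        auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
        if auto != "no":
            return False, "automated message"
        # Rule 2: never reply to mailing-list or bulk traffic.
        bulk = msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}
        if bulk or any(h in msg for h in LIST_HEADERS):
            return False, "mailing list"
        # Rule 3: keep replies inside the company when required.
        if self.internal_domain and not sender.endswith("@" + self.internal_domain):
            return False, "external sender"
        # Rule 4: only tell people already in the address book.
        if sender not in self.contacts:
            return False, "not in address book"
        # Rule 1: each sender is told exactly once.
        if sender in self.already_told:
            return False, "already notified"
        self.already_told.add(sender)
        return True, "send reply"

def make(sender, extra=""):   # constructed sample; `extra` holds extra header lines
    return f"From: {sender}\nTo: leo@example.com\nSubject: hi\n{extra}\nbody\n"

ADDRESS_BOOK = {"alice@example.com", "bob@partner.example"}   # constructed
SAMPLES = [                                                   # constructed
    make("Alice <alice@example.com>"),
    make("alice@example.com"),
    make("alice@example.com", "List-Id: <staff.example.com>\n"),
    make("bob@partner.example", "Auto-Submitted: auto-replied\n"),
    make("stranger@unknown.example"),
]
oof = OutOfOffice(ADDRESS_BOOK)
print([oof.should_reply(m)[1] for m in SAMPLES])
```

The reply that is eventually sent should itself carry `Auto-Submitted: auto-replied`, so that any other responder applying the same loop guard stays silent.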

My take-away

My take is simple: unless you can follow the four rules or best practices listed above, OOF messages are a good idea that has gone horribly, horribly wrong 99% of the time.

And, honestly, most of the time an out-of-office reply isn’t needed anyway.


27 comments on “Out-of-Office Replies are Evil”

  1. The OoOF of Lotus Notes works the right way. You can optionally set it to respond to only internal email, i.e., don’t respond to email originating outside the company (e.g., SPAM, newsletters, etc.) so it notifies co-workers once. Sadly, Outlook doesn’t have that feature so you can’t keep OoO Message internal and thus, the feature is not very useful.

    Reply
  2. Many years ago a mail storm occurred on our mail server for the exact reasons cited in Leo’s article.

    The lead engineer on our program had activated an email rule to forward all messages he received to the entire engineering staff when the subject line of the message contained certain key words. That produced an out-of-office reply from one of the recipients of the auto-forwarded message, which induced another auto-forward to the engineering distro list, which induced another OOO reply. The ensuing mail storm took down the server.

    Reply
    • This is called a “mail loop,” and there’s no need to explain its hazards — you found them out firsthand!

      Configuring your “OOF” to reply only once to any given sender, as Leo recommends (or, alternatively IMHO, no more often than once in every 24 hours) should suffice to prevent this sort of thing from happening.

      Reply
  3. Couple years ago I was out for surgery and decided to forward my Notes mail from work to my home email. Used my personal address shortcut for my home email address. Notes ‘autocompleted’ my name and forwarded all of my mail to an employee at our installation in France. MONTHS later I was copied on an email from her supervisor to our corporate IT folks, asking who I am and why am I forwarding so much email to her. Don’t I feel like a dope. She got a chuckle when I explained it, I felt so bad for her. Never used oof again.

    Reply
  4. I’m not sure of the “send-only-ONCE” rule, because people may have forgotten the original response, or might wish to check whether you are STILL out. An alternative might be to set the thing up to send a response to any given recipient no more often than once in 24 hours. This will kill any mail loops, but will still provide functionality.

    Interestingly, the ancient Unix “vacation” command (remember that?) provided this functionality, with a little fudging. :)

    Reply
  5. A further issue with OoO’s is that all too often, there’s never ANY follow-up to one’s original enquiry – which drives me nuts! It seems that when the suntanned OoO originator gets back from the Bahamas, he simply bins all the emails that piled up while he was away – apparently assuming a bot (or the fairies?) sorted it all out in his absence. Whatever happened to common courtesy in business?

    Reply
  6. Follow on to my Oct 2005 comment, apparently Exchange 2007 and Outlook 2007 will now do what Notes did years ago, have the option to only send OoO internally. Haven’t used it yet (we’re still Exchange 2003) but at least there’s hope.

    Reply
  7. Geoff: I think that particular aspect of common courtesy
    gets lost in the email-overload that often piles up while
    people are away from the office. I know once I get an OOF I
    *assume* that the person did NOT get the message and that
    it’s on me to resend some time after they return.

    Leo

    Reply
  8. Exchange 2003 SP2 has the functionality to only send internally. We have that setting enabled. It’s located under Global Settings -> Internet Message Formats -> Advanced. Uncheck “Allow out of office responses”

    Reply
  9. I have never understood why the out of office assistant can’t simply only reply to emails that successfully make it through my spam filter. Out of office assistant seems to reply to any and everything.

    Reply
  10. ‘Out of office ‘ evil? Perhaps.
    Annoying – certainly.
    For some unknown reason my pc sends a random response to people who have e-mailed me telling them I am away until Sept. 1st. I wish I was but what can I do to rid myself of this?

    You’ll need to check the out of office functionality either in your email program (not sure what you’re using), or your email service. Might well be on the service, so see if they have a web interface where such things can be configured.

    Leo
    10-Feb-2011

    Reply
  11. I disagree with Rule One, but have my own personal variation:

    Rule 1: It should be arranged that no “Vacation” reply message (you call it an “Out Of Office” message) will ever be sent more often than once in every 24 hours (and the message itself should explicitly say so).

    Rationale: People can be forgetful and need reminding, or they may simply wish to check whether you have yet returned (either early or late); thus, provision should always be made for senders to receive subsequent “Vacation” reminders should they seek them. A significant delay, however, IS most certainly ABSOLUTELY NECESSARY in order to prevent a possible mail loop — THAT would be most TRULY Evil!!!

    I absolutely and heartily agree with Rule Two, but it can be difficult to implement.

    Not replying to Spam can be prevented with good Spam filters — if Spam is filtered out before it reaches your Inbox, it will never be replied to (automatically or otherwise)!

    Unix users have a “vacation” command that easily implements my variation of Rule One, (and only replies to messages that entered the Inbox, so Spam filters would be effective); but it leaves Rule Two completely out in the cold. Some other (temporary) “filter” would be necessary to block newsletters.

    Reply
    • No, but it isn’t as useful as you might hope, because the person receiving the email has to confirm that they want to send the receipt. Many choose not to. I personally block the requests before they even get to me.

      Reply
    • Not really pointless in a large office environment. Look at it from the perspective of a manager, managing dozens of people. The manager sends hundreds of emails on different topics to many people and needs to keep track of responses and acknowledgements. The read receipt is required and it helps check off who bothered to open an email (although they may not have actually read it). If some task is not performed with the claim that “I didn’t know”, there are different actions that can be taken for not opening the email or opening the email and not reading it. Conversely, when I get an email, but I cannot respond to it promptly, I may deliberately open the email to send a read receipt as an acknowledgement and then mark the email as unread so I can track it and follow up later. I also save the read receipts so that when someone says I never got your email I can provide the receipts as evidence. These methods work not just with employees, but also with contractors and clients. Think big and don’t just rely on your memory.

      Reply
  12. I was the Operations Manager for an international company, in my absence my deputy took my Emails. If you really think that it is imperative that others know that you are absent I suggest that you take a reality check.

    Reply
  13. Our company pretty much follows rules 1-3. That makes 4 a moot point. If someone from within the company wants me to respond, they get my message saying when I am out, when I will return, who they can contact for some things, and if I will check mail occasionally.

    Barry – your statement only works for executives that have deputies that will answer their mail. Most of us do not have that luxury.

    Reply
    • Bill – totally agree with your reply to Barry. Small companies often only have 1 person doing 1 particular job. In addition, I agree with the entire article except the last sentence, stating that OoO’s are normally not needed, again for the same reasons.

      Reply
  14. There’s one more problem which can result from violating rule number 1. A colleague of mine is required to use OOF responses. One day she came home after a weekend to find over 30,000 emails in her inbox. The person who wrote the original email was also using an OOF autoresponder and the autoresponders played OOF tennis all weekend. :-)

    Reply
  15. At the accounting firm I support, clients expect a quick response to email during the working day. If they are ignored, they will start looking for a new accountant. And there are no secretaries. OOO is required.

    Reply
    • Ditto. OOO reply wasn’t meant for personal users. When you work in a big organization, with offices in many cities, perhaps in several countries, you’re not going to call everyone to tell them you’ll be gone. And if you don’t cover yourself with an OOO reply, all hell will break loose with clients and contractors. Of course, the other alternative is to take your device on vacation and respond to emails on the beach.

      Reply
  16. For any company that respects their clients, vendors, potential clients, OOO replies are a MUST. You cannot limit OOO replies only to within company or your mailing list unless you are prepared to miss on important business inquiries. Remember when you sent an email and did not get timely reply? Were you upset? Annoyed? So will be others. My suggestion to modify rule 1: send one OOO, but one per day. On top of that – if you can do this securely — and OOO notwithstanding, do check your emails occasionally when you are away and reply to those that need a prompt reply.

    Reply
  17. Leo, you wrote:

    “By sending an out-of-office reply to anyone who emails you, you may tell a random stranger you’re away, and open your home to a burglary.”

    Leo, don’t be silly! To do a burglary, they’d need to know your PHYSICAL address, not just your E-Mail address. (OTOH, if you’re stupid enough to include your physical address in an autoresponse message, you deserve whatever you get.)

    Reply
