I've never been a big fan of legal disclaimers on email messages. I have several reasons, not least of which is that a disclaimer that loudly proclaims a message as confidential usually doesn't appear until after the recipient has read the message! Also, marking every message with a classification of "confidential" or "privileged" means that trivial messages get the same protection as very important messages, and that reduces the degree of protection that the critical messages get.

However, there are cases where using disclaimers is appropriate. For example, if you have mail that's generated by an automated program or is sent from a mailbox that people don't monitor, it's a good idea to append a disclaimer telling recipients not to reply (or what address to reply to). You might also append disclaimers to mail sent through a filtering or scanning gateway to indicate that the message has been filtered; many ISPs do this to let their customers know that malware might have been removed in transit.

Exchange Server 2007's transport rules provide a straightforward way to append disclaimers to a message. You can easily specify what text you want to add and which senders' or recipients' messages should be modified. Transport rules provide enough functionality for many common disclaimer or footer requirements, but there are some subtle points you should consider when evaluating transport rules for this use.

Consider the UK's Data Protection Act, and similar legislation by other member countries of the European Union (EU) based on the EU's Directive 95/46/EC on the protection of personal data. The Data Protection Act specifies a number of compliance requirements that you might be familiar with, but one that still occasionally surprises people is the requirement that all email originating within a company and going to outside customers or sales prospects must contain a valid opt-out mechanism and a valid physical address for the sender. This requirement is simple enough to implement if you have only a small number of physical addresses. For example, if you have two Exchange servers in the same building, a single transport rule can easily handle appending the required contact information. Complications arise if you have a larger, more distributed environment.

Let's say that you have field offices in Ireland and England, with your main office in Germany. What's the correct address to put on a message sent by an employee in your Irish office? What if the message transits a Hub Transport server in Germany? If you've deployed multiple Hub Transport servers to take advantage of Exchange 2007's improved message routing, this is certainly plausible, but what text should appear on the message? There are lots of other cases like this, and because I'm not an expert on the Data Protection Act, I'm not going to attempt to give any advice.

It's interesting to contrast the flexibility of transport rules with the relative simplicity of a time-tested tool: the ability to have Microsoft Outlook append signatures to users' messages. Doing so ensures that the correct text appears after each message, although trying to administer signatures (and monitor compliance) for a large global company would be exceedingly painful.