I would say that's a bad policy. You've added it because so many people make a mistake, and putting it in the policy won't stop (or reduce) the mistake, but it gives you something to point at and say "you were told not to do that".
A better starting point for such a policy would be to enforce use of a mailing list for e-mails to customers.
It's a nonprofit, so we have no customers nor paid employees. Honestly I have no idea how a mass mailing works with our system, it'll probably be via Extension:MassMessageEmail or something. Honestly, I need to look into it for fundraising.
But what you're saying is analogous to saying checklists are ineffective for preventing errors. This isn't true. The first thing a person should do after finding and closing a security breach is to pull out the procedure, because not forgetting a step is important.
A better starting point for such a policy would be to enforce use of a mailing list for e-mails to customers.