One of the great benefits of working with the salesforce platform is the ability to quickly and easily spin up a sandbox or test environment. Salesforce provides a number of different types of sandboxes. Each type can serve a different purpose based on what you are trying to build or test. One of the most helpful types of sandbox is the "FULL" sandbox. This is an exact copy of your production environment which means your data is copied in it's entirety to the sandbox org. The benefits of this type of sandbox include the ability to test various pieces of functionality with a large production like data set. You are able to refresh a full sandbox every 30 days but there are a few things to keep in mind when you refresh.
One of the biggest risks of using production data is that it is just that, production data. These are real contacts with real email addresses and phone numbers etc. When a sandbox is refreshed salesforce automatically concatenates all user email addresses and usernames with the sandbox name. For example, if my username was email@example.com it would be updated to be firstname.lastname@example.org. This is a very helpful feature which prevents you from emailing users accidentally from your sandbox. The danger is around the contacts that are cloned/created in your full sandbox. Salesforce does NOT concatenate these email addresses so they are the same as the REAL email address that was in production.
So what do we do? Salesforce has a built in "switch" for turning on and off the ability to send emails from a sandbox or production org. You can find this switch under Setup>Email Administration>Deliverability. It should look like this.
The options are "No Access" which means email will not be sent from the org at all, "System email only" which means only password reset type of emails will be sent out, and "All email" which means all email will be sent including workflow email.
By default when a sandbox is refreshed this should be set to "System email only". This is to prevent the issue I'm describing. However, what if I need to test workflow rules that send emails? I'll need to turn this to "All email" and the risk of emailing a real contact is back in play.
There are two ways to handle this. If you have a really large number of contacts then I would recommend doing an export using the data loader. This will give you a csv file with all of your contacts. You can simple change the email addresses and do an update also using the data loader. If you have a smaller more manageable number of contacts you can simply open the developer console and execute a simple update script. If you are not familiar with apex you will need some assistance from a developer to write this script. One final word of caution on using the developer console to update records. With great power comes great responsibility. The developer console can be very helpful when you need to update a set of records but it has the power to update and delete any records in your org. Double check your script before you execute it to be sure you're updating what you are intending to update.
To summarize, keep an eye on your contact emails when you refresh your full sandboxes and be sure to update them if you plan on testing workflow email functionality from your sandbox. Hopefully this will save you from accidentally emailing your contacts.