Hi Greg,
Depending on your budget, which if you're a not-for-profit may not be large, I would simply farm it out to a 3rd party, someone like GoDaddy, which have a lot of resources and can put this together very inexpensively. There are also many consultants that specialize in not-for-profit, but they will still likely charge a lot more than a discount 3rd party like GoDaddy.
As for email campaigns, it is generally not an acceptable practice to launch an email campaign from your own internal resources. Even if you out-source your mail to a 3rd party provider they will likely mitigate outbound emails on a daily basis. There are many valid reasons for this, which I will not get into and others may disagree as it is commonly done, but it is a bad idea. Again there are many reasonably priced 3rd parties that can take care of this for you, like campaigner, etc.
Also regardless of whom you engage for web development, don't assume they know what they are doing when it comes to best practices. There are a lot of developers out there that simply feel they are good enough to do web development without understanding some of the basic best practices from a security perspective. One of the most common things overlooked is to publish contact information in plain text within the code. The net effect of this will be that you are simply increasing the attack surface area of your published email which will increase spam over time. Considering spam is currently the highest method of propagating threats, this should be a concern. There are very easy methods of mitigating this activity. A common one is to obfuscate the email address in the code so that when the spam harvesters, who use automated methods to glean data from web pages, hit your site they cannot read the mailto links. There are many ways to obfuscate email addresses, from a simple graphic image of your email, which prevents the convenience of clicking the mailto link, to using various encryption methods on the mailto link. Your web developer should know about this and provide you with a suitable solution, keeping in mind that whatever solution they provide should be reviewed on a regular basis as spam harvesters do look for and employ ways around obfuscation techniques.
Storing user data or client information on a web server is another topic. My advice would be to consider your exposure of doing this as you may be putting yourself and/or the organization at risk of legal action; this is often casually dismissed but should be considered even at this level. Keep in mind, databases are exploitable, as is any technology that is used on websites, Java, Flash, they all have unknown as well as unknown leveraged vulnerabilities. These nefarious techniques are well known, and can allow a would-be attacker to use your site for their gain either by gleaning confidential information from your site or by redirecting traffic to your site and using it as a bot to eventually glean information from other unsuspecting surfers.
There are many other factors to consider as some other posters have touched on such as managing the content, etc...lots to consider!
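
As an added example (not part of the original post): a small audit a site owner can run over their own page source to see which contact addresses are readable as plain text and which are hidden only by HTML entities or percent-encoding, a light obfuscation that is reversed with two standard-library calls. The page content, the addresses and the function name `audit_page` are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Deliberately simple address pattern; sufficient for an exposure audit.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample page: one plain mailto link, one percent-encoded
# mailto link, one entity-encoded address, and one contact form.
SAMPLE_PAGE = """
<p>Office: <a href="mailto:office@example.org">office@example.org</a></p>
<p>Donations: <a href="mailto:donate%40example.org">email us</a></p>
<p>Volunteers: volunteers&#64;example.org</p>
<p>Press: please use the <a href="/contact">contact form</a></p>
"""


def audit_page(source: str) -> dict:
    """Map each address found in the HTML source to its exposure level.

    'plain'   : readable in the raw source, including inside mailto: links
    'encoded' : hidden only by HTML entities or percent-encoding, which
                any automated reader can undo as easily as this script
    """
    findings = {}
    for addr in EMAIL_RE.findall(source):
        findings[addr.lower()] = "plain"
    # Undo the two trivial encodings, then look again.
    decoded = unquote(html.unescape(source))
    for addr in EMAIL_RE.findall(decoded):
        findings.setdefault(addr.lower(), "encoded")
    return findings


if __name__ == "__main__":
    for address, exposure in sorted(audit_page(SAMPLE_PAGE).items()):
        print(f"{exposure:8} {address}")
```

An empty result for a page means no address is recoverable from the static source by these two methods; it says nothing about addresses assembled by script at render time or shown as images.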