As toomas clarifies: The primary source for contact data is AD and if AD sync is on, it will use the e-mail addresses from there on each sync.
To allow our ServiceDesk workers to change AD related data, we have created a simple workflow, using the out-of-the-box workflow AD components. The workflow is published in the Service Catalog and verifies on each run that the calling user belongs to a specific group with the needed permissions in our ServiceDesk.