Guidance

Securing government email

Apply the government secure email policy.

This guidance applies to all email domains that public sector organisations run on the internet. You should follow this guidance if you’re in a role responsible for making sure your organisation exchanges email securely with other public sector organisations.

All gsi-family domain names (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) must now be replaced with a government domain like gov.uk, gov.scot, llyw.cymru or gov.wales.

How to secure email

You must:

Central government organisations should already have implemented encryption and authentication in line with the Government Cyber Security Policy.

Encrypt and authenticate email in transit

Protecting your email in transit makes it difficult to spoof your domain. Encryption and authentication only work if both the sender and the recipient use them.

To meet the Government Cyber Security Policy and protect email you must:

The Central Digital and Data Office recommends protecting email by:

  • forcing TLS when sending to *.gov.uk

  • forcing TLS when sending to any other domains you know support it if your local risk profile requires it

  • making sure you know if a TLS connection fails to partner organisations and your users know what to do if there’s a problem

  • using a provider that enforces MTA-STS policies when sending outbound email

  • using a provider that sends (TLS-RPT) and DMARC reports

  • forcing TLS to organisations you partner with if you have their agreement, where they don’t yet support MTA-STS

  • signing up to the NCSC Mail Check service to process and access your DMARC and TLS reports

Read the how to set up government email services securely for detailed information on how to set up TLS, DMARC, SPF and DKIM.

Make email security invisible to end users

Email security should be invisible to the end user as far as possible. Users should have the option to mark sensitive information if needed but not have to make complex technical decisions about sending data.

Do not make security difficult for users as they may find less secure work-arounds. Provide guidance so users:

  • can continue to work with minimal disruption
  • understand and can act on error or bounce-back messages
  • know who to contact if things go wrong
  • know if they have permission to send information by an insecure route if a secure route fails

Use extra encryption if your data needs more protection

If you routinely share bulk data with third parties consider using a secure web service or a secure bulk data transfer service. Email should not be used to transfer bulk sensitive data.

Make sure the data you send is appropriately protected by the recipient

As an information owner, you’re responsible for managing your organisation’s security risks. You should consider the protection of your data at rest as well as in transit. There is no standard list of approved, secure email domains for government. Your organisation must decide what assurance you need based on your own data and your own risk profile.

You need to understand possible risks when sharing information with other organisations and take steps to help protect your data. There are a number of approaches you can take to protect data including:

  • checking to make sure the recipient has independent accreditation that shows good security practice such as Cyber Essentials Plus or ISO 27001
  • asking the recipient organisation about their cyber security practices using the 10 steps to cyber security guidance
  • creating a data-sharing agreement between your organisations
  • relying on the reasonable expectation that the organisation you send data to will protect the data as required by legal or regulatory requirements like GDPR or the NIS Directive
  • using additional encryption methods described above to protect the data in transit and at rest so you do not have to get any security information from the recipient

Further email security guidance

For more information about email security, see:

Updates to this page

Published 24 August 2016
Last updated 4 March 2024 + show all updates
  1. 1) Updated to replace the Minimum Cyber Security Policy with the Government Cyber Security Policy. 2) Moved MTA-STS and TLS-RPT from ‘recommended’ to ‘must do’. 3) Added reference to PTR records 4) Changed references to Government Digital Service to Central Digital and Data Office.

  2. Adding information about MTA-STS and TLS-RPT protocols to the recommendations section. Adding clarity to the make email security invisible to end users.

  3. Updated information about TLS.

  4. Updated information about encryption, authentication and protection of data at rest

  5. The approach to email security is changing and we have removed the need to pass an assessment.

  6. In this version of the guidance, CTS has: * changed and removed wording throughout the document to make it easier to understand * moved technical detail into the set up guide * changed the document title in line with GDS style * restructured the document around the three aspects of encryption, anti-spoofing, and assessment * removed references to ADSP as it is no longer used widely enough to be valuable

  7. First published.

Sign up for emails or print this page