Apply the government secure email policy.
This guidance applies to all email domains that public sector organisations run on the internet. You should follow this guidance if you’re in a role responsible for making sure your organisation exchanges email securely with other public sector organisations.
All gsi-family domain names (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) must now be replaced with a government domain like gov.uk, gov.scot, llyw.cymru or gov.wales.
How to secure email
- encrypt and authenticate email in transit by supporting Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC) as a minimum
- use extra encryption if your data needs more protection
- make sure the recipient protects the data you send to them
- make email security invisible to end users as far as practically possible
Central government organisations should already have implemented encryption and authentication in line with the Minimum Cyber Security Standard.
Encrypt and authenticate email in transit
Encrypting email in transit protects its contents on the way to the recipient, and authenticating it makes your domain difficult to spoof. Both measures only work if the sender and the recipient support them.
To meet the Minimum Cyber Security Standard and protect email you must:
- support Transport Layer Security Version 1.2 (TLS v1.2) or later for sending and receiving email securely
- have Domain-based Message Authentication Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records in place to make email spoofing difficult
- implement spam and malware filtering, and enforce DMARC on inbound email
The Government Digital Service recommends protecting email by:
- forcing TLS when sending to *.gov.uk
- forcing TLS when sending to any other domains you know support it if your local risk profile requires it
- making sure you know if a TLS connection fails and your users know what to do if there is a problem
- signing up to the NCSC Mail Check service to access your DMARC reports
- having rules in place to handle organisations that don’t support TLS 1.2 - set up TLS Reporting (TLS-RPT) and send reports to the NCSC Mail Check service at email@example.com to make this easier in the future
- using extra encryption services if you need them
Read the guidance on how to set up government email services securely for detailed information on setting up TLS, DMARC, SPF and DKIM.
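An added example, not GOV.UK or NCSC tooling: a Python check that reads a domain's SPF, DMARC and TLS-RPT TXT records and reports where they fall short of the minimum above. The DNS lookups are replaced by a constructed in-memory zone so it runs offline; the domains and mailbox addresses in it are placeholders.

```python
"""Check SPF, DMARC and TLS-RPT records against the minimum described above.
Added example, not GOV.UK or NCSC code. Live DNS is replaced by a constructed
in-memory zone; all domains and mailto: addresses below are invented."""

# Constructed sample TXT records standing in for DNS answers (name -> records).
SAMPLE_ZONE = {
    "example.gov.uk": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.gov.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov.uk"],
    "_smtp._tls.example.gov.uk": ["v=TLSRPTv1; rua=mailto:tls-rpt@example.gov.uk"],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}

def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_domain(domain, zone=SAMPLE_ZONE):
    """Return a list of findings; an empty list means the records meet the minimum."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("SPF: expected exactly one v=spf1 record at the domain apex")
    elif spf[0].split()[-1].lower() != "-all":
        findings.append("SPF: record should end with -all so unauthorised senders hard-fail")
    dmarc = [r for r in zone.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: no v=DMARC1 record at _dmarc." + domain)
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: policy p=%s only monitors; spoofed mail is still delivered" % tags.get("p"))
        if not tags.get("rua", "").startswith("mailto:"):
            findings.append("DMARC: no rua= address, so aggregate reports cannot reach Mail Check")
    tlsrpt = [r for r in zone.get("_smtp._tls." + domain, []) if r.startswith("v=TLSRPTv1")]
    if not tlsrpt or "rua=" not in tlsrpt[0]:
        findings.append("TLS-RPT: no _smtp._tls record with rua=, so failed TLS sessions go unreported")
    return findings

if __name__ == "__main__":
    for name in ("example.gov.uk", "weak.example"):
        print(name, "->", check_domain(name) or "OK")
```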
Use extra encryption if your data needs more protection
If you need extra security for individual messages, consider using an end-to-end email encryption tool or service from the Digital Marketplace. Choose a tool or service that does not place unnecessary burdens on the user receiving the information.
If you routinely share bulk data with third parties, consider using a secure web service or a secure bulk data transfer service.
Make sure the data you send is appropriately protected by the recipient
As an information owner, you’re responsible for managing your organisation’s security risks. You should consider the protection of your data at rest as well as in transit. There is no standard list of approved, secure email domains for government. Your organisation must decide what assurance you need based on your own data and your own risk profile.
You need to understand possible risks when sharing information with other organisations and take steps to help protect your data. There are a number of approaches you can take to protect data including:
- checking to make sure the recipient has independent accreditation that shows good security practice such as Cyber Essentials Plus or ISO 27001
- asking the recipient organisation about their cyber security practices using the 10 steps to cyber security guidance
- creating a data-sharing agreement between your organisations
- relying on the reasonable expectation that the organisation you send data to will protect the data as required by legal or regulatory requirements like GDPR or the NIS Directive
- using additional encryption methods described above to protect the data in transit and at rest so you do not have to get any security information from the recipient
Make email security invisible to end users
Email security should be invisible to the end user as far as possible. Users should have the option to mark sensitive information if needed but not have to make complex technical decisions about sending data.
Do not make security difficult for users, as they may find less secure workarounds. Provide guidance so users:
- can continue to work with minimal disruption
- understand and can act on error or bounce-back messages
- know who to contact if things go wrong
- know if they have permission to send information by an insecure route if a secure route fails
Further email security guidance
For more information about email security, see:
- Set up government email services securely
- Changing government email: migrating from .gsi
- NCSC guidance on TLS
- Government policy on email security
- Email security standards
- Minimum Cyber Security Standard
- Sender Policy Framework
- Technology Code of Practice
- Protect domains that don’t send email
- Sending emails from your service domain