Understand government secure email policy and improve email security.
Read this guidance if you need an overview of how to improve email security and configure:
If you need to configure email services securely, read the detailed implementation guidance on how to set up government email services securely.
Important: If you currently use a gsi-family domain name (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) you must replace it with a government domain like gov.uk, gov.scot, llyw.cymru or gov.wales by March 2019.
How to secure email
You must secure government email by:
Using Transport Layer Security (TLS) 1.2 or later when sending or receiving email.
Using Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework(SPF) and Domain-Keys Identified Mail(DKIM) to help protect your domain from spoofing.
Secure email connections for government email
The diagram below shows cloud- and PSN-based email services using TLS. Each service requires a TLS connection to exchange email. Services look up information in public domain name system (DNS) records to route and verify email.
Transfer sensitive information
You should only use message-based encryption like PGP or S/MIME occasionally for transfer of sensitive information as it’s inefficient and provides a poor user experience. If you are regularly exchanging sensitive information in this way you should explore alternative approaches, such as secure file transfer or other digital services.
To read more about securing email, the following links may be useful:
- Configure email services securely
- Changing government email: migrating from .gsi
- NCSC guidance on TLS
- Government policy on email security
- Email security standards
Email any questions about this guidance to email@example.com.