Securing government email

Understand government secure email policy and improve email security.

Read this guidance if you need an overview of how to improve email security and configure:

If you need to configure email services securely, read the detailed implementation guidance on how to set up government email services securely.

Important: If you currently use a gsi-family domain name (,, or you must replace it with a government domain like,, or by March 2019.

How to secure email

You must secure government email by:

  1. Using Transport Layer Security (TLS) 1.2 or later when sending or receiving email.

  2. Using Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework(SPF) and Domain-Keys Identified Mail(DKIM) to help protect your domain from spoofing.

Secure email connections for government email

The diagram below shows cloud- and PSN-based email services using TLS. Each service requires a TLS connection to exchange email. Services look up information in public domain name system (DNS) records to route and verify email.

Secure email connections for government email

Transfer sensitive information

You should only use message-based encryption like PGP or S/MIME occasionally for transfer of sensitive information as it’s inefficient and provides a poor user experience. If you are regularly exchanging sensitive information in this way you should explore alternative approaches, such as secure file transfer or other digital services.

Further reading

To read more about securing email, the following links may be useful:

Email any questions about this guidance to

Published 24 August 2016
Last updated 18 April 2018 + show all updates
  1. The approach to email security is changing and we have removed the need to pass an assessment.
  2. In this version of the guidance, CTS has: * changed and removed wording throughout the document to make it easier to understand * moved technical detail into the set up guide * changed the document title in line with GDS style * restructured the document around the three aspects of encryption, anti-spoofing, and assessment * removed references to ADSP as it is no longer used widely enough to be valuable
  3. First published.