How to email your users
If you need to email your service’s users, you must do so in a way that makes sure they get your emails and protects them from spam and phishing.
Meeting the Digital Service Standard
If your service uses email, you must set it up in a way that works and protects users from spam to meet the following points:
You’ll have to discuss how you’ve done this at your service assessments - this could include any decisions you made about emailing users.
Use a specialist service provider
You should use a specialist service provider for sending emails, and consider using GOV.UK Notify.
Create an email address
To email users, you must set up an email address on the service.gov.uk domain, for example:
Talk to your department IT team or service provider to set up an email address on the service.gov.uk domain.
You must only email your users from this email address, not from your department's or agency's domain or any other domain.
Allow users to reply to you
You must create an email address which your users can reply to, and you must read their messages.
You can receive user replies in either of the following ways:
- by allowing users to reply directly
- by setting a reply-to address
Protect your users
When contacting your users, you must:
- leave out sensitive information, like bank details
- avoid making requests for personal information, like a user’s date of birth
- only send links which point to the GOV.UK domain and show the URL in full
- avoid including redirects in any links (eg tracking)
- avoid sending attachments with emails
- include the user’s first name and surname in the body of the email to make phishing more difficult
- analyse your DMARC reports to check the phishing attacks that have been made against your domain, and continuously improve your email delivery
You must also set up the following technology to protect users from spam and make your real emails less likely to be caught by spam filters:
- Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM)
- DMARC and Transport Layer Security (TLS) on the sending domain
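One way to start on the DMARC report analysis mentioned in the list above, as an added example (not part of the original guidance or any GOV.UK code): it reads an aggregate report in the RFC 7489 XML layout and counts, per sending IP, the messages that failed DMARC or passed on only one mechanism. The report, domain and IP addresses are constructed sample values, and `summarise` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 Appendix C layout); the domain
# and the documentation-range IP addresses are placeholders, not real data.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.service.gov.uk</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
</feedback>"""


def summarise(report_xml):
    """Return (unauthenticated, partial): message counts keyed by source IP."""
    # Reports arrive from third parties: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD not allowed in DMARC report")
    unauthenticated, partial = Counter(), Counter()
    for record in ET.fromstring(report_xml).iter("record"):
        ip = record.findtext("row/source_ip")
        count = int(record.findtext("row/count", "0"))
        dkim = record.findtext("row/policy_evaluated/dkim")
        spf = record.findtext("row/policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            unauthenticated[ip] += count  # DMARC fail: spoofing or an unconfigured sender
        elif dkim != "pass" or spf != "pass":
            partial[ip] += count          # DMARC pass, but one mechanism needs fixing
    return unauthenticated, partial


if __name__ == "__main__":
    failed, partial = summarise(SAMPLE_REPORT)
    for ip, n in failed.most_common():
        print(f"DMARC fail   {ip}: {n} messages")
    for ip, n in partial.most_common():
        print(f"one failing  {ip}: {n} messages")
```

Sources in the first group that you do not recognise are candidates for spoofing of your domain; sources you do recognise there are legitimate senders whose SPF or DKIM setup needs fixing.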
Dealing with delivery errors
Don’t keep sending mail to email addresses that you know are broken or don’t exist.
Testing your email delivery
You must implement automated testing and monitoring to ensure that your email sending is reliable.
The level of reliability you need depends on:
- what your service does and how critical email is to the service
- the development phase you’re in - in alpha you won’t need as much reliability as when the service is live
Types of checks you need
The types of checks you need to achieve your chosen level of reliability depend on how you’re sending emails.
If you’re using GOV.UK Notify or another managed email service provider, it may be enough to carry out a combination of:
- monitoring checks on your integration with the external services
- automated tests that verify the integration with the third party API
If you need to be more confident of reliability, you can set up full end-to-end tests which check both the integration of your service and the eventual delivery to the recipient.
Checking the format and content of your email
You should periodically use tools to manually check:
- the email looks normal and is easy to read in all email and webmail clients
- the email successfully delivers to popular email clients
There are a variety of commercial tools you can use to manually check emails.
How to write emails
You should use plain English when talking to users.
Check the patterns for notifications to see examples of the wordings you should use when contacting users.
- Published by:
- Technology community (technical architecture)
- Last update:
Guidance first published