Sending emails from your service

If you need to email your users, you must do it in a way that is reliable and protects them from spam and phishing.

Use a specialist service provider

You should use a specialist service provider for sending emails, and consider using GOV.UK Notify. Your service provider should:

Create an email address

To email users, you must set up an email address on the domain, for example:


Talk to your department IT team or service provider to set up an email address on the domain.

You must only email your users from this email address and not from your department, agency or any other domain.

Allow users to reply to you

You must create an email address that your users can reply to, and you must read their messages.

You can receive user replies by either:

  • allowing users to reply directly
  • setting a reply-to address

Protect your users

When contacting your users, you must:

  • leave out sensitive information, like bank details
  • avoid making requests for personal information, like a user’s date of birth
  • only send links which point to the GOV.UK domain and show the URL in full
  • avoid including redirects in any links - for example, tracking
  • avoid sending attachments with emails
  • include the user’s first name and surname in the body of the email to make phishing more difficult
  • enable Domain-based Message Authentication, Reporting and Conformance (DMARC) to stop someone spoofing your domain
  • follow the guidance on securing government email to set up DMARC and TLS on your domains

Dealing with delivery errors

Do not keep sending mail to email addresses that you know are broken or do not exist.

Testing your email delivery

You must implement automated testing and monitoring to make sure your email sending is reliable.

The level of reliability you need depends on:

  • what your service does and how critical email is to the service
  • the development phase you’re in - in alpha you will not need as much reliability as when the service is live

Types of checks you need

The types of checks you need to achieve your chosen level of reliability depend on how you’re sending emails.

If you’re using GOV.UK Notify or another managed email service provider, it may be enough to carry out a combination of:

  • monitoring checks on your integration with the external services
  • automated tests that verify the integration with the third-party application programming interface (API)

If you need to be more confident of reliability, you can set up full end-to-end tests which check both the integration of your service and the eventual delivery to the recipient.

Checking the format and content of your email

You should periodically use tools to manually check:

  • email looks normal and is easy to read in all email and webmail clients
  • email successfully delivers to popular email clients

There are a variety of commercial tools you can use to manually check emails.

How and when to write emails

There’s a separate guide to planning and writing emails.

Last update:

Included more detailed advice on protecting users, including guidance on DMARC and SPF records.

  1. Guidance first published