If you need to email your users, you must do it in a way that is reliable and protects them from spam and phishing.
Use a specialist service provider
You should use a specialist service provider for sending emails, and consider using GOV.UK Notify. Your service provider should:
- send and receive email using Transport Layer Security (TLS), where available
- use DomainKeys Identified Mail (DKIM) to sign outbound email
- provide a hostname or IP range for you to include in your Sender Policy Framework (SPF) record
Create an email address
To email users, you must set up an email address on the service.gov.uk domain, for example:
Talk to your department IT team or service provider to set up an email address on the service.gov.uk domain.
You must only email your users from this email address and not from your department, agency or any other domain.
Allow users to reply to you
You must create an email address that your users can reply to, and you must read their messages.
You can receive user replies by either:
- allowing users to reply directly
- setting a reply-to address
Protect your users
When contacting your users, you must:
- leave out sensitive information, like bank details
- avoid making requests for personal information, like a user’s date of birth
- only send links which point to the GOV.UK domain and show the URL in full
- avoid including redirects in any links - for example, tracking
- avoid sending attachments with emails
- include the user’s first name and surname in the body of the email to make phishing more difficult
- enable Domain-based Message Authentication, Reporting and Conformance (DMARC) to stop someone spoofing your domain
- use Government Digital Service (GDS) guidance on securing government email to set up DMARC and TLS on your service.gov.uk domains
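The SPF and DMARC requirements above (authorising your service provider's hostname or IP range in SPF, and enabling DMARC so that your domain cannot be spoofed) can be checked before go-live by parsing the domain's TXT records. The following is an added example, not code from the Service Manual or GOV.UK Notify; the records it checks are constructed, and include:_spf.example.net stands in for whatever term your provider gives you.

```python
# Added example (not the Service Manual's code): check a sending domain's SPF and DMARC
# TXT records. Sample records are constructed; include:_spf.example.net is a hypothetical provider.
def parse_spf(txt):
    # Returns (mechanisms, all_qualifier), or None if the record is not SPF.
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term.lower()))
    return mechanisms, all_qualifier

def parse_dmarc(txt):
    # Returns a dict of DMARC tags, or None if the record is not DMARC.
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def check_domain(spf_txt, dmarc_txt, provider_term):
    # Returns a list of findings; an empty list means both records look right.
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no SPF record")
    else:
        mechanisms, all_qualifier = spf
        if not any(q == "+" and m == provider_term.lower() for q, m in mechanisms):
            findings.append(f"SPF does not authorise {provider_term}")
        if all_qualifier != "-":
            findings.append("SPF does not end with -all, so other senders only soft-fail")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None or dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC missing or not enforcing (p must be quarantine or reject)")
    elif "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so you get no aggregate reports")
    return findings

# Constructed sample records for a hypothetical service domain.
GOOD_SPF, GOOD_DMARC = "v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"
WEAK_SPF, WEAK_DMARC = "v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=none"
```

Fetch the real TXT records for your service.gov.uk domain and its _dmarc subdomain and pass them to check_domain; a p=none policy only reports on spoofing, it does not stop it.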
Dealing with delivery errors
Don’t keep sending mail to email addresses that you know are broken or don’t exist.
Testing your email delivery
You must implement automated testing and monitoring to make sure your email sending is reliable.
The level of reliability you need depends on:
- what your service does and how critical email is to the service
- the development phase you’re in - in alpha you won’t need as much reliability as when the service is live
Types of checks you need
The types of checks you need to achieve your chosen level of reliability depend on how you’re sending emails.
If you’re using GOV.UK Notify or another managed email service provider, it may be enough to carry out a combination of:
- monitoring checks on your integration with the external services
- automated tests that verify the integration with the third-party application programming interface (API)
If you need to be more confident of reliability, you can set up full end-to-end tests which check both the integration of your service and the eventual delivery to the recipient.
Checking the format and content of your email
You should periodically use tools to manually check:
- email looks normal and is easy to read in all email and webmail clients
- email successfully delivers to popular email clients
There are a variety of commercial tools you can use to manually check emails.
How and when to write emails
There’s a separate guide to planning and writing emails.
Change history
- Included more detailed advice on protecting users, including guidance on DMARC and SPF records.
- Guidance first published