
Sending emails from your service domain

If you need to email your users, you must do it in a way that is reliable and protects them from spam and phishing.

Meeting the Digital Service Standard

If your service uses email, you must set it up in a way that works and protects users from spam to meet the following points:

You’ll have to discuss how you’ve done this at your service assessments - this could include any decisions you made about emailing users.

Use a specialist service provider

You should use a specialist service provider for sending emails, and consider using GOV.UK Notify. Your service provider should:

Create an email address

To email users, you must set up an email address on the service.gov.uk domain, for example:

  • info@servicename.service.gov.uk
  • servicename@notifications.service.gov.uk

Talk to your department IT team or service provider to set up an email address on the service.gov.uk domain.

You must only email your users from this email address and not from your department, agency or any other domain.

Allow users to reply to you

You must create an email address that your users can reply to, and you must read their messages.

You can receive user replies by either:

  • allowing users to reply directly
  • setting a reply-to address

Protect your users

When contacting your users, you must:

  • leave out sensitive information, like bank details
  • avoid making requests for personal information, like a user’s date of birth
  • only send links which point to the GOV.UK domain and show the URL in full
  • avoid including redirects in any links - for example, tracking
  • avoid sending attachments with emails
  • include the user’s first name and surname in the body of the email to make phishing more difficult
  • enable Domain-based Message Authentication, Reporting and Conformance (DMARC) to stop someone spoofing your domain
  • use Government Digital Service (GDS) guidance on securing government email to set up DMARC and TLS on your service.gov.uk domains
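
A pre-send check for several of the rules above, as an added example that is not part of the original guidance or of GOV.UK Notify: it flags a sender outside service.gov.uk, attachments, links that leave gov.uk, link text that differs from the URL and, as a heuristic, tracking or redirect parameters. The names `lint_email` and `sample_message`, the problem codes, the HTML-only scope and the reading of "the GOV.UK domain" as `gov.uk` plus its subdomains are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class _Links(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def lint_email(msg: EmailMessage) -> list[str]:
    """Return the rules from this guidance that an outgoing message breaks."""
    problems = []
    if not parseaddr(msg["From"] or "")[1].lower().endswith(".service.gov.uk"):
        problems.append("sender-not-service-gov-uk")
    if next(msg.iter_attachments(), None) is not None:
        problems.append("has-attachment")
    html = msg.get_body(("html",))
    parser = _Links()
    parser.feed(html.get_content() if html else "")
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()  # hostname drops any user@ prefix
        if host != "gov.uk" and not host.endswith(".gov.uk"):
            problems.append(f"off-domain-link:{href}")
        if text.strip() != href:
            problems.append(f"url-not-shown-in-full:{href}")
        # Heuristic (assumption): utm_* or URL-valued parameters mean tracking/redirect.
        if any(k.startswith("utm_") or v.startswith("http") for k, v in parse_qsl(parts.query)):
            problems.append(f"tracking-or-redirect:{href}")
    return problems

def sample_message() -> EmailMessage:
    """Constructed sample: one compliant link, one tracked off-domain link."""
    msg = EmailMessage()
    msg["From"] = "info@servicename.service.gov.uk"
    msg.set_content(
        '<a href="https://www.gov.uk/renew">https://www.gov.uk/renew</a> '
        '<a href="https://t.example.com/c?u=https://www.gov.uk/renew">Renew</a>',
        subtype="html")
    return msg
```

Run `lint_email` in the automated tests for every email template, and fail the build when it returns anything.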

Dealing with delivery errors

Don’t keep sending mail to email addresses that you know are broken or don’t exist.

Testing your email delivery

You must implement automated testing and monitoring to make sure your email sending is reliable.

The level of reliability you need depends on:

  • what your service does and how critical email is to the service
  • the development phase you’re in - in alpha you won’t need as much reliability as when the service is live

Types of checks you need

The types of checks you need to achieve your chosen level of reliability depend on how you’re sending emails.

If you’re using GOV.UK Notify or another managed email service provider, it may be enough to carry out a combination of:

  • monitoring checks on your integration with the external services
  • automated tests that verify the integration with the third-party application programming interface (API)

If you need to be more confident of reliability, you can set up full end-to-end tests which check both the integration of your service and the eventual delivery to the recipient.

Checking the format and content of your email

You should periodically use tools to manually check:

  • email looks normal and is easy to read in all email and webmail clients
  • email successfully delivers to popular email clients

There are a variety of commercial tools you can use to manually check emails.

How to write emails

You should use plain English when talking to users.

Check the patterns for notifications to see examples of the wordings you should use when contacting users.

Published by:
Technology community (technical architecture)
Last update:

Included more detailed advice on protecting users, including guidance on DMARC and SPF records.

  1. Guidance first published