Sending text messages securely
If you need to contact your users by text message, you must:
- do it securely
- use a provider that can support the number of text messages you want to send
Choose an SMS aggregator service
The supplier should use a Tier 1 SMS aggregator for direct access to mobile networks and better performance. You can consider using more than one aggregator for improved resilience.
The supplier should also:
- provide delivery receipts
- provide failover and technical support
- encrypt all data in transit and at rest
- work with you on information assurance activities
You may also need to check your supplier can send messages to overseas phone numbers if that’s relevant for your service.
There should be no additional charges for sending messages abroad.
Set up a sender ID
To send text messages to users, you must set up a sender ID. This is a name or number that identifies you as the sender of a text message.
Always text users from this sender ID. This means that if you send multiple messages to a user, they’ll receive them in a single thread.
If you want your users to be able to reply to your text messages, you should use a full length UK mobile phone number or a shortcode.
Shortcodes are 5 to 6 digit phone numbers that generally only work in the UK, but can be memorable and useful for advertising campaigns.
Phone numbers and alphanumeric strings
You can choose a full UK mobile phone number as your sender ID. This will allow users to reply to your text messages, but they may have to pay to do this. You must also be able to read any text messages that you receive.
You can also use an alphanumeric string up to 11 characters long, for example ‘HMRC’. Doing this means your users will be able to easily identify who sent the text message. However, they won’t be able to send a reply, so don’t use one if you plan to receive messages.
If you choose a shortcode as your sender ID, you can use it to send messages from different services so that users only receive texts from one number.
If you want to do this and allow users to reply, you must create a mechanism that will distribute messages to the right service team (for example, by asking users to include a keyword).
You must not use a shared shortcode that can be used by any non-government organisations as it could leave your service and its users vulnerable to fraud.
Dealing with delivery errors
Permanent and temporary delivery failures happen when the service provider can’t reach your users.
Permanent failures mean the phone number you are sending your message to is broken or doesn’t exist. You should check delivery receipts regularly and remove these numbers from your database to reduce delivery costs.
Temporary failures mean a mailbox may be full or the service provider is unable to reach your users at a specific time. You should consider whether it would be helpful to send a reminder or contact the user in a different way.
You should work with your service provider to regularly test the messaging integration with your service.
Most providers will provide ways to smoke test the integration without sending real messages.
Checking the format and content of your messages
You should follow the guidance on when and how to write text messages to make sure yours are clear and informative for users.
You may also find the following guides useful:
- Published by:
- Technology community (technical architecture)
- Last update:
Guidance first published