Government organisations urged to boost email security


The Government Digital Service (GDS) has issued guidelines aimed at tightening up email security within government organisations.

The new guidelines focus on encryption, verification and assurance, and answer some of the questions most commonly raised within government.

In a blog post, Nick Woodcraft said that by collaborating across government the GDS is not only setting a standard for what email security should look like, but one that is interoperable and easy to use. Guidelines issued include:



The GDS says that, while several encryption standards exist, only Transport Layer Security (TLS) has the required high adoption and low burden on the end-user. TLS protects email in transit between email services, and government organisations are being encouraged to ensure it is used in any email exchanges over the internet including, as far as possible, when talking to people outside government.



Preventing spoofed or phishing emails is key for providing greater confidence that an email is genuine. The GDS recommends providing verification by Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC uses a combination of open standards like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), and reporting to help an organisation understand how its email domains are being used or misused. It also allows you to set a policy telling other organisations how to treat email that does not appear to come from you.

DMARC is widely implemented in banking and online services, and the National Crime Agency is working with industry to use it for fraud prevention. We hope that by using it in government we will encourage its adoption country-wide.
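The policy and reporting settings described above live in a DNS TXT record published for the domain. The following added example, which is not GDS code and not the monitoring tool mentioned in this article, audits such a record offline; the function names and the sample records are constructed for illustration.

```python
# Added example: offline audit of a DMARC TXT record (tag syntax per RFC 7489).
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; the first tag must be v=DMARC1."""
    tags, first = {}, None
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        name, value = name.strip().lower(), value.strip()
        if first is None:
            first = (name, value)
        tags[name] = value
    if first != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return tags

def audit_dmarc(txt):
    """Return a list of findings; an empty list means enforced policy with reporting."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [f"invalid record: {exc}"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return [f"invalid record: missing or unknown p= ({policy!r})"]
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, receivers take no action on failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left unenforced")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append(f"pct={pct}: must be an integer from 0 to 100")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only a share of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent to the domain owner")
    return findings

# Constructed sample records (example.org is a placeholder domain).
SAMPLES = {
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
    "monitor": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc-reports@example.org",
    "not_dmarc": "v=spf1 include:example.org -all",
}
```

Calling `audit_dmarc` on each value in `SAMPLES` shows the difference between a record that only monitors, one that is partly enforced, and one that rejects failing mail and requests reports.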



Although TLS and DMARC are widely supported open protocols, the nature of the Simple Mail Transfer Protocol (SMTP) on which email is built makes it difficult to get assurance about their implementation. To provide this, the GDS is building a tool to monitor TLS and DMARC use across government, providing a way to check if a service is secure.

The tool is already in alpha and going through user testing. We’re making it available to a limited number of people this week to help iron out any issues before going live.



A detailed guide has been published explaining what government organisations need to do to securely send and receive email over the internet. It also provides guidance on legacy domains, such as and
