This guidance applies to all email domains that public sector organisations run on the internet. It also helps ensures that public sector organisations exchanges email securely with other public sector organisations. Protecting emails in transit makes it difficult for domains to be spoofed.

All public sector emails must be kept secure by:

• encrypting and authenticating email in transit by supporting Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC) as a minimum

• making sure the recipient protects the data you send to them

• making email security invisible to end users as far as practically possible

Encryption and authentication only work if both the sender and the recipient use them.

The Government Digital Service recommends protecting email by:

• forcing TLS when sending to .gov.uk

• forcing TLS when sending to any other domains that supports it if the local risk profile requires it

• using extra encryption services if needs be