Blog post

Improving email security

Created:  15 Sep 2017
Updated:  15 Sep 2017
Author:  Richard C
Securing email

Today we've added new guidance to our website, advising on two aspects of email security: the protection of email traffic as it passes between servers and anti-spoofing controls. 

The guidance is intended to help IT teams verify that appropriate email security controls are in place and correctly configured on their domains. The guidance comes in two parts, the first giving top level recommendations and the second, technical implementation advice for administrators.

Lessons from the public sector

Email spoofing is a technique used by criminals in support of phishing campaigns or more targeted attempts to breach an organisation. The adversary's aim of sending a spoofed email is normally to trick a user into visiting a website to divulge information or infect their device with malware. 

In the UK public sector we've been working hard to implement anti-spoofing controls on our domains. Many other organisations have followed in the footsteps of HMRC in adopting controls like SPF, DKIM and DMARC, and as a result it's getting more difficult to spoof an email from their domains. We've still got a long way to go to implement these controls on all of our domains. It's likely to be months if not years before I'm fully satisfied, but it's great to reference the many good examples from the public sector when talking to colleagues from industry.

As well as implementing anti-spoofing controls there has been an increase in support for TLS on the email servers used by the public sector. The vast majority of public sector email servers now support the reception of email using TLS, and we'll be helping organisations responsible for those that don't put that right.

Let us know what you think

The advice we are publishing today is derived from some of the lessons we've learned in the public sector. Our friends at the Government Digital Service have helped us distill this into something that should be useful for many other sectors. We want to keep this guidance current and accurate, and as part of that we're keen to learn from your experience too. So, if you have any feedback, please feel free to comment below or send us your feedback.


Phil Ashby - 01 Oct 2017
I'd be interested to know your thoughts on the use of digital signatures for emails (S/MIME or PGP or ...). This is a technology I used heavily when I worked in the security area of a major Telco, but I rarely see outside those sort of environments. I questioned my bank a couple of years ago about the use of digital signatures on the communications they send regularly to customers, and was told that it's difficult as they outsource marketing work and cannot outsource key material.. what about government?
Doktor Jon - 26 Oct 2017
I have suggested it before, but .... if there was a campaign to encourage all household name businesses and organisations to refrain from placing ANY active hyperlinks in their emails, the general public would over time accept that if they do receive an email with a "click on this" or "click here for more information" statement, the underlying message is .... DON'T!
If an email has links with which it's replete, do the sensible thing and hit the delete!
Rob Whitelock - 06 Dec 2017
Not sharing your email login with your staff would be a good start.
NCSC Communications Team - 31 Aug 2018
This blog is now closed to comments.

Was this blog post helpful?

We need your feedback to improve this content.

Yes No