Part of Data Security Standard 6 - Responding to incidents
Email server software (6.2.6 - 6.2.9)
Depending on your organisation and whether you manage your own email system, you should have some form of ‘email gateway’: generally a central system that protects against email-borne threats.
If your organisation’s mail system is NHSmail exclusively, you do not have the requirement to monitor as this is managed on your behalf.
In addition to the requirements for server grade anti-virus and malware solutions (where appropriate and dependent on the size and structure of your organisation), it is recommended that email systems include specific features that offer additional protection, such as:
- quarantine of possibly infected files
- mass mailing protection
- secured access to logs and quarantined files for audit purposes
- generic attachment filtering
- email content and attachment inspection
- controls to prevent the forwarding of infected emails
Organisations should consider implementing controls that disallow all attachments apart from those on an ‘allowed list’. This should be relatively easy to implement and maintain (for example, what business need is there for attachment type a, b or c to be received or transmitted?).
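The attachment allow-list and content inspection described above, as an added example that is not part of the original guidance or of any gateway product. It assumes a constructed allow list (extension, expected MIME type and leading file-signature bytes) and scans a constructed MIME message, quarantining any attachment whose name, declared type or actual content does not agree with that list:

```python
from __future__ import annotations

import email
import posixpath
from email import policy
from email.message import EmailMessage

# Constructed allow list: final extension -> acceptable declared MIME types.
ALLOWED_TYPES = {
    ".pdf": {"application/pdf"},
    ".docx": {"application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
    ".xlsx": {"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
}

# Leading bytes the real file format starts with (content inspection, not just the name).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def attachment_decision(filename: str | None, content_type: str, payload: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one attachment; default is to refuse."""
    name = (filename or "").strip().lower()
    if not name:
        return False, "unnamed attachment"
    # splitext keeps only the final extension, so 'invoice.pdf.exe' is judged as '.exe'.
    ext = posixpath.splitext(name)[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext or 'none'}' is not on the allowed list"
    declared = content_type.lower().split(";")[0].strip()
    if declared not in ALLOWED_TYPES[ext]:
        return False, f"declared type {declared} does not match {ext}"
    if not payload.startswith(MAGIC[ext]):
        return False, f"content does not look like a {ext} file"
    return True, "allowed"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and list the attachments a gateway would quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    quarantined = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        ok, reason = attachment_decision(part.get_filename(), part.get_content_type(), payload)
        if not ok:
            quarantined.append((part.get_filename() or "(unnamed)", reason))
    return quarantined


def build_sample() -> bytes:
    """Constructed inbound message: one genuine PDF, one double-extension file, one mislabelled file."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.com"
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"quarantine {name}: {reason}")
```

Refusing anything not on the list, rather than blocking known-bad types, is what makes the rule easy to maintain: a new business need adds one entry, and a file whose name, declared type and content disagree is treated as suspect even when each is individually acceptable.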
Your chosen solution should allow reporting, particularly:
- volume of spam mails
- volume of emails being filtered
- number of phishing emails reported by staff per month.
DMARC, DKIM and SPF (6.2.8 - 6.2.9)
Your email service provider must implement Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records to make email spoofing more difficult.
DMARC should be enforced on all inbound email. These features are provided by default by NHSmail.
You have implemented DMARC, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) on your email for your organisation's domains, to make email spoofing difficult.
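A check of the published SPF, DKIM and DMARC records for a domain, as an added example that is not part of this guidance or of the NCSC material it refers to. It takes the record text as strings (constructed here; in practice the TXT records returned by a DNS lookup of the domain, `selector._domainkey.domain` and `_dmarc.domain`) and reports the settings that leave spoofing easy, such as SPF ending in `~all`, a DKIM key in testing mode, or a DMARC policy of `p=none`:

```python
from __future__ import annotations

import re


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k2=v2' tag list format shared by DKIM and DMARC records."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str | None) -> list[str]:
    findings = []
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not failed")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("SPF: '~all' (softfail) only marks spoofed mail, it does not fail it")
        elif qualifier != "-":
            findings.append(f"SPF: '{last}' permits any sender")
    # RFC 7208 allows at most 10 DNS-querying terms; more gives a permanent error.
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), 1)[0]
        if name in {"a", "mx", "ptr", "include", "exists", "redirect"}:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def assess_dkim(record: str | None) -> list[str]:
    if not record:
        return ["DKIM: no selector record published"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y testing mode, verifiers may disregard failures")
    return findings


def assess_dmarc(record: str | None) -> list[str]:
    if not record:
        return ["DMARC: no _dmarc record published"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy '{policy}'")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports will not be received")
    return findings


def assess_domain(spf: str | None, dkim: str | None, dmarc: str | None) -> list[str]:
    return assess_spf(spf) + assess_dkim(dkim) + assess_dmarc(dmarc)


# Constructed records for a weakly and a properly configured domain (not real DNS data).
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=constructedPublicKeyBase64",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
STRONG = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=constructedPublicKeyBase64",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.org",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess_domain(**records) or ["no findings"])
```

This checks the records a domain publishes (the sending side of the three standards); enforcing DMARC on inbound mail, as the text requires, is a separate setting on the receiving gateway and is not something the published records can show.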
Spam, spam everywhere but not a bite to eat
You should have a spam and content filter for email in place. This can either be built into the email server product or be a separate third-party offering.
Ultimately the goal is to reduce spam and spear-phishing. There is always a balance in how aggressively you filter spam: a very low tolerance setting will lead to false positives (genuine mail being classified as spam), while a very high one lets spam through.
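The monthly reporting listed earlier (spam volume, filtered volume, phishing reports from staff) and the false-positive balance described above, as an added example that is not part of the original guidance or of any gateway product. The log format is constructed for the example; the assumption, labelled in the code, is that a message released from quarantine is a reasonable proxy for a false positive, so the release rate per month is the signal for whether the filter is tuned too aggressively:

```python
from __future__ import annotations

from collections import defaultdict

# Constructed gateway log lines (invented format, not from any real product):
# timestamp, action taken, message id.
LOG_LINES = """\
2022-08-02T09:14:05Z action=delivered id=m1
2022-08-02T09:15:11Z action=spam id=m2
2022-08-03T10:01:40Z action=quarantined reason=attachment id=m3
2022-08-03T10:02:01Z action=released id=m3
2022-08-05T14:22:09Z action=phish_reported id=m4
2022-09-01T08:00:00Z action=spam id=m5
2022-09-01T08:00:30Z action=spam id=m6
2022-09-02T11:45:12Z action=quarantined reason=content id=m7
2022-09-04T16:10:59Z action=phish_reported id=m8
2022-09-04T16:12:03Z action=phish_reported id=m9
2022-09-06T09:30:00Z action=delivered id=m10
"""


def parse_line(line: str) -> tuple[str, dict[str, str]]:
    """Split one log line into its month ('YYYY-MM') and key=value fields."""
    timestamp, *fields = line.split()
    return timestamp[:7], dict(field.split("=", 1) for field in fields)


def monthly_report(lines: str) -> dict[str, dict[str, float]]:
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines.splitlines():
        if not line.strip():
            continue
        month, fields = parse_line(line)
        counts[month][fields["action"]] += 1

    report = {}
    for month, c in sorted(counts.items()):
        quarantined = c["quarantined"]
        # Assumption: a release from quarantine means a genuine mail was caught (a false positive).
        release_rate = round(c["released"] / quarantined, 2) if quarantined else 0.0
        report[month] = {
            "spam": c["spam"],
            "filtered": c["spam"] + quarantined,
            "phishing_reports": c["phish_reported"],
            "false_positive_rate": release_rate,
        }
    return report


if __name__ == "__main__":
    for month, figures in monthly_report(LOG_LINES).items():
        print(month, figures)
```

A rising false-positive rate alongside a falling spam count is the sign that the tolerance has been set too low; a rising number of staff phishing reports with a flat filtered count suggests the opposite.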
This guide does not go into the detail of implementation (for DMARC, DKIM and SPF) as the NCSC have a comprehensive guide.
Last edited: 27 September 2022 11:12 am