Can my organisation use Domain-based Messages Authentication Reporting and Conformance (DMARC)?

Domain-based Messages Authentication Reporting and Conformance (DMARC) builds upon SPF and DKIM, and adds a reporting functionality. DMARC is an additional TXT DNS record, and can take a variety of options. The managed domain of nhs.net has DMARC enabled.

A *.nhs.uk organisation can set up a DMARC record by creating an internet facing DNS TXT record in a format similar to the following:

_dmarc.<organisation>.nhs.uk TXT v=DMARC1; p=reject; rua=mailto:<feedbackemailaddress> 

As there are various flags/options around DMARC, please review DMARC.org for options for specific configuration.

How can a local organisation configure Sender Policy Framework (SPF)?

The NHSmail service has protective DNS records using Sender Policy Framework (or SPF). SPF can be used to assist with anti-spoofing as well as overall assist with IP ratings related to deny-listing. If a local organisation wishes to implement SPF for their own MX record, they can create a single record referencing the domain nhs.net.

To have an entry for your organisations *.nhs.uk domain you submit a request to the NHS England DNS team to update your DNS record (dnsteam@nhs.net) with a new DNS record of type “TXT” with the following information:

v=spf1 include:_spf.nhs.net ~all 

or, more specifically, v=spf1 include:_spf.nhs.net ip4:<IP1> ip4:<IP2> -all (where, IP1 and IP2 are a local organisations MTAs).

The above TXT record will inherit the configuration from the master nhs.net SPF record (which would be updated with any changes to IP for the Email Gateway service). For other information and guidance regarding SPF please refer to the Open SPF Project.

Should our organisation set a permissive or restrictive SPF record (~all vs –all)?

The decision to use an SPF record for your organisations *.nhs.uk domain is highly recommended and encouraged.

• ~all is a softfail SPF record, typically this setting allows messages to be delivered.

• -all is a restrictive SPF record, it would be recommended to use softfail as a test before implementing restrictive SPF.

The most important thing for SPF, is to get the record correct when creating it, otherwise sending/receiving email can be restricted. There are several SPF testing tools (such as MX Toolbox – mxtoolbox) for testing SPF records. Ensure testing is done before and after implementation confirming mailflow is not impacted by new SPF records.

See the public SPF project for more details on SPF: Open SPF Project.

Note once set other systems such as internet based marketing services that pretend to send from your system will get email rejected if they set the from address to be that of your nhs.uk domain.

Can my organisation use Domain Key Identifiable Mail (DKIM)?

Domain Key Identifiable Mail (DKIM) is used to sign outgoing message content. If an organisation wishes to use DKIM to sign or check mail, please refer to DKIM support pages on dkim.org. The signing of outbound mail from the HSCN would be the responsibility of HSCN organisations.

How to resolve email delay issues relating to Sender Policy Framework (SPF) records?

Once the sender’s SPF records have been updated and are following any recommended guidelines, the issue with delivery to Gmail and likely any other domain with issues relating to SPF records should be resolved. This issue can happen due to the recipient domain checking the SPF records and the records being incorrect/incomplete and if the SPF entries are not correct, then it has to guess whether the senders are authorised to send from the sending domain which can cause issues such as the delays sometimes seen with emails to Gmail or other recipients.

In the first instance, the sender’s SPF records should be checked to ensure the references to @nhs.net and anything else that the sending @nhs.uk trust would require in their SPF entry (if the sender is @nhs.uk). Correct SPF entries are essential to ensure any email delivery issues that could cause disruption are avoided.