Email Security and Simplification Project

A change to IT Regulations (as shown on the Compliance website) has been approved by University Council.  From 1 August 2023, the blanket forwarding or routing of email from a University email address to an external, non-University of Oxford, account is no longer allowed, except in exceptional circumstances.

You are still permitted to forward individual emails to external email accounts, but we ask you to consider carefully the implications of doing so.

Why is automatic email forwarding a problem?

1. It’s a significant security risk: when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent our accounts being compromised, such as strong password rules and MFA (multi-factor authentication). This potentially enables unauthorised access to confidential University data because it could be much easier for hackers to break into your private email account than your Oxford University account.
2. It’s a significant data handling risk: if emails are indiscriminately forwarded outside the University internal or confidential data may be unintentionally forwarded – for example, a commercial contract or sensitive personal data from a student or colleague. There is a range of responsibilities on the University and individuals regarding how we manage, share and secure personal data and we cannot achieve this if there is indiscriminate forwarding to external email providers.
3. There’s a reputational risk that all our email will be marked as spam: when you forward all your email to an external email provider, junk mail and spam may also be forwarded. This can result in external email providers’ spam filters thinking that legitimate email from Oxford University is also spam. This could be cause problems when, for example, you are communicating with applicants or external participants in research projects.
4. It can result in an accidental breach of contract: there are recent examples of research sponsors and collaborators taking a dim view of receiving a response from a non University of Oxford email account. All institutions are improving their security and have expectations that we will do the same. Data sharing agreements may include expectations around the handling of data. A reply from a non-University account could amount to a breach of contract.

What has changed?

IT Services has made changes to the automatic email forwarding function in line with the change to IT regulations:

• The email forwarding self-service function is no longer available. You are still able to manually forward individual emails, in compliance with IT regulations
• Support documentation is available on the IT Help website to help you manage your email, in compliance with IT regulations
• A process to request an exception to the regulation has been implemented  - this will be in exceptional circumstances only and will require the approval of the Chief Information Officer

What do I need to do?

If you did not have automatic forwarding set up from your email, nothing will have changed for you.

If you were automatically forwarding your University emails to an external account, this has now been switched off and your emails have not been forwarded since 1 August.  Please check your University email account.

• Here are instructions for setting up your email client to read your Oxford University email
• See guidance for logging into your Oxford University email on the web
• You can set up a consolidated view of multiple email accounts in the same client. This allows you to manage both your University email account and your external and/or personal email account in a single place, easily navigating between multiple accounts.  See the IT Help website for more information. General guidance on how to add an email account to Outlook is available from Microsoft Support

Frequently Asked Questions

FAQs about the change in IT regulation prohibiting blanket email forwarding