Email Security and Simplification Project

Automatic email forwarding will no longer be allowed

A change to IT Regulations (as shown on the Compliance website) has been approved by University Council. From 1 August 2023, the blanket forwarding or routing of email from a University email address to an external, non-University of Oxford, account is no longer allowed, except in exceptional circumstances.

You are still permitted to forward individual emails to external email accounts, but we ask you to consider carefully the implications of doing so.

Why is automatic email forwarding a problem?

  1. It’s a significant security risk: when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent our accounts being compromised, such as strong password rules and MFA (multi-factor authentication). This potentially enables unauthorised access to confidential University data because it could be much easier for hackers to break into your private email account than your Oxford University account.
  2. It’s a significant data handling risk: if emails are indiscriminately forwarded outside the University, internal or confidential data may be unintentionally forwarded – for example, a commercial contract or sensitive personal data from a student or colleague. There is a range of responsibilities on the University and individuals regarding how we manage, share and secure personal data, and we cannot achieve this if there is indiscriminate forwarding to external email providers.
  3. There’s a reputational risk that all our email will be marked as spam: when you forward all your email to an external email provider, junk mail and spam may also be forwarded. This can result in external email providers’ spam filters thinking that legitimate email from Oxford University is also spam. This could cause problems when, for example, you are communicating with applicants or external participants in research projects.
  4. It can result in an accidental breach of contract: there are recent examples of research sponsors and collaborators taking a dim view of receiving a response from a non-University of Oxford email account. All institutions are improving their security and have expectations that we will do the same. Data sharing agreements may include expectations around the handling of data. A reply from a non-University account could amount to a breach of contract.

What has changed?

IT Services has made changes to the automatic email forwarding function in line with the change to IT regulations:

  • The email forwarding self-service function is no longer available. You are still able to manually forward individual emails, in compliance with IT regulations
  • Support documentation is available on the IT Help website to help you manage your email, in compliance with IT regulations
  • A process to request an exception to the regulation has been implemented; this will be in exceptional circumstances only and will require the approval of the Chief Information Officer

What do I need to do?

If you did not have automatic forwarding set up from your email, nothing will have changed for you.

If you were automatically forwarding your University emails to an external account, this has now been switched off and your emails have not been forwarded since 1 August. Please check your University email account.

Frequently Asked Questions

FAQs about the change in IT regulation prohibiting blanket email forwarding