Email Security - Frequently Asked Questions
FAQs about the change in IT regulation prohibiting blanket email forwarding
How do I move my emails back to my University account?
See the IT Help website: How to move emails back to my University account.
How do I set up my email account?
Here are instructions for setting up your email client to read your Oxford University email and here is guidance to your accessing your Oxford University email on the web
What do I do if I have automatic email forwarding set to multiple email accounts?
The automatic forwarding of emails to multiple accounts is no longer supported, even if you are forwarding to internal, University of Oxford, email addresses. You can continue to auto-forward emails to individual internal email addresses.
How can I check that I'm complying with the new IT regulation?
Anyone who uses IT facilities provided by the University must comply with the IT regulations relating to the use of Information Technology Facilities, known as the "IT Regs" or the "IT Rules". These deal with matters such as who may use University facilities and for what purposes, access to data, and what constitutes misuse of facilities. Please also refer to IT Regulations & Policies and to your academic departments and other units to familiarise yourself with your department’s and college’s rules for use of facilities under their control. Your IT manager will be able to advise further.
Where can I see the new policy?
The new regulation is incorporated within the IT Regulations on the Compliance website. The regulation was first published in the Gazette. 4 May 2023.
How can I check whether I had set up automatic email forwarding on my University account?
It is not possible to check whether you had automatic email forwarding set up on your account before it was switched off.
I am a visiting academic who will be at Oxford for only a few months, can I forward my Oxford email to my home institute email?
No, this is against the new IT Regulation.
You will need to set up your Oxford email on your email client or access it via the web.
We understand this may cause some inconvenience, but it is essential to help keep our data secure.
I believe my external email provider is secure - can I continue forwarding all my email to it?
No, this is against the new IT Regulation. Even if you consider it to be secure, there is not the same assurance provided to the University by the provider that the email service meets the University's baseline information security controls. In addition, there may remain a risk of University data being sent outside UK. University data held in an external, private email account may prevent the University properly responding to Freedom of Information or Subject Access Requests.
Will I still be allowed to forward individual emails to a different account?
Yes, this is still allowed. However, we would encourage everyone to think carefully before forwarding any email. Email forwarding can be useful, but can also pose a security risk due to the potential disclosure of internal or confidential information.
Here are a few things to keep in mind before forwarding an email:
- Remove other email addresses, headers and commentary from all the other forwarders. You want to only forward the important part or content of the email that you think is valuable
- Try and type a brief comment to the person you are sending it to at the top of your forwarded email
- Respect privacy - if you must forward to more than one person, maybe put your email in the “To: field” and all the others in the “BCC: field” to protect their email addresses from being published to those they do not know
Will I still be able to automatically forward emails from my secondary account?
No, you are no longer allowed to forward all email from any Oxford email account to an external email account. You can, if you want, forward all email to another Oxford email account, but not to multiple Oxford email accounts.
I prefer not to use Microsoft Outlook, can I use other email clients?
Yes you can. Here is guidance for setting up email clients to read your Oxford email.
Will I still be able to selectively forward emails to external accounts?
Yes, you are still able to forward selected emails to external accounts. You are responsible for ensuring you do not forward confidential information or data for which the University is the data controller, unless with permission. You can continue to forward individual emails and may also create rules in Outlook on the Web to automatically forward a subset of emails, in line with the University’s data protection policy. See guidance on the IT Help website.
Can I automatically forward my emails from my Oxford University account to an account at another university?
No, another university account is an external account and so it falls within the new IT regulation.
I don't like using the Outlook web interface, can I continue forwarding all my email to a different web-based client, such as Gmail?
No, forwarding email to a service like Gmail is against the IT Regulations.
You need to set up your Oxford email on an email client or access it via the web.
Can I keep my Oxford email live if I've published a paper with my Oxford email address on it?
You are advised to use ORCID rather than put your Oxford University email address on papers.
Will IMAP and POP still be available?
Yes, there are no plans to switch these off so you can continue to access your email using them.
Does this apply to sub-domains of @ox.ac.uk, such as @admin.ox.ac.uk?
Yes, this change in regulation applies to all sending email addresses that have "ox.ac.uk" at the end.
Can I continue to use email forwarding from generic mailboxes to allow my team to manage queries?
If the third-party has a contract in place with the University and a valid Third Party Security Assessment (TPSA) this might be classed as an exception but would have to go through the process and be approved by the Chief Information Officer (CIO).
Can we have bounce emails set up for people who have left including a forwarding address?
No, there are no plans within the project to support such scenarios. However, a user could set an auto-reply, informing senders of any new address, which will continue to operate whilst the mailbox is still enabled.
Can I automatically forward emails to an internal mailing list or to internal email addresses?
Yes, you can only automatically forward emails to a single internal email address or mailing list. But, automatic forwarding to multiple internal email addresses is no longer supported.
Instead, you should consider one of these three options:
- As an owner or delegate, you could set up a SYMPA mailing list to which emails can be forwarded. Guidance on how to do this is available on the IT Help website. If you take this action, you should develop a process to ensure the mailing list is regularly checked and updated.
- As the mailbox owner or delegate, you can set a rule within Outlook on the web to forward emails to multiple internal, University of Oxford, email addresses. Guidance is available on the IT Help website
- As the mailbox owner or delegate, you can give others enhanced access to the account so they can view email traffic themselves without it having to be forwarded. For guidance, see the IT Help website
What will happen to my account when I leave the University?
Please see Finishing IT Use - Nexus365.
As an undergraduate (UG) or postgraduate (GR or GT) student, previously you were advised to set up a forwarding email address for the period after you finish but before your email account is closed. That advice has now changed. You will be able to access your email account for 3 months after you finish at Oxford and you will need to access your email account directly, as you currently do.
For staff and other students, as before, access to your email account will cease after 1 day.
What happens to my account if I’m retiring?
If you are in receipt of a University pension you are entitled to apply for a retiree’s card and may be able to retain access to your email and some IT facilities. See the Retiree’s card information for further information. If you do not apply for a retiree’s card your accounts will all expire as outlined for staff above.
From 1 August 2023, if you are given a retiree's email address (@retired.ox.ac.uk) you will not be allowed to forward this to an external, personal email address under the new IT regulation. If you have a retiree’s email address and are already automatically forwarding emails to an external email address, you can continue to do so. However, you will not be able to set up a new auto forward, for example if your personal email address changes.
If you have retired but have been allocated a department or college email address it is assumed that you are continuing to participate in University activities (for example, teaching or research). As such, you will not be permitted to forward all your email to an external, non-University, account and any automatic forwarding you currently have set up will will be switched off on 1 August.
What if I have a specific requirement to retain the automatic email forwarding functionality?
Exceptions can be granted in exceptional circumstances and require approval by the Chief Information Officer.
There are no guidelines for exceptions as each case will be considered independently. See more information on the IT Help website. As an end user you should contact your local IT support (if in an academic department or a college) or the central IT Service Desk for advice in the first instance. Note that they cannot request an exception on your behalf.
What happens once I’ve completed the Exception Form?
Your exception request will need to be approved. See more information about the exemption process on the IT Help website.
What do I do if I don’t have enough storage space for my emails on Outlook and so need to forward my emails?
You should speak to your local IT support about your mailbox or you can manage your mailbox by deleting or archiving old, large emails. For more advice, please see Managing your mailbox size for more information.
I work off-site with intermittent email connection so I need to forward my email to make sure I can access it, can I keep doing this?
No, you will need to access your Oxford University email either via the web or set it up on an email client on your laptop, computer or phone.
What does 'internal' and 'external' mean? Does 'internal' just mean Nexus365 email?
Internal means any email containing "ox.ac.uk", whether Nexus email or not - this regulation applies to all Oxford University email.
In addition, the following domains are considered internal to the University, for forwarding purposes:
- said.oxford.edu
- ouem.co.uk
- oup.com
- newcollegeschool.org
- oxfordna.org
- oxforduchina.org
- oxfordujapan.org
Does this change in regulation apply to units that provide their own email and routing?
Yes this is a University-wide change in policy, so administrators of mail services that are not centrally managed should no longer allow their users to indiscriminately auto-forward their emails to non-Oxford accounts.
What is the risk to the University in allowing external forwarding?
We have explained the risks on the project webpage - Why is automatic email forwarding a problem?
I don't handle sensitive information so why can't I automatically forward my emails?
You may not formally handle sensitive data, but you may still be sending and receiving information that could be classified as confidential or internal. This might include a commercial contract with a research sponsor or personally sensitive correspondence from a colleague or student. It would be a potential data breach for this sort of information to leave the University email system.