Change to IT Regulations to prevent blanket email forwarding

University Council has approved a change in IT Regulations (Gazette, 4 May 2023): from 1 August 2023, the automatic forwarding or routing of email from a University email address to an external, non-University of Oxford account will no longer be allowed, except in exceptional circumstances.

You will still be able to forward individual emails to external email accounts, but you should consider carefully the implications of doing so.

Why is automatic email forwarding a problem?

Automatic email forwarding is a significant security risk because when you set all your email to forward to an external email address, you are circumventing the protections put in place to prevent University accounts from being compromised, such as the requirement for strong password rules and MFA (multi-factor authentication).

It’s also a major personal data handling risk: if all your emails are being forwarded out of the University, you might unintentionally be forwarding emails that contain internal or confidential data - for example, a commercial contract with a research sponsor or personally sensitive correspondence from a colleague or student.

We recognise that this change to email forwarding may present an inconvenience for a number of people across the University, but the key driver is to ensure that the University maintains appropriate control over personal data for which it is legally responsible.

What do I need to do?

If you are automatically forwarding your University emails to an external account you should disable this before 31 July 2023, preferably before the Summer vacation, otherwise it will be automatically switched off on 1 August.

Further information

For more information, please see the Email Security project webpage - this includes instructions for switching off automatic email forwarding and FAQs.

Please contact your local IT team for further help or email the project team.