
NHSmail Considerations


There are certain considerations that must be noted when setting up your application to work with NHSmail. These are listed below.

Authentication policy

With the exception of LDAP, all protocols require an authenticated connection using the full NHSmail email address (as the username) and the accompanying NHSmail password. Additionally, the ‘from’ address of all sent emails must match the email address of the sending account.

If your application does not support authentication, NHSmail provides a relay server through which your application can transmit email. A mail relay server uses the SMTP protocol to forward emails from another server or application to their destination. NHSmail currently hosts a relay service that can be used by any NHSmail user. The server or application from which you intend to send mail to the relay service must reside within the Transition Network / HSCN or GSI networks to work successfully.

Please note that emails containing any patient or confidential data must be sent via NHSmail only. Data that is neither patient nor confidential, such as alerts, should be sent through the relay service. Emails sent through the relay service and through NHSmail will be virus and spam checked.

Please refer to the ‘connection details’ section in this document for more information on setting up a connection to the relay server.

For further help please contact the relay helpdesk on 0333 200 4333 or by email at:

Password policy

NHSmail has been designed as a secure service and, as such, passwords must be kept secure and not shared. If your application is configured to store an NHSmail password, access to the application must be strictly controlled and audited to prevent unauthorised access to the NHSmail account, which could have patient/sensitive data within it. If the application is used to exchange patient data, it must be treated as a clinical system with the appropriate controls/security mechanisms in place, as per your local governance and clinical safety policies.

Caching or ‘banking’ the passwords of multiple NHSmail accounts is strictly forbidden. If multiple NHSmail passwords are stored in a single application and that application becomes compromised, the security and integrity of many NHSmail accounts will be put at risk.

The NHSmail email account used by your application must adhere to the NHSmail password policy (a standard active directory complex password policy):

  • Password must NOT include your username (prefix of your email address)
  • It must contain a mix of three out of the following four character types:
    • uppercase letters (A-Z)
    • lowercase letters (a-z)
    • numbers (0-9)
    • symbols (!”£$%^&*)
  • It must be 8 or more characters long
  • It cannot be any of your four previous passwords
  • Spaces or commas cannot be used
  • It must be changed every 90 days

Lockout policy

You must be aware of the constraints of the NHSmail lockout policy when integrating your application:

  • The account must be active and in an unlocked state to work with your application
  • If the account is locked or disabled then you will need to contact your Local Administrator (LA)
  • You have twelve attempts to enter the password correctly before the account is locked
  • If the email account is disabled your application will not work. If this is the case you will need to speak to your LA.
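
The following Python sketch is an added example, not code from NHSmail. It shows one way for an application to respect the authentication and lockout policies above: it refuses to send when the 'from' address differs from the sending account, and it stops after the first rejected login rather than retrying and using up the twelve attempts. The host, port, use of STARTTLS and the names NHSmailSender and LoginHalted are assumptions made for illustration; take the real connection values from the 'connection details' section.

```python
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: placeholder host/port and STARTTLS; use the values given in
# the 'connection details' section of the NHSmail documentation.
SMTP_HOST = "smtp.example.invalid"
SMTP_PORT = 587


class LoginHalted(Exception):
    """Raised when a login was rejected; blocks further automatic attempts."""


class NHSmailSender:
    def __init__(self, address, password, smtp_factory=smtplib.SMTP):
        self.address = address        # full email address is the username
        self._password = password
        self._smtp_factory = smtp_factory
        self.auth_failed = False      # latched after the first rejected login

    def send(self, msg: EmailMessage) -> None:
        # Authentication policy: 'from' must match the sending account.
        sender = parseaddr(str(msg.get("From", "")))[1]
        if sender.lower() != self.address.lower():
            raise ValueError(f"From {sender!r} does not match {self.address!r}")
        # Lockout policy: never retry a rejected password automatically,
        # since each retry uses one of the twelve attempts before lockout.
        if self.auth_failed:
            raise LoginHalted("login previously rejected; fix credentials first")
        with self._smtp_factory(SMTP_HOST, SMTP_PORT) as smtp:
            smtp.starttls()
            try:
                smtp.login(self.address, self._password)
            except smtplib.SMTPAuthenticationError as exc:
                self.auth_failed = True
                raise LoginHalted("login rejected; sending halted") from exc
            smtp.send_message(msg)
```

Once LoginHalted has been raised, an operator needs to correct the stored password (for example after the 90-day change) and create a new sender before the application tries again.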

Spam policy

Two forms of spam check are applied to NHSmail to NHSmail messages:

  1. Trend Micro Anti-Spam checks perform in-transit scanning of messages and may take action such as removing malicious attachments, or putting mail that is likely to be spam into the junk email folder of the recipient.
  2. Microsoft Exchange has a built-in anti-spam content filtering system. If it classifies a message as spam, it will put the message into the recipient’s junk email folder.

More information is available in the NHSmail cyber security guide, under the ‘General Guidance’ heading of the policy and guidance section of the NHSmail support pages.


The NHSmail helpdesk is available 24/7/365 to support clients recommended for use with NHSmail and can be contacted on 0333 200 1133 or Information about supported clients can be found in the NHSmail desktop client configuration guide. This can be found under the ‘Outlook Desktop Guidance’ heading of the policy and guidance section of the NHSmail support pages.

Support for a self-coded application will not be provided by the NHSmail helpdesk. Advice will be given around connection types, but application/coding issues will need to be diagnosed by your local support team.