Policy 540: Email and Directory Services, requires that OIT establish standards governing the security, confidentiality, integrity, and availability of state email systems. This policy was published April 4, 2018.

Standard 540S1: Email Security Configuration, defines best practices for securing the environment around state email systems. Mail flow is to be secured using TLS (Transport Layer Security) 1.2 or higher. TLS version 1.0 and 1.1 use weaker encryption technologies and will soon be unsupported by most major software and service vendors. These standards call for the implementation of DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) for protection against spoofing. Auditing and reporting requirements are addressed as are disabling risky protocols and services.


Risks addressed in these documents include:

  • Protecting the confidentiality and integrity of information transmitted via email over public networks.
  • Ensure encryption technologies used meet validated standards for security.


View or Download:

DRAFT Standard 540S1: Email Security Configuration