NHS
Email migrated from @nhs.net to @nhs.scot during the year 2021 at a cost of £2.5M as per FOI.
The question then needs to be asked, why don’t ALL other NHS domain names have DMARC records defined to effectively prohibit their use and thereby minimise their potential for fraud/misuse?
Key table:
| Key | DMARC (Anti-spoofing) | MTA-STS (Email privacy) |
|---|---|---|
| N/A | N/A Doesn't apply to DMARC. For any domain defined DMARC should also be defined irrespective of whether or not it is being used for email. | If no MX (Mail eXchange) records are defined then there is no requirement to define MTA-STS. |
 | Red signifies no DMARC record can be found either directly applying to or inherited by the domain. | Red signifies no MTA-STS record can be found. |
 | Amber signifies a DMARC record exists but is suboptimal either because it has been inherited or because it has policy set to 'none' defined or both. | Amber signifies MTA-STS record has been defined but is not set to 'enforce' the policy. |
 | Green signifies a DMARC record has been defined which directly applies to the domain with a strong policy (i.e. does not contain a policy of 'none'). | Green signifies MTA-STS record is defined and set to 'enforce' the policy. |
| Description | Domain | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| Old email domain for NHS Scotland | nhs.net |  | | |
| New email domain for NHS Scotland | nhs.scot | | | |
It’s good that the email domain has been standardised across the Scottish NHS. This strong identity isn’t just for branding, it also enhances security so that people learn what domains to trust. The domain names for the 14 NHS Boards are all over the place. One being xx.net, one xx.co.uk, some xx.scot.nhs.uk, some xx.com, some xx.scot and even a couple xx.org
Not only have the individual boards failed to achieve any consistency of naming standards, but they have also failed to implement adequate DMARC protection for those domain names.
NHS Scotland has 14 regional NHS Boards
| NHS Board | Website | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| Ayrshire & Arran | https://nhsaaa.net | | | N/A |
| Borders | https://www.nhsborders.scot.nhs.uk | | | N/A |
| Dumfries & Galloway | https://www.nhsdg.co.uk | | | |
| Fife | https://www.nhsfife.org | | | N/A |
| Forth Valley | https://nhsforthvalley.com | | | N/A |
| Grampian | https://www.nhsgrampian.org | | | |
| Greater Glasgow & Clyde | https://www.nhsggc.scot | | | |
| Highland | https://www.nhshighland.scot.nhs.uk | | | |
| Lanarkshire | https://www.nhslanarkshire.scot.nhs.uk | | | |
| Lothian | https://www.nhslothian.scot | | | |
| Orkney | https://www.ohb.scot.nhs.uk | | | |
| Shetland | https://www.nhsshetland.scot | | | |
| Tayside | https://www.nhstayside.scot.nhs.uk | | | |
| Western Isles | https://www.wihb.scot.nhs.uk | | | |
NHS Scotland also has some Special NHS Boards
| NHS Board | Website | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| Public Health Scotland | https://publichealthscotland.scot | | | |
| Healthcare Improvement Scotland | https://www.healthcareimprovementscotland.scot | | | |
| NHS Education for Scotland | https://www.nes.scot.nhs.uk | | | |
| NHS National Waiting Times Centre | https://www.nhsgoldenjubilee.co.uk https://www.nhscfsd.co.uk | | | N/A N/A |
| NHS 24 | https://www.nhs24.scot | | | |
| Scottish Ambulance Service | https://www.scottishambulance.com | | | |
| The State Hospitals Board for Scotland | https://www.tsh.scot.nhs.uk | | | |
| NHS National Services Scotland | https://www.nss.nhs.scot | | | N/A |
Other domains significant to NHS Scotland
| Description | Domain | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| High profile NHS website | nhsinform.scot | | | |
| Golden Jubilee National Hospital | gjnh.scot.nhs.uk | | | |
| NHS Research Scotland | nhsresearchscotland.org.uk | | | |
| Health Scotland - now superseded by Public Health Scotland website | healthscotland.scot | | | |
| Scottish National Blood Transfusion Service (SNBTS) | scotblood.co.uk | | | |
| Description | Domain | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| Used on official headed paper printed letters from NHS Lanarkshire | nhslanarkshire.org.uk | | | N/A |
| Re-directs to the primary website address | nhslanarkshire.scot | | | N/A |
| Used for email addresses such as info@lanarkshire.scot.nhs.uk in printed leaflets | lanarkshire.scot.nhs.uk | | | |
| Appears to be the primary website address | nhslanarkshire.scot.nhs.uk | | | |
Other Government domains for comparison
| Description | Domain | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| Domain used for MP's email addresses | parliament.uk | | | |
| Domain used for MSP's email addresses | parliament.scot | | | |
| Domain used for Government email addresses such as the Cabinet Secretary for Health and Social Care | gov.scot | | | |
| National Cyber Security Centre - yes, they do follow their own advice! | ncsc.gov.uk | | | |
Hospice Care
| Description | Domain | Email Security | DMARC | MTA-STS |
|---|---|---|---|---|
| Palliative Care Scotland | palliativecarescotland.org.uk | | | |
| Accord Hospice, Paisley | accord.org.uk | | | |
| Ardgowan Hospice, Greenock | ardhosp.co.uk ardgowanhospice.org ardgowanhospice.org.uk | | | |
| Ayrshire Hospice, Ayr | ayrshirehospice.org | | | |
| Bethesda Hospice, Stornoway | bethesdahospice.co.uk hotmail.com nhs.net | | | |
| Highland Hospice, Inverness | highlandhospice.org.uk highlandhospice.org | | | |
| Marie Curie Hospice, Edinburgh & Glasgow | mariecurie.org.uk | | | |
| St Andrew's Hospice, Airdrie | st-andrews-hospice.com | | | |
| St Columba's Hospice, Edinburgh | stcolumbashospice.org.uk | | | |
| St Margaret of Scotland Hospice, Clydebank | smh.org.uk | | | |
| St Vincent's Hospice, Johnstone | svh.co.uk | | | |
| Strathcarron Hospice, Denny | strathcarronhospice.net | | | |
Little wonder the NHS has been subjected to numerous data breaches given the obvious failings in IT governance.