SearchLanguageMobile menu
OGCIO

Procedures to verify authenticity of Government e-mails

To enable the verification of the authenticity of e-mails received from the Government, Sender Policy Framework (SPF) protocol has been fully adopted by all Government e-mail domains and DomainKeys Identified Mail (DKIM) protocol is also enabled for most of the Government bureaux/departments. These two protocols allow mail server of e-mail recipient to verify the authenticity of e-mail sender and record the verification result in the mail header for mail recipients to inspect. Members of the public receiving e-mails purported being sent from the HKSAR Government may verify the authenticity of senders by reading the verification results of SPF and DKIM in the e-mail headers. If any of the verification is confirmed positive, the public can be more confident that the e-mails are really coming from the sending domain.

Below is an example of the header information of e-mails sending from OGCIO:

SPF verification result

Example of SPF verification result

The above information indicates that the e-mail passes the SPF verification and is confirmed sending from “ogcio.gov.hk”.

DKIM verification result

Example of DKIM verification result

The above information indicates that the e-mail is digitally signed by the domain key of “ogcio.gov.hk” and passes the DKIM verification.

Currently, some web mail service providers offer handy client interfaces to present SPF and DKIM verification results, such as:

SPF and DKIM verification summary

The “mailed-by” information indicates that the e-mail is sent from “ogcio.gov.hk” and passes the SPF verification.

The “Signed by” information indicates that the e-mail is digitally signed by “ogcio.gov.hk” and passes the DKIM verification.