Search Information Security site


Guidance for Use of Personal Accounts or Redirection for University Email

Conditions of Email Forwarding

You are strongly advised NOT to redirect or auto-forward email sent to your UVA-provided email address(es) to personal, non-UVA email service(s).

If you wish to use a personal email account for your University work activities, or redirect a University account to a personal email account, you MUST agree to ALL of the following (for more guidance, please consult ITS Webpage on email forwarding):

  1. You agree to provide access to or copies of all email received or sent concerning University business to the University if requested in accordance with the Freedom of Information Act, internal investigations or audits, subpoena, search warrant or other legal actions.
  2. You agree to turn over to department supervisor/chair all emails sent or received concerning University business when your employment relationship with the University has ended.
  3. You agree to retain all email received or sent concerning University matters in accordance with the University Records retention and disposition schedules on the Records Management Office website.
  4. You agree you will not transmit highly sensitive data via email in accordance with the University Data Protection Standards or student data protected under FERPA.
  5. You agree to comply with all University IT policies.
  6. You agree to take full responsibility for the security, back-up and management of all email sent or received concerning University business or transactions held within the email account.

Hazards of Forwarding Emails

Redirecting your UVA email to a personal, non-UVA email account exposes you and UVA to the following hazards:

  • It removes any guarantee of security and privacy for sensitive University business-related information that may be contained within email text or attachments.
  • It leaves no official records in the University system. If a demand for such records is made in litigation or under the Virginia Freedom of Information Act (FOIA), you may be required to search within, or provide access to, your personal email account for University business records to be recovered.
  • It makes it impossible for UVA technical staff to assist with technology issues related to your outside email provider's services, including the recovery of emails lost due to the provider’s service failures.
  • If you correspond with government agencies (e.g., NSF, NIH),  you will not receive their emails if you have auto-forwarded your email elsewhere. 
    Recently we learned that the National Science Foundation (NSF), National Institutes of Health (NIH) and other government agencies have implemented the email validation system DMARC (Domain-based Message Authentication, Reporting and Conformance), acting on an operational directive from the Department of Homeland Security. The system enhances email delivery reliability and strengthens efforts to combat phishing and increase mail confidence by instructing receiving domains to reject messages not delivered directly by the sending domain. More information about NSF's experience with DMARC can be found on NSF's website at
  • As more external partners implement DMARC, those who have established auto-forwarding to send their emails to another account (e.g., Gmail) may not receive the forwarded email. These delivery requirements are established by the sending domain. Delivery failures cannot be corrected by UVA ITS.  


Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form