Why this matters now
For over a decade, UK public sector bodies relied on NCSC Mail Check to monitor their DMARC posture. Mail Check was free, UK hosted, and integrated into the NCSC Active Cyber Defence programme. Its retirement has left a gap that most organisations have not yet filled.
The risk is not theoretical. NHS trusts are among the most phished organisations in the UK, and council email is regularly spoofed for benefit fraud, invoice scams, and impersonation of elected officials. Without active DMARC monitoring, an organisation has no visibility into who is sending mail in its name. A policy of p=none or no DMARC record at all is an open door to impersonation.
The responsible disclosure work we have done at ShieldMarc found that a significant proportion of NHS facing domains are either at p=none, unprotected entirely, or have sub domains that are not covered by any enforcement policy.
What a public sector DMARC platform needs to do
The core technical capability required is identical to any other DMARC service: receive aggregate reports, parse them, identify legitimate and illegitimate senders, and guide the organisation from p=none to enforcement. What distinguishes a public sector suitable tool is everything around the edge:
- EU or UK data residency, not US. Aggregate reports contain sending IP addresses, message counts, and authentication results. Under a strict reading of GDPR and NHS Digital data handling guidance, this is operational data that should not leave European jurisdiction. Default EU hosting (with the option of a dedicated UK hosted environment for organisations that require it) makes for a far simpler DPIA than a US platform operating under the CLOUD Act.
- No US subpoena exposure. Post Schrems II, UK public sector buyers are increasingly sensitive to whether a supplier is subject to the US CLOUD Act. A UK owned supplier with European infrastructure removes that concern. Where data must stay inside UK borders, a dedicated UK hosted environment is available on request.
- Transparent pricing. Public sector procurement under thresholds like the Digital Marketplace (G Cloud) or direct contract award requires clear, published pricing. Sales led quote on request pricing is a real barrier.
- Multi domain support at realistic prices. A typical NHS trust holds 20 to 50 domain names across legacy acquisitions, service sub brands, and parked variants. Pricing models that charge per domain punish exactly the organisations that need the most protection.
- Parked and alias domain handling. Most domains in a public sector portfolio do not send mail. They need a p=reject policy from day one, not a twelve week ramp. Tools that treat every domain identically waste effort.
The minimum compliant baseline
Before picking a tool, it helps to know what good looks like. The minimum baseline we recommend for any public sector body is:
- Every owned domain has a DMARC record. Including parked and alias domains. No exceptions.
- Active sending domains are at quarantine or reject. p=none is a starting point, not an endpoint. See our guide on choosing between quarantine and reject for the decision.
- Parked and alias domains are at p=reject from day one. With strict alignment and sp=reject.
- SPF records resolve within the 10 lookup limit. Broken SPF is one of the most common reasons legitimate mail fails DMARC alignment.
- DKIM signatures use 2048 bit keys, rotated annually. Weaker keys are still accepted by most receivers but are no longer considered best practice.
- Aggregate reports are monitored weekly. Either by staff or automatically by the chosen platform. DMARC is only useful if someone is reading the reports.
- MTA-STS and TLS-RPT are deployed. Particularly for health and central government where messages may carry sensitive attachments. See our MTA-STS and TLS-RPT guide.
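The baseline above can be checked mechanically. The script below is an added example written for this guide, not ShieldMarc's code: it parses a domain's DMARC record, applies the active versus parked/alias rules (p=reject, sp=reject and strict alignment for domains that never send), confirms a rua address is present, and walks the SPF include tree counting the DNS querying mechanisms that RFC 7208 caps at 10. DNS is replaced by a constructed in-memory zone (the example.* names and documentation IP ranges are assumptions) so it runs offline; swap `lookup_txt` for a real resolver to check live domains.

```python
"""Check DMARC and SPF records against the minimum public sector baseline.

Added example, not ShieldMarc's code. DNS is stubbed with a constructed
zone so the script runs offline.
"""

# Constructed sample zone (assumption, not real data): name -> TXT records
ZONE = {
    "_dmarc.active.example": ["v=DMARC1; p=none; rua=mailto:dmarc@active.example"],
    "active.example": ["v=spf1 include:_spf.mailer.example include:_spf.payroll.example "
                       "include:_spf.survey.example mx -all"],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer-b.example -all"],
    "_spf.mailer-b.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.payroll.example": ["v=spf1 a mx include:_spf.payroll-sub.example ~all"],
    "_spf.payroll-sub.example": ["v=spf1 a:smtp.payroll-sub.example ptr ~all"],
    "_spf.survey.example": ["v=spf1 a mx -all"],
    "_dmarc.alias.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@active.example"],
    "alias.example": ["v=spf1 -all"],
    "_dmarc.parked.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@active.example"],
    "parked.example": ["v=spf1 -all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; replace with a real resolver for live checks."""
    return ZONE.get(name, [])


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; sp=reject' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def count_spf_lookups(domain, depth=0):
    """Count DNS-querying SPF terms (include, a, mx, ptr, exists, redirect)
    across the whole include tree. RFC 7208 section 4.6.4 limits these to 10;
    exceeding it yields permerror, so legitimate mail fails SPF and may fail DMARC."""
    if depth > 10:  # loop guard for self-referencing includes
        return 0
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return 0
    count = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")  # strip qualifier
        mech = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if mech in ("a", "mx", "ptr", "exists"):
            count += 1
        elif mech in ("include", "redirect"):
            count += 1
            target = term.split(":", 1)[1] if mech == "include" else term.split("=", 1)[1]
            count += count_spf_lookups(target, depth + 1)
    return count


def check_domain(domain, kind):
    """Return a list of baseline findings; an empty list means the baseline is met.
    kind is 'active', 'alias' or 'parked' from the week 1 inventory."""
    findings = []
    dmarc = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = parse_dmarc(dmarc[0])
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()  # RFC 7489: sp defaults to p when absent
    if kind == "active":
        if p not in ("quarantine", "reject"):
            findings.append(f"p={p}: active domain should be at quarantine or reject")
    else:
        if p != "reject":
            findings.append(f"p={p}: parked/alias domain should be p=reject from day one")
        if sp != "reject":
            findings.append(f"sp={sp}: sub domains of parked/alias domain are not enforced")
        for tag in ("adkim", "aspf"):
            if tags.get(tag, "r").lower() != "s":
                findings.append(f"{tag} relaxed: parked/alias domain should use strict alignment")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        lookups = count_spf_lookups(domain)
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    inventory = {"active.example": "active", "alias.example": "alias", "parked.example": "parked"}
    for name, kind in inventory.items():
        result = check_domain(name, kind)
        print(f"{name} ({kind}): {'baseline met' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

In the constructed zone the active domain fails on two counts (still at p=none, and an SPF tree that needs 12 lookups once the payroll and survey includes are expanded), the alias domain is at reject but with relaxed alignment, and the parked domain meets the baseline. Running this over the week 1 inventory gives a per-domain gap list before any policy change is made.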
A realistic rollout plan for a typical trust or council
Large deployments fail when they are planned as a single twelve month project. The approach that actually works is short cycles on a prioritised domain list:
| Week | Focus | Outcome |
|---|---|---|
| 1 | Inventory every owned domain across the organisation, including parked and alias domains. | Complete domain list, classified by active / alias / parked. |
| 2 | Publish p=reject on every parked and alias domain with strict sub domain policy. | Instant protection on 70 to 80 percent of the portfolio. |
| 3 | Publish p=none with aggregate reporting on every active sending domain. | Full visibility of who is sending mail in your name. |
| 4 to 8 | Catalogue legitimate senders, fix SPF and DKIM misconfigurations, onboard third party senders (payroll, surveys, case management). | Alignment rate above 98 percent on the primary sending domain. |
| 9 | Move primary domain to p=quarantine once parsed reports show every legitimate sender aligned and no unresolved unauthorised sources. Keep reading reports. | First enforcement on active mail. |
| 11 | Move to p=reject with sp=reject. | Primary domain fully enforced. |
| 12+ | Repeat the process on secondary sending domains one at a time. | Portfolio wide enforcement. |
Twelve weeks is a realistic target for an organisation that has never run DMARC before. Trusts and councils with existing Mail Check experience can typically complete the same journey in six to eight weeks because the discovery work is already done.
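The core capability described earlier (receive aggregate reports, parse them, separate legitimate from illegitimate senders) and the week 9 gate in the table (alignment above 98 percent with no unresolved unauthorised sources) come together in the following added example. It is not ShieldMarc's code: it parses a constructed aggregate report in the RFC 7489 Appendix C XML schema, sums aligned and unaligned message counts per source IP, keeps the raw authentication domains so a misconfigured third party sender (SPF passes, but for its own domain) can be told apart from outright spoofing, and applies the enforcement readiness check against a list of catalogued senders. All names, IPs and counts are assumptions.

```python
"""Parse a DMARC aggregate (RUA) report and decide whether a domain is ready
to move from p=none to p=quarantine.

Added example, not ShieldMarc's code. The report is constructed; the IP
addresses are documentation ranges, not real senders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report: one legitimate mailer, one payroll vendor
# sending with aligned SPF, one survey vendor not yet onboarded, one unknown source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>active.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>active.example</header_from></identifiers>
    <auth_results><dkim><domain>active.example</domain><result>pass</result></dkim>
      <spf><domain>active.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>active.example</header_from></identifiers>
    <auth_results><dkim><domain>payroll-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>active.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>active.example</header_from></identifiers>
    <auth_results><spf><domain>survey-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>25</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>active.example</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.bad.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (reported domain, list of per-record dicts) from an aggregate report."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated dkim/spf are the aligned results: DMARC passes if either passes
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "aligned": aligned,
            # domains that authenticated even if unaligned: a vendor signing or
            # passing SPF for its own domain is a misconfiguration, not a spoof
            "auth_domains": [a.findtext("domain") for a in rec.findall("auth_results/*")
                             if a.findtext("result") == "pass"],
        })
    return domain, rows


def summarise(rows):
    """Aggregate message counts per source IP and compute the overall alignment rate."""
    per_ip = defaultdict(lambda: {"aligned": 0, "unaligned": 0, "auth_domains": set()})
    for row in rows:
        bucket = per_ip[row["ip"]]
        bucket["aligned" if row["aligned"] else "unaligned"] += row["count"]
        bucket["auth_domains"].update(row["auth_domains"])
    total = sum(b["aligned"] + b["unaligned"] for b in per_ip.values())
    aligned = sum(b["aligned"] for b in per_ip.values())
    return per_ip, (aligned / total if total else 0.0)


def enforcement_ready(per_ip, rate, known_sources, threshold=0.98):
    """Week 9 gate: alignment at or above the threshold, and every source still
    sending unaligned mail already catalogued as legitimate (a fix in progress,
    not an unresolved unauthorised sender). Returns (ready, reasons)."""
    reasons = []
    if rate < threshold:
        reasons.append(f"alignment {rate:.1%} below {threshold:.0%}")
    for ip, bucket in sorted(per_ip.items()):
        if bucket["unaligned"] and ip not in known_sources:
            reasons.append(f"unresolved unauthorised source {ip} ({bucket['unaligned']} msgs)")
    return not reasons, reasons


if __name__ == "__main__":
    reported_domain, records = parse_report(SAMPLE_REPORT)
    by_ip, alignment = summarise(records)
    print(f"{reported_domain}: alignment {alignment:.1%}")
    for ip, b in sorted(by_ip.items()):
        print(f"  {ip:15} aligned={b['aligned']:5} unaligned={b['unaligned']:5} "
              f"auth={sorted(b['auth_domains'])}")
    ready, why = enforcement_ready(by_ip, alignment, {"192.0.2.10", "198.51.100.7"})
    print("ready for p=quarantine" if ready else "not ready: " + "; ".join(why))
```

With the constructed report the domain sits at 95.8 percent alignment, so the week 9 move is blocked for three reasons: the rate itself, the survey vendor at 203.0.113.5 (which passes SPF for survey-vendor.example and needs onboarding, the week 4 to 8 work), and the unknown 203.0.113.99 that authenticates for nothing the organisation owns. Only once the catalogue covers every unaligned source and the rate clears the threshold does the gate open.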
Procurement considerations
Public sector buying is different from private sector buying, and the things that matter for a DMARC tool reflect that. Key questions to answer before selecting a supplier:
- Where is data stored? Ask for a specific data centre location, not a region. UK or EU only is the minimum bar.
- Is the supplier subject to the US CLOUD Act? If yes, a data protection impact assessment (DPIA) becomes significantly more complex.
- Does the platform support Cyber Essentials and Cyber Essentials Plus audits? Look for suppliers that publish their own posture.
- What is the total cost of ownership across 20 to 50 domains? Per domain pricing can make DMARC prohibitively expensive at public sector scale.
- Is there a free tier or trial? Proving value before raising a purchase order shortens the buying cycle dramatically.
- Can the platform onboard the organisation without consulting fees? Many legacy providers bundle mandatory professional services that double the year one cost.
Why we built ShieldMarc for this
ShieldMarc is a modern DMARC platform built from scratch in 2026. We are a UK company with EU hosted infrastructure, and dedicated UK hosted environments are available on request for organisations that require strict UK data residency. Flat rate pricing, no per domain fees. We take DMARC reports for every owned domain, parse and classify every sender, and guide organisations from p=none to enforcement on a realistic timeline.
The platform covers DMARC, SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, CAA, and certificate monitoring in a single subscription. Parked and alias domains are detected automatically and held to a separate restrictive baseline. AI assisted threat evaluation separates genuine phishing from legitimate bulk mail, so the reports you read every week are signal, not noise.
Public sector specific details we care about:
- UK owned and operated. Not a reseller of a US platform.
- Default EU hosting under GDPR and UK data protection law. Never processed in or exported to the US.
- Dedicated UK hosted environment available on request for organisations with strict UK residency requirements.
- Flat rate pricing that does not punish multi domain portfolios.
- Free tier and free tools for public interest responsible disclosure work.
Next steps
- Run a baseline scan of your primary domain with our free Security Grade check. It evaluates DMARC, SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, and more in a single scan.
- Check your existing DMARC record with the DMARC Checker. Particularly useful to confirm whether sp is set.
- Read our NCSC Mail Check retirement guide for a longer view of the policy context.
- Inventory every owned domain before starting rollout. This is the step most organisations skip and regret.
A UK owned replacement for Mail Check
ShieldMarc is a UK owned DMARC platform with EU hosted infrastructure, built for organisations that need to replace NCSC Mail Check without compromising on data residency or pricing. UK hosted environments are available on request for organisations with strict UK residency requirements. See our Mail Check migration page or create a free account to start protecting your first domain in under two minutes.