Why this matters now
For over a decade, UK public sector bodies relied on NCSC Mail Check to monitor their DMARC posture. Mail Check was free and integrated into the NCSC Active Cyber Defence programme. NCSC retired the service on 31 March 2026 and recommended commercial replacements; that has left a gap most organisations have not yet filled.
The risk is not theoretical. NHS trusts are among the most heavily phished organisations in the UK, and council email is regularly spoofed for benefit fraud, invoice scams, and impersonation of elected officials. Without active DMARC monitoring, an organisation has no visibility into who is sending mail in its name. A policy of p=none, or no DMARC record at all, is an open door to spoofing.
Public DNS lookups against major NHS-facing and council domains regularly find p=none, no DMARC record at all, or sub-domains uncovered by any enforcement policy. We documented examples in a private responsible-disclosure report shared with the relevant teams and do not republish individual domains here. The pattern is visible to anyone running their own DNS audit and should be treated as the assumed baseline rather than the exception.
What a public sector DMARC platform needs to do
The core technical capability required is identical to any other DMARC service: receive aggregate reports, parse them, identify legitimate and illegitimate senders, and guide the organisation from p=none to enforcement. What distinguishes a tool suitable for the public sector is everything around the edge:
- EU or UK data residency for the core data plane, not US. Aggregate reports contain sending IP addresses, message counts, and authentication results. Under a strict reading of GDPR and NHS Digital data handling guidance, this is operational data that should not leave European jurisdiction. Default EU hosting (with the option of a dedicated UK hosted environment for organisations that require it) is a far simpler DPIA than a US platform operating under the CLOUD Act. Where buyers also require that optional AI-assisted analysis stays in Europe, EU AI routing is available on request.
- Minimised US subpoena exposure. Post Schrems II, UK public sector buyers are increasingly sensitive to whether a supplier is subject to the US CLOUD Act. A UK owned supplier with European infrastructure removes that concern for the primary data plane. Optional AI features route to third-party large-language-model providers in the US under no-training API terms; these can be disabled or kept inside Europe for enterprise customers who need the narrowest possible US footprint.
- Transparent pricing. Public sector procurement under thresholds like the Digital Marketplace (G Cloud) or direct contract award requires clear, published pricing. Sales-led, quote-on-request pricing is a real barrier.
- Multi domain support at realistic prices. A typical NHS trust holds 20 to 50 domain names across legacy acquisitions, service sub brands, and parked variants. Pricing models that charge per domain punish exactly the organisations that need the most protection.
- Parked and alias domain handling. Most domains in a public sector portfolio do not send mail. They need a p=reject policy from day one, not a twelve week ramp. Tools that treat every domain identically waste effort.
The minimum compliant baseline
Before picking a tool, it helps to know what good looks like. The minimum baseline we recommend for any public sector body is:
- Every owned domain has a DMARC record. Including parked and alias domains. No exceptions.
- Active sending domains are at quarantine or reject. p=none is a starting point, not an endpoint. See our guide on choosing between quarantine and reject for the decision.
- Parked and alias domains are at p=reject from day one. With strict alignment and sp=reject.
- SPF records resolve within the 10 lookup limit. Broken SPF is one of the most common reasons legitimate mail fails DMARC alignment.
- DKIM is signed with 2048 bit keys and rotated annually. Weaker keys are still accepted by most receivers but no longer considered best practice.
- Aggregate reports are monitored weekly. Either by staff or automatically by the chosen platform. DMARC is only useful if someone is reading the reports.
- MTA-STS and TLS-RPT are deployed. Particularly for health and central government where messages may carry sensitive attachments. See our MTA-STS and TLS-RPT guide.
Mapping to NHS DCB1596 (Secure Email Standard)
NHS England's Secure Email Standard, catalogued as DCB1596, sets out the minimum technical controls expected of any email service handling NHS correspondence. The standard is the document NHS Digital procurement teams check first when evaluating a DMARC platform. The table below maps the authentication-related clauses of DCB1596 to the controls our recommended baseline already enforces. Buyers should always check the live DCB1596 specification on digital.nhs.uk for the version current at the time of procurement, and request a mapping document for any specific clause that is critical to your DPIA or accreditation.
| DCB1596 area | What the standard requires | Control in our baseline |
|---|---|---|
| Sender authentication | SPF, DKIM and DMARC published on every sending domain. | SPF with ~all on active senders, 2048-bit DKIM rotated annually, DMARC with rua= reporting and report-driven progression to p=reject. |
| Subdomain coverage | Subdomains must not be a route around the parent policy. | Explicit sp=reject on every active and parked domain; sp= weaker than p= flagged as a control failure in the dashboard. |
| Transport security | TLS in transit, with policy enforcement and reporting. | MTA-STS published in enforce mode and TLS-RPT enabled on every sending domain; non-compliance surfaces in TLS-RPT failure reports. |
| DNS integrity | DNS records protected from tampering where the registrar supports it. | DNSSEC monitoring across every monitored domain; CAA records advised for any domain that issues TLS certificates. |
| Operational monitoring | Authentication and policy posture reviewed regularly. | Aggregate reports parsed continuously; weekly digest plus alerts on policy regressions, key rotations and new unauthorised sending sources. |
| Data residency | Data handling that withstands NHS DPIA scrutiny. | EU hosting by default; UK-hosted dedicated environment available on request; AI features can be disabled or routed to EU model endpoints. |
| Audit and accountability | Demonstrable controls and audit trail. | Tenant isolation, full audit log of policy changes and operator actions, mappable to the controls listed in any procurement questionnaire. |
DCB1596 is the technical floor, not the ceiling. The baseline above meets or exceeds the authentication-related clauses, but broader DCB1596 areas (mailbox-level access controls, attachment handling, end-user training) sit outside any DMARC platform's scope and must be covered by the surrounding mail service and security programme.
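The baseline list above and the Subdomain coverage row of the DCB1596 table both reduce to a handful of checks on a DMARC TXT record. The following is an added example, not ShieldMarc's own code, that applies those checks to a record and reports which controls it fails; the domain classification (parked or active) is an input, and the sample records are constructed.

```python
# Added example (not ShieldMarc's code): check a DMARC TXT record against the
# public sector baseline above. The 'parked' flag comes from the domain inventory.
from typing import Dict, List, Optional

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; sp=reject' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def baseline_failures(txt: Optional[str], parked: bool) -> List[str]:
    """Return the baseline controls the record fails; an empty list means compliant."""
    if not txt:
        return ["no DMARC record"]
    t = parse_dmarc(txt)
    failures: List[str] = []
    if t.get("v") != "DMARC1":
        failures.append("missing or invalid v=DMARC1 tag")
    p = t.get("p", "none")
    sp = t.get("sp", p)  # sp defaults to p when absent (RFC 7489)
    if parked:
        # Parked and alias domains: p=reject, sp=reject, strict alignment from day one
        if p != "reject":
            failures.append(f"parked domain not at p=reject (p={p})")
        if sp != "reject":
            failures.append(f"parked domain sub-domain policy not reject (sp={sp})")
        if t.get("adkim", "r") != "s" or t.get("aspf", "r") != "s":
            failures.append("parked domain without strict alignment (adkim=s; aspf=s)")
    elif POLICY_RANK.get(p, -1) < POLICY_RANK["quarantine"]:
        failures.append(f"active domain not at quarantine or reject (p={p})")
    if "rua" not in t:
        failures.append("no rua= aggregate reporting address")
    # DCB1596 subdomain coverage: sp must never be weaker than p
    if POLICY_RANK.get(sp, -1) < POLICY_RANK.get(p, -1):
        failures.append(f"sp={sp} weaker than p={p}: sub-domains bypass the parent policy")
    return failures


if __name__ == "__main__":
    # Constructed sample: an active domain still at p=none with a weak sub-domain policy
    print(baseline_failures("v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@trust.example", parked=False))
```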
A realistic rollout plan for a typical trust or council
Large deployments fail when they are planned as a single twelve month project. The approach that actually works is short cycles on a prioritised domain list:
| Week | Focus | Outcome |
|---|---|---|
| 1 | Inventory every owned domain across the organisation, including parked and alias domains. | Complete domain list, classified by active / alias / parked. |
| 2 | Publish p=reject on every parked and alias domain with strict sub domain policy. | Instant protection on 70 to 80 percent of the portfolio. |
| 3 | Publish p=none with aggregate reporting on every active sending domain. | Full visibility of who is sending mail in your name. |
| 4 to 8 | Catalogue legitimate senders, fix SPF and DKIM misconfigurations, onboard third party senders (payroll, surveys, case management). | Alignment rate above 98 percent on the primary sending domain. |
| 9 | Move primary domain to p=quarantine once parsed reports show every legitimate sender aligned and no unresolved unauthorised sources. Keep reading reports. | First enforcement on active mail. |
| 11 | Move to p=reject with sp=reject only after at least two consecutive weeks at quarantine with above 98 percent alignment and no new unauthorised sources surfaced in aggregate reports. | Primary domain fully enforced. |
| 12+ | Repeat the process on secondary sending domains one at a time. | Portfolio wide enforcement. |
Twelve weeks is a realistic target for an organisation that has never run DMARC before, but the schedule is indicative. The actual gate at every step is report cleanliness, not the calendar. Trusts and councils with existing Mail Check experience often move faster because the discovery work is already done. Estates with many third party senders move slower because each newly surfaced sender needs SPF or DKIM fixed before progression. Do not advance a policy on a fixed week if the reports still show unresolved unauthorised sources.
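The gate in weeks 9 and 11 is a computation over parsed aggregate reports: alignment rate above 98 percent, every known sender aligned, and no unresolved unauthorised sources. The following is an added example, not ShieldMarc's own code, that evaluates that gate on a single aggregate report; the report XML, the IP addresses and the known-sender list are all constructed for illustration.

```python
# Added example (not ShieldMarc's code): decide whether a domain may advance to the
# next DMARC policy step from an RFC 7489 aggregate report. The report below is
# constructed; real reports arrive gzipped at the rua= address.
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted reports
from typing import Dict, Iterable

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>trust.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>970</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>20</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def rollout_gate(report_xml: str, known_sources: Iterable[str], threshold: float = 98.0) -> Dict:
    """Summarise one aggregate report and apply the progression gate from the plan."""
    known = set(known_sources)
    total = aligned = 0
    unauthorised, misconfigured = set(), set()
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passed
        passed = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        total += count
        if passed:
            aligned += count
        elif ip in known:
            misconfigured.add(ip)   # legitimate sender whose SPF/DKIM still needs fixing
        else:
            unauthorised.add(ip)    # unresolved source sending in the domain's name
    rate = round(100.0 * aligned / total, 2) if total else 0.0
    return {
        "alignment_pct": rate,
        "unauthorised": sorted(unauthorised),
        "misconfigured_known": sorted(misconfigured),
        "ready_to_advance": rate >= threshold and not unauthorised and not misconfigured,
    }


if __name__ == "__main__":
    print(rollout_gate(SAMPLE_REPORT, ["192.0.2.10", "192.0.2.20"]))
```

Note that the sample passes the 98 percent threshold (99.0) yet is still not ready, because the failing source has not been identified; that is exactly the case where advancing on a fixed week is the wrong call.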
Procurement considerations
Public sector buying is different from private sector buying, and the things that matter for a DMARC tool reflect that. Key questions to answer before selecting a supplier:
- Where is data stored? Ask for a specific data centre location, not a region. UK or EU only is the minimum bar.
- Is the supplier subject to the US CLOUD Act? If yes, a data processing impact assessment (DPIA) becomes significantly more complex.
- Does the platform support Cyber Essentials and Cyber Essentials Plus audits? Look for suppliers that publish their own posture openly. ShieldMarc does not currently hold third-party certifications and says so plainly. Certification (starting with Cyber Essentials, then SOC 2 or ISO 27001 depending on customer demand) is a first-order goal as the business scales, and the engineering posture is already being built with those frameworks in mind. The live controls, tenant isolation, minimal personal-data handling and vendor assessment documentation are all described on our Trust page.
- What is the total cost of ownership across 20 to 50 domains? Per domain pricing can make DMARC prohibitively expensive at public sector scale.
- Is there a free tier or trial? Proving value before raising a purchase order shortens the buying cycle dramatically.
- Can the platform onboard the organisation without consulting fees? Many legacy providers bundle mandatory professional services that double the year one cost.
Why we built ShieldMarc for this
ShieldMarc is a modern DMARC platform built from scratch in 2026. We are UK based, with EU hosted infrastructure, and dedicated UK hosted environments are available on request for organisations that require strict UK data residency. Flat rate pricing, no per domain fees. We take DMARC reports for every owned domain, parse and classify every sender, and guide organisations from p=none to enforcement on a realistic timeline.
The platform covers DMARC, SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, CAA, and certificate monitoring in a single subscription. Parked and alias domains are detected automatically and held to a separate restrictive baseline. AI assisted threat evaluation separates genuine phishing from legitimate bulk mail, so the reports you read every week are signal, not noise.
Public sector specific details we care about:
- UK owned and operated. Not a reseller of a US platform.
- Default EU hosting under GDPR and UK data protection law for all core monitoring data, databases and reporting pipelines. No core monitoring data is processed in or exported to the US.
- Dedicated UK hosted environment available on request for organisations with strict UK residency requirements.
- Optional AI features (for example Explain with AI and AI review) route to third-party large-language-model providers in the US under API-only, no-training terms, and only when an operator explicitly invokes them. EU AI routing is available on request for enterprise and public sector customers who require the narrowest possible US footprint. See our Trust page and Privacy Policy for the full sub-processor list.
- Flat rate pricing that does not punish multi domain portfolios.
- Free tier and free tools for public interest responsible disclosure work.
Next steps
- Run a baseline scan of your primary domain with our free Security Grade check. It evaluates DMARC, SPF, DKIM, MTA-STS, TLS-RPT, DNSSEC, and more in a single scan.
- Check your existing DMARC record with the DMARC Checker. Particularly useful to confirm whether sp is set.
- Read our NCSC Mail Check retirement guide for a longer view of the policy context.
- Inventory every owned domain before starting rollout. This is the step most organisations skip and regret.
A UK owned replacement for Mail Check
ShieldMarc is a UK owned DMARC platform with EU hosted infrastructure, built for organisations that need to replace NCSC Mail Check without compromising on data residency or pricing. UK hosted environments are available on request for organisations with strict UK residency requirements. See our Mail Check migration page or create a free account to start protecting your first domain in under two minutes.