NCSC Mail Check Has Retired: What UK Organisations Should Do Now
NCSC retired its Mail Check and Web Check services on 31 March 2026. If your organisation relied on Mail Check for DMARC monitoring, email anti-spoofing checks, or TLS reporting, you need to find an alternative before you lose visibility entirely. This page was verified against the NCSC announcement on 1 May 2026.
What happened
The NCSC announced the retirement of both Mail Check and Web Check as part of its Active Cyber Defence 2.0 roadmap. These services, which had been available to UK organisations for over eight years, stopped delivering findings on 31 March 2026.
The NCSC's published rationale is that there is now a wide commercial market for External Attack Surface Management (EASM) products that cover what Mail Check and Web Check provided, plus additional features. The announcement recommends transitioning to a commercial EASM product before retirement and points to the NCSC's own EASM buyer's guide. NCSC is refocusing on areas where being part of GCHQ provides an advantage that the private sector cannot replicate.
Timeline of changes
| Date | Change |
|---|---|
| 2017 onwards | Mail Check available to UK public-sector and registered private-sector organisations, providing DMARC, SPF, DKIM and TLS posture findings. |
| Late 2025 | NCSC announced the retirement of Mail Check and Web Check, recommending transition to commercial EASM products before the cut-off. |
| 31 March 2026 | Mail Check and Web Check retired. From this date, NCSC users no longer receive findings related to those services. |
Still available: Early Warning and DNS Check continue through your MyNCSC account. The NCSC also offers a free email security checker for quick one-off checks, though it does not provide ongoing monitoring.
Why this matters
Without ongoing DMARC monitoring, organisations lose visibility into:
- Who is sending email on your behalf. DMARC aggregate reports (RUA) show every IP address that sends mail using your domain. Without them, you cannot detect unauthorised senders or shadow IT services.
- Whether authentication is passing. SPF and DKIM can break silently when DNS records change, providers update their infrastructure, or new sending services are added. Without monitoring, failures go unnoticed.
- Whether your domain is being spoofed. DMARC reports reveal phishing attempts using your domain. Without this data, attacks happen in the dark.
- Progress towards enforcement. Moving from p=none to p=reject requires confidence that all legitimate mail passes authentication. Without data, you are guessing.
Our UK MSP DMARC Audit: Q1 2026 (a sample of 192 UK Managed Service Providers, methodology published in the linked report) found that 95% have a DMARC record published, but only 36% have reached p=reject. The gap between having a record and enforcing it is where monitoring matters most.
Step-by-step migration guide
Whether you managed one domain or hundreds through Mail Check, here is how to maintain your email security visibility.
1. Audit your current setup
Before choosing a replacement, understand where you stand. Run each of your domains through a free DMARC Checker to see your current DMARC policy, SPF configuration, and overall grade. For a broader view covering SSL, DNS, DNSSEC, impersonation risk, and domain registration, use the Security Grade. You should also check your email transport security with our MTA-STS Checker and scan for impersonation risks with the Lookalike Domain Scanner.
Document each domain's current state:
- DMARC policy level (none, quarantine, or reject)
- Whether a RUA (aggregate reporting) address is configured
- SPF record and number of DNS lookups
- DKIM signing status
- Any alternate or parked brand domains
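For the "number of DNS lookups" item, RFC 7208 caps SPF evaluation at 10 DNS-querying terms (include, a, mx, ptr, exists and redirect), counted across nested includes. The added example below (not from the original page) counts them recursively; the ZONE dictionary is constructed data standing in for live TXT lookups, and all domain names in it are placeholders.

```python
import re

# Constructed TXT records standing in for live DNS answers.
ZONE = {
    "example.org": "v=spf1 mx a include:_spf.mailer.example "
                   "include:spf.crm.example include:spf.helpdesk.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example -all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b.mailer.example": "v=spf1 ip4:198.51.100.0/24 a:out.mailer.example -all",
    "spf.crm.example": "v=spf1 exists:%{i}.bl.crm.example ip4:203.0.113.0/24 -all",
    "spf.helpdesk.example": "v=spf1 a mx ptr -all",
}
# Terms that cost one DNS query each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Optional qualifier, term name, optional ":target" or "=target".
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS lookups to evaluate domain's SPF record."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    total = 0
    for term in zone[domain].split()[1:]:  # skip the v=spf1 version term
        name, target = TERM.match(term).groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            # The referenced record's own terms count towards the same limit.
            total += count_lookups(target.lower(), zone, path + (domain,))
    return total

def spf_report(domain, zone, limit=10):
    """Summarise the lookup count and whether it exceeds the RFC limit."""
    n = count_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "over_limit": n > limit}

if __name__ == "__main__":
    print(spf_report("example.org", ZONE))
```

A record over the limit makes receivers return an SPF permerror, so a domain can look correctly configured and still fail SPF for every message.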
2. Choose a DMARC monitoring provider
Look for a provider that offers:
- DMARC aggregate report (RUA) processing and visualisation
- SPF and DKIM alignment monitoring
- Alerting when authentication fails or records change
- Support for multiple domains (especially if you are an MSP)
- EU data residency with a UK-based company
ShieldMarc was built specifically for this transition. We offer DMARC reporting, SSL monitoring, domain trust scoring, and domain security tracking in a single dashboard, with a free plan that requires no credit card.
3. Update your DMARC RUA address
If your DMARC record currently sends aggregate reports to a Mail Check address (or any NCSC endpoint), you need to update the rua= tag to point to your new provider. For example:
Most providers give you a unique RUA address during onboarding. Update the TXT record at _dmarc.yourdomain.com in your DNS.
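One way to make the rua= change across many records without disturbing the other tags, as an added example that is not part of the original page. The reporting domain `retired-reports.example` and the address at `rua.new-provider.example` are placeholders, not real NCSC or provider endpoints.

```python
def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    return pairs

def repoint_rua(record, retired_domain, new_uri):
    """Drop rua URIs at retired_domain, add new_uri, keep all other tags."""
    out, seen_rua = [], False
    for tag, value in parse_dmarc(record):
        if tag == "rua":
            seen_rua = True
            kept = []
            for uri in (u.strip() for u in value.split(",")):
                # A URI may end in a size limit such as "!10m"; ignore it here.
                host = uri.split("!", 1)[0].rsplit("@", 1)[-1].lower()
                if host == retired_domain or host.endswith("." + retired_domain):
                    continue  # report destination that no longer processes mail
                kept.append(uri)
            if new_uri not in kept:
                kept.append(new_uri)
            value = ",".join(kept)
        out.append((tag, value))
    if not seen_rua:
        # No reporting address at all: add one so monitoring can start.
        out.append(("rua", new_uri))
    return "; ".join(f"{t}={v}" for t, v in out)

if __name__ == "__main__":
    # Constructed record with one retired and one in-house destination.
    old = ("v=DMARC1; p=none; "
           "rua=mailto:agg@retired-reports.example,mailto:dmarc@example.org; pct=100")
    print(repoint_rua(old, "retired-reports.example",
                      "mailto:abc123@rua.new-provider.example"))
```

Because the new address sits on another domain, receivers only send reports if the provider publishes an authorisation TXT record at `yourdomain.com._report._dmarc.<provider domain>` (RFC 7489, section 7.1); confirm it exists when you verify the change.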
Not sure what DMARC, RUA, or aggregate reports mean? Read our complete guide to DMARC.
4. Verify with a free check
After updating your DNS, allow 24-48 hours for propagation, then run your domain through the DMARC Checker again to confirm the new RUA address is in place and all records are valid. If you need to create a new DMARC record from scratch, use the DMARC Generator to build one with the correct policy and reporting address. Once reports start arriving, use the DMARC Report Viewer to inspect the raw XML in a human-readable format without uploading anything to a server.
5. Do not forget your other domains
Many organisations have parked, alias, or legacy domains that also need DMARC protection. Our UK MSP audit found that 80% of UK MSPs leave their alternate brand domains unprotected. Every domain you own can be used for spoofing. Non-sending domains should have:
Use the Security Grade tool to scan your domain across every security layer.
Specific guidance for MSPs
If you are a Managed Service Provider managing email security for multiple clients, the Mail Check retirement creates both a risk and an opportunity.
The risk: clients who relied on NCSC tooling may assume “someone is watching” when in fact nobody is. Proactively contact any client whose DMARC reporting pointed to an NCSC address.
The opportunity: DMARC monitoring is a natural addition to your managed security offering, and our guide on running DMARC as a managed service walks through how to operate it across a client base now that Mail Check is gone. It is a recurring service that directly protects your clients from impersonation and phishing, and the data it generates (authentication pass rates, sender inventory, policy compliance) provides clear reporting value.
ShieldMarc is built for multi-tenant management with per-organisation dashboards, domain grouping, and role-based access. See our pricing for MSP-friendly plans.
Migration checklist
1. Audit all domains currently registered in Mail Check
2. Run each domain through a free DMARC checker to document current state
3. Choose a DMARC monitoring provider with RUA processing
4. Update the rua= tag in each domain's DMARC record
5. Wait 24-48 hours for DNS propagation
6. Verify the new configuration with a free check
7. Add DMARC records to any parked, alias, or non-sending domains
8. Set a calendar reminder to review DMARC reports monthly
Start your migration today
Check your domain's current email security posture for free, then set up ongoing monitoring in under five minutes.