NCSC Mail Check Has Retired: What UK Organisations Should Do Now

What happened

In late 2025, the NCSC announced the retirement of both Mail Check and Web Check as part of their Active Cyber Defence 2.0 roadmap. These services, which have been available to UK organisations for over eight years, will no longer provide findings after 31 March 2026.

The NCSC's rationale is straightforward: the commercial market has matured. When Mail Check launched, few alternatives existed. Today, multiple providers offer equivalent or better functionality. The NCSC now focuses on areas where being part of GCHQ provides a unique advantage that the private sector cannot replicate.

Timeline of changes

Still available: Early Warning and DNS Check continue through your MyNCSC account. The NCSC also offers a free email security checker for quick one-off checks, though it does not provide ongoing monitoring.

Why this matters

Without ongoing DMARC monitoring, organisations lose visibility into:

• •Who is sending email on your behalf. DMARC aggregate reports (RUA) show every IP address that sends mail using your domain. Without them, you cannot detect unauthorised senders or shadow IT services.
• •Whether authentication is passing. SPF and DKIM can break silently when DNS records change, providers update their infrastructure, or new sending services are added. Without monitoring, failures go unnoticed.
• •Whether your domain is being spoofed. DMARC reports reveal phishing attempts using your domain. Without this data, attacks happen in the dark.
• •Progress towards enforcement. Moving from p=none to p=reject requires confidence that all legitimate mail passes authentication. Without data, you are guessing.

Our UK MSP DMARC Audit: Q1 2026 found that 95% of UK Managed Service Providers have a DMARC record, but only 36% have reached p=reject. The gap between having a record and enforcing it is where monitoring matters most.

Step-by-step migration guide

Whether you managed one domain or hundreds through Mail Check, here is how to maintain your email security visibility.

1. Audit your current setup

Before choosing a replacement, understand where you stand. Run each of your domains through a free DMARC Checker to see your current DMARC policy, SPF configuration, and overall grade. For a broader view covering SSL, DNS, DNSSEC, impersonation risk, and domain registration, use the Security Grade. You should also check your email transport security with our MTA-STS Checker and scan for impersonation risks with the Lookalike Domain Scanner.

Document each domain's current state:

• DMARC policy level (none, quarantine, or reject)
• Whether a RUA (aggregate reporting) address is configured
• SPF record and number of DNS lookups
• DKIM signing status
• Any alternate or parked brand domains

2. Choose a DMARC monitoring provider

Look for a provider that offers:

• DMARC aggregate report (RUA) processing and visualisation
• SPF and DKIM alignment monitoring
• Alerting when authentication fails or records change
• Support for multiple domains (especially if you are an MSP)
• EU data residency with a UK-based company

ShieldMarc was built specifically for this transition. We offer DMARC reporting, SSL monitoring, domain trust scoring, and domain security tracking in a single dashboard, with a free plan that requires no credit card.

3. Update your DMARC RUA address

If your DMARC record currently sends aggregate reports to a Mail Check address (or any NCSC endpoint), you need to update the rua= tag to point to your new provider. For example:

Most providers give you a unique RUA address during onboarding. Update the TXT record at _dmarc.yourdomain.com in your DNS.

Not sure what DMARC, RUA, or aggregate reports mean? Read our complete guide to DMARC.

4. Verify with a free check

After updating your DNS, allow 24-48 hours for propagation, then run your domain through the DMARC Checker again to confirm the new RUA address is in place and all records are valid. If you need to create a new DMARC record from scratch, use the DMARC Generator to build one with the correct policy and reporting address. Once reports start arriving, use the DMARC Report Viewer to inspect the raw XML in a human-readable format without uploading anything to a server.

5. Do not forget your other domains

Many organisations have parked, alias, or legacy domains that also need DMARC protection. Our UK MSP audit found that 80% of UK MSPs leave their alternate brand domains unprotected. Every domain you own can be used for spoofing. Non-sending domains should have:

Use the Security Grade tool to scan your domain across every security layer.

Specific guidance for MSPs

If you are a Managed Service Provider managing email security for multiple clients, the Mail Check retirement creates both a risk and an opportunity.

The risk:clients who relied on NCSC tooling may assume “someone is watching” when in fact nobody is. Proactively contact any client whose DMARC reporting pointed to an NCSC address.

The opportunity: DMARC monitoring is a natural addition to your managed security offering. It is a recurring service that directly protects your clients from impersonation and phishing, and the data it generates (authentication pass rates, sender inventory, policy compliance) provides clear reporting value.

ShieldMarc is built for multi-tenant management with per-organisation dashboards, domain grouping, and role-based access. See our pricing for MSP-friendly plans.

Migration checklist