Frequently asked questions

Everything below is written the way the weekly reports are: in plain English. Jump to a category, or just scroll.

About the service

What is SealedMail?

SealedMail is a UK-based email security monitoring service. It receives the DMARC and TLS reports that email providers generate about your domain, interprets them, and sends you one plain-English report every Monday telling you who has been sending email in your name, whether it was legitimate, and whether anything needs your attention. No dashboard, no software, no jargon.

Can SealedMail read my emails or see their content?

No. SealedMail only receives DMARC and TLS reports, which contain technical metadata about your email flows - sending server IP addresses, authentication results (SPF/DKIM/DMARC), and message counts. They never contain your email content, subject lines, attachments, or the addresses of the people you email. SealedMail has no access to your mailbox and cannot read your mail.

Who is behind SealedMail?

One person: Shaun Cooke, a UK-based email security specialist, trading as SealedMail. The same person built the service, reads the data, writes your reports and answers your emails. You can read more on the About page.

Is SealedMail regulated or certified?

SealedMail is not regulated by a financial or sector regulator - it is a supplier to regulated businesses, not a regulated entity itself. Here is an honest summary of our current credentials:

  • ICO registration: Registered with the ICO.
  • UK GDPR compliant: SealedMail maintains a Record of Processing Activities, publishes a full Privacy Policy, and handles all customer data on UK-based infrastructure under UK GDPR.
  • UK-hosted infrastructure: All customer data is processed and stored in the UK, on SealedMail's own infrastructure.
  • Cyber Essentials: Application in progress. We will display the official badge once certification is confirmed.
  • Professional Indemnity insurance: In place; certificate available on request.

A supplier Due Diligence Pack is available on request - covering data handling, sub-processors, security posture, and compliance documentation. Email [email protected].

What hours does SealedMail operate?

Monday to Friday, 09:00-17:00 UK time. There is no out-of-hours support - that's stated plainly rather than implied otherwise. Reports are generated and delivered on schedule regardless; service hours apply to support and health check processing.

How do I contact SealedMail?

Email [email protected], or use the form on the Contact page. Queries received during service hours get an initial reply the same working day.

Where is my data stored?

On servers located in the United Kingdom, on SealedMail's own infrastructure, under UK GDPR. Operational email is handled via Zoho's EU data centres, covered by the UK's adequacy regulations. Full details are in the Privacy Policy.

Getting set up

What do I need to do to set up the service?

One thing: update two DNS records for your domain - your DMARC record and your TLS-RPT record - using the details in your welcome email. It's about five minutes' work for anyone who manages DNS, and the Getting Started guide walks you through it step by step if that person is you.

Will adding SealedMail affect my email delivery?

No. Monitoring is completely passive. You add our address as a reporting destination (the rua tag) in your DMARC record, which only tells mailbox providers where to send aggregate reports. It does not sit in your mail flow and cannot block, delay, or reject legitimate email. Your mail works exactly as before, and you simply start receiving reports on it.

How soon will I see data after setting up?

DMARC reports are generated by mailbox providers and usually start arriving within 24 to 48 hours of your DNS change taking effect. Your first weekly report summarises whatever has come in by then, and coverage builds over the following days as more providers report in.

How do I add SealedMail to my DMARC record?

Your DMARC record lives in your domain's DNS, under the name _dmarc. You add SealedMail's reporting address (provided at sign-up) to the rua= part of that record. Your welcome email contains the exact text to copy and paste - for both an existing record and creating one from scratch.

How do I add SealedMail to my TLS-RPT record?

The same way, with a record named _smtp._tls. Your welcome email contains the exact copy-and-paste text. If you've never had a TLS-RPT record, you'll be creating a new one - also covered in the welcome email and the Getting Started guide.

How do I know if my DNS changes have worked?

Reply to your welcome email once you've made the changes and SealedMail will verify both records and confirm. DNS changes can take a few hours to propagate, so don't worry if confirmation isn't instant. New subscriptions are also spot-checked manually, so a problem won't go unnoticed even if you don't reply.

What if I do not know how to update my DNS records?

Forward your welcome email to whoever manages your domain - your IT provider, web designer, or your domain registrar's support team. Almost all registrars will make the changes for you if you send them the details. And if you get stuck, email [email protected] with a screenshot; no question is too basic.

Do I need to change my DMARC policy level?

No. SealedMail works at whatever policy you currently have - none, quarantine or reject. Adding SealedMail changes where the reports go, not how your email is treated. Over time, your weekly reports will tell you when it's safe to move to a stronger policy, but that decision and that change remain yours.

What happens if I already have a DMARC record?

You keep it. You're only adding SealedMail's address to the reporting part of the record (or replacing a defunct one, such as a retired Mail Check address). Everything else in your record stays exactly as it is.
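The change described above, as an added example (not SealedMail's own code): a small function that adds a reporting address to the rua tag of an existing DMARC record, optionally drops a defunct one, and leaves every other tag untouched. The addresses `mailto:reports@monitor.example` and `mailto:old@retired.example` are placeholders; the real values come from your welcome email and your current record.

```python
NEW_RUA = "mailto:reports@monitor.example"      # placeholder, not a real address
OLD_RUA = "mailto:old@retired.example"          # placeholder for a defunct address


def parse_tags(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def set_rua(record, add_uri, drop_uri=None):
    """Return the record with add_uri in rua; all other tags are unchanged."""
    pairs = parse_tags(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: it must start with v=DMARC1")
    out, seen_rua = [], False
    for tag, value in pairs:
        if tag == "rua":
            seen_rua = True
            uris = [u.strip() for u in value.split(",") if u.strip()]
            # Remove the defunct destination, if one was named.
            uris = [u for u in uris if u.lower() != (drop_uri or "").lower()]
            # Add the new destination once, keeping any others already there.
            if add_uri.lower() not in [u.lower() for u in uris]:
                uris.append(add_uri)
            value = ",".join(uris)
        out.append((tag, value))
    if not seen_rua:
        out.append(("rua", add_uri))
    return "; ".join(f"{tag}={value}" for tag, value in out)


if __name__ == "__main__":
    current = "v=DMARC1; p=quarantine; pct=100; rua=" + OLD_RUA
    print(set_rua(current, NEW_RUA, drop_uri=OLD_RUA))
```
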

What is the difference between RUA and RUF reports?

RUA reports are aggregate reports - summaries of all email activity for your domain, sent by receivers daily. They're the foundation of DMARC monitoring and what SealedMail processes. RUF reports are per-message failure reports containing detail about individual emails; for privacy reasons most major receivers no longer send them, which is why SealedMail's service is built on RUA data - the data that actually arrives.
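What an aggregate (RUA) report actually carries, and why it cannot expose message content, as an added example that is not SealedMail's own code. The sample report is constructed, follows the RFC 7489 aggregate report layout, and uses documentation-range IP addresses and hypothetical domains.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate report layout (not real data).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""


def leaf_fields(xml_text):
    """Every kind of value the report carries (names of leaf elements)."""
    root = ET.fromstring(xml_text)
    return sorted({el.tag for el in root.iter() if len(el) == 0})


def summarise(xml_text):
    """One dict per reported source: who sent, how many, did it authenticate."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the aligned results; DMARC needs one pass.
            "dmarc_pass": "pass" in (dkim, spf),
        })
    return rows


def failing_sources(rows):
    """Message counts per source IP that failed DMARC."""
    return {r["source_ip"]: r["count"] for r in rows if not r["dmarc_pass"]}


if __name__ == "__main__":
    print(leaf_fields(SAMPLE_REPORT))
    print(failing_sources(summarise(SAMPLE_REPORT)))
```

Real reports arrive compressed and come from third parties, so decompress them with size limits and parse them with a hardened XML parser before running logic like this.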

The weekly report

When do I receive my weekly report?

Every Monday, by email, covering the previous week.

What does the weekly report include?

Three things, all in plain English: what happened - who sent email as your domain, from where, and whether it authenticated; what it means for your business; and whether anything needs your attention. It also includes a refreshed health check of your domain's full email authentication setup (DMARC, SPF, DKIM, MTA-STS, TLS-RPT, BIMI and blacklist status), confirming nothing has drifted.

What if I do not understand something in my report?

Reply to it. You'll get an answer from the person who wrote it, the same working day. If something in a report regularly needs explaining, the report format gets improved - plain English is the product.

What should I do if my report shows something unusual?

The report will tell you. Findings come with context: what was observed, what it most likely is, and what kind of action it points to (often none; sometimes a DNS fix; occasionally something to raise with your IT provider). SealedMail won't make changes for you - it's a reporting service - but you'll never be left with a red flag and no explanation.

Can I change who receives the weekly report?

Yes, any time - email [email protected]. The report goes to whoever you nominate: you, a colleague, your compliance officer, your IT provider, or several of them.

Can I get reports for more than one domain?

Yes. Each domain is its own subscription at £49 per month and gets its own weekly report. Monitor as many as you need, and cancel any of them independently.

The free health check

What does the free health check cover?

A complete point-in-time audit of one domain's email authentication: DMARC, SPF, DKIM (where discoverable), MTA-STS, TLS-RPT, BIMI and blacklist status - delivered as a scored certificate with every item explained in plain English.

How long does it take?

Health checks are processed personally within service hours (Monday - Friday, 09:00 - 17:00 UK time), on the next available working day. It's not an instant automated scan - you're getting an expert's check, and the result reads like it.

What format does the certificate come in?

A formatted certificate delivered by email, with a clear overall score and a plain-English explanation of each item - the same standard of audit included in every subscriber's weekly report.

Is it genuinely free?

Yes. No sign-up, no payment details, no follow-up sales call, and your details aren't added to any mailing list. The health check is how SealedMail demonstrates what it does; if it's useful, you'll know where to find the subscription.

Can I request one if I am already a subscriber?

You won't need to - every weekly report includes a refreshed health check. But if you want a check on a domain you don't subscribe for, request away.

Does it fix any problems?

No. The health check tells you clearly what was found and what kind of fix each issue needs, but SealedMail never changes your DNS or your systems. The full terms are on the health check terms page.

What is BIMI and do I need it?

BIMI displays your verified logo next to your emails in inboxes like Gmail - a nice trust signal, not a security control. It requires DMARC at an enforcement policy first, plus (for Gmail and Apple Mail) a certificate costing roughly £700-£1,500 per year, with a registered trademark needed for the main certificate type. For most businesses it's poor value until everything else is in place - and often after that too. SealedMail checks it in every health check, explains it honestly, and doesn't sell it.

Pricing and billing

How much does SealedMail cost?

£49 per domain, per month. That's the whole pricing structure - no tiers, no volume limits, no setup fee.

Is there a contract or minimum term?

No. It's a rolling monthly subscription. Cancel any time and the service runs to the end of your paid period.

How do I pay?

By card, monthly in advance, through Stripe. SealedMail never sees or stores your card details.

Does the price include VAT?

SealedMail is not VAT registered, so no VAT is charged. £49 is the complete price.

Can I add more domains?

Yes - each domain is a separate £49/month subscription, added (and cancelled) independently.

How do I cancel?

Email [email protected], or use the Stripe customer portal linked in your billing emails. Cancellation takes effect at the end of your current billing period. Details in the Cancellation and Refund Policy.

What happens to my data if I cancel?

Your account data is kept for 30 days after your subscription ends, then permanently deleted (billing records are kept for 6 years, as HMRC requires). Remember to remove SealedMail's addresses from your DNS records after cancelling. Full details in the Privacy Policy.

Do you offer refunds?

Not for partial months. If the service has materially failed - say, a missed report not made good - a partial refund may be given at SealedMail's discretion. If SealedMail ever discontinues the service, you get reasonable notice and a pro-rata refund automatically.

Email security explained

What is DMARC and why do I need it?

DMARC is the standard that controls what happens to email claiming to come from your domain. It tells receivers what to do with messages that fail authentication - deliver, quarantine or reject - and sends you reports about everything it sees. Without it, anyone can send email as your domain and you'll never know. There's a full plain-English guide on the What is DMARC? page.

What is SPF?

A list, published in your DNS, of the servers allowed to send email for your domain. Receivers check it on every message. A common pitfall: each third-party service you use consumes DNS lookups, and beyond ten, SPF silently breaks.

What is DKIM?

A cryptographic signature added to your outgoing email, proving it genuinely came from your domain and wasn't altered in transit. SPF says where mail may come from; DKIM proves it wasn't forged. DMARC builds on both.

What is MTA-STS?

A standard that forces email arriving at your domain to use encryption, or not be delivered - like HTTPS, but for the conversations between mail servers. It stops attackers stripping away encryption to read mail in transit.

What is TLS-RPT?

TLS reporting: receiving servers tell you when they couldn't deliver email to you securely. Without it, encryption failures - including interception attempts - happen silently. With it, SealedMail sees them and flags them in your weekly report.

What do the DMARC policy levels mean?

  • p=none - monitor only: you get reports, but spoofed mail is still delivered.
  • p=quarantine - failures go to spam.
  • p=reject - failures are blocked outright.

None is the right starting point; reject is the destination, reached safely by reading the reports along the way.

Why are my emails going to spam?

Usually one of: SPF or DKIM failing for one of your sending services, a DMARC misalignment, a blacklisted domain or server, or reputation issues from sending patterns. DMARC reports reveal which - it's one of the most common things a first SealedMail report uncovers. The free health check is a quick way to rule the configuration causes in or out.

What is email spoofing and how does DMARC help?

Spoofing is sending email with a forged "from" address - your actual domain, not a look-alike. Email's original design never verified the from line, so spoofing is trivially easy without protection. DMARC at an enforcement policy stops unauthenticated exact-domain spoofing; DMARC reporting shows you the attempts. (Honest scope: DMARC doesn't stop look-alike domains or hacked mailboxes - different problems, different controls.)

Compliance and regulated sectors

Does my sector have a regulatory requirement for DMARC?

It depends on the sector, and SealedMail will only ever state the position precisely:

  • Explicitly required: UK central government departments and in-scope suppliers (Minimum Cyber Security Standard - DMARC at quarantine or reject).
  • Referenced within compliance frameworks: NHS organisations and suppliers via the Data Security and Protection Toolkit.
  • Recommended in regulator guidance: legal (SRA), accountancy (ICAEW/ACCA), charities (Charity Commission).
  • Consistent with obligations but not named: financial services (FCA SYSC, Consumer Duty).

The sector pages cover each in detail.

Do you provide a Data Processing Agreement (DPA)?

Yes. SealedMail acts as a data processor for the report data it handles on your behalf, and a data processing agreement is available on request. Our sub-processors are listed in our Privacy Policy, and a supplier Due Diligence Pack covering data handling, sub-processors, security posture, and compliance documentation is available on request. Email [email protected].

Does DMARC monitoring help with UK GDPR?

Indirectly but genuinely. UK GDPR requires appropriate technical measures to protect personal data, and email impersonation is a well-documented route to breaches. Monitoring your domain's email identity is a reasonable, demonstrable measure - and the weekly reports document that you're taking it.

We handle NHS patient data - does this help with DSPT?

Yes. The NHS DSPT names SPF, DKIM and DMARC directly in its assessment guidance (Standard 6, 6.2.8-6.2.9): SPF and DKIM records should be implemented and DMARC enforced on inbound email. SealedMail's weekly reports and health checks are formatted to file as evidence of those controls being monitored on your domain. One caveat, given honestly: these controls are provided by default by NHSmail, so if you use NHSmail exclusively the toolkit says you do not need to monitor them. SealedMail's value is for your own domain (your website and practice email). Source: NHS DSPT assessment guide (6.2.8-6.2.9).

I am a solicitor - why should I care about DMARC?

Because client-account fraud usually starts with an email that appears to come from a solicitor - and when it uses your actual domain, neither you nor your client can spot it without DMARC. The SRA's cyber guidance recommends DMARC as a control, and firms have faced regulatory and insurance consequences after email-enabled fraud. The law firm page covers this fully.

My cyber insurer has asked about email security controls - does SealedMail help?

Yes, twice over. The free health check tells you your current position before you answer the questionnaire; the weekly reports then evidence ongoing monitoring of DMARC, SPF and DKIM - exactly the controls underwriters ask about - at renewal.

Can I use SealedMail reports as compliance evidence?

Yes - they're designed for it. Every weekly report and health check certificate is dated, consistent and written in plain English, so it can go straight from your inbox into an audit file, a DSPT submission, a due-diligence response or a board pack.

NCSC Mail Check

What happened to NCSC Mail Check?

The National Cyber Security Centre retired it. DMARC aggregate reporting, DKIM checks and TLS reporting were withdrawn on 24 March 2025, and the entire service was switched off on 31 March 2026, as part of the NCSC's strategy of handing mature capabilities to the commercial market.

What did I lose when Mail Check was retired?

Visibility, mainly: nobody is receiving your DMARC reports any more, so spoofing attempts are invisible and progressing your policy safely is impossible. You also lost DKIM and TLS reporting insight (gone since March 2025) and the evidence trail those reports provided for CAF and DSPT purposes.

Is SealedMail the same as Mail Check?

It replaces what Mail Check did - DMARC report collection, DKIM checks, TLS reporting - and goes further: a weekly plain-English written report instead of a dashboard, plus MTA-STS, blacklist and BIMI checks Mail Check never covered. The honest differences: Mail Check was free and government-run; SealedMail is £49/domain/month and run by one named UK expert. The Mail Check alternative page has a full comparison.

Will switching affect my existing DMARC setup?

No. You're changing where the reports are sent - replacing the retired Mail Check address with SealedMail's - not your policy. Your email is treated exactly as before; the only difference is that someone is reading the reports again.
