Email security for charities

Weekly plain-English monitoring that tells your charity whether anyone is sending email as your domain - protecting donors, beneficiaries and the reputation everything depends on.

Start your free health check

UK data · UK servers · UK GDPR compliant · ICO registered · Professionally insured · Cyber Essentials in progress

Regulatory alignment - Charity Commission guidance

The Charity Commission treats cybercrime and fraud as notifiable serious incidents. Email impersonation, where fraudsters send emails appearing to come from your charity, is a documented route to donor fraud. DMARC monitoring provides evidence that you are actively monitoring for this risk, relevant to trustees' duty of care and Charity Commission reporting obligations. Source: Charity Commission guidance

The risk: trust is the asset, and the attack surface

Charities run on trust, and email fraud converts that trust into money - someone else's. A fake donation appeal "from" your charity during an emergency campaign. An email to your finance volunteer "from" the CEO, asking for an urgent transfer. An invoice "from" a supplier with new bank details. The sector's exposure is documented: between November 2023 and October 2024 the Charity Commission opened 603 fraud cases and 99 cybercrime cases, with phishing the most common type of cyber-enabled fraud (Charity Commission, 2024).

For a charity the damage is layered: lost funds, a serious incident report to the Commission, possible ICO involvement - and donors who hesitate next time, because the last email "from you" wasn't.

Where the Charity Commission stands

The Charity Commission does not mandate DMARC. Its guidance - developed with the NCSC - advises charities to protect themselves against cybercrime and fraud, and trustees carry the duty to manage the charity's resources responsibly, which includes its digital identity. Serious incidents, including significant fraud, must be reported to the Commission.

The practical reading for trustees: knowing whether your charity's email identity is being abused is part of managing a foreseeable, well-documented risk - and a monitoring trail is far easier to stand behind than "we had no way of knowing".

What a SealedMail report shows a charity

See a sample report →

Every Monday, in plain English: who sent email as your domain, whether it was genuine, and whether anything needs attention. If a fraudulent appeal went out under your name, your report describes it in terms a trustee board can act on - not a chart, not raw data. It also keeps watch over your legitimate senders: the fundraising platform, the newsletter tool, the volunteer-management system - so your genuine appeals authenticate properly and reach inboxes instead of spam folders.

For trustee meetings, the weekly reports give the board a dated, readable record that this risk is actively managed - useful for the annual return narrative, insurer questionnaires and funder due diligence alike.

Why charities choose SealedMail

Affordable and flat. £49 per domain, per month, everything included - a figure a small charity can budget without a procurement exercise.

No technical capacity required. Most charities have no IT team. SealedMail assumes exactly that: one DNS change at the start, then one readable email a week.

No upselling - genuinely. Requesting the free health check triggers no sales calls and no mailing list. The same restraint applies throughout the service.

£49 per domain, per month · No contract - cancel any time · UK-based · Support Mon-Fri 09:00-17:00

Start with the free health check

A scored, plain-English audit of your charity's domain - SPF, DKIM, DMARC, encryption reporting and blacklist status. Free, no obligation, no follow-up pressure.

Start your free health check

Further reading