DMARC monitoring for healthcare
Weekly plain-English monitoring of your domain's email security, written for practice managers, with reports that drop straight into your Data Security and Protection Toolkit evidence file.
Start your free health check
UK data · UK servers · UK GDPR compliant · ICO registered · Professionally insured · Cyber Essentials in progress
Regulatory alignment - NHS DSPT
The NHS Data Security and Protection Toolkit names SPF, DKIM and DMARC directly in its assessment guidance (Standard 6, 6.2.8-6.2.9): these records should be implemented and DMARC enforced on inbound email, provided by default by NHSmail. SealedMail's weekly reports are formatted to serve as dated evidence that these controls are actively monitored, ready to support your DSPT submission.
Source: NHS DSPT assessment guide (6.2.8-6.2.9)
The risk: patient trust, exploited by email
Healthcare organisations are high-value targets for a simple reason: patients act on emails from their GP surgery, dental practice or care provider without hesitation. An email "from the practice" asking a patient to confirm details, follow a link or make a payment carries automatic trust - which is precisely why criminals send them. For the organisation, the consequences stack up: a reportable data breach, ICO involvement, disruption to NHSmail access, and a failed Data Security and Protection Toolkit (DSPT) submission that puts NHS contracts at risk.
And unlike a break-in, email impersonation is invisible by default. Unless someone is receiving and reading your domain's DMARC reports, attempts to send email as your practice simply aren't seen by anyone on your side.
Where the requirements stand
Healthcare has the most concrete email security expectations of any UK sector. The NHS Data Security and Protection Toolkit - a contractual requirement for organisations handling NHS patient data and for CQC-registered providers - aligns with NCSC guidance on email security, which recommends DMARC, SPF and DKIM. Larger (Category 1) organisations now complete the DSPT against the NCSC Cyber Assessment Framework, which expects DMARC at its strictest setting.
One honest caveat SealedMail will always give you: if your organisation uses NHSmail only, NHSmail handles much of this for you centrally - the monitoring need applies to your own domain, the one on your website and your practice email.
What a SealedMail report shows a practice
Every Monday, in language written for a practice manager rather than an IT contractor, the report shows who sent email as your domain, whether it was legitimate, and whether your authentication records (the things the DSPT asks about) remain correctly configured. Each report includes a refreshed health check of DMARC, SPF, DKIM and the rest, so configuration drift is caught in days rather than discovered at submission time.
Come DSPT season, you're not scrambling to evidence email security: you have fifty-two dated, plain-English reports demonstrating continuous monitoring.
Why healthcare providers choose SealedMail
Written for practice managers. No dashboard, no jargon, no dependence on whoever "does the IT" - the report explains itself.
DSPT-ready evidence. Weekly reports and health check certificates formatted to file directly as toolkit evidence.
UK data handling. Reports are processed on UK infrastructure under UK GDPR - an answer your IG lead will appreciate.
£49 per domain, per month · No contract - cancel any time · UK-based · Support Mon-Fri 09:00-17:00
Check your practice domain - free
The free health check audits your domain against every major email authentication standard and scores it, in plain English. Many practices discover gaps they can fix the same week.