NCSC Mail Check alternative
The National Cyber Security Centre fully retired Mail Check on 31 March 2026. If your organisation relied on it for DMARC reporting, the reports haven't stopped being generated - they've stopped being read. SealedMail picks them up.
What happened, and when
24 March 2025
The first cuts
The NCSC withdrew Mail Check's DMARC aggregate reporting (RUA), DMARC insights and DKIM checks, and TLS reporting (TLS-RPT). From that date, Mail Check offered only basic SPF/DMARC policy checks and inbound TLS checks - no reporting, no DKIM insight.
31 March 2026
Full retirement
Mail Check (and Web Check) were switched off entirely, as part of the NCSC's Active Cyber Defence 2.0 strategy. The NCSC has encouraged the roughly 17,000 organisations registered with Mail Check to adopt alternative DMARC tools.
What organisations have lost
If Mail Check was your DMARC tooling, you have lost:
- Visibility. Nobody is receiving or reading your DMARC aggregate reports. Spoofing attempts against your domain are now invisible to you.
- Safe progress towards enforcement. Without report data, moving to p=quarantine or p=reject risks blocking your own legitimate email - and staying at p=none provides no protection.
- DKIM and TLS insight. Gone since March 2025.
- Evidence. For organisations assessed against the NCSC Cyber Assessment Framework or the NHS DSPT, the reporting that evidenced your email security controls has stopped.
What SealedMail provides in its place
Mail Check provided
DMARC aggregate report (RUA) collection
SealedMail provides
DMARC aggregate report (RUA) collection - every report, every receiver
Mail Check provided
TLS-RPT collection (until March 2025)
SealedMail provides
TLS-RPT collection and anomaly flagging
Mail Check provided
DKIM checks (until March 2025)
SealedMail provides
DKIM checks in every weekly health check
Mail Check provided
A dashboard requiring interpretation
SealedMail provides
A weekly plain-English report requiring none
Mail Check provided
SPF/DMARC policy checks
SealedMail provides
Full weekly health check: DMARC, SPF, DKIM, MTA-STS, TLS-RPT, BIMI, blacklists
Mail Check provided
Free, for eligible organisations
SealedMail provides
£49 per domain, per month - fixed, no tiers
And one thing Mail Check never offered: interpretation. Mail Check showed the data to those who knew how to read it. SealedMail reads it for you and tells you, in plain English, what it means and whether to act.
Switching takes two DNS records
- Subscribe - you'll receive SealedMail's RUA and TLS-RPT addresses for your domain.
- Update your DMARC record - replace the retired Mail Check reporting address with SealedMail's RUA address. (Your existing DMARC policy - none, quarantine or reject - stays exactly as it is. Switching report destinations changes nothing about how your email is treated.)
- Add or update your TLS-RPT record - restoring the TLS visibility that ended in March 2025.
Reports start flowing within days; your first weekly report arrives the following Monday.
An honest note on differences
Mail Check was free and government-run; SealedMail is a paid commercial service run by one named UK expert. Mail Check served technical users with a dashboard; SealedMail serves everyone with a written weekly report (see a sample) and includes broader checks (MTA-STS, blacklists, BIMI) that Mail Check didn't cover. If your organisation has a security team that wants raw data and dashboards, other commercial tools may fit better - the NCSC has published buyer's guidance. If you want the reports read, understood and explained, that's what SealedMail is for.
