DMARC for healthcare and NHS organisations: the DSPT connection

If your organisation handles NHS patient data, the Data Security and Protection Toolkit already expects you to take email security seriously - and DMARC is part of that picture. A plain-English guide for practice managers, with no technical background assumed.


If you manage a GP surgery, dental practice, care home or any organisation that handles NHS patient data, you already know the Data Security and Protection Toolkit (DSPT). Once a year it asks you to evidence, in writing, that your organisation takes data security seriously - and email security sits inside that.

This guide explains where Domain-based Message Authentication, Reporting and Conformance (DMARC) fits in, why healthcare organisations are attractive targets for email impersonation, and how to handle this without a technical background. No jargon without explanation, promise.

Why healthcare organisations are targeted

Email impersonation works best where three things combine: trusted sender identities, time pressure, and valuable payloads. Healthcare has all three.

An email that appears to come from a GP surgery gets opened. Patients trust it implicitly - appointment changes, test results, repeat prescription confirmations. Suppliers trust it too: practices order from pharmacies, equipment suppliers and locum agencies by email every day. And the data behind it all - patient records - is among the most sensitive any UK organisation holds, and the Information Commissioner's Office (ICO) enforcement that follows a breach is severe to match.

A criminal does not need to breach your clinical system to exploit this. If your domain is unprotected, they can simply send email as you - to patients ("your appointment has moved; confirm your details here"), or to your suppliers and staff. Your systems are never touched; your name does the work. That is the specific gap DMARC closes.

What the DSPT expects

The DSPT is a contractual requirement under the NHS Standard Contract for organisations handling NHS patient data or using NHSmail, and applies to CQC-registered providers. Within its data security standards, the toolkit references email security controls - including DMARC, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) - named directly in the DSPT assessment guidance (Standard 6, assertions 6.2.8-6.2.9) and reflecting NCSC (National Cyber Security Centre) email security guidance.

Larger (Category 1) organisations now complete the DSPT against the NCSC's Cyber Assessment Framework, which sets a higher bar still on email authentication.

Two practical clarifications that save practice managers a lot of confusion:

If your organisation only ever sends email from NHSmail (an @nhs.net address), the email authentication for that domain is handled centrally - you are not expected to evidence spam and phishing controls for NHSmail itself. The DSPT question, for you, is largely answered upstream.

If your organisation also sends from its own domain - yourpractice.co.uk for the website contact address, patient newsletters, the dental plan billing system, a private clinic arm - then that domain is your responsibility, and it is exactly the kind of detail a DSPT review or ICO investigation looks at. Many practices use both without realising the second one is theirs to secure.

What DMARC actually does - in one paragraph

DMARC is a single line of text published in your domain's settings (its DNS - the public directory that tells the internet where your website and email live). It instructs every receiving mail server in the world: if an email claims to be from our domain and cannot prove it, reject it. It also sends you reports showing every source, worldwide, that is sending email in your name. Setting it up requires no new software, no changes to how staff work, and no interruption to your existing email. A full plain-English walkthrough is here: What is DMARC?.

The evidence problem - and how reports solve it

The DSPT does not just ask whether controls exist; it asks you to evidence them, year after year. This is where most practices struggle: the IT supplier set something up in 2021, nobody is sure what, and the annual submission involves an awkward email asking them to confirm it still works.

A monitored DMARC setup turns this around. Every week, SealedMail subscribers receive a written report, in plain English, confirming:

  • the domain's DMARC, SPF and related records remain correctly configured;
  • what email was sent in the domain's name that week, from where, and whether it authenticated;
  • whether anything unusual appeared - explained in practical terms, not codes.

When DSPT season arrives, the evidence is already in your inbox: a dated, continuous record of monitoring. The same reports serve for CQC conversations, ICO due diligence and cyber insurance renewals.

One honest caveat, because precision matters in this sector: SealedMail reports and explains. We do not make changes to your systems or DNS, we do not guarantee deliverability, and a DMARC policy does not protect against every email threat (it does not stop look-alike domains or a compromised mailbox). It removes the cheapest, most scalable attack - exact impersonation of your domain - and gives you documented visibility.

Where practices usually stand today

Of the healthcare domains we check, the common findings are remarkably consistent: no DMARC record at all; a record at p=none - monitoring mode, which blocks nothing (see Why DMARC p=none is not protecting you); or reports pointing at an address nobody reads, sometimes the NCSC's Mail Check service, which was retired on 31 March 2026.

None of these states will show up as a problem day to day. All of them leave the practice's name available to anyone who wants to borrow it.
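As an added illustration (not code from this page or SealedMail's own checker), a small Python routine that sorts a domain's DMARC record into the states described above and in the one-paragraph explanation: no record, a record stuck at p=none, or reports routed to an address nobody monitors. The domain names, sample records and the "retired" report address are constructed; a real check would first fetch the TXT record at `_dmarc.<domain>`.

```python
"""Classify a DMARC TXT record into the states a practice manager cares about.

Constructed example. A live check would look up the TXT record at
_dmarc.<domain> (for example with dnspython) and pass the string in.
"""

# Constructed placeholder standing in for a report address that is no longer read.
UNMONITORED_RUA = {"retired-reports@example.invalid"}

# Constructed sample records for four fictional practices.
SAMPLE_RECORDS = {
    "surgery-one.example": "",  # nothing published at _dmarc.surgery-one.example
    "surgery-two.example": "v=DMARC1; p=none; rua=mailto:dmarc@surgery-two.example",
    "surgery-three.example": "v=DMARC1; p=reject; rua=mailto:retired-reports@example.invalid",
    "surgery-four.example": "v=DMARC1; p=reject; rua=mailto:reports@surgery-four.example",
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt):
    """Return plain-English findings for one record; an empty list means healthy."""
    if not txt.strip():
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record is not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("policy is p=none: monitoring only, nothing is blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append("policy tag p= is missing or unrecognised")
    rua = tags.get("rua", "")
    if not rua:
        findings.append("no rua= address: aggregate reports are going nowhere")
    for addr in (a.strip() for a in rua.split(",") if a.strip()):
        mailbox = addr[len("mailto:"):] if addr.startswith("mailto:") else addr
        if mailbox in UNMONITORED_RUA:
            findings.append(f"reports sent to {mailbox}, which is no longer monitored")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", classify_dmarc(record) or ["healthy"])
```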

A sensible first step

Find out which state your domain is in. SealedMail's Free Domain Health Check audits SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails you a scored certificate written in plain English - suitable for dropping straight into your DSPT evidence folder. It is free, with no sign-up and no sales follow-up.

If you then want continuous monitoring with a weekly report a practice manager can actually read, that is SealedMail's core service: £49 per domain per month, monthly rolling, no contract, UK-based, with support during UK business hours (Monday to Friday, 09:00-17:00).

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides.