NCSC Mail Check migration guide: what to do now it's gone
NCSC Mail Check retired on 31 March 2026. A step-by-step guide to migrating your DMARC and TLS reporting to a replacement, without overpaying.
The National Cyber Security Centre (NCSC) switched off Mail Check on 31 March 2026. If your organisation relied on it - and roughly 17,000 UK organisations were registered (NCSC) - you have lost your free window into who is sending email using your domain. This guide explains what was retired and when, what it means in practice, and exactly how to migrate to a replacement, step by step.
The short version: the configuration checker is the easy part to replace - plenty of free ones exist. The real loss is DMARC aggregate reporting. Until you re-establish it somewhere, you are blind to anyone spoofing your domain, and you cannot safely move to enforcement.
That blind spot is not hypothetical. When SealedMail analysed 198 major UK organisations in 2026, around 1 in 5 could still be spoofed (no DMARC, or DMARC left at p=none) - rising to 38% in healthcare and 32% across charities. These are large, well-resourced organisations; smaller ones tend to be more exposed, not less.
What Mail Check was
Mail Check launched in 2017 as part of the NCSC's Active Cyber Defence (ACD) programme. Its job was simple and valuable: help UK organisations - initially the public sector, later a much wider group - set up and monitor email authentication correctly. At its fullest it provided:
- DMARC aggregate reporting (RUA) - collecting the reports that providers such as Google and Microsoft send back about every message claiming to come from your domain.
- DMARC insights and DKIM checks - analysis of your DomainKeys Identified Mail signing setup.
- TLS reporting (TLS-RPT) - whether email reached you over encrypted connections.
- Configuration checks on SPF, DMARC policy records and inbound TLS.
It worked. By the NCSC's own account, 100% of UK central government departments reached strict DMARC enforcement by 2022, and over 80 million spoofed emails were blocked in a single 30-day period (NCSC Active Cyber Defence 6th Year Report).
What was retired, and when
The retirement happened in two stages, and it is worth being precise because many organisations only noticed the second:
24 March 2025 - reporting switched off. Mail Check stopped providing DMARC aggregate reporting, DMARC insights with DKIM checks, and TLS reporting. Anyone whose DMARC record pointed only at Mail Check stopped receiving usable data that day.
31 March 2026 - full retirement. Mail Check (and its sibling Web Check) were switched off entirely under the NCSC's Active Cyber Defence 2.0 strategy. The NCSC's position is that the commercial market has matured and government no longer needs to provide these tools.
What has actually been lost
The most important loss is the aggregate reporting. DMARC aggregate reports are the feedback loop of email authentication: they tell you which servers, anywhere in the world, are sending mail that claims to be from your domain, and whether it passed authentication. Without them you cannot see whether anyone is spoofing you; you cannot safely move your policy from monitoring (p=none) to enforcement (p=quarantine or p=reject) without risking blocking legitimate mail; and you lose the evidence trail that auditors, insurers and frameworks such as the NHS Data Security and Protection Toolkit increasingly expect.
A quick test: look at your domain's DMARC record. If the rua= address still points at mailcheck.service.ncsc.gov.uk, your reports are going nowhere.
The replacement options, honestly
The market broadly splits into three approaches. None is "best" in the abstract - it depends on whether you have someone who will read and act on the data.
| Approach | Best for | Watch out for | Typical cost |
|---|---|---|---|
| Self-serve dashboard | Teams with a technical person who will log in, interpret charts and act | Set up, looked at twice, never reopened | Low monthly |
| Enterprise / consultant platform | Large estates with many domains and complex sending | Priced and scoped well beyond most SMEs | High |
| Report-by-email (e.g. SealedMail) | Non-technical teams who want the data read, interpreted and explained | Fewer raw charts than a dashboard | GBP 49 / domain / month |
SealedMail is one credible option among several. If you have an in-house technical team that wants raw data, a self-serve tool may suit you better. If you want the reporting read and explained by a UK specialist in language a practice manager or compliance officer can act on, that is what SealedMail was built for - no dashboard, no logins, on a rolling monthly subscription with no minimum term.
How to migrate off Mail Check, step by step
Migrating is mostly a DNS exercise. You can do it in an afternoon.
- Find your current DMARC record. Check the TXT record at
_dmarc.yourdomain(use any DMARC checker, or our free health check below). Note therua=address - if it points only atmailcheck.service.ncsc.gov.uk, you currently have no working reporting. - Choose where reports will go. Pick a replacement from the table above. You will get a reporting address to publish.
- Update your DMARC
rua(andrufif used). Point it at your new provider's address. You can keep any existing addresses you still want reports sent to -ruaaccepts a comma-separated list. - Add TLS-RPT. Publish a
_smtp._tlsTXT record pointing at your provider so you also regain encryption-in-transit reporting - the part of Mail Check almost nobody replaces. - Do not jump straight to
p=reject. Keep your current policy, let two to four weeks of fresh reports come in, fix any legitimate senders failing SPF or DKIM, then progressp=none→quarantine→reject. See why p=none is not protecting you and getting to p=reject safely. - Cover parked and unused domains too. Publish
v=DMARC1; p=rejectandv=spf1 -allon every domain that never sends mail - attackers love a forgotten domain.
What "good" looks like
- DMARC at
p=rejecton every domain, including parked ones - SPF that ends in
-all(hard fail) - DKIM signing in place and aligned
- TLS-RPT and ideally MTA-STS published
- Aggregate reports actually read every week, not just collected
Frequently asked questions
Is NCSC Mail Check definitely gone?
Yes. DMARC and TLS reporting stopped on 24 March 2025, and the service was fully retired on 31 March 2026 along with Web Check. The NCSC has encouraged registered organisations to adopt alternative DMARC tools.
Do I have to pay to replace it?
No - free and open-source DMARC tooling exists. The question is whether someone in your organisation will install, run and interpret it. Paid services exist precisely because most organisations will not, and the reports are useless unless someone acts on them.
What happens if I do nothing?
Your DMARC policy keeps doing whatever it already does, but you lose all visibility - you cannot see spoofing, cannot safely tighten your policy, and lose the audit evidence. If your rua pointed only at Mail Check, you are already receiving no reports.
How long does migrating take?
The DNS changes take minutes. Re-establishing a clear picture of your mail takes two to four weeks of aggregate reports before you should tighten your policy.
If you are not sure where your domain stands today, SealedMail's Free Domain Health Check audits your SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails you a clear, scored certificate - no sign-up, no sales call. For how SealedMail replaces Mail Check specifically, see our NCSC Mail Check alternative.
Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides. More from Shaun Cooke →
