NCSC Mail Check Replacement
Free replacement for NCSC Mail Check (retired March 2026). Check your domain against NCSC email security guidance — DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and STARTTLS.
About NCSC Mail Check
NCSC Mail Check was the UK National Cyber Security Centre's free email security checking service. It checked DMARC, SPF, DKIM, MTA-STS, and TLS configuration for UK domains. The service was retired on 31 March 2026.
What does this tool check?
- DMARC: Record presence, policy strength (p=reject recommended), aggregate reporting
- SPF: Record validity, DNS lookup count (max 10), all mechanism strength
- DKIM: Selector validation for common providers (Google, Microsoft, etc.)
- MTA-STS: Policy presence and enforcement mode
- TLS-RPT: Reporting configuration for TLS delivery failures
- STARTTLS: TLS support on MX hosts
NCSC Email Security Guidance
NCSC recommends all UK organisations implement DMARC with p=reject, SPF with -all, DKIM signing, MTA-STS in enforce mode, and TLS-RPT reporting. These controls protect against email spoofing, phishing, and man-in-the-middle attacks on email delivery.
UK Cyber Assessment Framework (CAF)
The CAF is the UK government's framework for assessing cyber security. Email authentication maps to several CAF objectives including B4 (Data Security), C1 (Security Monitoring), and D1 (Response and Recovery). SpoofSentry provides continuous compliance evidence for CAF-aligned organisations.