NCSC Mail Check Replacement

About NCSC Mail Check

NCSC Mail Check was the UK National Cyber Security Centre's free email security checking service. It checked DMARC, SPF, DKIM, MTA-STS, and TLS configuration for UK domains. The service was retired on 31 March 2026.

How this check works

This tool runs a multi-protocol scan similar to the retired NCSC Mail Check: it queries DMARC, SPF, and common DKIM selectors via DNS, fetches MTA-STS and TLS-RPT records, and tests STARTTLS support on MX hosts. Each protocol is scored individually, then combined into an overall assessment.

Limitations: DKIM checking is limited to common selectors (google, s1, selector1, selector2) — custom selectors require the DKIM Checker tool. STARTTLS testing connects from our server location and may differ from other sending locations. This tool does not replicate NCSC Mail Check exactly — it is an independent implementation covering the same protocol areas.

What does this tool check?

• DMARC: Record presence, policy strength (p=reject recommended), aggregate reporting
• SPF: Record validity, DNS lookup count (max 10), all mechanism strength
• DKIM: Selector validation for common providers (Google, Microsoft, etc.)
• MTA-STS: Policy presence and enforcement mode
• TLS-RPT: Reporting configuration for TLS delivery failures
• STARTTLS: TLS support on MX hosts

NCSC Email Security Guidance

NCSC recommends all UK organisations implement DMARC with p=reject, SPF with -all, DKIM signing, MTA-STS in enforce mode, and TLS-RPT reporting. These controls protect against email spoofing, phishing, and man-in-the-middle attacks on email delivery.

UK Cyber Assessment Framework (CAF)

The CAF is the UK government's framework for assessing cyber security. Email authentication maps to several CAF objectives including B4 (Data Security), C1 (Security Monitoring), and D1 (Response and Recovery). SpoofSentry provides continuous compliance evidence for CAF-aligned organisations.