DMARC for UK charities — protect donors from spoofed emails

Your charity wants to stop fraudsters spoofing your domain to donors and beneficiaries — and you may have relied on NCSC Mail Check, which has now closed.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

The NCSC's email-security and anti-spoofing guidance instructs UK organisations — charities included — to publish DMARC and progress to p=reject. Two 2026 realities make this pressing for charities: the NCSC retired its free Mail Check service on 31 March 2026, so charities that used it for aggregate-report visibility now need a replacement; and charity-sector cyber risk is tracked in the UK government's annual Cyber Security Breaches Survey, which consistently finds charities targeted by phishing. The requirement to monitor didn't go away with the free tool — only the free tool did. Source: NCSC — Email security and anti-spoofing · GOV.UK — Cyber Security Breaches Survey · verified 2026-07-18.

What to do about it

Step 1. Publish DMARC (start at p=none with a live rua= address) and read the reports before tightening.
Step 2. If you used Mail Check, repoint your rua= tag to a replacement now — an unread address is the same as no monitoring.
Step 3. Work up to p=reject so donors can't receive mail that spoofs your exact domain.
Step 4. Use the free check below to see your current SPF/DKIM/DMARC state on whatever DNS host you already use — no migration needed.

Frequently asked

Does my sector legally require DMARC by name?

Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.

Will publishing DMARC block our own staff or member email?

No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.

We're small and have no IT team — is this realistic?

Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →