Your charity wants to stop fraudsters spoofing your domain to donors and beneficiaries — and you may have relied on NCSC Mail Check, which has now closed.
The NCSC's email-security and anti-spoofing guidance instructs UK organisations — charities included — to publish DMARC and progress to p=reject. Two 2026 realities make this pressing for charities: the NCSC retired its free Mail Check service on 31 March 2026, so charities that used it for aggregate-report visibility now need a replacement; and charity-sector cyber risk is tracked in the UK government's annual Cyber Security Breaches Survey, which consistently finds charities targeted by phishing. The requirement to monitor didn't go away with the free tool — only the free tool did. Source: NCSC — Email security and anti-spoofing · GOV.UK — Cyber Security Breaches Survey · verified 2026-07-18.
p=none with a live rua= address) and read the reports before tightening.rua= tag to a replacement now — an unread address is the same as no monitoring.p=reject so donors can't receive mail that spoofs your exact domain.Usually not by name — HIPAA, most legal-sector rules and UK charity guidance don't cite DMARC specifically. But they require protecting communications and preventing impersonation, and DMARC is the standard technical control that regulators, insurers and auditors expect you to use to meet that.
No, not if you start correctly. A p=none policy is monitoring only and changes nothing about delivery. You only move to quarantine or reject after aggregate reports confirm every legitimate sender already passes — so real mail is never caught by surprise.
Yes. The DNS side is a handful of records added once. The ongoing part is reading aggregate reports, which a plain-English monitoring tool does for you instead of leaving you to parse XML. Start with the free check below to see where you stand.