Mail Check closed — what now

Your organisation used NCSC Mail Check for DMARC, SPF and DKIM reporting. The service was retired on 31 March 2026, and you need to know what to put in its place.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

The NCSC retired both Mail Check and Web Check on 31 March 2026, describing the move as part of its ACD 2.0 roadmap: it now delivers only where the cyber-security market can't, and an eight-year-old market of external attack-surface and email-security tools can now do what Mail Check did. Crucially, the NCSC did not tell organisations to stop monitoring — its own “Choose an anti-spoofing management tool” page states that a number of open-source and commercial tools help you make sense of the data your email security controls generate, and recommends using one. So the task didn't go away; only the free government dashboard did. Source: NCSC — Choose an anti-spoofing management tool · verified 2026-07-17

What to do instead

Step 1. Repoint your DMARC rua= reporting address to a live tool — until you do, the reports Mail Check used to read now go nowhere.
Step 2. Keep the DMARC record itself exactly as it was: retiring Mail Check changes nothing about your published policy.
Step 3. Pick a replacement that works on your existing DNS with a standard TXT record — you don't need to migrate DNS or delegate anything to switch reporting.
Step 4. Run a free check on your domain first (below) so you know your current SPF/DKIM/DMARC state before you choose a tool.

Frequently asked

Did the NCSC tell us to stop using DMARC?

No. The NCSC retired the Mail Check tool on 31 March 2026, but its email-security and anti-spoofing guidance stayed live and still recommends publishing DMARC and monitoring your reports — it simply expects you to use an open-source or commercial tool to do it now.

Do we have to migrate our DNS to switch tools?

No. DMARC reporting is controlled by the rua= tag in a single DNS TXT record. Moving from Mail Check to another tool is a one-line change to that record — your DNS stays where it is, with no delegation.

Will switching reset the progress we made toward p=reject?

No. Your DMARC policy lives in your own DNS record, not inside Mail Check. Retiring the tool or changing your reporting address doesn't touch the policy you already reached.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →