NCSC Mail Check Migration Tool
NCSC Mail Check retired on 31 March 2026. Run the equivalent posture check on your domain against MCSS B3 controls — DMARC, SPF, MTA-STS, TLS-RPT, DNSSEC — entirely from your browser.
Why this tool exists
The UK National Cyber Security Centre retired its Mail Check service on 31 March 2026, leaving public-sector teams without a free, government-backed way to verify their email authentication posture against the Minimum Cyber Security Standard (MCSS). This tool mirrors what Mail Check measured — DMARC, SPF, inbound TLS, and DNSSEC — and maps each result back to the specific MCSS B3 control it satisfies. If you need just the DMARC half of the picture, the DMARC Record Checker goes one level deeper, with MTA-STS handled separately by its own checker.
Every check runs in your browser via Cloudflare DoH. Nothing is sent to our servers and nothing is stored. The tool is free to use without registration.
Mail Check → DMARCguard feature parity
| NCSC Mail Check | DMARCguard equivalent |
|---|---|
| DMARC, SPF, TLS posture for a domain | This tool plus Domain Health Check |
| Weekly compliance summary email | Weekly compliance digest on the paid tier |
| MCSS compliance status | MCSS B3 control mapping above + downloadable PDF on the paid tier |
| DMARC aggregate report ingestion | Free 7-day DMARC report ingest trial when you sign up |
| Sub-domain discovery | Sub-domain inventory on the paid tier (ships separately) |
| Multiple domain dashboard | Multi-domain dashboard with per-org role-based access |
The MCSS B3 controls we check
MCSS section B3 lays out five email-security controls. The grid above maps each one to a concrete DNS check on your domain. The standard itself is published by the Government Security Group and applies to all UK central-government departments. Local authorities, NHS trusts, and arm's-length bodies typically use it as a baseline too.
| Control | What it requires |
|---|---|
B3.1 — DMARC | Domain publishes a DMARC record with a policy of reject. Quarantine and none are accepted as transitional positions but should not be the end state. |
B3.2 — SPF | Domain publishes an SPF record terminated with ~all or -all. |
B3.3 — MTA-STS | Inbound mail is delivered over TLS with a published policy that forbids cleartext fallback. |
B3.4 — TLS-RPT | Domain publishes a TLS-RPT record so other senders can report TLS negotiation failures back to a contact. |
B3.5 — DNSSEC | Authoritative DNS is signed and validated. Without DNSSEC, every record above can be spoofed in transit. |
What this tool does not replace
Mail Check ingested DMARC aggregate reports from every receiver and summarised who was sending email as your domain. That capability is in DMARCguard's paid product, not in this free tool — the in-browser checks here look only at DNS posture, not at actual mail flow. If you were using Mail Check for report ingestion, the migration path is to add your domain to DMARCguard and re-point the rua= tag in your DMARC record.
Read the complete UK · NCSC guide to learn more.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free