NCSC is retiring Mail Check and Web Check: What you need to know

The UK National Cyber Security Centre (NCSC) has confirmed that Mail Check and Web Check will be retired on March 31, 2026. For almost a decade, these free services have helped organizations spot issues in email authentication and identify common web vulnerabilities.

Their retirement doesn’t signal a relaxation of standards. Instead, it reflects a shift in responsibility. Businesses will still need to prevent domain impersonation, stop spoofed email from reaching customers and employees, and maintain a secure web presence. They will simply no longer have Mail Check and Web Check to lean on.

If your company relies on Mail Check for visibility into Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), Mail Transfer Agent Strict Transfer Security (MTA-STS), or Transport Layer Security (TLS) – or if Web Check contributes to your domain monitoring – now’s the time to plan your transition.

Mail Check was designed as an entry point. Platforms like Sendmarc provide the visibility, automation, and real-time insights that teams need to maintain protection.

What is Mail Check?

Mail Check is an NCSC service created to help organizations assess their email security compliance. It focuses on four essential protocols: SPF (which specifies which sources are allowed to send on behalf of your domain), DMARC (which defines what happens when emails fail authentication), TLS (which encrypts the connection between email servers), and MTA-STS (which enforces encrypted delivery).

Until March 2025, Mail Check also offered DMARC aggregate reporting, DomainKeys Identified Mail (DKIM) checks, and TLS Reporting (TLS-RPT). This meant teams could identify every sender using their domain, verify their DKIM setup, and diagnose problems with encrypted email delivery.

These features were removed on March 24, 2025, leaving Mail Check with no reporting capabilities or insight into DKIM configuration.

Web Check complements Mail Check by analyzing websites for vulnerabilities. It has helped teams identify invalid certificates, redirects from HTTP to HTTPS, insecure cookies, gaps such as missing security.txt files, and more.

These lightweight assessments have been particularly helpful for businesses without dedicated external attack surface management (EASM) tooling.

Together, Mail Check and Web Check helped improve cyber hygiene across the UK. Their retirement, however, signals a move toward more capable, market-driven solutions.

Why are Mail Check and Web Check being retired?

The NCSC’s decision is rooted in its Active Cyber Defence (ACD) 2.0 roadmap. The agency has stated that it will only provide services that can’t be effectively delivered by the cybersecurity market or that drive up resilience at scale. Email authentication monitoring and web-scanning tools no longer fall within that scope.

This update means the NCSC can focus its resources on new initiatives to improve the UK’s cyber infrastructure – while companies transition to dedicated tools that provide deeper protection.

What the retirement means for your security

The impact of Mail Check and Web Check retirement depends on how heavily your organization relies on them today. In most cases, it creates two clear risks.

The first is reduced oversight of SPF, DMARC, MTA-STS, and TLS. Mail Check currently highlights configuration issues that could break legitimate email or increase your exposure to spoofing. Once the service retires, misconfigurations may persist unnoticed.

The second is the removal of Web Check’s EASM tooling. Without it, issues such as invalid certificates and unpatched software become harder to spot.

These challenges aren’t unsolvable – but they do require attention. If you’re a Mail Check user, you need a plan to keep track of your domain configuration when the NCSC retires the service.

Book a demo with Sendmarc to see how you can maintain visibility, protect your domain from impersonation, and strengthen your email security posture ahead of the 2026 deadline.