DMARC implementation: Time is running out
Why UK public sector organizations should act now
Key Points
- The NCSC is retiring Mail Check and Web Check by March 31, 2026, shifting full responsibility for DMARC implementation to UK public sector organizations.
- DMARC is essential for preventing domain spoofing and email-based impersonation, which are critical threats to government security and public trust.
- Organizations should not wait until the deadline, as DMARC implementation can be complex and time-consuming, especially for large or multi-vendor environments.
- Mimecast’s DMARC Analyzer offers advanced visibility, managed services, and proven expertise to help public sector teams achieve effective DMARC enforcement before the deadline.
The end of Mail Check and a new era of responsibility
With the NCSC retiring Mail Check and Web Check, UK public sector organizations must urgently implement and enforce DMARC (Domain-based Message Authentication, Reporting, and Conformance) to protect against domain spoofing and phishing. Delaying action risks compliance failures, security breaches, and loss of public trust.
All UK public sector organizations should have robust alternatives to Mail Check and Web Check in place, with DMARC properly implemented and enforced. This marks a significant shift, as the NCSC transitions from providing centralized email security monitoring to placing full responsibility on individual organizations.
The withdrawal of Mail Check is not just a technical change; it’s a call to action. As the NCSC states, “By 31 March 2026, organizations should have alternatives to Mail Check and Web Check in place.” The time to act is now, not when the deadline looms.
Why DMARC is critical for government domain protection
DMARC builds on SPF and DKIM: it tells receiving mail servers what to do with messages that fail authentication for your domain, and it sends you aggregate reports on who is sending mail as you. For government organizations, the stakes are especially high:
- Domain spoofing: Attackers can impersonate government domains to trick citizens, steal data, or spread misinformation.
- Phishing and BEC: Business Email Compromise (BEC) and phishing attacks are responsible for a significant portion of cyber incidents, with BEC alone accounting for 17-22% of all social engineering attacks in recent years.
- Public trust: A single successful spoofing attack can erode public confidence in digital government services.
The NCSC is unequivocal: “DMARC is a key control for preventing domain spoofing and email-based impersonation.” Without DMARC enforcement, government domains remain vulnerable to exploitation, risking both operational integrity and public trust.
What must organizations do?
- Assess current Mail Check/Web Check dependencies
- Review the NCSC’s buyer’s guide for external attack surface management (EASM) and DMARC solutions
- Select and implement commercial alternatives
- Test and validate new solutions well before the March 2026 deadline
“Plan your migration. Give yourself adequate time to implement and configure your chosen solution before the March 2026 deadline.” — NCSC
The risks of delaying DMARC implementation
Implementing DMARC is not a quick fix, especially for large or complex organizations. The process typically involves:
- Discovery and assessment (1–3 months): Mapping all legitimate email sources, including internal systems and third-party vendors.
- Monitor mode (1–6 months): Deploying DMARC in “p=none” mode to gather data and identify issues without impacting delivery.
- Incremental enforcement (1–6 months): Gradually tightening the policy to “quarantine” and then “reject,” ensuring legitimate emails aren’t blocked.
- Full enforcement (3–12+ months): Achieving “p=reject” for maximum protection.
Delaying action increases several risks:
- Continued exposure: monitoring mode (p=none) reports on spoofing but does not block it, so attackers can keep sending as your domain while you gather data.
- Compliance failures: missing the deadline can result in regulatory penalties and reputational damage.
- Operational disruption: rushed implementations often lead to misconfigurations and to legitimate email being quarantined or rejected.
DMARC implementation can take months, and the loss of Mail Check’s reporting means organizations must act now to maintain visibility and compliance.
Moving from monitoring to enforcement: A step-by-step approach
- Step 1. Comprehensive discovery: Inventory all systems and vendors sending email on your behalf, including shadow IT and legacy systems.
- Step 2. Authentication configuration: Ensure all legitimate senders are properly configured with SPF and DKIM, and that the authenticated domain aligns with the domain in the visible From header. A vendor that passes SPF or DKIM for its own domain still fails DMARC for yours; it needs a DKIM key (or an SPF include) for your domain.
- Step 3. Start with monitoring (p=none): Collect DMARC reports to identify unauthorized senders and misconfigurations.
- Step 4. Incremental enforcement: Move to “p=quarantine” (optionally using the ‘pct’ tag to phase in enforcement; pct has no effect at p=none), then to “p=reject” once confident.
- Step 5. Continuous monitoring: Regularly review DMARC reports, update records for new senders, and monitor subdomains (set the ‘sp’ tag explicitly rather than relying on inheritance from ‘p’).
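The steps above are what a DMARC analyser automates. The following script is an added example, not code from the page or from Mimecast, showing the core of that work in plain Python: it parses a DMARC aggregate (RUA) report in the RFC 7489 XML schema, triages each sending IP into "aligned", "authenticated but unaligned" (typically a vendor that needs a DKIM key for your domain) or "unauthenticated" (unknown or spoofed), lists the sources that block a move off p=none, and builds the TXT record for each rollout phase. The report, the domains (council.example, bulkmailer.example, attacker.example) and the RFC 5737 documentation IPs are all constructed placeholders.

```python
"""DMARC aggregate-report triage and phased-policy builder.

Added example, not code from the page or from Mimecast. SAMPLE_RUA is a
constructed report in the RFC 7489 aggregate (RUA) schema; its domains and
RFC 5737 documentation IPs are placeholders, not real senders.
"""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range></report_metadata>
  <policy_published><domain>council.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>council.example</header_from></identifiers>
    <auth_results><dkim><domain>council.example</domain><result>pass</result></dkim>
      <spf><domain>council.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>council.example</header_from></identifiers>
    <auth_results><dkim><domain>bulkmailer.example</domain><result>pass</result></dkim>
      <spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>council.example</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def summarize_rua(xml_text):
    """Roll up one aggregate report per source IP.

    policy_evaluated/dkim and /spf are the *aligned* results the receiver used
    for its DMARC verdict. auth_results holds the raw SPF/DKIM outcomes, which
    can pass for some other domain (a vendor signing with its own domain) while
    DMARC for the From domain still fails.
    """
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        auth = rec.find("auth_results")
        raw_pass = any(r.findtext("result") == "pass" for r in auth)
        e = sources.setdefault(ip, {"pass": 0, "fail": 0,
                                    "raw_auth_pass": False, "auth_domains": set()})
        e["pass" if aligned else "fail"] += count
        e["raw_auth_pass"] = e["raw_auth_pass"] or raw_pass
        e["auth_domains"].update(d.text for d in auth.iter("domain"))
    return sources


def triage(sources):
    """Label each IP for the discovery step (Step 1 and Step 3 above)."""
    labels = {}
    for ip, e in sources.items():
        if e["fail"] == 0:
            labels[ip] = "aligned"                      # nothing to do
        elif e["raw_auth_pass"]:
            labels[ip] = "authenticated-but-unaligned"  # vendor needs DKIM/SPF for your domain
        else:
            labels[ip] = "unauthenticated"              # unknown source or spoofing
    return labels


def enforcement_blockers(sources):
    """IPs that must be fixed before leaving p=none: legitimate-looking senders
    that would be quarantined or rejected. Unauthenticated traffic is what
    enforcement is meant to block, so it is not a blocker."""
    return sorted(ip for ip, label in triage(sources).items()
                  if label == "authenticated-but-unaligned")


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=none; rua=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def build_dmarc(policy, rua, pct=100):
    """Build the record for one rollout phase (Step 3 and Step 4 above).

    sp= is written explicitly because subdomains otherwise inherit p=, which
    is easy to overlook while phasing in with pct<100. pct is ignored at
    p=none, so it is only emitted for quarantine/reject.
    """
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("policy must be none, quarantine or reject")
    tags = ["v=DMARC1", f"p={policy}", f"sp={policy}"]
    if policy != "none" and pct < 100:
        tags.append(f"pct={pct}")
    tags += [f"rua=mailto:{rua}", "adkim=r", "aspf=r"]
    return "; ".join(tags)


if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    for ip, label in triage(s).items():
        print(f"{ip:15} {label:28} pass={s[ip]['pass']:4} fail={s[ip]['fail']:4} "
              f"via={sorted(s[ip]['auth_domains'])}")
    print("blockers before enforcement:", enforcement_blockers(s))
    for phase, pct in (("none", 100), ("quarantine", 25), ("reject", 100)):
        print(build_dmarc(phase, "dmarc@council.example", pct))
```

Run against the constructed report, 198.51.100.7 is the one to chase: it authenticates for bulkmailer.example, so it is almost certainly a vendor sending as council.example without a DKIM key for that domain, and it would be quarantined the moment p=quarantine is published. 203.0.113.99 fails everything and is exactly the traffic enforcement should stop. Real reports arrive gzipped or zipped by email to the rua address; unpack them and feed the XML to summarize_rua, aggregating across days before deciding.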
Mimecast’s DMARC expertise: Practical guidance for public sector teams
With the expiry of Mail Check, many UK public sector organizations are seeking robust, user-friendly alternatives. Mimecast’s DMARC Analyzer, as shown in a recent Mimecast webinar, offers:
- Advanced visibility: Forensic-level reporting and analytics that go beyond basic DMARC monitoring, providing actionable insights.
- Managed services: Reduces internal workload and accelerates implementation, allowing IT teams to focus on other priorities.
- SPF complexity management: Handles SPF record limits (RFC 7208 allows at most ten DNS-querying mechanisms per evaluation, which multi-vendor records quickly exceed), ensuring efficient domain authentication.
- Proven public sector success: Real-world case studies demonstrate improved DMARC visibility, reporting, and enforcement for government clients.
Mimecast DMARC Analyzer 2.0 is due for release on Jan. 28, 2026. DMARC Analyzer not only replaces Mail Check’s capabilities, but also enhances them, supporting public sector organizations through every stage of DMARC implementation. Watch the on-demand webinar.
Act now to secure your organization’s future
The NCSC’s retirement of Mail Check and Web Check is a watershed moment for UK public sector cybersecurity. DMARC is no longer optional; it’s a strongly recommended, critical control for protecting government domains and public trust.
Don’t wait until the last minute. Start your DMARC journey today, leverage expert partners like Mimecast, and ensure your organization is ready for the March 31, 2026, deadline by implementing and enforcing DMARC now. The security of your domain and the trust of the citizens you serve depend on it.