Do the NCSC Guidelines Apply to Me?
The NCSC's email security best practice recommendations have become a vital checklist for organisations keen to keep their email secure. The NCSC recommends a multi-layered approach to protecting against phishing, which includes training employees to recognise phishing emails and filtering or blocking incoming phishing emails. This is where an on-premises or virtual gateway appliance and security awareness training both come into play.
Other measures proposed by the NCSC include making it harder for an email from organisations' domains to be spoofed by employing anti-spoofing controls: DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework).
The NCSC's Cyber Assessment Framework (CAF) goes beyond simply publishing a DMARC policy and recommends the strongest one, Reject ("p=reject"). Alongside this, the NCSC provides Mail Check, a free service (not a protocol) that helps public-sector and third-sector organisations ward off email spoofing by assessing their domains' email security configuration and compliance. It is also important to note that the Government Digital Service (GDS) requires all government departments to adopt DMARC with the strongest policy, Reject. Per the NCSC's 2023 statistics, more than 2,700 organisations had signed up to Mail Check and more than 24,000 domains had been registered, with 60% of those domains protected by a Reject policy.
But where free tooling gives limited visibility into who is legitimately sending on a domain's behalf, we often see domains pushed to Reject prematurely, which can do more harm than good: legitimate, business-critical email gets blocked because a forgotten sending service was never brought into SPF or DKIM alignment.[1]
Adding More Urgency with Updated Guidelines
In November 2024 the NCSC announced a major change to Mail Check: as of 24th March 2025, the NCSC will stop providing DMARC aggregate reporting, so Mail Check users who need reporting will have to switch to an alternative tool.[2] For this reason alone, it is becoming increasingly important for organisations to augment Mail Check with another DMARC solution if they are to reach and hold 100% enforcement at a policy of Reject.
If you are left asking what DMARC aggregate reporting (RUA) is: receiving mail servers send the domain owner, at the address in the record's rua= tag, a daily XML summary of every source that sent mail claiming that domain, with the SPF and DKIM results and their alignment for each source. Without it you cannot tell which failing sources are your own misconfigured senders and which are attackers, which makes it the crucial step in understanding your email environment, in preventing attackers from abusing your domains, and in moving to Reject without blocking legitimate mail. More importantly, losing it underscores why you need an additional solution that can provide this and more. This is where Fortra's Agari DMARC Protection can be the perfect fit. Why trust Fortra to offer the DMARC protection services you need? Because Fortra's Agari was one of the original co-founders of the DMARC protocol back in 2012.
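As an added example (not Mail Check or Agari code), the script below does the two things a domain owner needs RUA data for before moving to p=reject: it sanity-checks a DMARC TXT record without touching DNS, and it parses an aggregate report to show how much traffic would fail under Reject, separating sources that authenticate but are misaligned (real senders that need fixing) from sources with no authentication at all (likely spoofs). The report, domain names and IP addresses are constructed for the example; the XML follows the RFC 7489 Appendix C layout.

```python
"""Two checks to run before moving a domain to p=reject: is the published
DMARC record sane, and how much of the mail a receiver saw would fail once
Reject is enforced? Added example; not Mail Check or Agari code."""
import xml.etree.ElementTree as ET

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed RUA report in the RFC 7489 Appendix C shape. Addresses come
# from the RFC 5737 documentation ranges; example.org is the reporting domain.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published><domain>example.org</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.22</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>192.0.2.77</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tags and list syntax problems.
    Only checks that need no DNS are made here."""
    tags, issues = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            issues.append(f"malformed tag {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if not txt.strip().startswith("v=DMARC1"):
        issues.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        issues.append("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        issues.append("sp= must be none, quarantine or reject")
    if "rua" not in tags:
        issues.append("no rua= tag, so no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        issues.append("pct= must be an integer 0..100")
    return {"tags": tags, "issues": issues}


def summarise_rua(xml_text):
    """One dict per <record>: volume, the aligned verdict the receiver applied,
    and whether any raw SPF/DKIM check passed regardless of alignment."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        auth = rec.find("auth_results")
        raw = [] if auth is None else list(auth.iter("spf")) + list(auth.iter("dkim"))
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated carries the *aligned* results DMARC actually uses
            "aligned_pass": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
            # auth_results carries raw results, which can pass for an unaligned domain
            "raw_pass": any(r.findtext("result") == "pass" for r in raw),
        })
    return rows


def preview_reject(xml_text):
    """What p=reject would have done to the traffic in this report."""
    rows = summarise_rua(xml_text)
    failing = [r for r in rows if not r["aligned_pass"]]
    return {
        "total": sum(r["count"] for r in rows),
        "would_fail": sum(r["count"] for r in failing),
        # raw pass but aligned fail: a real sender authenticating under the wrong
        # domain (e.g. a bulk provider's own SPF). Fix alignment before rejecting.
        "likely_misconfigured": [r["source_ip"] for r in failing if r["raw_pass"]],
        # nothing passed at all: the traffic Reject is meant to stop
        "likely_spoof": [r["source_ip"] for r in failing if not r["raw_pass"]],
    }


if __name__ == "__main__":
    print(parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.org"))
    print(preview_reject(SAMPLE_RUA))
```

In the constructed report the 300 messages from 198.51.100.22 pass SPF for the bulk sender's own domain but fail DMARC because that domain does not align with the From: header; under p=reject they would be dropped even though they are legitimate. That is exactly the class of sender the RUA data exists to surface, and why turning on Reject before working through those sources does more harm than good.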
To clarify, Mail Check will continue to automatically scan your email domains and alert you on:
- DMARC policy, policy strength, and errors
- SPF policy, policy effectiveness, and errors
- MTA-STS policy, policy strength, and errors
- Inbound TLS (e.g., certificate validity, encryption ciphers)
However, Mail Check will no longer provide:
- DMARC Aggregate Reporting, DMARC Insights and related DKIM Checks
- TLS Reporting (TLS-RPT)
[1] NCSC Annual Review 2023, p. 9: https://www.ncsc.gov.uk/collection/annual-review-2023/resilience
[2] MyNCSC Help Centre, Mail Check update: https://www.ncsc.gov.uk/collection/myncsc-help-centre/mail-check-update
Mail Check's Functionalities vs. Agari DMARC Protection's Coverage
Here is how coverage compares once the change takes effect on 24th March 2025:
| Functionality | Mail Check | Fortra's Agari DMARC Protection |
| --- | --- | --- |
| Enforcement / Reject rate | 60% of registered domains at p=reject (NCSC data from early 2023) | Helps customers reach and retain 100% of domains at a DMARC policy of Reject ("p=reject"); the higher the percentage, the better the solution is at protecting its customers' domains. |
| DMARC Aggregate (RUA) and Forensic (RUF) reporting (RUF is offered by only a handful of DMARC solutions) | RUA until 24th March 2025; no RUF | Yes to both, inclusive with licence cost. Agari DMARC Protection continues to provide the RUA reporting that Mail Check users will lose on 24th March 2025, and adds RUF data for deeper visibility into the spoofs your brand is facing. These insights can be used to protect organisations and their customers and partners from malicious attacks (e.g., user training and improved threat indicators), and the threat feed lets you export suspicious URLs used in spoofing attacks. Bear in mind that many large mailbox providers do not send RUF reports at all, so forensic data is a sample of spoofing activity rather than a complete count. |
| Dedicated professional services | No | Fortra's Agari Professional Services provide a dedicated consultant, a subject matter expert in all things DMARC and email authentication, to guide customers through onboarding, solution configuration and DMARC implementation plans. This matters because DMARC has many nuances and is difficult to understand from reports alone; analysis from both the solution and the experts is key to reaching a policy of Reject ("p=reject") for domain spoofing protection. |
| Intelligence and analysis | No | Agari DMARC Protection provides intelligence and analysis in three main ways: (1) Agari's 14 years of experience and expertise with DMARC, with 30k+ customers* monitoring 227k+ domains*, all improving our intelligence and providing comparative analysis against organisations in your region and sector; (2) Fortra's curated "Threat Brain", bringing together AI, machine learning, EDR and threat intelligence from a wide range of our security solutions (not just email intelligence); (3) external threat feeds, for wider visibility. *By comparison, in 2023 Mail Check served 2.7k customers and protected 24k+ domains. |
| Authentication standard errors/improvements | Mail Check will continue to "highlight any configuration mistakes, and guide you through improvements" (https://www.ncsc.gov.uk/information/mailcheck#) | Agari DMARC Protection parses the authentication data, highlights problems, sends email alerts for any errors and recommends improvements to each customer (e.g., an SPF PermError such as exceeding the ten-DNS-lookup limit, or overdue DKIM key rotation). It also provides granular tools to build, edit and improve your records before you publish them in DNS, so they go out updated and error-free (e.g., EasySPF Builder). |
| Hosting (dynamic records) | No | Yes, inclusive with licence cost. Reduce administration burden by having one or all authentication records managed for you, and gain added security benefits such as error prevention and obfuscation of privileged data (your list of authorised email sources). |
| BIMI (Brand Indicators for Message Identification) | No | Yes, visibility and tooling inclusive with licence cost. BIMI is a post-Reject value proposition, since it requires an enforced DMARC policy (quarantine or reject), with adopters including AOL and Yahoo. BIMI lets compliant mailbox providers display an organisation's logo in their mail interface, adding an extra layer of trust between the organisation and its customers and business partners. |
Alongside Mail Check, the NCSC also offers Email Security Check, a tool that checks whether a domain's configuration protects it against spoofing and keeps its mail private in transit, but that is a blog for another day.
For more information on how Agari DMARC Protection can safeguard your organisation once the NCSC's latest change takes effect this March, book a demo with one of our experts today.