
Navigating the Retirement of NCSC Mail Check and Web Check

Written by: ET Works Insights

The countdown is in its final days. On 31 March 2026, the NCSC will decommission two of its most widely used Active Cyber Defence (ACD) services: NCSC Mail Check and Web Check. [NCSC Announcement]

For nearly a decade, these services have provided a vital “safety net” across the UK’s digital estate. However, the NCSC’s pivot toward ACD 2.0 signals a fundamental shift in responsibility. The government is stepping back from providing basic “hygiene” tools, urging organisations to adopt more sophisticated, commercial-grade protection that can keep pace with 2026’s AI-driven threat landscape.

At ET Works, we are helping our clients navigate this transition, ensuring that the NCSC Mail Check retirement is viewed not as a loss of visibility, but a resilience upgrade.

The MyNCSC Legacy: What is Being Decommissioned?

Both Mail Check and Web Check provided essential “outside‑in” intelligence across three domains: authentication, encryption, and web hygiene.

  1. Mail Check (The Email Hygiene Anchor)

Mail Check allowed organisations to monitor how their domains were being used (and abused) across the internet. Its core technical suggestions included:

  • DMARC Implementation: Providing a central dashboard for RUA (aggregate) reports to help teams understand if their SPF and DKIM records were functioning correctly.
  • Anti-Spoofing Controls: Identifying when unauthorised third parties were attempting to send mail on behalf of a legitimate government or corporate domain.
  • Privacy in Transit: Tracking the adoption of MTA-STS and TLS to ensure email content was encrypted while moving between servers.

Note: Crucially, while Mail Check provided the data, it did not provide the enforcement. Many organisations remained stuck in “monitoring” mode. We explored the technical risks of staying in this passive state in our deep-dive on DMARC and Email Security.

  2. Web Check (The Vulnerability Scanner)

Web Check performed regular “outside-in” scans of public-facing web services. Its key focus areas included:

  • Certificate Health: Monitoring for expired, revoked, or cryptographically weak SSL/TLS certificates.
  • Server Misconfigurations: Spotting outdated software versions (e.g., WordPress or Apache) with known CVEs.
  • Security Header Analysis: Checking for the presence of headers like Strict-Transport-Security and X-Content-Type-Options to mitigate common web-based attacks.
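A header check of the kind described above, written as an added example (not NCSC or ET Works code). It shows that presence alone is not enough: the header's value has to be parsed too. The one-year HSTS threshold and the function names are assumptions made for illustration.

```python
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year, in seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives

def audit_headers(headers):
    """Return a list of findings for one HTTPS response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = parse_hsts(hsts).get("max-age", "")
        if not age.isdigit():
            findings.append("HSTS has no valid max-age")
        elif int(age) == 0:
            findings.append("HSTS max-age=0 disables the policy")
        elif int(age) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options")
    elif xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings

# Constructed sample responses, not captured from any real site.
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff"}
WEAK = {"strict-transport-security": "max-age=300",
        "X-Content-Type-Options": "sniff"}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK), ("EMPTY", {})):
        print(name, audit_headers(sample))
```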

The Technical Shift: Why Now?

The NCSC’s decision is backed by their Active Cyber Defence 2.0 – ASM Experiment. Their findings were telling: commercial External Attack Surface Management (EASM) tools discovered significantly more “Shadow IT” than the NCSC’s internal tools could.

The experiment highlighted a critical flaw in legacy scanning: while Web Check was excellent at scanning known assets, it struggled to keep pace with the rapid sprawl of cloud-native environments and SaaS integrations. Commercial EASM solutions, the professional alternative following the NCSC Mail Check retirement, proved more adept at Asset Attribution—using advanced graph technology to find “orphaned” subdomains or cloud storage buckets.

The NCSC’s new EASM Buyer’s Guide now categorises the requirements for modern defence into four distinct stages:

  • Discovery: Finding every asset, including cloud instances and subdomains.
  • Inventory: Maintaining an up-to-date, dynamic list of what you own.
  • Analysis: Understanding the risk associated with each asset.
  • Remediation: Actively fixing vulnerabilities via automated workflows.

Moving Beyond “Hygiene”

The most significant risk in the NCSC Mail Check retirement is the “Identity Gap.” While reporting could tell you if a domain was spoofed, it was blind to Business Email Compromise (BEC)—where an attacker uses legitimate credentials to log in as a real user.

At ET Works, we help our clients replace the NCSC functions with three core technical components:

Component 1: Managed Identity Threat Detection (ITDR)
Modern security requires “looking inside the tenant.” Where Web Check looked at the code, ITDR looks at the context. We utilise advanced detection to spot Impossible Travel Logins, Session Token Theft, and Rogue OAuth Applications.

Component 2: Automated Email Authentication & Enforcement
Mail Check provided reports; modern enterprise tools provide enforcement. To move to a p=reject status safely, we help organisations manage SPF Flattening and real-time DMARC management.

Component 3: Human Layer Security (HLS)
We focus on securing the human layer to prevent Advanced Phishing and Accidental Data Loss (DLP)—critical risk factors that infrastructure scans alone cannot mitigate.

Next Steps

As we move into April 2026, the “safety net” of MyNCSC is being replaced by the “shield” of Managed Resilience. We strongly recommend reviewing our previous deep-dive on DMARC and Email Security to understand why moving to enforcement is the only viable path forward.

Is your organisation prepared for the MyNCSC transition?

Contact ET Works today for a strategic review of your current external attack surface and to identify the most suitable replacement components.

About the author

ET Works Insights

Our Insights content is created by members of the ET Works team, drawing on wide‑ranging experience across technology, operations, service delivery, and customer support. Whether written individually or collaboratively, each article reflects our commitment to sharing practical knowledge, industry developments, and perspectives from across the business. Beyond their professional roles, our contributors bring diverse interests and backgrounds that help shape the insight and creativity behind our work.
