The National Cyber Security Centre (NCSC) has announced that its Web Check and Mail Check services will be retired on 31 March 2026. This marks the end of nearly a decade of free scanning and monitoring offered by the UK Government for common web and email security threats and vulnerabilities. Organisations will need to have an alternative in place before the end of March when findings and alerts from Web Check and Mail Check will cease.

Since 2017, Web Check and Mail Check have supported UK organisations in identifying email security weaknesses, website misconfigurations, and exposed or vulnerable services. However, the External Attack Surface Management (EASM) landscape has evolved significantly in the intervening years. Whilst the free government tools were intentionally simple, EASM platforms now provide more sophisticated monitoring such as: continuous mapping of internet-facing assets and analysis of vulnerabilities; monitoring configuration drift across domains, certificates, and services; assessing email security controls and configuration. They also address modern risks and threats that have developed since Web Check and Mail Check were established.

Given the depth and breadth of these platforms, the NCSC states that continued operation of Web Check and Mail Check duplicates capabilities which are available (and more comprehensively so) elsewhere. They are thus refocusing resources on other projects.

What action do you need to take?

Organisations will need to transition to other tools. It is strongly recommended to adopt an EASM solution in advance of the NCSC’s retirement date on 31 March 2026. It is crucial that organisations continue to monitor attack surfaces, domain reputations, email compliance, and other potential vulnerabilities.

We provide ongoing vulnerability scanning services as well as offering penetration testing for comprehensive reviews. For email compliance alone, we provide reputation monitoring, compromise monitoring (including dark web), and managed support for all the key compliance standards: Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF). You can read more about DMARC and why you need it to prevent spoofing, phishing, and misdelivery in this article.

Please get in touch to add proactive security services and monitoring for your organisations. You can also find out about our suite of Cyber Security services here.