Helping secure public sector email with Mail Check

Created:  29 Oct 2018
Updated:  29 Oct 2018
Author:  Liam G
Part of:  Government strategy
Mail Check v2

The NCSC's Mail Check service helps public sector email administrators improve and maintain the security of their email domains by preventing spoof email.

In this blog I want to update you with a few facts and figures on the progress we've made protecting public sector email.

I also want to mention a few upcoming features and give a brief plug for the service as a helping hand for public sector bodies looking to comply with the Minimum Cyber Security Standard.

Central Government roll-out

Mail Check works by assessing an email server's configuration and providing guidance on the implementation of various email security protocols, most notably, Domain Messaging Authentication Reporting and Conformance (DMARC).

Since earlier this year, Mail Check has been available to the public sector, but in these early stages we've had a particular focus on central government. The service helps users get a clear picture of how secure their email configuration is at the moment, but perhaps more importantly, we've also been showing how organisations can improve and maintain their security posture.

Security in numbers

It's worth noting that we can actually show Mail Check making a difference, helping government departments achieve a more secure DMARC configuration.

The diagram below shows the situation before and after Mail Check; less blue is better.

[Chart: Mail Check improvement to DMARC filtering]

Source: DMARC policies for a subset of .gov.uk domains.

The charts above show that gov.uk domains using Mail Check are much more likely to reach a DMARC policy of 'reject' or 'quarantine' (blocking). One of these two is required to protect recipients from spoofed email claiming to come from those domains.

Mail Check adoption

Though we can demonstrate positive results from the use of Mail Check, there are still plenty of other public sector bodies to be brought on board.

Since February 2018:

  • User numbers have grown from 17 to just under 1000, with more coming on board each day

  • 89% of central government departments are now using Mail Check

  • 77% of these have implemented at least a basic DMARC policy

Whilst we've prioritised central government thus far, we'll be expanding our focus to better support local government too in the coming months.

DMARC - You've got to have standards

Recently, the government released the Minimum Cyber Security Standard. This details expected standards for cyber security in government departments. The document talks of outcomes, such as 'taking steps to detect common cyber attacks', and government departments are expected to achieve these outcomes.

One of the standards covered is DMARC, and here comes my plug: Mail Check will simplify adoption and tuning of this important standard.

Get started in just one step

It's simple and risk-free to get started with DMARC. A DMARC policy of 'none' is used purely for monitoring: it makes no changes to email flow, but it gives domain owners the information needed to adjust their SPF and DKIM configurations until all legitimate mail senders are properly authenticated. At this point you can begin updating your configuration to improve deliverability of genuine email whilst stopping spoofed email reaching end users.

Implementing DMARC on your non-email-sending domains, such as legacy domains or those you have defensively registered, is of equal importance, and should be carried out in parallel with the implementation on your email-sending domains. Just because you know that you don't send email from those domains doesn't mean that 'victims' won't receive email purporting to come from them.
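As an added illustration (not part of the original post or of the Mail Check service): the information a 'none' policy gives you arrives as DMARC aggregate reports, and the Python script below summarises one to show which sending sources still fail SPF and DKIM before the policy is tightened. The report, domain and addresses are constructed for the example.

```python
# Added example (not part of the original post): summarise a DMARC aggregate
# ("rua") report so a domain owner can see which senders fail authentication
# while the policy is still p=none. The report below is constructed for
# illustration; real reports arrive as gzipped XML at the rua= address.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>dept.example.gov.uk</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>dept.example.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>dept.example.gov.uk</header_from></identifiers>
  </record>
</feedback>"""

def summarise_report(xml_text):
    """Return ({source_ip: {"pass": n, "fail": n}}, published policy)."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # DMARC passes if either aligned DKIM or aligned SPF passed.
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals), policy

def unauthenticated_sources(totals):
    """Sources whose mail would be blocked under quarantine/reject."""
    return sorted(ip for ip, t in totals.items() if t["fail"] > 0)

if __name__ == "__main__":
    totals, policy = summarise_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, t in totals.items():
        print(f"{ip}: {t['pass']} pass, {t['fail']} fail")
    bad = unauthenticated_sources(totals)
    print("ready to tighten policy" if not bad else f"fix SPF/DKIM for: {bad}")
```

A source that fails here is either a legitimate sender whose SPF or DKIM needs fixing, or a spoofer; only once the first kind is gone is it safe to move to 'quarantine' or 'reject'.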

Sign up here

Mail Check's original focus was the DMARC protocol, but we've been busy extending the functionality of the service, introducing DKIM analysis, and testing email server configuration for Transport Layer Security (TLS). And there are more features in the pipeline following our ongoing user research.

If you have a public-sector email address you can sign up for an NCSC account and access the service.

If you do not have an email address accepted by the service but believe you should have access, get in touch with us at mailcheck@digital.ncsc.gov.uk

For further information on Mail Check and DMARC, check out our video below.

Liam G
Head of Rollout, Mail Check

2 comments

Tom Carr - 13 Nov 2018
Great blog, Liam. Really insightful and will be of use as the Home Office comes on board

Husman Mahmood - 16 Nov 2018
Really insightful - great work Liam
