Active Cyber Defence: Mail Check and Web Check transition with Ciaran Martin and Rahul Powar

On 31st March 2026, NCSC's Mail Check and Web Check services will be switched off. For thousands of UK public sector organisations, that means losing all visibility into their email authentication posture overnight.

Red Sift CEO and co-founder Rahul Powar sat down with Ciaran Martin, the former CEO of the National Cyber Security Centre (NCSC) who helped create the Active Cyber Defence programme, to talk about what's changing, why it matters, and what organisations need to do before the deadline. Here's what came out of that conversation.

Mail Check wasn't built to last forever. It was a direct response to a measurable crisis.

When the NCSC first looked at the scope of domain spoofing across the UK government, the picture was alarming. As Ciaran Martin explained during the webinar: "The 16th most spoofed brand in the world that we could find was HMRC, and it was the number one most spoofed brand in the UK."

DMARC enforcement fixed that. Within one year of HMRC's implementation, 500 million spoofed emails were blocked before they ever reached a British citizen's inbox. Mail Check scaled that approach across the public sector, offering free, accessible tooling to organisations that couldn't have done it alone.

But the programme was always designed as a temporary intervention. The goal was always to get to a point where commercial providers could take over and the government could focus its capabilities on the more sophisticated end of the threat landscape. That point has arrived.

Red Sift analysed gov.uk domains ahead of the webinar. The headline finding is that around 50% of gov.uk domains are at DMARC reject, which Rahul described as "surprisingly high" by global standards. The NCSC's push over the last nine years has genuinely moved the needle.

But 22% of gov.uk domains still aren't fully compliant. And of the 3,540 domains currently reporting only to Mail Check, a significant portion will lose all visibility into their mail traffic the moment the service goes dark.

That's the real risk. It's not just organisations that haven't reached DMARC enforcement yet. It's organisations that are already at reject or quarantine, but will have no way of knowing if a configuration change breaks something. A new CRM platform, a third-party sender, a DNS update. Any of those could cause legitimate emails to fail authentication with no alert and no report.

As Ciaran Martin put it: "Who owns our email authentication now that the NCSC doesn't? That's a vital question for organisations to answer in the next 40 days."

The urgency isn't just about a deadline. The threat environment is meaningfully worse than it was when Mail Check launched.

The UK had a bad 2025. Ransomware attacks caused serious economic and social damage. Nation-state actors, particularly in the context of Volt Typhoon, are targeting everyday organisations, not just critical infrastructure. And AI tools are making it easier and cheaper for attackers to probe for basic vulnerabilities at automated scale.

Email authentication is a foundational control. Without it, every other security layer has to work harder and attackers have an easier route in. This is not the moment for a cliff-edge drop-off in coverage.

Mail Check provided solid baseline reporting, compliance dashboards, and remediation guides. What it never got around to was keeping pace with the standards that have developed since it launched.

MTA-STS, BIMI, continuous intelligent monitoring, real-time alerting, and asset inventory management all sit outside what Mail Check ever offered. Commercial solutions can deliver all of that, and for organisations already at enforcement, the priority is making sure monitoring continues without interruption.

Red Sift is available on G-Cloud 14 and offers a fully managed DMARC product alongside standalone software subscriptions for organisations that want the equivalent of Mail Check with the functionality it was never able to build.

If you don't know where your domains stand right now, start there.