On 31 March 2026, the NCSC switched off two tools that thousands of UK organisations had relied on for almost a decade. Mail Check and Web Check — free services that had monitored email authentication and web security since 2017 — are gone. No wind-down period. No free tier. Just off.
If your organisation used either service, you now have a visibility gap. This post explains what that gap looks like, what the NCSC recommends as a replacement, and how to choose the right one.
What did Mail Check and Web Check actually do?
It’s worth being precise, because many organisations used these tools without fully understanding their scope — which matters when you’re deciding what to replace them with.
Web Check scanned your internet-facing domains for common web vulnerabilities. It flagged things like expired or misconfigured TLS certificates, insecure redirects, missing security headers, and outdated software configurations. It was lightweight, non-intrusive, and ran against your domain without requiring any engineering involvement.
Mail Check focused on email authentication. It assessed whether your domains were correctly configured with SPF, DKIM, DMARC, and MTA-STS — controls that make it much harder for attackers to impersonate your domain in phishing attacks. For many organisations, it was the only thing checking whether their email security posture was sound.
Together, they provided a basic but useful external view of two critical attack surfaces: your web presence and your email domains.
Why did the NCSC retire them?
The short answer: the commercial market has grown up. When the NCSC launched these tools in 2017, very few affordable options existed for organisations to monitor their external attack surface. That’s no longer true.
The NCSC’s position — set out in its ACD 2.0 roadmap — is that it will only provide services where the commercial market can’t deliver. External attack surface management (EASM) is now a mature category with commercial tools available at every price point. So the NCSC stepped back, freeing its resources for things only government can do.
This is a reasonable position. It also means that 17,000 UK organisations that relied on free government tools now need to find, evaluate, and procure commercial alternatives.
Who is affected — and what does the gap actually look like?
The NCSC’s own figures put the number of Mail Check and Web Check users at around 17,000 UK organisations. These were predominantly public sector bodies, NHS trusts, local authorities, regulated businesses, and SMBs without dedicated security teams — organisations for whom a free, government-backed tool was exactly right.
The gap isn’t just about losing a tool. It’s about losing continuous, automated visibility into your external attack surface. Without a replacement:
- Your TLS certificates can expire or be misconfigured without anyone noticing until a customer reports it.
- Your email domains can drift out of DMARC compliance, reopening the door to spoofing attacks.
- New subdomains, APIs, and cloud assets can appear on your external perimeter without being monitored.
- Exposed credentials or API keys — common in modern development workflows — go undetected.
What does the NCSC recommend instead?
The NCSC has published a buyer’s guide for EASM tools to help organisations evaluate commercial options. Rather than recommending a like-for-like replacement for Mail Check and Web Check, it explicitly recommends upgrading to a full External Attack Surface Management (EASM) platform — a category that goes considerably further than either free tool.
According to the NCSC’s guidance, a good EASM platform should provide three things:
- Insight and visibility — the ability to discover and monitor all your internet-facing assets, not just your primary domain. Subdomains, cloud services, APIs, forgotten infrastructure.
- Security analysis — active checking of identified assets for misconfigurations, vulnerabilities, email security issues, and exposed services. Not a tick-box score — specific, actionable findings.
- Supporting functions — dashboards, downloadable reports, workflow features that make findings accessible to non-specialists and easy to act on.
What should UK organisations look for in a replacement?
If you’re evaluating options, a few additional considerations matter beyond the NCSC’s three criteria:
- No engineering involvement required. Mail Check and Web Check worked because any IT manager could use them. Your replacement should be the same — scan from the outside, no source code access, no internal agents.
- Continuous monitoring, not point-in-time scans. Your attack surface changes daily. A tool that runs a scan once a month will miss the API key that was exposed on Tuesday and rotated on Thursday, by which time someone had already found it.
- UK data residency. If you’re in a regulated sector or public body, ask where your data is hosted and who can access it. US-hosted platforms may have different data sovereignty implications.
- Credentials and PII exposure, not just web vulnerabilities. Web Check looked at your web presence. Modern threats increasingly involve exposed credentials, API keys, and PII leaked through developer tools, public repositories, and third-party breaches. A modern EASM platform should cover all of this.
- Accessible findings. Security reports shouldn’t require a CISO to interpret. If a tool can’t explain a finding in plain language with a clear remediation step, it won’t get acted on.
How DataShielder replaces NCSC monitoring — and goes further
DataShielder is a UK-native EASM platform built for exactly this transition. It continuously monitors your external attack surface for exposed credentials, PII, and API key exposure — without needing source code access, engineering involvement, or security expertise to operate.
Where Mail Check flagged email authentication issues and Web Check flagged web vulnerabilities, DataShielder covers the full modern external attack surface: domains, subdomains, APIs, developer toolchains, and third-party exposure. Findings are delivered in plain language, not security jargon.
It runs as a self-serve SaaS platform, meaning you can be scanning within minutes of signing up — no sales call required, no lengthy onboarding. For organisations needing deeper investigation or discreet executive-level intelligence, a concierge service is also available.
What should UK organisations do right now?
Whether you replace NCSC tools with DataShielder or another provider, the priority is simple: close the gap. Every week without external monitoring is a week in which something could change on your attack surface without anyone noticing.
A practical checklist for the next two weeks:
- Confirm whether your organisation was a Mail Check or Web Check user — and identify who was responsible for reviewing findings.
- Review your current TLS certificate expiry dates and DMARC configuration status immediately. These are the most time-sensitive issues the NCSC tools were flagging.
- Evaluate at least one commercial EASM platform using the NCSC’s buyer’s guide criteria as your framework.
- Start with your primary domain. Most platforms — including DataShielder — let you run an initial scan before committing to a subscription.
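
For the certificate and DMARC review in the checklist above, the following is an added example (not NCSC or DataShielder code) of the two checks done by hand. It assumes you paste in the TXT record returned for `_dmarc.<your domain>` and the `notAfter` value of your certificate as Python's `ssl` module reports it; the domains, records and dates shown are constructed samples.

```python
import ssl
from datetime import datetime, timezone

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt):
    """Return plain-language findings for one DMARC record string."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return ["no valid DMARC record: receivers have no policy to apply"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not block spoofed mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    return findings

def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given getpeercert()['notAfter'] text."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

# Constructed sample inputs (not real records or certificates).
SAMPLE_DMARC = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "drifted.example": "v=DMARC1; p=none; pct=50",
    "missing.example": "",
}
SAMPLE_NOT_AFTER = "Apr 14 12:00:00 2026 GMT"

if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC.items():
        print(domain, dmarc_findings(record) or ["ok"])
    today = datetime(2026, 4, 1, tzinfo=timezone.utc)
    print("certificate days left:", days_until_expiry(SAMPLE_NOT_AFTER, today))
```

An empty findings list means the record enforces a policy on all mail and collects reports; a negative day count means the certificate has already expired.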