NCSC to retire Web Check and Mail Check

Summary

The National Cyber Security Centre (NCSC) will retire its Web Check and Mail Check services on 31 March 2026. These services, which have helped organisations identify internet-facing misconfigurations and email security issues since 2017, will be phased out because the external attack surface management (EASM) market now offers a wide range of commercial products that cover and extend their functionality.

The NCSC advises organisations to adopt a commercial EASM product before the retirement date and has published a buyer’s guide to help choose the right solution. Early Warning and DNS Check findings will continue to be delivered via MyNCSC, and the NCSC recommends subscribing to its “Check your cyber security” email checks for anti-spoofing and email privacy verification.

Key Points

Web Check and Mail Check will stop delivering findings from 31 March 2026.
Early Warning and DNS Check subscriptions will still receive findings through MyNCSC.
The EASM market has matured; commercial products now offer broader coverage and extra features beyond Web Check and Mail Check.
The NCSC has published an EASM buyer’s guide to help organisations choose suitable products.
Key EASM features to consider: visibility and insight, security analysis, and supporting functions such as dashboards and workflow tools.
The NCSC recommends subscribing to its Check your cyber security service for email anti-spoofing and email privacy checks.
Retirement aligns with the ACD 2.0 roadmap so NCSC can reallocate resources to other resilience initiatives.

Context and relevance

This change reflects eight years of market evolution in external attack surface management. Organisations that relied on NCSC’s free checks need to plan migration to commercial EASM tools — especially larger and public-sector organisations with complex internet-facing estates. The buyer’s guide and ACD 2.0 research are practical starting points to assess vendors and required features.

Why should I read this?

Heads up — if your organisation uses NCSC’s Mail Check or Web Check, you’ve got a deadline. You’ll need to pick and deploy an alternative before 31 March 2026 or stop getting those automated findings. This write-up saves you the legwork: it tells you why the services are ending, what will keep running, and where to look next (EASM buyer’s guide + NCSC email checks).

Author

Hannah E — Service Owner: MyNCSC, Early Warning and Vulnerability Checking Services. Published on 6 November 2025. Punchy and practical: treat this as a service-change alert and a prompt to start procurement or testing of an EASM product now.