From NCSC Mail Check to Cloudflare Email Security
Cloudflare DMARC Management and Email Security provide comprehensive coverage for email authentication monitoring, moving from passive reporting to active defense.
Key Advantage
The transition from Mail Check to Cloudflare represents a move from "passive reporting" to "active defense". While Mail Check identified configuration issues, Cloudflare Email Security can actively block emails that fail DMARC or SPF checks at the mail flow level.
DMARC & Email Authentication Coverage
| Mail Check Feature | Technical Specification | Cloudflare Solution | Coverage |
|---|---|---|---|
| DMARC Aggregate Monitoring | Ingestion and visualization of RUA reports from receivers | DMARC Management (Beta) | Full Coverage |
| SPF Configuration Analysis | Verification of record syntax, IP ranges, and DNS lookup limits | DMARC Management & Security Insights | Full Coverage |
| DKIM Key Management | Validation of selector records and cryptographic alignment | DMARC Management | Partial (reporting focus) |
| Anti-Spoofing Policy Guidance | Feedback on progression from p=none to p=quarantine/reject | DMARC Management Dashboard | Full Coverage |
| Email Source Identification | Mapping of sending IP addresses to known SaaS and ISP providers | DMARC Management | Full Coverage |
| Forensic Reporting (RUF) | Detailed failure reports including message headers and body snippets | Not Currently Available | Gap |
| Historical Data Retention | Storage of authentication trends over time for audit | Cloudflare Security Center | Full Coverage |
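The SPF and DMARC checks in the table (record syntax, the DNS lookup limit, and the p=none to p=quarantine/reject progression) can be reproduced locally before the records are published. The following is an added example, not Cloudflare's or NCSC's code: the record strings are constructed samples, no DNS is queried, and `include:` targets are therefore not followed, so the lookup count is a lower bound on what a receiver's resolver would perform.

```javascript
// Added example: static checks on SPF (RFC 7208) and DMARC (RFC 7489) TXT
// records. Sample records below are constructed; no DNS lookups are made.

// Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);
const SPF_LOOKUP_LIMIT = 10;

function checkSpf(record) {
  const findings = [];
  const terms = record.trim().split(/\s+/);
  if (terms[0] !== "v=spf1") {
    findings.push("record must start with v=spf1");
    return { valid: false, lookups: 0, findings };
  }
  let lookups = 0;
  let sawAll = false;
  for (const term of terms.slice(1)) {
    // Drop the qualifier (+ - ~ ?) and keep the mechanism/modifier name.
    const body = term.replace(/^[+\-~?]/, "");
    const name = body.split(/[:=\/]/, 1)[0].toLowerCase();
    if (name === "all") {
      sawAll = true;
      if (/^\+?all$/i.test(term)) findings.push("'+all' authorises every sender (no protection)");
      continue;
    }
    if (sawAll) findings.push(`term after 'all' is never evaluated: ${term}`);
    if (LOOKUP_TERMS.has(name)) lookups += 1; // includes are not recursed here
    if (name === "ptr") findings.push("'ptr' is deprecated and slow; remove it");
  }
  if (!sawAll) findings.push("no 'all' mechanism; append '-all' or '~all'");
  if (lookups > SPF_LOOKUP_LIMIT) {
    findings.push(`${lookups} DNS lookups exceeds the limit of ${SPF_LOOKUP_LIMIT} (permerror)`);
  }
  return { valid: findings.length === 0, lookups, findings };
}

function checkDmarc(record) {
  const findings = [];
  const tags = {};
  for (const part of record.split(";")) {
    const [k, ...rest] = part.split("=");
    if (!k.trim()) continue;
    tags[k.trim().toLowerCase()] = rest.join("=").trim();
  }
  if (tags.v !== "DMARC1") findings.push("record must start with v=DMARC1");
  const policy = tags.p;
  if (!["none", "quarantine", "reject"].includes(policy)) {
    findings.push("missing or invalid p= tag");
  } else if (policy === "none") {
    findings.push("p=none only monitors; progress to quarantine, then reject");
  }
  if (!tags.rua) findings.push("no rua= address: aggregate reports will not be received");
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (policy !== "none" && pct < 100) {
    findings.push(`pct=${pct}: policy applied to only ${pct}% of failing mail`);
  }
  return { policy: policy ?? null, pct, rua: tags.rua ?? null, findings };
}

// Constructed sample records.
const SAMPLE_SPF_OK =
  "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:192.0.2.0/24 -all";
const SAMPLE_SPF_BAD =
  "v=spf1 a mx ptr include:a.example include:b.example include:c.example include:d.example " +
  "include:e.example include:f.example include:g.example include:h.example ~all";
const SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com";
const SAMPLE_DMARC_ENFORCED =
  "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s";

for (const r of [SAMPLE_SPF_OK, SAMPLE_SPF_BAD]) console.log(r, checkSpf(r));
for (const r of [SAMPLE_DMARC_MONITOR, SAMPLE_DMARC_ENFORCED]) console.log(r, checkDmarc(r));
```

The `findings` arrays map onto the kinds of guidance Mail Check gave: the second SPF sample exceeds the 10-lookup limit, which receivers treat as a permanent error rather than a pass, and the first DMARC sample is still at the monitoring stage.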
What Cloudflare Provides
- Granular dashboard of all sending sources with automatic identification of legitimate services (Microsoft 365, Google Workspace, etc.)
- Consolidated insights within the same platform used for DNS management, enabling immediate record remediation
- Visual cues showing readiness for enforcement policy progression
- Active blocking of DMARC/SPF failures with Cloudflare Email Security
Current Gaps
- Forensic (RUF) Reporting: Cloudflare focuses on aggregate data for privacy. For detailed failure analysis, consider Red Sift or Sendmarc.
- BIMI Management: Manual DNS record entry only. For full BIMI support with logo verification, third-party tools are required.
Email Confidentiality: TLS, MTA-STS, and TLS-RPT
A significant portion of Mail Check's value was in email confidentiality controls—evaluating cipher strength, certificate validity, and MTA-STS implementation. Cloudflare addresses these through Email Security and the Workers developer platform.
| Confidentiality Feature | Technical Mechanism | Cloudflare Solution | Implementation |
|---|---|---|---|
| Inbound TLS Probe | Checking mail server support for STARTTLS and secure ciphers | Email Security & Security Insights | Continuous monitoring of TLS support for MX hostnames |
| MTA-STS Policy Hosting | Serving a policy file over HTTPS at a .well-known URI | Cloudflare Workers / Pages | Automated templates for hosting policy at the edge |
| MTA-STS DNS Signaling | Publishing _mta-sts TXT records to signal policy support | Cloudflare DNS | Managed via standard DNS dashboard |
| TLS Reporting (TLS-RPT) | Ingesting failure reports from senders (RFC 8460) | Email Security / Custom Workers | Parse JSON reports via Workers for custom dashboards |
| Partner TLS Enforcement | Dropping non-TLS mail from specific trusted domains | Email Security Partner Domain TLS | Configurable via Settings > Partner Domain TLS |
| Certificate Monitoring | Checking for expiration or weak signatures on MX servers | Security Insights | Alerts for invalid or aging TLS certificates |
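The TLS-RPT row says reports can be parsed in a Worker for a custom dashboard. The following added example (not Cloudflare's code) shows the summarisation step: it takes an RFC 8460 JSON report, groups failed sessions by `result-type`, and checks that the per-failure detail adds up to the summary count. The report object is a constructed sample; gzip-compressed reports (`application/tlsrpt+gzip`) would need decompressing before `ingestReport` is called.

```javascript
// Added example: summarise an RFC 8460 TLS-RPT report as a Worker receiving
// reports at the rua= address might. SAMPLE_REPORT is constructed, not real.

const SAMPLE_REPORT = {
  "organization-name": "Example Sender Inc.",
  "date-range": { "start-datetime": "2024-06-01T00:00:00Z", "end-datetime": "2024-06-01T23:59:59Z" },
  "contact-info": "tls-reports@sender.example",
  "report-id": "constructed-report-0001",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": ["version: STSv1", "mode: enforce", "mx: mx1.example.com", "max_age: 604800"],
        "policy-domain": "example.com",
      },
      "summary": { "total-successful-session-count": 1200, "total-failure-session-count": 3 },
      "failure-details": [
        { "result-type": "certificate-expired", "sending-mta-ip": "203.0.113.5",
          "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 2 },
        { "result-type": "starttls-not-supported", "sending-mta-ip": "203.0.113.6",
          "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 1 },
      ],
    },
  ],
};

// Result types defined in RFC 8460 section 4.3; anything else is bucketed as "unknown".
const KNOWN_RESULT_TYPES = new Set([
  "starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
  "certificate-not-trusted", "validation-failure", "tlsa-invalid", "dnssec-invalid",
  "dane-required", "sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid",
]);

function modeFromPolicyString(lines = []) {
  const m = lines.map((l) => l.match(/^mode:\s*(\w+)/)).find(Boolean);
  return m ? m[1] : null;
}

function summariseTlsReport(report) {
  const out = { reporter: report["organization-name"], reportId: report["report-id"], domains: [] };
  for (const entry of report.policies || []) {
    const summary = entry.summary || {};
    const ok = summary["total-successful-session-count"] || 0;
    const failed = summary["total-failure-session-count"] || 0;
    const byType = {};
    let detailed = 0;
    for (const d of entry["failure-details"] || []) {
      const t = KNOWN_RESULT_TYPES.has(d["result-type"]) ? d["result-type"] : "unknown";
      const n = d["failed-session-count"] || 0;
      byType[t] = (byType[t] || 0) + n;
      detailed += n;
    }
    out.domains.push({
      domain: entry.policy["policy-domain"],
      policyType: entry.policy["policy-type"],
      mode: modeFromPolicyString(entry.policy["policy-string"]),
      successful: ok,
      failed,
      failureRate: ok + failed ? failed / (ok + failed) : 0,
      failuresByType: byType,
      // False means the detail rows do not add up to the summary: treat with suspicion.
      detailsConsistent: detailed === failed,
    });
  }
  return out;
}

// Entry point for a POST handler: reject non-JSON bodies before parsing.
function ingestReport(contentType, body) {
  if (!/^application\/(tlsrpt\+json|json)/i.test(contentType)) {
    throw new Error(`unsupported content-type ${contentType} (gzip reports need decompression first)`);
  }
  const report = JSON.parse(body);
  if (!report["report-id"] || !Array.isArray(report.policies)) throw new Error("not a TLS-RPT report");
  return summariseTlsReport(report);
}

console.log(JSON.stringify(ingestReport("application/tlsrpt+json", JSON.stringify(SAMPLE_REPORT)), null, 2));
```

For an `enforce` policy any non-zero failure count deserves attention, since those sessions were refused rather than downgraded; a `certificate-expired` bucket in particular corresponds to the certificate-monitoring row above.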
MTA-STS with Cloudflare Workers
Hosting the MTA-STS policy file is a particularly strong use case for the Cloudflare developer platform. By deploying a Worker, your organisation can host the required mta-sts.txt file on Cloudflare's global network, ensuring high availability and automatic HTTPS—both mandatory for MTA-STS compliance.
This eliminates the need to maintain a separate, highly-available web server just for policy signaling.
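As an added example of the Worker described above (not one of Cloudflare's ready-made templates), the script below serves an RFC 8461 policy file at `https://mta-sts.<domain>/.well-known/mta-sts.txt`. The domain, MX hostnames and mode in `POLICY` are constructed sample values; the Worker is written in Service Worker syntax so the routing logic can also be exercised outside the Workers runtime.

```javascript
// Added example: a Cloudflare Worker (Service Worker syntax) serving the
// MTA-STS policy file. POLICY values are constructed samples.

const POLICY = {
  host: "mta-sts.example.com",  // policy host; Cloudflare provides the HTTPS certificate
  mode: "enforce",              // start with "testing" and move to "enforce" once TLS-RPT is clean
  mx: ["mx1.example.com", "mx2.example.com"],
  maxAge: 604800,               // seconds a sender may cache the policy (7 days)
};

// Policy files are "key: value" lines; RFC 8461 recommends CRLF line endings.
function buildPolicy(p) {
  if (!["testing", "enforce", "none"].includes(p.mode)) throw new Error(`bad mode ${p.mode}`);
  const lines = [
    "version: STSv1",
    `mode: ${p.mode}`,
    ...p.mx.map((m) => `mx: ${m}`),
    `max_age: ${p.maxAge}`,
  ];
  return lines.join("\r\n") + "\r\n";
}

// Pure routing decision, kept separate so it can be unit-tested without Workers.
function routePolicyRequest(method, url, p = POLICY) {
  const u = new URL(url);
  if (u.hostname !== p.host) return { status: 404, body: "not found" };
  if (u.pathname !== "/.well-known/mta-sts.txt") return { status: 404, body: "not found" };
  if (method !== "GET" && method !== "HEAD") return { status: 405, body: "method not allowed" };
  return {
    status: 200,
    body: method === "HEAD" ? "" : buildPolicy(p),
    // Senders check for text/plain; the cache header mirrors max_age.
    headers: { "content-type": "text/plain; charset=utf-8", "cache-control": `max-age=${p.maxAge}` },
  };
}

async function handleFetch(request) {
  const r = routePolicyRequest(request.method, request.url);
  return new Response(r.body, { status: r.status, headers: r.headers || {} });
}

// Registers the handler inside the Workers runtime; a no-op elsewhere.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleFetch(event.request)));
}
```

The Worker is bound to a route such as `mta-sts.example.com/*` on a proxied DNS record for that hostname. Senders only fetch the file after seeing the signalling record from the table above, for example `_mta-sts.example.com TXT "v=STSv1; id=20240601T120000"`; the `id` value must change every time the policy file changes, otherwise senders keep their cached copy until `max_age` expires.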
Implementation Quick Start
Enable DMARC Management
Navigate to your Cloudflare dashboard and enable DMARC Management (Beta) for all zones to begin collecting baseline authentication data.
Review Sending Sources
Analyse the automatically identified email sources. Verify legitimate services and flag any unauthorized senders failing SPF or DKIM alignment.
Deploy Email Security (Optional)
For active enforcement, deploy Cloudflare Email Security in your mail flow to block emails that fail authentication checks, regardless of recipient server settings.
Continue Your Assessment
Explore how Cloudflare replaces Web Check functionality, or review the complete gap analysis.