From NCSC Mail Check to Cloudflare Email Security
Cloudflare DMARC Management and Email Security provide comprehensive coverage for email authentication monitoring, moving from passive reporting to active defense.
Key Advantage
The transition from Mail Check to Cloudflare represents a move from "passive reporting" to "active defense". While Mail Check identified configuration issues, Cloudflare Email Security can actively block emails that fail DMARC or SPF checks at the mail flow level.
DMARC & Email Authentication Coverage
| Mail Check Feature | Technical Specification | Cloudflare Solution | Coverage |
|---|---|---|---|
| DMARC Aggregate Monitoring | Ingestion and visualization of RUA reports from receivers | DMARC Management (Beta) | Full Coverage |
| SPF Configuration Analysis | Verification of record syntax, IP ranges, and DNS lookup limits | DMARC Management & Security Insights | Full Coverage |
| DKIM Key Management | Validation of selector records and cryptographic alignment | DMARC Management | Partial (reporting focus) |
| Anti-Spoofing Policy Guidance | Feedback on progression from p=none to p=quarantine/reject | DMARC Management Dashboard | Full Coverage |
| Email Source Identification | Mapping of sending IP addresses to known SaaS and ISP providers | DMARC Management | Full Coverage |
| Forensic Reporting (RUF) | Detailed failure reports including message headers and body snippets | Not Currently Available | Gap |
| Historical Data Retention | Storage of authentication trends over time for audit | Cloudflare Security Center | Full Coverage |
What Cloudflare Provides
- Granular dashboard of all sending sources with automatic identification of legitimate services (Microsoft 365, Google Workspace, etc.)
- Consolidated insights within the same platform used for DNS management, enabling immediate record remediation
- Visual cues showing readiness for enforcement policy progression
- Active blocking of DMARC/SPF failures with Cloudflare Email Security
Current Gaps
- Forensic (RUF) Reporting: Cloudflare focuses on aggregate data for privacy. For detailed failure analysis, consider Red Sift or Sendmarc.
- BIMI Management: Manual DNS record entry only. For full BIMI support with logo verification, third-party tools are required.
Email Confidentiality: TLS, MTA-STS, and TLS-RPT
Important: Unlike the authentication features above, Cloudflare does not provide native products for MTA-STS hosting or TLS-RPT collection. These capabilities require custom implementation using Cloudflare's developer platform (Workers/Pages). Ready-to-deploy solutions are available below.
A significant portion of Mail Check's value was in email confidentiality controls—evaluating cipher strength, certificate validity, and MTA-STS implementation. While Cloudflare Email Security handles some aspects, key features require custom solutions built on the Workers platform.
| Confidentiality Feature | Technical Mechanism | Cloudflare Solution | Implementation |
|---|---|---|---|
| Inbound TLS Probe | Checking mail server support for STARTTLS and secure ciphers | Not Available | No native Cloudflare product—requires third-party or custom tooling |
| MTA-STS Policy Hosting | Serving a policy file over HTTPS at a .well-known URI | Custom Worker Required | Deploy via Workers/Pages (see ready-to-deploy solution below) |
| MTA-STS DNS Signaling | Publishing _mta-sts TXT records to signal policy support | Cloudflare DNS | Manual TXT record entry via DNS dashboard |
| TLS Reporting (TLS-RPT) | Ingesting failure reports from senders (RFC 8460) | Custom Worker Required | Deploy via Workers (see ready-to-deploy solution below) |
| Partner TLS Enforcement | Dropping non-TLS mail from specific trusted domains | Email Security | Configurable via Settings > Partner Domain TLS |
| MX Certificate Monitoring | Checking for expiration or weak signatures on MX servers | Not Available | No native product—consider Hardenize or similar |
MTA-STS with Cloudflare Workers
Hosting the MTA-STS policy file is a particularly strong use case for the Cloudflare developer platform. By deploying a Worker, your organisation can host the required mta-sts.txt file on Cloudflare's global network, ensuring high availability and automatic HTTPS—both mandatory for MTA-STS compliance.
This eliminates the need to maintain a separate, highly-available web server just for policy signaling.
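The policy hosting described above, as an added example (not Cloudflare's code and not this page's ready-to-deploy solution): it renders an RFC 8461 policy file, builds the matching `_mta-sts` TXT value, and decides what the Worker returns for a given URL. The domain `example.org`, the MX patterns, the policy values and all function names are assumptions.

```javascript
// Added example: MTA-STS policy logic for a Cloudflare Worker (RFC 8461).
// Domain, MX patterns and policy values are constructed placeholders.
const POLICY = {
  mode: "testing", // move to "enforce" once TLS-RPT reports show no failures
  mx: ["mx1.example.org", "*.mail.example.org"],
  maxAge: 86400, // seconds; RFC 8461 caps this at 31557600
};

// Render the policy body as "key: value" lines (RFC 8461 accepts CRLF or LF).
function renderPolicy(p) {
  if (!["enforce", "testing", "none"].includes(p.mode)) throw new Error("bad mode");
  if (p.mode !== "none" && p.mx.length === 0) throw new Error("mx required");
  if (!Number.isInteger(p.maxAge) || p.maxAge < 0 || p.maxAge > 31557600) {
    throw new Error("max_age out of range");
  }
  const lines = ["version: STSv1", `mode: ${p.mode}`];
  for (const host of p.mx) lines.push(`mx: ${host}`);
  lines.push(`max_age: ${p.maxAge}`);
  return lines.join("\r\n") + "\r\n";
}

// Value for the _mta-sts.<domain> TXT record; change the id whenever the policy changes.
function txtRecord(id) {
  if (!/^[A-Za-z0-9]{1,32}$/.test(id)) throw new Error("id must be 1-32 alphanumerics");
  return `v=STSv1; id=${id}`;
}

// Serve the policy only at https://mta-sts.<domain>/.well-known/mta-sts.txt.
// Anything else is a 404, never a redirect: RFC 8461 senders do not follow redirects.
function route(urlString, policy = POLICY) {
  const url = new URL(urlString);
  if (url.protocol !== "https:" || !url.hostname.startsWith("mta-sts.") ||
      url.pathname !== "/.well-known/mta-sts.txt") {
    return { status: 404, headers: { "content-type": "text/plain" }, body: "not found\n" };
  }
  return {
    status: 200,
    headers: { "content-type": "text/plain; charset=utf-8" },
    body: renderPolicy(policy),
  };
}

// Worker entry point (module syntax), left as a comment so the file also runs under Node:
// export default { fetch(req) { const r = route(req.url);
//   return new Response(r.body, { status: r.status, headers: r.headers }); } };
```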
Cloudflare Email Security Platform
While NCSC Mail Check only reported on email authentication, Cloudflare Email Security provides a complete active defence platform that blocks phishing, BEC, and malware before they reach your users.
AI-Powered Detection
Advanced ML models analyse hundreds of attributes per email—sender reputation, message sentiment, conversation context—to detect sophisticated threats with 99.99% accuracy.
Patented Email Detection Fingerprint (EDF) uncovers hidden patterns across phishing campaigns.
Stop BEC Attacks
Detect deceptive Business Email Compromise attacks that impersonate executives, employees, and vendors to steal data or extract fraudulent payments.
Conversation context analysis identifies impersonation attempts even without malicious links.
Multi-Channel Protection
Block attacks that combine email with other channels—malicious links, QR codes, and delayed phishing that activates after delivery across Slack, Teams, and SMS.
Real-time link analysis and post-delivery retraction capabilities.
PhishGuard Managed Service
A team of expert analysts (including ex-NSA and CIA security professionals) routinely inspects your email environment and responds to threats. PhishGuard provides:
- Real-time threat hunting and rapid incident response
- Insider threat detection and compromised account monitoring
- Custom detection rules tailored to your organisation
- User submission review—freeing your security team for critical work
Free Phishing Risk Assessment
Using Microsoft 365? Discover what phishing threats your current email filters are missing with a free retrospective scan of your inbox.
The scan analyses your historical email data to identify phishing attempts, BEC attacks, and malicious content that bypassed existing defences—giving you concrete evidence of your current risk exposure.
Forrester Wave™ Recognition
Cloudflare is a Strong Performer in Email, Messaging, and Collaboration Security Solutions (Q2 2025), scoring 5.0/5.0 in 9 criteria including malware detection, URL analysis, and threat intelligence.
Implementation Quick Start
Enable DMARC Management
Navigate to your Cloudflare dashboard and enable DMARC Management (Beta) for all zones to begin collecting baseline authentication data.
Review Sending Sources
Analyse the automatically identified email sources. Verify legitimate services and flag any unauthorized senders failing SPF or DKIM alignment.
Deploy Email Security (Optional)
For active enforcement, deploy Cloudflare Email Security in your mail flow to block emails that fail authentication checks, regardless of recipient server settings.
Continue Your Assessment
Explore how Cloudflare replaces Web Check functionality, or review the complete gap analysis.