Phased Migration
Roadmap to March 2026

A structured approach to ensure no loss of visibility before the NCSC deadline, transforming your security posture from periodic checking to active, integrated protection.

Foundation Step

First: Onboard Your DNS to Cloudflare

All the capabilities in this guide require your domains to use Cloudflare for authoritative DNS. This is the foundation that unlocks DMARC Management, Security Insights, and the full Cloudflare platform.

Add Your First Domain Book a Meeting

Why Cloudflare DNS?

  • Free for all plans — Enterprise-grade DNS at no cost
  • Fastest in the world — Sub-11ms global response times
  • Built-in DDoS protection — 321 Tbps network capacity
  • DNSSEC with one click — Cryptographic authentication
1

Add Your Domain

Enter your domain in the Cloudflare dashboard. We'll scan your existing records and import them automatically.

2

Update Nameservers

Change your domain's nameservers at your registrar to point to Cloudflare. Most registrars make this a 2-minute task.

3

You're Ready

Once nameservers propagate (typically under an hour), all Cloudflare features become available for your domain.

Public Sector Tip

Many .gov.uk domains are managed through Jisc or other shared services. Coordinate with your DNS provider to update nameservers. Cloudflare also supports CNAME setup for domains where you cannot change nameservers, and Secondary DNS for organisations requiring multi-provider resilience.

Then: Follow the Phased Migration

PHASE 1 Immediate — Start Now

Enable Monitoring & Baseline Data Collection

Begin collecting data immediately to establish baselines and identify any issues before transitioning away from NCSC services.

Email Security Actions

  • Enable Cloudflare DMARC Management (Beta) on all zones
  • Point DMARC RUA reports to Cloudflare
  • Review and verify all identified sending sources
  • Compare findings against current Mail Check data

Web Security Actions

  • Review Security Insights in Security Center
  • Enable Always HTTPS and HSTS on all domains
  • Set minimum TLS version to 1.2
  • Address any dangling DNS or exposed origin findings
PHASE 2 Complete by March 31, 2026

Implement Confidentiality & Disclosure Controls

Address the "confidentiality" and "disclosure" findings from Mail Check and Web Check through platform features and developer solutions.

Email Confidentiality

  • Deploy MTA-STS policy via Cloudflare Workers or Pages
  • Configure _mta-sts TXT records in DNS
  • Set up TLS-RPT reporting (via Workers if custom dashboard needed)
  • Verify certificate monitoring in Security Insights

Web Disclosure

  • Configure Managed Security.txt for all domains
  • Enable Page Shield for client-side monitoring
  • Review and enable relevant WAF managed rules
  • Establish internal playbooks for Security Insights findings
PHASE 3 Post-Cutoff — Ongoing Enhancement

Active Enforcement & Advanced Protection

After the cutoff, continue enhancing your security posture with advanced enforcement capabilities. These are valuable upgrades but not critical for the transition deadline.

Email Enforcement

  • Deploy Cloudflare Email Security for active DMARC enforcement
  • Configure Partner Domain TLS requirements
  • Progress DMARC policies to p=reject where possible
  • Integrate email threat intelligence with Gateway

Zero Trust Integration

  • Deploy Cloudflare Tunnel for exposed services
  • Configure Access policies requiring MFA
  • Link Security Insights to automated access controls
  • Establish cross-channel threat intelligence sharing

Addressing the "Cost vs. Free" Conversation

A primary concern for public sector customers will be transitioning from free government services to paid commercial ones. Frame the conversation around Total Cost of Ownership (TCO).

Efficiency Gains

Manual remediation based on Web Check findings takes time. Cloudflare's automated headers, WAF rules, and certificate management save hundreds of hours of manual labour per year.

Risk Mitigation Value

The cost of a single successful phishing attack or data breach resulting from an unmonitored email domain far outweighs the subscription cost of a comprehensive platform.

Consolidation

Many organisations already pay for separate DMARC tools, SSL monitors, and WAFs. Cloudflare allows consolidation of these point solutions into a single agreement, often resulting in net cost reduction.

Key Dates Timeline

2017

NCSC ACD services launched

Early 2025

Feature reductions begin

NOW

Today

Begin your transition

March 31, 2026

Services fully retired

The Bottom Line

By the time the NCSC services are retired in 2026, your organisation will not just have replaced a tool—you will have fundamentally upgraded your security architecture to meet the challenges of the modern threat landscape.

Review Mail Check Coverage Review Web Check Coverage