The National Cyber Security Centre recently announced at CYBERUK 2022 a brand-new tool that organisations can use to check the security of their email domains. This free tool checks your organisation’s email domains for vulnerabilities that can be exploited, such as email spoofing, and also checks that your messages are encrypted in transit. The tool requires no sign-up or personal information and only checks publicly available information about domains.
The tool completes two checks. Firstly, it looks at publicly available DNS records to see whether anti-spoofing controls (primarily DMARC) are in use and configured correctly. Secondly, it starts to send an email to your server but stops short of sending it. By doing this, a “handshake” is made in which the email server reveals to the tool what version and strength of encryption is in use.
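The first check can be illustrated with a simplified DMARC record assessment. This is an added example, not the NCSC tool's code: the status names are assumptions chosen here, the rules are a reduced subset of what DMARC defines, and the sample TXT records are constructed rather than looked up.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # e.g. an SPF record or unrelated TXT data
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "missing", ["no DMARC record published"]
    if len(records) > 1:
        return "invalid", ["more than one DMARC record, so receivers apply none"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["p= policy tag is missing or unrecognised"]
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        return "invalid", ["pct= must be an integer from 0 to 100"]
    notes = [] if "rua" in tags else ["no rua= address for aggregate reports"]
    if policy == "none":
        return "monitor-only", notes + ["p=none reports but does not block spoofed mail"]
    if int(pct) < 100:
        return "partial", notes + [f"policy applied to only {pct}% of failing mail"]
    return "enforced", notes

# Constructed sample records (not real lookups).
SAMPLES = {
    "no-record.example": [],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:reports@monitoring.example"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:r@rollout.example"],
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:r@enforced.example"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *assess_dmarc(txt))
```

A domain that publishes a record can still be spoofable in practice: only the "enforced" result means receivers are asked to quarantine or reject all failing mail.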
These tools have been developed as part of the NCSC’s plan to make the UK the safest place to work online, and were announced alongside the recently expanded eligibility of the NCSC’s Mail Check and Web Check, which allows all UK education institutions to sign up.
These tools have also been developed because adoption of the recommended controls currently varies significantly across sectors, with some UK sectors having coverage as low as just 7%.
If you discover through this tool that your organisation’s email is not secure, we highly recommend that you follow the NCSC’s guidance on email security and anti-spoofing: Email security and anti-spoofing - NCSC.GOV.UK