(And Why Should I Care About These if my Email is Already Working?)
The National Cyber Security Centre (NCSC) has updated its email security guidance, and many organisations are now reviewing their use of hosted DMARC services such as Valimail. A key concern is ensuring full control over DMARC, SPF and DKIM settings.
The NCSC guidance encourages organisations to maintain direct visibility and authority over DNS records. Hosted models may reduce agility during an incident and can obscure how policies are applied. This has affected real‑world cases in local government and higher education where slow configuration updates allowed phishing activity to continue longer than necessary.
Step one is to examine the DMARC record published in DNS. Use common lookup tools such as dig or MXToolbox. Capturing this detail is essential when conducting a DMARC compliance review.
Next, inspect your SPF and DKIM configuration. Valimail is known for maintaining flattened SPF records so they remain under the ten‑lookup limit. If your SPF record includes Valimail references, the platform is actively handling part of your email authentication chain. This is not negative; however, the NCSC guidance recommends documenting where external automation controls critical processes. This is particularly relevant when organisations run many SaaS tools and need consistent sender validation.
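The two checks above can be scripted once the TXT records have been captured. The following is an added example, not code from Valimail or the NCSC: it parses a DMARC record and an SPF record, counts the top-level SPF terms that cost a DNS lookup, and lists the parts that point at an external provider. The records are constructed samples and hosted-dmarc.example is a placeholder for whatever domain your hosted provider actually uses.

```python
import re

# Terms that each cost one DNS lookup against the SPF ten-lookup limit (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def under(host, parent):
    """True if host is parent itself or a subdomain of it."""
    return host == parent or host.endswith("." + parent)

def review(domain, dmarc_txt, spf_txt, vendor_suffixes):
    """Report policy, top-level SPF lookup count and externally run pieces."""
    tags = parse_dmarc(dmarc_txt)
    out = {"policy": tags.get("p", "missing"), "spf_lookups": 0, "external": []}
    # Aggregate reports (rua) sent outside your own domain go to a third party.
    for uri in tags.get("rua", "").split(","):
        host = uri.strip().rpartition("@")[2].split("!")[0].lower()
        if host and not under(host, domain):
            out["external"].append("rua:" + host)
    for term in spf_txt.lower().split()[1:]:  # skip the leading "v=spf1"
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m:
            continue
        name, target = m.group(1), m.group(2) or ""
        if name in LOOKUP_TERMS:
            # Nested includes cost lookups too; counting those needs live DNS.
            out["spf_lookups"] += 1
        if name in ("include", "redirect") and any(
            under(target, s) for s in vendor_suffixes
        ):
            out["external"].append("spf:" + target)
    return out

# Constructed sample records; hosted-dmarc.example is a placeholder vendor domain.
DMARC = "v=DMARC1; p=none; rua=mailto:agg@hosted-dmarc.example,mailto:dmarc@example.org"
SPF = "v=spf1 include:example.org._spf.hosted-dmarc.example mx ip4:192.0.2.10 ~all"

if __name__ == "__main__":
    print(review("example.org", DMARC, SPF, ["hosted-dmarc.example"]))
```

The "external" entries are the items to record when documenting where a third party controls part of the authentication chain.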
Many businesses find outdated applications still present in their list of authorised senders. These “forgotten senders” can create vulnerabilities that attackers may exploit. Reviewing this list is now considered part of good operational hygiene and helps reduce spoofing risk.
Valimail offers strong automation, good reporting and simplified SPF alignment, but it is important to understand exactly how it is configured in your environment.
What is Valimail?
Valimail simplifies email authentication by focusing on DMARC, SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail). These protocols work together to verify that emails sent from your domain are legitimate. Knowing how to check your Valimail implementation is key for any cybersecurity professional.
Steps to Check Your Valimail Settings
1 – Log into the Valimail Dashboard
Start by logging into your Valimail account. The dashboard provides a clear overview of your domain’s authentication status, including DMARC compliance, SPF records, and DKIM signatures.
2 – Check Your DMARC Status
Go to the DMARC section on the dashboard. Here, you’ll see the current DMARC policy for your domain. It’s best to start with a none policy for monitoring before moving to quarantine or reject.
3 – Review SPF and DKIM Records
Validate your SPF and DKIM records. Use Valimail’s tools to check that your SPF record is correctly configured and that all legitimate senders are listed. For DKIM, confirm that signatures are correctly applied to outgoing emails.
4 – Monitor DMARC Reports
Valimail offers detailed reports on email authentication. Regularly review these reports to spot any unauthorised use of your domain. Look for any spikes in failed authentications.
5 – Reducing DMARC Failures
Reducing DMARC failures is crucial for improving your email security. Here are some effective strategies:
Whitelist Legitimate Senders: Ensure all legitimate email-sending services are included in your SPF record. This reduces the chance of genuine emails being marked as spam.
Conduct Regular Audits: Periodically audit your email setup. Check for outdated records and confirm that all sending domains comply with your DMARC policy.
Educate Your Team: Make sure your team understands the importance of email authentication. Training can help prevent human error, which often leads to DMARC failures.
The updated NCSC guidance does not require organisations to remove DMARC. Instead, it encourages teams to ensure ownership, clarity and resilience.
The advantages of Valimail include DMARC automation, strong reporting and simple onboarding. Limitations include reliance on vendor infrastructure and reduced direct DNS control. For many, the right outcome is a review rather than replacement.
A structured check gives you a clear view of risk and readiness. Organisations aiming to improve resilience, reduce spoofing, support insurance requirements and demonstrate governance often use this moment to refresh their policies. Conducting a thorough review ensures alignment with NCSC DMARC guidance and strengthens your wider email security posture.
Email is still the number one attack vector.
If you are not 100% clear who controls your SPF, DKIM and DMARC, you are carrying risk.
Time for a Structured Email Security Review?
We can help you:
Audit SPF, DKIM and DMARC ownership and visibility
Validate alignment with the latest NCSC guidance
Identify forgotten senders and hidden spoofing risk
Translate technical findings into clear governance evidence
Review Valimail configuration objectively
Book an email authentication health check, contact us today:
📞 +44 (0) 113 341 0123
📞 +64 (0)9 802 2444
📧 hello@itogether.com
