Cyber Essentials (UK)
Cyber Essentials is a UK government-backed certification scheme operated by the National Cyber Security Centre (NCSC). It sets out baseline security controls that organisations should implement to protect against common cyber threats. While the base Cyber Essentials certification focuses on five technical controls (firewalls, secure configuration, access control, malware protection, and patch management), the enhanced Cyber Essentials Plus certification includes independent verification. Email authentication supports multiple control areas, and the NCSC strongly recommends DMARC through its separate guidance and the Mail Check service.
| Protocol | Requirement | Details |
|---|---|---|
| SPF | Recommended | SPF supports the Secure Configuration control by ensuring only authorised mail servers can send email from your domain. The NCSC recommends SPF as part of its email security guidance published alongside Cyber Essentials. |
| DMARC | Recommended | DMARC is strongly recommended by the NCSC through its Mail Check service and email security guidance. Cyber Essentials Plus assessors increasingly view DMARC enforcement as an indicator of mature email security. The NCSC recommends p=reject for all government domains. |
| DKIM | Recommended | DKIM is recommended by the NCSC as part of the email authentication trio (SPF, DKIM, DMARC). It supports the Secure Configuration and Malware Protection controls by verifying email integrity. |
| SSL/TLS | Required | The Secure Configuration control requires that software is configured securely, which includes using encrypted connections. TLS is expected for all web-facing services. The NCSC guidance specifically references TLS for protecting data in transit. |
| Security Headers | Recommended | Security headers fall under the Secure Configuration control. Implementing HSTS, CSP, and related headers demonstrates that web applications are configured securely against common attack types. |
| DNSSEC | Optional | DNSSEC is not part of the Cyber Essentials assessment criteria but is recommended by the NCSC in its broader DNS security guidance as a good practice for organisations with higher security requirements. |
Configure all websites, email servers, and web applications with TLS 1.2 or higher. This satisfies the Secure Configuration control. Disable legacy TLS and SSL versions that are known to be insecure.
Publish SPF records for all domains, enable DKIM signing, and deploy DMARC. While not individually scored in Cyber Essentials, these protocols are recommended by the NCSC and demonstrate mature security practices that Cyber Essentials Plus assessors look for.
The NCSC offers a free Mail Check service (mailcheck.service.ncsc.gov.uk) for UK organisations that monitors DMARC, SPF, and TLS for your domains. Registering provides ongoing visibility and aligns with NCSC recommendations.
Deploy HSTS, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options on all web applications. Document these as part of your secure configuration baseline that satisfies the Cyber Essentials requirements.
Run a comprehensive domain security scan to verify that TLS, email authentication, and security headers are correctly configured. Use the results to identify and remediate any gaps before your Cyber Essentials assessment.
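The checks described above can be rehearsed offline before an assessment. The script below is an added example, not the Domain Security Scanner's own code: it evaluates constructed evidence for a hypothetical domain (SPF and DMARC TXT records, the TLS versions a server offers, and the HTTP response headers) against the baseline this page recommends, and lists the gaps to remediate.

```python
# Added example, not the scanner's own code: an offline check of the baseline
# described above, run over constructed evidence rather than live lookups.
RECOMMENDED_HEADERS = ("strict-transport-security", "content-security-policy",
                       "x-content-type-options", "x-frame-options")

SAMPLE = {  # constructed evidence for a hypothetical, partially compliant domain
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "tls_versions": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "headers": {"Strict-Transport-Security": "max-age=31536000",
                "Content-Security-Policy": "default-src 'self'",
                "X-Content-Type-Options": "nosniff"},
}

def dmarc_status(txt):
    """'enforcing' for p=reject/quarantine, 'monitoring' for p=none, else 'missing'."""
    tags = {}
    for part in (txt or "").split(";"):  # DMARC records are ';'-separated tag=value pairs
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "missing"
    return "enforcing" if tags["p"].lower() in ("reject", "quarantine") else "monitoring"

def spf_status(txt):
    """'enforcing' if the record ends in -all/~all, 'missing' without v=spf1, else 'permissive'."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    return "enforcing" if txt.split()[-1].lower() in ("-all", "~all") else "permissive"

def header_gaps(headers):
    """Recommended headers absent from a response (names compare case-insensitively)."""
    return [h for h in RECOMMENDED_HEADERS if h not in {n.lower() for n in headers}]

def tls_ok(versions):
    """True only when every protocol version offered is TLS 1.2 or higher."""
    return bool(versions) and all(v in ("TLSv1.2", "TLSv1.3") for v in versions)

def assess(evidence):
    """Return remediation findings; an empty list means the baseline is met."""
    findings = []
    if spf_status(evidence.get("spf")) != "enforcing":
        findings.append("SPF: publish a v=spf1 record that ends in -all or ~all")
    if dmarc_status(evidence.get("dmarc")) != "enforcing":
        findings.append("DMARC: publish a record with p=quarantine or p=reject")
    if not tls_ok(evidence.get("tls_versions", [])):
        findings.append("TLS: disable protocol versions below TLS 1.2")
    findings += [f"Headers: add {h}" for h in header_gaps(evidence.get("headers", {}))]
    return findings
```

For the sample evidence, `assess(SAMPLE)` reports three gaps: DMARC still at p=none, TLS 1.0 still offered, and X-Frame-Options missing.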
For Cyber Essentials Plus, retain scan reports and configuration documentation. Assessors perform technical verification, and having pre-existing evidence of email security controls demonstrates proactive security management.
Use Domain Security Scanner reports as evidence for your Cyber Essentials audit. Pro and Agency plans include PDF export for compliance documentation.
The base Cyber Essentials certification does not explicitly require DMARC. However, the NCSC strongly recommends it through its email security guidance and Mail Check service. Cyber Essentials Plus assessors have discretion in evaluating secure configuration, and the absence of basic email authentication may be noted. For UK public sector organisations, DMARC is effectively required through Cabinet Office guidance.
Cyber Essentials is a self-assessment questionnaire covering five technical controls. Cyber Essentials Plus includes all of the same requirements but adds independent technical verification by a certified assessor who tests your systems. For email security, Cyber Essentials Plus assessors may check TLS configuration and email authentication as part of their secure configuration testing.
Mail Check is a separate free NCSC service that monitors DMARC, SPF, and TLS for UK organisations. While not formally part of Cyber Essentials, using Mail Check demonstrates alignment with NCSC guidance and provides ongoing monitoring evidence. Many organisations pursuing Cyber Essentials use Mail Check reports as supplementary evidence of their email security posture.