Introduction
Selling DMARC services requires a different motion than selling endpoint protection or backup. Clients usually don't know they have a problem — until you show them. This article covers the sales conversation that converts: the question, the artefact, the close.
Why this topic matters
DMARC is one of the easiest security services to deliver and one of the hardest to articulate. The technical work is mechanical; the sales work is education. Get the conversation right and DMARC becomes a default add to every client.
The conversation that opens the door
Three questions reliably open the conversation:
- "Do you know how many systems are sending email as your company today?" Most clients estimate 3-5. The actual number is usually 10-20.
- "What happens if a customer of yours receives an invoice that looks like it's from you but isn't?" Reframes the threat away from abstract spoofing into concrete business risk.
- "Would you like to see the data?" The free audit close. Almost always yes.
The conversation hands off to the audit deliverable.
The artefact that closes the deal
A one-page DMARC audit report. Structure:
- Current authentication state. Posture summary, what's published, what's missing.
- Sender inventory. List of every IP currently sending as the client's domain, with sender attribution. This is where the surprise lives.
- Risk summary. Spoofing exposure, deliverability state, compliance posture.
- Proposed remediation. Phased rollout with timeline.
The sender inventory is the artefact that closes. Clients almost always discover 2-5 senders they didn't know about — and that creates urgency.
Step-by-step approach to the sales motion
- Audit the client's domain (under 30 minutes with the right platform).
- Schedule a 30-minute review meeting.
- Walk through the one-page report. Lead with the sender inventory.
- Propose the rollout as a fixed-scope engagement.
- Propose the monitoring tier as the steady-state product.
The objections you'll hear
- "We have SPF and DKIM, isn't that enough?" Show how dkim=mailchimp.com isn't aligned with their From.
- "How long does this take?" 8-12 weeks for a typical SME.
- "Will it break our email?" Only if done badly; the rollout phases exist to prevent it.
- "How much?" Show the audit price, the rollout price, the monthly monitoring. Three SKUs.
- "We don't have time." You're doing the work; they're approving milestones.
The DMARC sales script for MSPs covers the full play-by-play.
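The first objection comes down to DMARC identifier alignment: SPF and DKIM can both pass while neither authenticated domain matches the From domain. The sketch below is an added example, not code from this article or any DMARC platform. It assumes constructed headers, placeholder domains (client.example, esp-bounces.example), a hypothetical helper named dmarc_evaluate, and a simplified organizational-domain rule (last two labels) in place of the Public Suffix List.

```python
import re
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A production
    # check would use the Public Suffix List (e.g. for co.uk domains).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    # Strict mode needs an exact match; relaxed mode only needs the
    # same organizational domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_header, auth_results, adkim="r", aspf="r"):
    """Evaluate DMARC alignment from a From header and an
    Authentication-Results header (hypothetical helper)."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    out = {"from_domain": from_domain, "dkim_aligned": False, "spf_aligned": False}
    # Any passing DKIM signature whose d= aligns with From is enough.
    for d in re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth_results, re.I):
        out["dkim_aligned"] |= aligned(d, from_domain, adkim == "s")
    # SPF alignment compares the envelope sender domain with From.
    m = re.search(r"spf=pass\b[^;]*?smtp\.mailfrom=([\w.@-]+)", auth_results, re.I)
    if m:
        out["spf_aligned"] = aligned(m.group(1).rpartition("@")[2], from_domain, aspf == "s")
    out["dmarc"] = "pass" if out["dkim_aligned"] or out["spf_aligned"] else "fail"
    return out

# Constructed sample headers (client.example and esp-bounces.example are placeholders).
FROM = '"Client Billing" <billing@client.example>'
AR_ESP_DEFAULT = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@esp-bounces.example; "
                  "dkim=pass header.d=mailchimp.com header.s=k1")
AR_CUSTOM_DKIM = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@esp-bounces.example; "
                  "dkim=pass header.d=mail.client.example header.s=k1")

if __name__ == "__main__":
    print(dmarc_evaluate(FROM, AR_ESP_DEFAULT))
    print(dmarc_evaluate(FROM, AR_CUSTOM_DKIM))
    print(dmarc_evaluate(FROM, AR_CUSTOM_DKIM, adkim="s"))
```

The first call is the case from the objection: both mechanisms pass, yet DMARC fails because nothing aligns. The second shows the fix, a DKIM signature under the client's own domain, and the third shows that the same signature stops counting under strict alignment.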
Best practices
- Lead with the data, not the technology. The sender inventory is the conversation.
- Frame risk in customer-facing terms. Customer trust > DNS records.
- Don't oversell complexity. The work is well-understood, not heroic.
- Productize the proposal. Fixed-price, fixed-scope where possible.
- Have a portfolio of case studies. "Here's what we did for client X."
Recommended next step
Pick 5 prospects this week. Run audits on their domains. Send each a one-page report. Track conversion rates. Most MSPs are surprised by how quickly clients say yes once they see the data.
FAQ
How do I audit a domain I don't have credentials for?
DMARC audits work from public DNS. You can audit any domain without client cooperation; the deliverable is the conversation opener.
What if the prospect already has a DMARC platform?
They probably don't have an MSP managing it. The conversation shifts to "are you actively monitoring this?" — usually no.
How long is the typical sales cycle?
2-6 weeks from audit to signed engagement, depending on client size and decision process.
Should I offer a free audit?
Yes. The audit is your conversation opener; charge for the rollout and monitoring.
What's the close rate after audit?
Well-positioned audits convert 40-60% of prospects into rollouts. The variance is mostly about how the data is presented.
Final thoughts
Selling DMARC services is selling visibility of a problem clients didn't know they had. The audit is the artefact; the conversation around it is the sales motion. Productize both and DMARC becomes a clean, repeatable revenue line.