
How MSPs Should Audit Client Domains for DMARC Risk

A repeatable DMARC audit process for MSPs: what to check, how to present findings, and how to convert audits into rollout engagements.

01

Introduction

A DMARC audit is the MSP's primary sales artefact. Done well, it surfaces senders the client didn't know about, exposes gaps in compliance posture, and converts into a defined-scope rollout engagement. This article walks the audit checklist and the presentation that closes.

02

Why this topic matters

The audit is where DMARC engagements start. A weak audit reads like a generic security checklist; a strong audit shows the client a specific business risk on their domain. The difference is conversion rate.

03

What to check

The audit covers six items:

1. Current DMARC policy

dig +short TXT _dmarc.<domain> — record exists or doesn't. Policy at p=none, p=quarantine, or p=reject. Subdomain policy.

2. SPF posture

Record exists, sender includes, DNS lookup count, terminal mechanism (~all or -all).

3. DKIM presence

Common selectors tested. Custom DKIM at each known sender.

4. Sender inventory from 30 days of aggregate reports

If reports are accessible, the per-sender breakdown. Most surprises live here.

5. Compliance posture

Provider sender requirements, PCI DSS, insurance-related authentication checks.

6. Adjacent stack items

BIMI, MTA-STS, TLS-RPT — what's present, what's missing.
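As an added example covering items 1 and 2 above (this is not code from the article or from any product it mentions), the script below evaluates a DMARC record and an SPF record the way the audit reads them and turns the result into bullets for the "Gaps and risks" section. The records are constructed samples on example.test; in a live audit you would paste in the dig output and resolve nested includes before trusting the lookup count.

```python
# Constructed sample records (not real domains); live values come from dig +short TXT
DMARC_RECORD = "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.test; pct=100"
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test include:spf.crm.test a mx ~all"

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS lookup

def audit_dmarc(record):
    """Item 1: policy, subdomain policy (sp=, defaults to p=) and whether rua is set."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return {"present": False}
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "none").strip().lower()
    return {"present": True, "policy": policy,
            "subdomain_policy": tags.get("sp", policy).strip().lower(),
            "aggregate_reports": "rua" in tags,
            "enforcing": policy in ("quarantine", "reject")}

def audit_spf(record):
    """Item 2: direct lookup count and terminal mechanism (nested includes must be resolved live)."""
    if not record or not record.lower().startswith("v=spf1"):
        return {"present": False}
    lookups, terminal = 0, None
    for term in record.split()[1:]:
        # strip the +/-/~/? qualifier, then the argument after ':' '/' or '='
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            terminal = term
    return {"present": True, "lookups_direct": lookups, "terminal": terminal,
            "hard_fail": terminal == "-all", "over_limit": lookups > 10}

def gaps(dmarc, spf):
    """Bullets for the 'Gaps and risks' section of the one-page report."""
    out = []
    if not dmarc["present"]:
        out.append("No DMARC record")
    elif not dmarc["enforcing"]:
        out.append("DMARC policy is p=%s (monitoring only)" % dmarc["policy"])
    if dmarc["present"] and not dmarc["aggregate_reports"]:
        out.append("No rua tag, so no aggregate reports and no sender inventory")
    if not spf["present"]:
        out.append("No SPF record")
    else:
        if spf["over_limit"]:
            out.append("SPF exceeds 10 DNS lookups (permerror)")
        if not spf["hard_fail"]:
            out.append("SPF ends in %s rather than -all" % spf["terminal"])
    return out
```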

04

The presentation

A one-page report. Structure:

  • Current state — visual summary of authentication posture.
  • Sender inventory — table of every IP/sender currently active.
  • Gaps and risks — bullet list of what's broken, ordered by impact.
  • Proposed rollout — phased plan with timeline.
  • Pricing — fixed-scope offer.

The sender inventory is the centerpiece. Most clients are surprised by the number of senders; that surprise is your urgency.

05

Step-by-step approach

  1. Pull DNS records. SPF, DKIM (common selectors), DMARC.
  2. Run through a DMARC analyzer. DMARC AI's free audit produces most of the data in under a minute.
  3. Cross-check with the client's known senders. Identify unknowns.
  4. Compose the one-page report. Branded template.
  5. Schedule a 30-minute review. Walk through, propose next steps.

06

Best practices

  • Lead with the data, not the technology. "Here's who's sending as you" beats "your DMARC is misconfigured."
  • Frame risk in business terms. Customer-facing impact, deliverability impact, compliance impact.
  • Keep the report to one page. Long reports don't get read.
  • Present in person or on video. The conversation matters as much as the artefact.
  • Always propose next steps. A pricing tier or follow-up audit.

07

Audit 5 prospects this week. The exercise refines the deliverable and produces 5 sales conversations.

08

FAQ

How long does an audit take?

30-60 minutes with the right tooling, 2-3 hours by hand.

Should the client see the raw DMARC data?

Usually not. Summarize. Raw XML doesn't sell.

What if the client already has DMARC at p=reject?

Audit the steady state — sender drift, new senders, policy details. There's almost always something.

Should I charge for the audit?

Many MSPs offer free. Convert into paid rollout. Some MSPs charge $500-1,500 for a deep audit.

What about multi-domain audits?

Same process, parallelized. Most enterprises have multiple domains; multi-domain audit is a different SKU.

09

Final thoughts

The DMARC audit is the MSP's primary sales mechanism. A repeatable, branded audit deliverable is what converts prospects into engagements.

Build the template once, run it on every prospect, refine quarterly. The conversion economics work.
