Introduction
The DMARC sales conversation is education. Buyers usually don't know they have a problem until you show them. This article is the field-tested script — the questions to ask, the data to present, the close.
Why this topic matters
A DMARC pitch that reads like a technical lecture loses the buyer in the first minute. A pitch that frames the risk in customer-facing terms and produces evidence wins. The script is the bridge.
The opener
Start with this question: "Do you know how many systems are sending email as your company today?"
The buyer estimates. They say "3 or 4." You note it.
Then: "What happens if a customer of yours receives an invoice that looks like it's from you but isn't?"
The buyer pauses. The risk lands.
Finally: "Would you like to see the data on your domain?" The audit close. Almost always yes.
The data presentation
Show the audit you've prepared. Lead with the sender inventory. Most buyers see 12-20 active senders on their domain — vastly more than they estimated.
Walk through:
- "Here's the customer-facing list of who's sending as you."
- "Here are 3-5 we don't recognize — these are senders your team added without IT knowing."
- "Here's the gap that lets an attacker put your CEO in a fake email."
The pricing reveal
Three tiers:
- Audit — already done. $500 or free.
- Rollout — fixed-scope. $X (your number).
- Monthly monitoring — recurring. $Y/month per domain.
The audit is paid for in the sales conversation; the rollout is the engagement; the monitoring is the renewable revenue.
Step-by-step approach
- Open with the question. Get their estimate.
- Connect to customer-facing risk. Brand impersonation, customer trust.
- Show the sender data. Surprise is your urgency.
- Walk through the gap. Specific, technical-but-accessible.
- Propose the tiers. Audit ⟶ Rollout ⟶ Monitor.
- Schedule the rollout kickoff. Calendar the next conversation.
Handling common objections
"We have SPF and DKIM, isn't that enough?" Show the alignment failure. A message DKIM-signed with d=mailchimp.com can pass DKIM, but that domain doesn't align with the domain in their From address.
"This sounds complicated." Frame it as a project: 8-12 weeks, you do the work, they approve milestones.
"How much email do we even send?" Show the audit volume. They always underestimate.
"What if it breaks our email?" Explain the monitoring phase. The whole rollout exists to prevent breakage.
"How much?" Three tiers, three numbers. Don't haggle on the audit.
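The alignment failure behind the SPF/DKIM objection, as an added example that is not part of the original article: it reads a From header and an Authentication-Results header and reports whether any passing method aligns with the From domain. The function names, the sample headers, example.com as the buyer's domain, and the short suffix set standing in for the Public Suffix List are all assumptions.

```python
import re

# Assumption: tiny stand-in for the Public Suffix List, enough for these samples.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

def org_domain(domain):
    """Organizational (registrable) domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(auth_domain, from_dom, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return auth_domain.lower() == from_dom.lower()
    return org_domain(auth_domain) == org_domain(from_dom)

def from_domain(from_header):
    """Domain of the visible From address, the identity DMARC protects."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    if not m:
        raise ValueError("no address in From header")
    return m.group(1).lower()

def dmarc_alignment(from_header, auth_results, strict=False):
    """Return (from_domain, per-method findings, dmarc_pass) for one message."""
    fd = from_domain(from_header)
    findings = []
    for part in auth_results.split(";")[1:]:  # part 0 is the authserv-id
        m = re.match(r"\s*(dkim|spf)=(\w+)", part)
        prop = "header.d" if m and m.group(1) == "dkim" else "smtp.mailfrom"
        p = re.search(re.escape(prop) + r"=(\S+)", part) if m else None
        if not p:
            continue
        dom = p.group(1).rsplit("@", 1)[-1].lower()
        ok = m.group(2) == "pass" and aligned(dom, fd, strict)
        findings.append((m.group(1), dom, m.group(2), ok))
    # DMARC passes only if at least one method both passes and aligns.
    return fd, findings, any(f[3] for f in findings)

# Constructed sample headers (example.com stands in for the buyer's domain).
SAMPLE_FROM = "Billing <billing@example.com>"
UNALIGNED = ("mx.receiver.example; dkim=pass header.d=mailchimp.com header.s=k1; "
             "spf=pass smtp.mailfrom=bounces@mailchimp.com")
ALIGNED = ("mx.receiver.example; dkim=pass header.d=mail.example.com header.s=k1; "
           "spf=pass smtp.mailfrom=bounces@mailchimp.com")

if __name__ == "__main__":
    for name, ar in (("before", UNALIGNED), ("after", ALIGNED)):
        print(name, dmarc_alignment(SAMPLE_FROM, ar))
```

In the first sample both SPF and DKIM pass and DMARC still fails, which is the point to put in front of the buyer; the second shows the same sender after signing with a subdomain of the buyer's own domain.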
Best practices
- Lead with the question, not the explanation. Their data > your speech.
- Connect risk to customers. "Your customer" beats "the threat actor."
- Show, don't tell. The sender inventory is the artefact.
- Productize the tiers. Three SKUs, three prices, three deliverables.
- Always book the next step. Discovery call, audit delivery, rollout kickoff.
Recommended next step
Memorize the three opening questions. Use them in the next 5 prospect conversations. Track conversion to audit.
FAQ
What if the prospect isn't technical?
The script is designed for non-technical buyers. The "your customer receives a fake invoice" framing always lands.
How long is the typical pitch?
15-30 minutes for the initial conversation; 30-45 for the audit review.
Do I need a slide deck?
Helpful but not required. The audit one-pager often beats a deck.
What's the typical close rate?
40-60% from audit to rollout for well-positioned prospects.
Should I pitch to IT or the CFO?
Both work. IT cares about the technical fit; CFO cares about the business risk and compliance.
Final thoughts
The DMARC sales script is one of the cleanest in MSP cybersecurity. Three questions, an audit, three tiers. The economics work because the buyer can see the problem in their own data.
Run the script consistently and DMARC becomes a predictable revenue source.