Introduction
The key insight that turns DMARC for MSPs from project work into recurring revenue: the rollout is finite, but the monitoring is forever. Once a client reaches p=reject, the configuration is stable. What's not stable is the client's sender estate — every new SaaS tool, every vendor change, every M&A event is a potential alignment break.
This article covers the structure that converts DMARC monitoring into per-domain recurring revenue.
Why this topic matters
MSPs often sell DMARC as a project: audit, configure, advance to enforcement, invoice once. That leaves money on the table — and leaves the client without the steady-state monitoring that catches the next break.
The three-tier service structure
A productized DMARC offering typically has three tiers:
- Audit tier. One-time. Inventory senders, identify gaps, propose remediation. Fixed-price.
- Rollout tier. Project. Remediate authentication, progress through policy phases. Fixed-price or milestone-based.
- Monitor tier. Recurring. Watch aggregate reports, catch new senders, advise on rollouts. Per-domain monthly.
The first two are typical project revenue. The third is the recurring product.
What's in the monitor tier
Per client, per month:
- Aggregate-report review (weekly).
- New-sender alerts and remediation recommendations.
- Quarterly authentication health report.
- Annual policy review and DKIM rotation.
- Incident response for any DMARC-related event.
For 50 client domains, that's 5-10 hours per month of focused work and a substantial recurring line.
Step-by-step approach to launching the recurring tier
- Pilot with 3-5 existing clients. Discounted or free for the first quarter to refine deliverables.
- Standardize the monthly report. Templated, takes 10-15 minutes per client.
- Set the pricing. How to price DMARC services as an MSP covers the math.
- Add to every new-client onboarding. Default deliverable from the audit conversation.
- Renew annually. Use the annual review as the renewal conversation.
Best practices
- Sell the monitoring as the steady-state product. Not as a follow-on to the rollout.
- Make the monthly report visible. Clients pay for what they can see.
- Use a multi-tenant DMARC platform. Scales the operational time per client.
- Productize the runbook. Standard playbook for new-sender remediation.
- Track metrics. Per-client pass rate, sender count, policy level.
Recommended next step
Pick 3 existing clients with DMARC at p=reject or close. Offer them a 90-day pilot of monthly monitoring at no cost in exchange for feedback. By the end of the quarter you'll have your recurring-tier deliverables refined and a case study for the rest.
FAQ
What's a typical recurring price per client domain?
$50-300/month depending on sender complexity and client size. Multi-domain clients (large enterprises) negotiate.
How much MSP time per domain per month?
10-20 minutes for a stable client. More during sender changes or incidents.
Do I need a DMARC platform to run this?
Strongly recommended. Manual XML parsing doesn't scale past 1-2 clients.
Can I white-label the platform?
Most modern DMARC platforms offer white-label tiers. Your brand on the report, your domain in rua=.
What's the renewal conversation?
Annual policy review + the metric trend. Most clients renew on the strength of the visible monthly reports.
Final thoughts
DMARC's recurring-revenue model works because the underlying threat doesn't stop. Senders change, vendors come and go, and the monitoring needed to catch the next break is structurally permanent.
MSPs that productize the monitoring tier capture that value. Those that don't end at the project invoice and miss the rest.