Introduction
A clean DMARC managed service has three tiers: one-time audit, project-based rollout, and recurring monitoring. Packaging the offering this way matches the technical work — and gives clients a clear progression of value.
This article covers what to include in each tier, how to price, and how the recurring tier scales across multiple clients.
Why this topic matters
A productized DMARC service is sellable, deliverable, and renewable. An ad-hoc service is none of those. The three-tier structure converts a complex technical engagement into a clean commercial offering.
Tier 1: Audit
Deliverable: One-page report covering current authentication state, sender inventory, risk summary, proposed remediation.
Delivery time: 2-3 hours of work, 5-day calendar.
Scope: One client domain. Multi-domain audit is a different SKU.
Pricing: $500-1,500 fixed. Some MSPs offer it for free as a sales tool.
The audit creates urgency by showing clients senders they didn't know about. Most rollout engagements start here.
Tier 2: Rollout
Deliverable: DMARC published at p=reject pct=100, every legitimate sender authenticated, weekly monitoring during the rollout.
Delivery time: 8-12 weeks calendar, 20-40 hours of MSP time.
Scope: One domain, parent + any subdomains.
Pricing: $3,000-15,000 fixed depending on sender complexity, or hourly with cap.
The rollout follows the safe path from monitoring to enforcement. Major deliverables: SPF cleanup, DKIM configuration per sender, DMARC policy phases.
Tier 3: Monitor
Deliverable: Weekly aggregate-report review, new-sender alerts, monthly health report, quarterly review, annual DKIM rotation.
Delivery time: 1-2 hours/month per client.
Scope: Ongoing. Per domain.
Pricing: $50-300/month per domain.
This is the recurring revenue line. The article "How MSPs can turn DMARC into recurring revenue" covers the structure.
Step-by-step approach to building the offering
- Document each tier's deliverables. SOW templates per tier.
- Set fixed pricing. Avoid hourly except for edge cases.
- Build the technical foundation. A multi-tenant DMARC platform.
- Train the team. One engineer can run the rollout; the monitoring tier scales across the team.
- Pilot with 2-3 clients. Refine the deliverables before scaling.
Best practices
- Standardize the monthly report. Same template, branded.
- Track per-client metrics. Pass rate, sender count, policy level.
- Automate alerts. New senders should trigger an automated client communication.
- Productize remediation. Standard playbooks for common issues.
- Renew annually. Annual review is the natural renewal conversation.
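The per-client metrics and new-sender alert listed above can be computed directly from a DMARC aggregate (RUA) report. The following is an added example, not code from the original article or from any particular DMARC platform; the sample report, the `KNOWN_SENDERS` inventory and the `summarize` function are constructed for illustration, and senders are keyed by source IP as a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate (RUA) XML format.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>180</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical per-client sender inventory built during the audit and rollout.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}

def summarize(report_xml, known_senders):
    """Return pass rate, sender count, policy level and unknown sources."""
    root = ET.fromstring(report_xml)
    total = passed = 0
    per_source = {}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        total += count
        passed += count if ok else 0
        src = per_source.setdefault(ip, {"count": 0, "pass": 0})
        src["count"] += count
        src["pass"] += count if ok else 0
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sender_count": len(per_source),
        "pass_rate": round(passed / total, 4) if total else None,
        # Sources absent from the inventory are what the alert should fire on.
        "new_senders": sorted(set(per_source) - set(known_senders)),
        "per_source": per_source,
    }
```

Aggregate reports arrive from third-party receivers, so a production pipeline should parse them with a hardened XML parser such as `defusedxml` and decompress attachments with size limits.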
Recommended next step
Sketch your three-tier deliverables this week. SOW templates, pricing, and operational runbook. Two weeks of work yields a productized offering you can sell repeatedly.
FAQ
Can I skip tier 1 and go straight to rollout?
You can, but the audit creates the urgency that closes the rollout. Skipping it usually lengthens the sales cycle.
What if a client wants only the monitoring tier?
Their domain needs to already be at p=reject or close. Otherwise the rollout is required first.
Should the rollout tier include BIMI?
BIMI is usually a separate add-on. It's downstream of DMARC enforcement.
How do I handle multi-domain clients?
Pricing per domain with volume discounts. Enterprise clients negotiate.
What's the gross margin on the monitoring tier?
70-90% once the platform and process are in place. The recurring tier is the profitable one.
Final thoughts
The three-tier DMARC managed service is one of the cleanest packagings in MSP cybersecurity. Each tier has clear deliverables, defined scope, and natural pricing. Productize once; sell repeatedly.
The monitoring tier is the long-term value. The audit and rollout get you there.