For Managed Service Providers

DMARC for MSPs: a managed-service practice, not a one-off project.

DMARC is the rare email-security control that maps cleanly to a recurring MSP service line: every client domain needs it, the setup is non-trivial enough that clients can't self-serve, and the operational lift (reading reports, escalating policy, tracking shadow senders) is permanent. This page covers what it takes to run DMARC as a service across a portfolio — pricing, tiers, deployment, reporting cadence, and the offramps that protect both you and the client.

Why DMARC fits the MSP shape

Recurring revenue from an annoying, permanent problem.

Most security controls land as a project: roll out MFA, deploy the EDR agent, ship the awareness training, close the engagement. DMARC doesn't behave that way. The DNS record is two lines of TXT, but the work around it — reading aggregate reports, hunting shadow senders, deciding when it's safe to move from p=none to p=quarantine to p=reject, repairing alignment when the client's marketing team signs up for a new SaaS — is permanent.

That permanence is the asset. A client who pays for "DMARC monitoring and enforcement" pays you every month for as long as they send email. Adding a domain to the service is a few minutes of work; the recurring billable is the report review and the policy progression. The work scales sub-linearly with the number of client domains because most of the operational effort is templated.

Three structural traits make it work as a managed line: (1) clients can't realistically run it themselves — the XML reports are unreadable without a parser; (2) the operational rhythm matches a typical MSP cadence (weekly review, monthly report, quarterly business review); (3) the risk of getting it wrong is concentrated at the moment of policy escalation, which the MSP owns rather than the client.

Anatomy of a DMARC service line

Three tiers that almost every successful practice ends up with.

The shape converges across practices. The labels differ — "Monitor / Manage / Enforce", "Bronze / Silver / Gold", "Visibility / Active / Hardened" — but the buckets are the same. Pricing differs by region and by the rest of the MSP's stack; the structural pattern doesn't.


Tier 1 — Monitoring

Entry level. Visibility, no enforcement.

  • Publish p=none with a managed RUA endpoint pointed at your DMARC platform.
  • Monthly report: senders discovered, pass/fail rate, outliers worth investigating.
  • Quarterly recommendation: ready for Tier 2 or still finding senders.

Most popular

Tier 2 — Active management

Monitoring + remediation work.

  • Everything in Tier 1, plus authentication fixes — SPF includes, DKIM enablement, alignment repair.
  • Policy escalation to p=quarantine on a phased schedule with rollback windows.
  • Change-control coverage for new SaaS signups that touch email.

Tier 3 — Hardened

Enforcement + BIMI + MTA-STS.

  • Everything in Tier 2, plus p=reject with continuous monitoring.
  • MTA-STS + TLS-RPT to harden inbound transport.
  • BIMI rollout when the brand is ready, including VMC sourcing if the client wants it.

Each tier links to the next via a clear gate — Tier 1 → Tier 2 when the sender inventory is stable and known-good; Tier 2 → Tier 3 when pass-rate at p=quarantine has been steady for several reporting cycles. The gates are what protect both the MSP and the client from premature enforcement.

The playbook

From new client to fully enforced — a repeatable rollout.

The work below is the actual labor on a typical client engagement. Sequence matters: skipping discovery and going straight to enforcement is how MSPs end up quarantining the client's newsletter and inheriting a Slack channel full of furious sales reps.

Phase 1

Sender discovery (weeks 1–4)

Publish p=none with the platform RUA endpoint. Read the first 2-4 weeks of aggregate reports. Build the canonical list of "everything that sends as this client" — Microsoft 365, the CRM, the help-desk, the marketing tool, the SaaS the finance team forgot to mention. This list is the artefact that justifies the whole engagement to the client.

Phase 2

Authentication fixes (weeks 3–8)

Walk the discovery list. For each legitimate sender: add the SPF include or DKIM key. Resolve alignment issues — most third-party senders need a custom DKIM domain rather than a generic @servicedomain signature. Repeat until aggregate reports show ~100% DMARC pass for known-good senders.

Phase 3

Quarantine rollout (weeks 8–12)

Move policy to p=quarantine; pct=25, then 50, then 100, watching pass-rate at each step. Keep a rollback window of one business day at each percentage so a missed sender surfaces while it's still cheap to fix. Document the change in the client's change calendar.

Phase 4

Reject + steady state (week 12 onward)

Move policy to p=reject when quarantine has been stable for several reporting cycles. The work doesn't stop — new SaaS signups, brand acquisitions, sub-domain delegations, and quarterly DKIM rotations keep the operational cadence active. This is the recurring billable that justifies the line item.
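
An added example, not part of the original page or the platform's own code: a minimal Python parser for the aggregate (RUA) reports read in Phases 1 and 2, producing the per-source sender inventory and the known-good pass rate that gate escalation. The report XML, domains, IPs and the `known_good` allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 layout; the domains and the
# documentation-range IPs are placeholders, not real client data.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>client.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>client.example</domain><result>pass</result></dkim></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>mailer.example</domain><result>pass</result></dkim></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def sender_inventory(report_xml):
    """Summarise one report as {source_ip: {"total", "passed", "dkim_domains"}}."""
    # Reports come from arbitrary receivers: in production, parse them with a
    # hardened parser (for example defusedxml) rather than the bare stdlib one.
    inventory = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes on either.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = inventory.setdefault(row.findtext("source_ip"),
                                     {"total": 0, "passed": 0, "dkim_domains": set()})
        entry["total"] += count
        entry["passed"] += count if ok else 0
        entry["dkim_domains"].update(d.text for d in rec.iterfind("auth_results/dkim/domain"))
    return inventory

def review(inventory, known_good):
    """Split sources into Phase 1 unknowns and Phase 2 alignment work."""
    known = {ip: e for ip, e in inventory.items() if ip in known_good}
    total = sum(e["total"] for e in known.values())
    return {
        "unknown_sources": sorted(set(inventory) - set(known_good)),
        "needs_fix": sorted(ip for ip, e in known.items() if e["passed"] < e["total"]),
        "known_good_pass_rate": sum(e["passed"] for e in known.values()) / total if total else 0.0,
    }

if __name__ == "__main__":
    inv = sender_inventory(SAMPLE_REPORT)
    print(review(inv, known_good={"192.0.2.10", "198.51.100.7"}))
```

In the sample, 198.51.100.7 is a known sender whose DKIM signature verifies for mailer.example but is not aligned with client.example, which is the custom-DKIM-domain case from Phase 2; 203.0.113.99 is an unlisted source to investigate before any policy change.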

Start the practice

Two ways to start running DMARC across a client portfolio.

Self-serve No credit card

Start a free 30-day Premium trial

Sign up, add the first client domain, and see real aggregate reports inside 48 hours. Unlimited Basic monitoring (*fair use policy) is always free; Premium is yours for 30 days, then per-active-domain afterwards.

Guided: 30 minutes with an engineer

Book demo

Walk through the multi-tenant dashboard with a real engineer. Bring a client domain — we will load it live and show what the reports look like across an MSP portfolio.

FAQ

DMARC-as-a-service: the questions buyers actually ask.

Is DMARC actually a recurring service or a one-time project?

Recurring. The DNS record is published once, but new SaaS signups, brand acquisitions, sub-domain delegations, DKIM key rotations, and quarterly policy reviews mean there is always something to do. Practices that try to bill DMARC as a one-time project re-do the discovery six months later when the client's sender inventory has drifted.

What's the right price point for a managed DMARC service?

It depends on tier and region, but the structural rule holds across markets: Tier 1 monitoring is a low monthly figure (think the cost of a coffee per domain per month) that covers platform + report review; Tier 2 active management is multiples of that to reflect the remediation labor; Tier 3 enforcement carries a premium because the consequences of getting it wrong are concentrated there. The full article on pricing DMARC services walks through the math.

What happens to DMARC when we offboard a client?

Three concrete handovers: (1) RUA endpoint — change the address in the client's _dmarc TXT record so reports stop flowing to your platform; (2) policy ownership — document the current p= and pct= state so the next owner doesn't roll back; (3) sender inventory — hand the discovery artefact over as a static document. The full mechanics live in the tenant offboarding article.

How do we avoid breaking the client's email during enforcement?

Phased pct rollout with rollback windows. Move pct=25 → 50 → 100 inside p=quarantine before going to p=reject; keep a one-business-day rollback window at each step; document the change in the client's calendar so support tickets get routed correctly. The detailed playbook lives in moving from monitoring to enforcement safely.

Can we white-label the client reports?

Yes. Branded PDF exports and a white-label client portal mean the report carries the MSP's logo and colors rather than ours. The platform stays invisible to the end-client so the MSP brand is the one in front of the conversation.

Start the practice with one free tenant.

Sign up for free, add one client domain, publish p=none with our RUA endpoint, and see real aggregate reports inside 48 hours. No credit card, no commitment, no pressure on Premium until you're ready.