MSP guide

DMARC monitoring for MSPs

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 16, 2026

DMARC monitoring for MSPs means collecting and reading aggregate (rua) reports across every client domain you manage, so you can see exactly who is sending as those domains. It's the essential first half of the job. The second half is enforcement: moving each domain from p=none to p=reject so spoofed mail is actually blocked.

Why DMARC landed on every MSP's desk

For years, DMARC was something security-minded companies did voluntarily. That ended in February 2024, when Google and Yahoo began requiring bulk senders (roughly 5,000+ messages a day) to authenticate with SPF, DKIM, and a published DMARC policy. Mail that failed the new requirements started bouncing or landing in spam, and it kept working fine for everyone who had done the setup.

Microsoft followed in 2025 with matching requirements for its consumer Outlook domains. Bulk mail from domains without proper authentication now comes back with 550 5.7.x rejections. You can check any domain against those requirements with the free Microsoft compliance checker.

Here is why that matters to you specifically: when a client's invoices stop arriving or their marketing blasts bounce, they don't call Google. They call their MSP. Email authentication quietly became part of the managed-services baseline, the same way backup and patching did, and unlike a one-off project, DMARC is an ongoing responsibility across every domain in your book. If you want the protocol fundamentals first, start with What is DMARC? and come back.

What DMARC monitoring actually involves

DMARC monitoring is built on aggregate reports. When a domain publishes a DMARC record with a rua= tag, every participating mail receiver (Google, Microsoft, Yahoo, and hundreds of others) sends a daily XML report to that address describing every message they saw claiming to come from the domain: the sending IP, whether SPF and DKIM passed, and whether the results aligned with the visible From address.

Reading those reports is how you answer the two questions that matter per domain: which senders are legitimate (the client's mail platform, their CRM, their invoicing tool, the marketing SaaS somebody signed up for last quarter), and who else is out there sending as the domain: misconfigured systems, forwarders, or someone actively spoofing it.

In practice, monitoring means parsing gzipped XML from dozens of receivers per domain per day, resolving IPs to actual services, and tracking per-source alignment over time. For one domain that's a chore. Across an MSP book, it's a data pipeline, which is why nobody does this in a mailbox.

A monitoring record done right: the rua tag

Correct

v=DMARC1; p=none;
rua=mailto:reports@dmarc.yourmsp.example

Reports for every client domain flow to an address you control, feeding one parsing pipeline. Because the report address is on a different domain than the client's, the receiving domain must also publish an external destination verification record; hosted DMARC handles this for you.

Common mistake

v=DMARC1; p=none;
rua=mailto:owner@clientdomain.example

Reports land as gzipped XML attachments in a human inbox. Nobody reads them, so the domain sits in 'monitoring' with zero actual visibility: all of the exposure of p=none, none of the benefit.

Monitoring one domain is a task. Monitoring fifty or two hundred is an operation, because the work recurs: every new client, every new SaaS tool, every key rotation restarts some part of the cycle. This is the actual job description:

The recurring work, across a client base

Recurring jobDoing it manuallyWhat automation does
New client onboardingAudit SPF/DKIM/DMARC for each domain by hand, publish records at each client's DNS host, set up report collection per domainImport the client's domains in bulk from your PSA, publish hosted records from one dashboard; reports start flowing within a day or two
A new SaaS sender appearsAn unfamiliar source shows up in reports; you chase down which department signed up for what, then edit SPF or set up DKIMThe agent identifies the service from report data and adds it to the domain's authentication if it's legitimate
SPF 10-lookup limit hitManually flatten includes, then re-audit every time one of the client's vendors changes their own SPFHosted SPF keeps the record under the lookup limit automatically
DKIM key rotationTrack selectors per client per sender, generate new keys, republish DNS at each host, retire the old keysHosted DKIM records rotate without touching the client's DNS
Report triageParse gzipped XML from dozens of receivers per domain per day and diff it against last weekReports are parsed and aggregated per source; you're alerted only when something changes

Monitoring vs enforcement: the part that actually stops spoofing

Here is the honest seam in every DMARC conversation: monitoring shows you the problem, and only enforcement fixes it. A domain at p=none delivers spoofed mail exactly as if DMARC weren't there; receivers just tell you about it afterward. Protection starts at p=quarantine, where failing mail is diverted to spam, and is complete at p=reject, where it's refused outright.

The ladder below is the whole rollout in one picture. Monitoring is step one: the listening post where you gather evidence. The value your client is paying for lives at step three.

You are here

Step 1

p=none

Monitor

Failing mail is still delivered — you only collect reports.

Step 2

p=quarantine

Contain

Failing mail is diverted to the spam or junk folder.

Step 3

p=reject

Block

Failing mail is refused outright and never arrives.

Monitoring onlyFull protection
A DMARC rollout moves left to right — from monitoring only, to containing spoofed mail, to blocking it outright.

This distinction is also where DMARC tools genuinely differ. Most platforms are monitoring products: excellent dashboards that show you what's failing and tell you what to change, while you (or your client) make every DNS edit and policy decision. That model works for a hands-on admin with two domains. Multiplied across an MSP book, guided-times-two-hundred is a job, which is why the make-or-break question for MSP tooling is whether it executes the path to enforcement or just describes it.

Check a client domain now

See the domain's current DMARC policy and reporting setup. The check runs instantly on the next page. Free, no signup.

Choosing DMARC tooling as an MSP

MSP requirements are different enough from single-company requirements that a great admin tool can be a poor MSP tool. Five criteria do most of the sorting:

  • Multi-tenancy: one dashboard for every client, with real per-client separation for reporting and access.
  • Per-domain pricing you can quote: published rates you can build into a service price, rather than a custom quote per client.
  • Hosted records: SPF, DKIM, and DMARC served from the platform, so changes don't require touching each client's DNS host.
  • PSA integration: client and domain import from the system you already run your business on.
  • White-label reporting: client-facing reports under your brand, ready for QBRs.

We've compared the major platforms on exactly these criteria (with every vendor claim cited to the vendor's own site) in our roundup of the best DMARC monitoring tools for MSPs. Most established platforms have some MSP answer; they differ widely on which of the five criteria they actually meet.

The margin math (an illustrative example)

DMARC management is unusual among security services in that the underlying platform cost is small, published, and per-domain, which makes the service economics easy to model. Palisade's published rate is $9 per domain per month, dropping to $7 from 100 domains and $5 from 1,000, with your own MSP's domain free forever as an NFR (see pricing).

The service-price side is yours to set: there's no standard market rate, and how you package it (a line item, part of a security bundle, included in a premium tier) matters more than the number. But to make the arithmetic concrete: if you charge, say, $25 per domain per month for managed email authentication across a 100-domain book, revenue is $2,500/month against a platform cost of about $700: roughly $1,800/month of gross margin on a service the platform mostly runs. At, say, $15/domain, the same book still contributes about $800/month. These are hypothetical service prices, not market statistics; plug in your own.

The structural point holds regardless of what you charge: because the platform is priced per domain with unlimited email volume and report retention on paid plans, your cost doesn't step up when a client's sending grows, so a fixed-fee service price doesn't get eroded underneath you.

An MSP rollout playbook

The same sequence works whether you're onboarding one client or standing up DMARC as a service line across your whole base:

  1. 1

    Batch-import client domains

    Pull domains in from your PSA (Palisade integrates natively with ConnectWise, HaloPSA, and Autotask) or import in bulk. Onboarding should be measured in minutes per client, not per domain.

  2. 2

    Baseline every domain at p=none with reporting

    Publish a monitor-only DMARC record with rua reporting into your pipeline. This changes nothing about mail delivery, so it's safe to do across the entire book on day one.

  3. 3

    Identify every legitimate sender

    Let reports accumulate for a few weeks, then resolve each sending source: the client's mail platform, CRM, invoicing, marketing tools. This is the step Palisade's agent does from report data; it's also the step that takes the longest by hand.

  4. 4

    Align senders, then move to p=quarantine

    Once every legitimate source passes SPF or DKIM with alignment, tighten the policy. Failing mail now goes to spam instead of the inbox: real protection, with a safety net while you watch for stragglers.

  5. 5

    Finish at p=reject, and keep monitoring

    When quarantine reports show no legitimate mail failing, move to p=reject. If you're migrating from another DMARC tool, run both in parallel first; a DMARC record supports multiple rua recipients, so both platforms receive the same reports during the overlap. Enforcement is a state to maintain, not a project to close: new senders will keep appearing, and monitoring is how you catch them.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Monitoring tells you who's spoofing your clients. Palisade's agent reads the reports, configures SPF and DKIM, and walks every client domain to p=reject, so the spoofing actually stops. Per-domain pricing from $9/month, native PSA integrations, hosted records.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

With a multi-tenant DMARC platform rather than one tool per client. Each client domain publishes a rua= address that routes aggregate reports into the platform, which parses the XML and shows per-domain, per-source authentication results in one dashboard. One detail that trips up MSPs: when reports for a client domain flow to an address on your domain, the receiving domain must publish an external destination verification record, or many receivers will refuse to send reports. Good platforms handle that automatically with hosted records.

It depends on how many services send mail as the domain. A simple domain (one mail platform, one or two SaaS senders) can often move from monitoring to p=reject in a few weeks. Domains with many senders take longer because every legitimate source needs SPF or DKIM alignment before you tighten the policy. The monitoring phase exists to find those senders; the mistake is letting it run forever.

There is no standard published rate: most MSPs either fold DMARC into a broader security bundle or price it per domain per month as a managed email security line item. The economics work as simple arithmetic: if you charge, say, $25 per domain per month and your platform costs $7–9 per domain, each managed domain contributes roughly $16–18 of monthly margin. The right price is whatever fits your market and packaging; the point is that the platform cost is small relative to typical managed-service pricing.

No. A multi-tenant platform manages every client domain from one dashboard, with per-client separation for reporting. Running separate single-tenant accounts per client multiplies logins, billing relationships, and per-domain costs, and makes cross-client triage (like spotting the same spoofing campaign across your book) much harder.

Nothing is protected. p=none is monitor-only: you receive reports, but mail that fails DMARC is still delivered, so anyone can spoof the domain and land in inboxes. A domain parked at p=none looks 'DMARC-enabled' on an audit checklist while providing zero enforcement. Monitoring is the means; p=reject is the end.

For bulk senders, yes. Since February 2024, Google and Yahoo require senders of roughly 5,000+ messages per day to publish a DMARC policy (at minimum p=none), among other authentication requirements. Microsoft announced matching requirements for consumer Outlook domains in 2025, rejecting non-compliant bulk mail with 550 5.7.x errors. Below those volumes the rules are softer, but unauthenticated mail increasingly lands in spam regardless of volume.

Keep reading

See how Palisade works for MSPs