MSP guide
DMARC monitoring for MSPs

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 16, 2026
DMARC monitoring for MSPs means collecting and reading aggregate (rua) reports across every client domain you manage, so you can see exactly who is sending as those domains. It's the essential first half of the job. The second half is enforcement: moving each domain from p=none to p=reject so spoofed mail is actually blocked.
Why DMARC landed on every MSP's desk
For years, DMARC was something security-minded companies did voluntarily. That ended in February 2024, when Google and Yahoo began requiring bulk senders (roughly 5,000+ messages a day) to authenticate with SPF, DKIM, and a published DMARC policy. Mail that failed the new requirements started bouncing or landing in spam, and it kept working fine for everyone who had done the setup.
Microsoft followed in 2025 with matching requirements for its consumer Outlook domains. Bulk mail from domains without proper authentication now comes back with 550 5.7.x rejections. You can check any domain against those requirements with the free Microsoft compliance checker.
Here is why that matters to you specifically: when a client's invoices stop arriving or their marketing blasts bounce, they don't call Google. They call their MSP. Email authentication quietly became part of the managed-services baseline, the same way backup and patching did, and unlike a one-off project, DMARC is an ongoing responsibility across every domain in your book. If you want the protocol fundamentals first, start with What is DMARC? and come back.
What DMARC monitoring actually involves
DMARC monitoring is built on aggregate reports. When a domain publishes a DMARC record with a rua= tag, every participating mail receiver (Google, Microsoft, Yahoo, and hundreds of others) sends a daily XML report to that address describing every message they saw claiming to come from the domain: the sending IP, whether SPF and DKIM passed, and whether the results aligned with the visible From address.
Reading those reports is how you answer the two questions that matter per domain: which senders are legitimate (the client's mail platform, their CRM, their invoicing tool, the marketing SaaS somebody signed up for last quarter), and who else is out there sending as the domain: misconfigured systems, forwarders, or someone actively spoofing it.
In practice, monitoring means parsing gzipped XML from dozens of receivers per domain per day, resolving IPs to actual services, and tracking per-source alignment over time. For one domain that's a chore. Across an MSP book, it's a data pipeline, which is why nobody does this in a mailbox.
A monitoring record done right: the rua tag
Correct
v=DMARC1; p=none;
rua=mailto:reports@dmarc.yourmsp.exampleReports for every client domain flow to an address you control, feeding one parsing pipeline. Because the report address is on a different domain than the client's, the receiving domain must also publish an external destination verification record; hosted DMARC handles this for you.
Common mistake
v=DMARC1; p=none;
rua=mailto:owner@clientdomain.exampleReports land as gzipped XML attachments in a human inbox. Nobody reads them, so the domain sits in 'monitoring' with zero actual visibility: all of the exposure of p=none, none of the benefit.
Monitoring one domain is a task. Monitoring fifty or two hundred is an operation, because the work recurs: every new client, every new SaaS tool, every key rotation restarts some part of the cycle. This is the actual job description:
The recurring work, across a client base
| Recurring job | Doing it manually | What automation does |
|---|---|---|
| New client onboarding | Audit SPF/DKIM/DMARC for each domain by hand, publish records at each client's DNS host, set up report collection per domain | Import the client's domains in bulk from your PSA, publish hosted records from one dashboard; reports start flowing within a day or two |
| A new SaaS sender appears | An unfamiliar source shows up in reports; you chase down which department signed up for what, then edit SPF or set up DKIM | The agent identifies the service from report data and adds it to the domain's authentication if it's legitimate |
| SPF 10-lookup limit hit | Manually flatten includes, then re-audit every time one of the client's vendors changes their own SPF | Hosted SPF keeps the record under the lookup limit automatically |
| DKIM key rotation | Track selectors per client per sender, generate new keys, republish DNS at each host, retire the old keys | Hosted DKIM records rotate without touching the client's DNS |
| Report triage | Parse gzipped XML from dozens of receivers per domain per day and diff it against last week | Reports are parsed and aggregated per source; you're alerted only when something changes |
Monitoring vs enforcement: the part that actually stops spoofing
Here is the honest seam in every DMARC conversation: monitoring shows you the problem, and only enforcement fixes it. A domain at p=none delivers spoofed mail exactly as if DMARC weren't there; receivers just tell you about it afterward. Protection starts at p=quarantine, where failing mail is diverted to spam, and is complete at p=reject, where it's refused outright.
The ladder below is the whole rollout in one picture. Monitoring is step one: the listening post where you gather evidence. The value your client is paying for lives at step three.
Step 1
p=noneMonitor
Failing mail is still delivered — you only collect reports.
Step 2
p=quarantineContain
Failing mail is diverted to the spam or junk folder.
Step 3
p=rejectBlock
Failing mail is refused outright and never arrives.
This distinction is also where DMARC tools genuinely differ. Most platforms are monitoring products: excellent dashboards that show you what's failing and tell you what to change, while you (or your client) make every DNS edit and policy decision. That model works for a hands-on admin with two domains. Multiplied across an MSP book, guided-times-two-hundred is a job, which is why the make-or-break question for MSP tooling is whether it executes the path to enforcement or just describes it.
Check a client domain now
See the domain's current DMARC policy and reporting setup. The check runs instantly on the next page. Free, no signup.
Choosing DMARC tooling as an MSP
MSP requirements are different enough from single-company requirements that a great admin tool can be a poor MSP tool. Five criteria do most of the sorting:
- Multi-tenancy: one dashboard for every client, with real per-client separation for reporting and access.
- Per-domain pricing you can quote: published rates you can build into a service price, rather than a custom quote per client.
- Hosted records: SPF, DKIM, and DMARC served from the platform, so changes don't require touching each client's DNS host.
- PSA integration: client and domain import from the system you already run your business on.
- White-label reporting: client-facing reports under your brand, ready for QBRs.
We've compared the major platforms on exactly these criteria (with every vendor claim cited to the vendor's own site) in our roundup of the best DMARC monitoring tools for MSPs. Most established platforms have some MSP answer; they differ widely on which of the five criteria they actually meet.
The margin math (an illustrative example)
DMARC management is unusual among security services in that the underlying platform cost is small, published, and per-domain, which makes the service economics easy to model. Palisade's published rate is $9 per domain per month, dropping to $7 from 100 domains and $5 from 1,000, with your own MSP's domain free forever as an NFR (see pricing).
The service-price side is yours to set: there's no standard market rate, and how you package it (a line item, part of a security bundle, included in a premium tier) matters more than the number. But to make the arithmetic concrete: if you charge, say, $25 per domain per month for managed email authentication across a 100-domain book, revenue is $2,500/month against a platform cost of about $700: roughly $1,800/month of gross margin on a service the platform mostly runs. At, say, $15/domain, the same book still contributes about $800/month. These are hypothetical service prices, not market statistics; plug in your own.
The structural point holds regardless of what you charge: because the platform is priced per domain with unlimited email volume and report retention on paid plans, your cost doesn't step up when a client's sending grows, so a fixed-fee service price doesn't get eroded underneath you.
An MSP rollout playbook
The same sequence works whether you're onboarding one client or standing up DMARC as a service line across your whole base:
- 1
Batch-import client domains
Pull domains in from your PSA (Palisade integrates natively with ConnectWise, HaloPSA, and Autotask) or import in bulk. Onboarding should be measured in minutes per client, not per domain.
- 2
Baseline every domain at p=none with reporting
Publish a monitor-only DMARC record with rua reporting into your pipeline. This changes nothing about mail delivery, so it's safe to do across the entire book on day one.
- 3
Identify every legitimate sender
Let reports accumulate for a few weeks, then resolve each sending source: the client's mail platform, CRM, invoicing, marketing tools. This is the step Palisade's agent does from report data; it's also the step that takes the longest by hand.
- 4
Align senders, then move to p=quarantine
Once every legitimate source passes SPF or DKIM with alignment, tighten the policy. Failing mail now goes to spam instead of the inbox: real protection, with a safety net while you watch for stragglers.
- 5
Finish at p=reject, and keep monitoring
When quarantine reports show no legitimate mail failing, move to p=reject. If you're migrating from another DMARC tool, run both in parallel first; a DMARC record supports multiple rua recipients, so both platforms receive the same reports during the overlap. Enforcement is a state to maintain, not a project to close: new senders will keep appearing, and monitoring is how you catch them.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
Monitoring tells you who's spoofing your clients. Palisade's agent reads the reports, configures SPF and DKIM, and walks every client domain to p=reject, so the spoofing actually stops. Per-domain pricing from $9/month, native PSA integrations, hosted records.
Free 15-day trial · No credit card · Your own domain free forever (NFR)
Frequently asked questions
Keep reading
p=nonep=quarantinep=rejectadkim / aspfSPF 10-lookup limitDKIM selectorsBest DMARC tools for MSPsEmail deliverability hubPricing