arrow_back Back to Blog
DMARC & Email Security February 17, 2026 · 14 min read

DMARC for MSPs: Complete 2026 Guide to Deployment, Enforcement, and Revenue

DMARC is no longer optional for Managed Service Providers. It's required by PCI DSS 4.0, expected under NIS2, and increasingly demanded by clients who've experienced phishing attacks. This guide covers everything you need — from your first DNS record to full enforcement across every client domain — and how to monetize it.

What is DMARC and why does it matter for MSPs?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a DNS-based email authentication policy that tells receiving mail servers what to do when an email claiming to come from your domain fails authentication checks.

Without DMARC, anyone on the internet can send an email with From: yourclients@company.com in the header. SPF and DKIM provide authentication individually, but they don't tell the receiving server to reject the message when authentication fails — only DMARC does that.

For MSPs, this matters because:

  • Every unprotected client domain is an attack surface. Attackers routinely spoof supplier and vendor domains to launch business email compromise (BEC) attacks.
  • Compliance frameworks now require it. PCI DSS 4.0 Requirement 5.4.1, NIS2, and numerous cyber insurance policies explicitly reference DMARC.
  • It's a billable service. DMARC setup and ongoing monitoring is a natural expansion of any MSP's managed security offering.

How SPF, DKIM, and DMARC work together

These three records work as a stack. You need all three for full email authentication:

Record What it does What it doesn't do alone
SPF Lists the IP addresses authorized to send email for a domain Doesn't protect the visible From: address
DKIM Adds a cryptographic signature to outgoing messages Doesn't tell receivers what to do if verification fails
DMARC Sets the enforcement policy and requests aggregate reports Requires SPF and/or DKIM to pass and align to be effective

DMARC alignment is the key concept: not only must SPF or DKIM pass, the authenticated domain must align with the domain in the visible From: header. This is what prevents header spoofing even when a message passes basic SPF checks.

What MSPs need from a DMARC solution

Consumer-grade and SMB DMARC tools are designed for a single organisation managing their own domain. MSPs have fundamentally different requirements:

  • Multi-tenant dashboard. See every client's DMARC posture in one view — policy level, pass rates, and open issues — without switching between accounts.
  • Guided policy enforcement. Move clients from p=none to p=reject safely, with data-backed recommendations that prevent breaking legitimate email.
  • Automatic aggregate report parsing. DMARC RUA reports arrive as XML — a good platform parses them automatically so you never have to download or process raw files.
  • Proactive alerting. Know when pass rates drop, policies change unexpectedly, or new unknown senders appear — before a client contacts you about email problems.
  • Full audit trail. Every policy change and DNS update should be logged with timestamps and actor information, both for internal governance and for client reporting.

Standalone DMARC tools deliver most of these capabilities, but they exist in isolation from the rest of the infrastructure MSPs manage. If you're already handling DNS records, domain registrations, and website hosting for your clients, a platform that unifies DMARC with those services eliminates tool-switching and gives you a single view of every client's email security posture alongside their full infrastructure.

Step-by-step: deploying DMARC safely across client domains

Step 1: Audit existing SPF and DKIM records

Before adding a DMARC record, verify that each client domain has valid, aligned SPF and DKIM records for all legitimate senders. Common senders to check:

  • Microsoft 365 or Google Workspace (primary business email)
  • Marketing platforms: Mailchimp, HubSpot, Constant Contact
  • CRM and support tools: Salesforce, Zendesk, Intercom
  • Billing and transactional: QuickBooks, Stripe, DocuSign

For any third-party sender that cannot support DKIM signing on the client's domain, isolate their traffic to a dedicated subdomain (e.g., mail.company.com) before advancing DMARC policy on the root domain.

Step 2: Publish a p=none record

Start with a monitoring-only DMARC record. This tells receiving servers to take no action on failures, but to send aggregate reports to your RUA address:

_dmarc.clientdomain.com TXT

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourmsp.com; adkim=s; aspf=s;

Note: setting adkim=s and aspf=s enforces strict alignment — the authenticated domain must exactly match the From: domain. This is stricter than the default relaxed mode, but it gives you cleaner data and is necessary for full spoofing protection.

Step 3: Collect and review aggregate reports for 2–4 weeks

During the monitoring phase, aggregate reports will reveal every source sending email from the client's domain. Review:

  • Are all expected senders passing SPF and DKIM alignment?
  • Are there senders you don't recognise? (These could be attackers or forgotten services.)
  • Is your primary mail platform (Microsoft 365 / Google Workspace) achieving near-100% alignment?

Don't advance policy until your core business email achieves near-perfect alignment and all legitimate senders are identified and accounted for.

Step 4: Advance to p=quarantine

Update the policy tag to quarantine failing messages rather than drop them:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourmsp.com; adkim=s; aspf=s;

Start with pct=10 (apply policy to 10% of failing messages) and increase gradually while monitoring for any legitimate email appearing in spam folders. Keep your previous record documented and ready to revert if something breaks unexpectedly.

Step 5: Advance to p=reject

Once you have 2+ weeks of stable p=quarantine data with no legitimate email in spam, advance to full rejection:

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourmsp.com; adkim=s; aspf=s;

At p=reject with pct=100, any message that fails DMARC alignment is rejected outright by the receiving mail server. Spoofing the client's domain becomes effectively impossible.

Moving from p=none to p=reject: common mistakes to avoid

warning
Skipping p=quarantine
check_circle
Always spend time at p=quarantine before p=reject. The quarantine stage catches legitimate mail you missed during monitoring before it starts getting rejected.
warning
Moving pct to 100% too fast
check_circle
Use a stepped approach: pct=10 → pct=50 → pct=100 over a few weeks. This limits blast radius if a legitimate sender is still misaligned.
warning
Forgetting subdomains
check_circle
Subdomains inherit the root domain's policy unless you define sp= explicitly. Set sp=none during monitoring on subdomains that send email, then enforce separately.
warning
No rollback plan
check_circle
Before changing the policy, document the exact current record and confirm you can revert within minutes. A DNS change that breaks email feels very fast when a client is calling.
warning
Third-party sender that can't do DKIM
check_circle
For legacy applications that cannot authenticate properly, isolate their traffic to a dedicated subdomain. This protects your primary domain's reputation while the legacy system continues to function.

DMARC and compliance requirements in 2026

DMARC has crossed from best practice into formal compliance territory. If your clients operate under any of the following frameworks, DMARC enforcement is either required or strongly expected:

  • PCI DSS 4.0 — Requirement 5.4.1 includes DMARC as part of anti-phishing controls. Required for any client processing payment card data. Deadline for full compliance has now passed, making this an active audit point.
  • NIS2 Directive (EU) — Requires organizations to implement technical measures against email-based threats. DMARC enforcement is a direct fulfillment of this obligation for any EU-operating client.
  • ISO/IEC 27001 — Email authentication controls support Annex A.8 asset management and protection requirements. DMARC documentation strengthens audit evidence.
  • HIPAA / CJIS — While not explicitly named, DMARC report history and enforcement documentation provides verifiable evidence of technical controls for HIPAA risk assessments and CJIS security policy requirements.

For MSPs, compliance requirements are a strong business development angle. Many clients don't know their compliance framework now references DMARC — this creates a genuine, urgent reason to act that makes the conversation straightforward.

DMARC as a profitable MSP service

DMARC is technically complex and time-consuming to configure correctly — especially for clients with multiple sending platforms. That complexity is an opportunity. MSPs can productize DMARC into a recurring service with clear deliverables:

  • One-time setup fee covering domain audit, SPF/DKIM remediation, and initial DMARC record publication with monitoring
  • Monthly management fee covering ongoing report analysis, policy advancement, alert monitoring, and new sender identification
  • Quarterly compliance report showing enforcement progress, pass rates, threats blocked, and compliance posture — a client-ready deliverable that justifies the recurring fee

To make this margin-positive at scale, you need a platform that automates the routine work: parsing incoming DMARC reports, recommending policy changes, and alerting on anomalies across all client domains simultaneously. Handling this manually across even 20 clients becomes unsustainable quickly.

With Albaspot, DMARC management is part of the same platform where you already manage client DNS records and domain registrations. There's no separate DMARC tool to license, no copy-pasting data between systems, and no context-switching when a client's domain configuration needs updating.

Frequently asked questions

What is DMARC and why does it matter for MSPs? expand_more
DMARC prevents spoofing and phishing from your clients' domains. Without it, attackers can send emails that appear to come from a client's domain, damaging their reputation and enabling targeted phishing attacks. PCI DSS 4.0 now formally references DMARC, making it baseline security for any MSP with compliance-sensitive clients.
How long should we stay in the p=none monitoring phase? expand_more
Typically 2–4 weeks is sufficient to capture data from all major mailbox providers. Stay in monitoring until aggregate reports show no unexpected failing sources and your core business email achieves near-perfect alignment.
Will moving to p=reject break legitimate email? expand_more
Not if you follow a phased process. The most common mistake is advancing too quickly. Review all sending sources at p=none, confirm alignment for business-critical senders, then advance gradually through p=quarantine before reaching p=reject.
Is DMARC required for PCI DSS 4.0 compliance? expand_more
PCI DSS 4.0 Requirement 5.4.1 includes DMARC as part of anti-phishing controls. Any MSP serving clients that process payment card data should treat DMARC as a compliance requirement, not just a best practice.
Can DMARC services generate recurring revenue for MSPs? expand_more
Yes. MSPs bundle DMARC setup, monitoring, policy enforcement, and reporting into a managed security service. Because the work is technically complex and ongoing, it supports a monthly recurring fee. A multi-tenant platform keeps the margin strong as your client base grows.

Related reading

article

How to Set Up DMARC Properly: A Step-by-Step Guide to Moving from Monitoring to Enforcement

A deeper dive into the enforcement rollout process covered in this guide.

 article

The DMARC Audit Guide for MSPs: Domain Inventory, Sender Remediation, and Client Reporting

How to run a structured DMARC audit across all your client domains — from inventory to client report.

 article

Best DMARC Solutions for MSPs in 2026: A Practical Comparison

How the major DMARC platforms compare for MSPs managing multiple client domains.

Manage DMARC across all your clients from one platform

Albaspot combines DMARC monitoring, DNS management, domain registration, and website hosting — so you manage everything for every client in one place.

Start free trial arrow_forward