MSP Business February 24, 2026 · 10 min read

How to Price and Sell DMARC Services as an MSP

DMARC is one of the most defensible recurring services an MSP can offer — it solves a real, ongoing problem, requires expertise clients don't have, and has compliance urgency driving it. Here's how to package it, price it, and close the conversation.


Why DMARC is a strong recurring service

Most security services MSPs offer are reactive — EDR responds to threats, backups restore after incidents. DMARC is proactive and continuous: it generates reports daily, senders change over time, new services get added to client environments, and policy needs to be maintained as email infrastructure evolves.

That continuous nature is what makes it a recurring service, not a one-time setup fee. The legitimate ongoing work includes:

  • Reviewing aggregate reports for new or unknown senders
  • Advancing enforcement policy as the data supports it
  • Investigating DMARC failures and remediating alignment issues
  • Monitoring for policy drift (someone changes the DMARC record without telling you)
  • Producing quarterly reports showing enforcement progress and threats blocked
  • Re-reviewing alignment when a client onboards a new email-sending service

Clients can't do this themselves — the XML report format is opaque, the concepts are technical, and they don't have time. That gap is your value.
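The report review described above can be scripted. The following is an added example, not code from this post or from any vendor: it reads an aggregate report in the RFC 7489 XML layout and flags unknown senders and known senders that fail alignment. The sample report, the IP addresses and the KNOWN_SENDERS inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>client.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical per-client inventory of approved sending IPs.
KNOWN_SENDERS = {"192.0.2.10": "mail gateway", "198.51.100.7": "marketing platform"}

def summarize(xml_text, known_senders):
    """Return one finding per source IP, sorted by message volume."""
    # Reports come from third parties: in production use a hardened parser
    # (for example defusedxml) rather than the stdlib parser used here.
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: [0, 0])  # ip -> [messages, messages passing DMARC]
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip][0] += count
        totals[ip][1] += count if passed else 0
    findings = []
    for ip, (messages, passing) in totals.items():
        rate = passing / messages if messages else 0.0
        if ip not in known_senders:
            status = "unknown sender"
        elif rate < 1.0:
            status = "alignment issue"
        else:
            status = "ok"
        findings.append({"ip": ip, "sender": known_senders.get(ip),
                         "messages": messages, "pass_rate": round(rate, 2),
                         "status": status})
    return sorted(findings, key=lambda f: -f["messages"])

if __name__ == "__main__":
    for finding in summarize(SAMPLE_REPORT, KNOWN_SENDERS):
        print(finding)
```

An "unknown sender" row is either a service the client added without telling you or mail spoofing the domain; an "alignment issue" row is an approved service whose SPF or DKIM setup needs fixing before policy can advance.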

How to package DMARC as a service

There are three common packaging approaches:

1. Standalone DMARC managed service

A dedicated DMARC service tier with clear deliverables. Works well for clients who are compliance-driven or have had a phishing incident.

Example: DMARC Managed Service

  • Initial audit: current DMARC, SPF, DKIM posture across all domains
  • Setup: publish or correct DMARC record, configure RUA reporting
  • Monthly: report review, sender identification, policy advancement recommendations
  • Quarterly: executive summary with enforcement progress and threats blocked
  • Ongoing: alerts for policy drift, new unknown senders, pass rate drops

2. Domain security bundle

Bundle DMARC with related services: DNS health monitoring, SSL certificate management, domain expiry alerts. The bundled value is more tangible than DMARC alone — clients understand "domain security" more intuitively than "email authentication."

Example: Domain Security Bundle

  • DMARC monitoring and enforcement management
  • DNS record change monitoring (alert on unexpected changes)
  • SSL certificate expiry monitoring and proactive renewal
  • Domain expiry alerts and auto-renew management
  • Monthly domain health digest

3. Included in security or managed services tier

Add DMARC monitoring as a line item in your existing managed services tiers. This drives adoption across your entire client base and makes it a retention feature — clients who stop paying lose DMARC coverage, creating a tangible reason to stay. Works best if you can show the value in a monthly report.

Pricing models and what to charge

DMARC service pricing in the MSP channel typically follows one of three models:

Per-client flat fee

Simplest to sell and invoice. One monthly price per client regardless of how many domains they have. Works well if clients have 1–5 domains. Loses margin on clients with 20+ domains unless the price accounts for complexity.

  • Setup: $300–$800 per client (depends on sender complexity and number of domains)
  • Monthly management: $75–$200 per client

Per-domain pricing

More scalable for MSPs with clients that have many domains. Pricing is transparent and easy to justify — clients understand they're paying per asset protected.

  • Setup: $100–$300 per domain (first few domains) with a client-level minimum
  • Monthly: $8–$20 per domain per month

Tiered service levels

Offer Basic (monitoring only), Standard (monitoring + enforcement management), and Premium (monitoring + enforcement + quarterly reporting + compliance documentation). This lets price-sensitive clients get started and creates upsell paths.

Revenue example at scale

40 clients × $125/month average = $5,000/month recurring from DMARC alone. At 100 clients × $125/month = $12,500/month. The tooling cost per client is typically under $10/month, keeping margins at 85–90%.

How to sell it: the conversation and the hook

Most clients don't know what DMARC is and don't care about the technical details. Lead with outcomes and urgency, not acronyms.

The compliance hook (strongest closer)

"PCI DSS 4.0 now formally requires DMARC for any organization processing payment card data. If your clients accept payments online, this is a compliance item — not optional. We can get it sorted before your next audit."

This works because it creates an external deadline, transfers responsibility ("the standard requires it, not us"), and positions you as proactively ahead of the requirement.

The free domain risk check (strongest opener)

Run a DMARC check on the client's domain before the conversation. Most will be at p=none or missing entirely. Show them the result:

"I ran a quick check on your domain — right now, anyone on the internet can send an email that appears to come from yourcompany.com and there's nothing stopping it from reaching your customers' inboxes. We can fix that."

Concrete, non-technical, immediately relevant to them.
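The domain check above, and the policy-drift monitoring listed earlier among the ongoing work, both come down to reading the TXT record at _dmarc.<domain>. The following is an added example, not code from this post: it classifies the record's posture and compares a live record to a stored baseline. The DNS lookup itself is assumed to happen elsewhere, and the sample records and domain names are constructed.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into ordered (tag, value) pairs."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    return [(tag.strip().lower(), value.strip()) for tag, value in pairs]

def assess(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> (lookup done elsewhere)."""
    parsed = [parse_tags(r) for r in txt_records]
    dmarc = [dict(tags) for tags in parsed if tags and tags[0] == ("v", "DMARC1")]
    if not dmarc:
        return {"posture": "missing", "issues": ["no DMARC record published"]}
    if len(dmarc) > 1:
        # RFC 7489: with more than one DMARC record, receivers apply none of them.
        return {"posture": "invalid", "issues": ["multiple DMARC records"]}
    tags, issues = dmarc[0], []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"posture": "invalid", "issues": ["p tag missing or unrecognized"]}
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "none":
        posture = "monitoring only"
        issues.append("p=none: receivers take no action on mail that fails DMARC")
    elif pct < 100:
        posture = "partial enforcement"
        issues.append(f"policy applies to only {pct}% of failing mail")
    else:
        posture = "enforced"
    if "rua" not in tags:
        issues.append("no rua address: no aggregate reports are being collected")
    return {"posture": posture, "policy": policy, "issues": issues}

def drift(baseline_record, current_record):
    """Tags whose value changed between the stored baseline and the live record."""
    old, new = dict(parse_tags(baseline_record)), dict(parse_tags(current_record))
    return {t: (old.get(t), new.get(t)) for t in sorted(old.keys() | new.keys())
            if old.get(t) != new.get(t)}

# Constructed sample records (not from any real domain).
SAMPLES = {
    "no-record.example": ["v=spf1 include:_spf.mail.example ~all"],
    "monitor.example": ["v=DMARC1; p=none"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@msp.example"],
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@msp.example"],
}
if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, assess(records))
```

A non-empty result from drift() on a client at p=reject is the alert condition: someone changed the record outside your change process.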

The incident reference

If a client has recently dealt with phishing, BEC (business email compromise), or email fraud — or a peer company has — that's the window. "This is how that happened. DMARC closes that attack vector."

Handling client objections

"We already have email security / spam filtering."
Spam filtering filters incoming threats. DMARC prevents your domain from being used to attack others — including your customers and suppliers. They solve different problems.

"Won't this break our email?"
Not if you do it right. We start with monitoring-only mode (p=none) for 4 weeks to map all your sending services. Nothing changes for your email during that phase. We only advance policy when the data confirms it's safe.

"We're a small company, no one would target us."
Attackers don't target you specifically — they look for domains that aren't protected and use them opportunistically. A p=none domain is attractive precisely because there are no consequences for sending from it.

"Can't we just set it up once and be done?"
The initial setup gets you to monitoring. But senders change — whenever you add a new tool that sends email, DMARC needs to account for it. Ongoing management is what keeps enforcement from accidentally blocking legitimate email.

What to upsell once DMARC is in place

Getting a client to p=reject opens several natural upsell conversations:

  • BIMI setup — once at p=reject, clients can display their logo in Gmail and Apple Mail. Visible to clients, easy to demonstrate value, often compelling for marketing-aware decision-makers.
  • MTA-STS and TLS-RPT — encrypt email in transit and monitor delivery failures. Natural extension of email security posture.
  • DNS security review — clients who care enough to invest in DMARC are often receptive to a broader DNS review: subdomain takeover risk, dangling records, DNSSEC.
  • Compliance reporting — clients in regulated industries can use DMARC enforcement history as documented evidence of technical controls. Billable as a premium reporting tier.

Manage DMARC for all your clients from one platform

Albaspot gives you the multi-tenant DMARC dashboard, enforcement tools, and domain management you need to run DMARC as a scalable, profitable service.
