Technical guide

DMARC for MSPs: A Service Delivery Guide

A practical MSP workflow for assessing, onboarding, monitoring, and progressing DMARC across customer domains.

Published by The Vigilance Initiative GroupUpdated

Technical guidance only. Confirm changes against the current standards and your providers’ documentation before editing production DNS.

Managed DMARC is not a one-record service. An MSP needs a repeatable way to identify legitimate senders, coordinate DNS and provider changes, interpret aggregate reports, explain risk to customers, and progress policy without disrupting valid mail.

This guide describes that operating process. It does not prescribe commercial terms or promise that every customer domain follows the same timetable.

Define the service boundary first

Before onboarding a domain, decide who owns each responsibility:

Responsibility Questions to resolve
Customer relationship Who explains the service, obtains approval, and handles ongoing communication?
DNS Who can approve and publish records? What change-control evidence is required?
Mail platforms Who can enable DKIM or change sender-domain settings inside each provider?
Report review Who classifies sources and follows up on failures?
Policy decisions Who accepts the risk of moving from monitoring towards enforcement?
Escalation What happens when a source cannot be identified or authenticated?

Vigil uses three partner paths: Referral, Reseller, and Self-service. Review the partner models before promising a delivery split to a customer.

Prerequisites for offering managed DMARC

An MSP does not need to build its own report parser, but it does need operational discipline.

Minimum prerequisites include:

A managed platform can process aggregate reports, help identify sending sources, and present authentication evidence. The MSP still coordinates authorised changes, customer communication, provider-side configuration, and exceptions according to the agreed operating model.

Choose the DNS access model

Customer-controlled DNS

The MSP prepares and verifies changes, while the customer or its DNS provider publishes them. This preserves customer control but can slow remediation if responsibilities are unclear.

For each change, provide:

MSP-controlled DNS

Where the MSP is already authorised to manage the zone, changes can follow the MSP’s established DNS controls. Do not treat existing technical access as unlimited approval. Record the customer authorisation and keep an audit trail.

Delegated records

Some managed workflows use CNAME or other constrained delegation patterns for specific records. Delegation can reduce repeated changes at the customer zone, but it must be documented and limited to the agreed namespace. It does not transfer ownership of the customer’s domain.

The per-domain onboarding sequence

1. Confirm ownership and scope

Record the domain, customer contact, DNS operator, primary mail platform, known sending services, and intended partner model. Start with a domain the provider understands well—ideally its own organisation domain—before applying the process across a customer portfolio.

2. Assess current public DNS

Review:

The free DMARC checker provides a point-in-time public view. It cannot discover every DKIM selector or show actual sending behaviour.

3. Inventory legitimate senders

Ask business and technical contacts about:

Do not rely only on the first report cycle. Periodic services may appear later.

4. Establish aggregate reporting

Publish or correct a monitoring record only after confirming the authorised reporting destination and any required external-destination verification. The public DNS record asks participating receivers to send aggregate data; it does not guarantee that every receiver reports.

5. Classify observed sources

For each material source, record whether it is:

Use evidence from DNS, provider documentation, message headers, customer records, and aggregate reports. An IP address alone does not identify the responsible person or application.

6. Remediate authentication gaps

Typical work includes:

Read SPF Records Explained and the DKIM setup guide before changing production DNS.

7. Progress policy using evidence

Move from monitoring only when normal and periodic legitimate sources are understood and aligned. A quarantine or reject policy expresses the domain owner’s requested handling; receiving systems may still apply local policy.

The policy-progression guide provides evidence gates and rollback considerations.

8. Continue monitoring

The work does not end at enforcement. New SaaS tools, provider migrations, key rotation, DNS changes, and forwarding paths can change authentication results. Review change events and report evidence according to the customer’s agreed service process.

Portfolio operations without unsupported shortcuts

Avoid claiming that a dashboard grade or single percentage proves that a domain is secure. Useful portfolio indicators include:

Prioritise exceptions, but keep enough context to explain why an exception matters. A point-in-time score should not replace source investigation or customer approval.

The effort per domain varies with DNS access, number of sending services, provider support, forwarding, and the quality of existing documentation. Do not promise a fixed onboarding or remediation time before discovery.

Customer communication

At onboarding

Use plain language:

We are checking which systems are authorised to send using your domain, correcting authentication gaps, and using report evidence before asking receivers to apply stronger handling to failures.

Explain the boundary:

During remediation

Tell the customer which legitimate service is affected, what evidence was observed, who needs to act, and whether a policy change is being delayed. Avoid converting technical counts into claims that an attack was blocked unless the evidence supports that exact statement.

During ongoing review

Report current policy, meaningful changes, unresolved sources, completed work, and the next decision. Call an authentication pass a pass—not “compliant”, “safe”, or “fraud-free”.

Partner-branded reporting

Partner-branded PDF reporting may be available when it is explicitly configured and agreed. That narrow capability does not imply full platform white-labelling, a separate branded application, or any particular commercial term.

What managed DMARC does not cover

Frequently asked questions

Does an MSP need deep DMARC expertise before starting?

The team needs DNS competence, a controlled workflow, and the ability to coordinate provider settings and customer decisions. Start with the provider’s own domain and escalate unfamiliar cases rather than guessing.

Should every new domain start at p=none?

Use the current evidence. A new or poorly understood domain normally needs monitoring before stronger policy, but an existing domain may already have a valid enforcement policy. Do not weaken it automatically during onboarding.

What happens when a customer adds a new sending service?

Identify the service, confirm authorisation, review SPF and DKIM options, make approved changes, and verify later message and report evidence. Do not assume the service is safe or broken from one source IP alone.

Can an MSP promise a fixed time to reject?

No universal timetable is safe. Progress depends on the sending estate and evidence. Set a target and review gates, not a deadline that overrides unresolved mail flows.

Can reports carry the MSP’s brand?

Partner-branded PDF reporting may be available where explicitly configured and agreed. This is narrower than a fully white-labelled platform.

Start with the service-provider page, compare the partner models, and use the free checker for the first public-DNS assessment. WISPs can use the separate WISP scope and workflow guide to define DNS, customer, and escalation responsibilities without changing this broader MSP operating model.