For service providers

A repeatable DMARC workflow for customer domains

Vigil helps service-provider teams assess customer domains, process aggregate reports, identify sending sources, review SPF and DKIM evidence and guide policy progression. Your team chooses how much of the customer relationship and technical work it wants to own.

Compare partner models · Check your own domain

Why the work becomes difficult at scale

The DNS record is only the start. The operational work is discovering every legitimate sender, interpreting report data, coordinating provider-side authentication, handling exceptions and revisiting the configuration when a customer adds or changes a service. A repeatable workflow matters more than a one-off record generator.

What the workflow supports

  • Point-in-time assessment of public DMARC, SPF, DKIM and MX signals.
  • Aggregate-report processing and source identification.
  • SPF review, lookup-limit analysis and optimisation support.
  • DKIM selector discovery, evidence review, validation guidance and monitoring.
  • Policy-stage recommendations grounded in report evidence.
  • Provider-oriented reporting across customer domains.

Exact product access, branding, support and commercial scope are confirmed privately. This page does not promise DKIM key control, MTA-STS capability or a fully white-labelled platform.

A practical client workflow

Start with the provider domain

Learn the process using a domain your team controls.

Assess a first customer

Confirm DNS ownership, mail platforms and visible authentication gaps.

Observe normal sending

Use aggregate reports to identify expected and unexpected sources.

Remediate and progress

Work with the DNS owner and mail providers, then move policy when evidence supports it.

Monitor change

Review new sources, configuration drift and policy status over time.

Choose responsibility deliberately

Referral suits teams that want to introduce the need and hand off delivery. Reseller suits teams that want to retain the customer and billing relationship with shared delivery. Self-service suits teams ready to own more of the technical workflow. Review all three before applying.

Compare partner models · Read the MSP service-delivery guide · Read the WISP scope and workflow guide

Boundaries to explain to customers

  • DMARC addresses exact-domain authorisation; it is not inbound content filtering.
  • A reject policy is a domain-owner request; receivers may apply local policy.
  • Authentication does not guarantee deliverability or stop lookalike-domain abuse.
  • Customer DNS and mail-provider changes remain important operational dependencies.

FAQ

Can a provider offer managed DMARC without building a report parser?

Yes. A managed workflow can process aggregate reports and present authentication evidence while the provider focuses on DNS ownership, customer communication and remediation decisions.

Does Vigil replace customer DNS management?

No. DNS remains under the domain owner or its authorised provider. The working model determines who publishes approved changes.

What happens when a customer adds a sending service?

The provider should identify the service, review its SPF and DKIM options, update approved DNS where needed and confirm alignment in subsequent report data.

Which partner model should we choose?

Choose based on responsibility: Referral for handoff, Reseller for a retained customer relationship with shared delivery, or Self-service for more direct technical operation.

Start with your own domain

Check the public records, then submit the context needed for guided onboarding.

Check a domain · Apply for guided onboarding