Winning with DMARC: The MSP’s Definitive Guide to Email Security

There’s a straightforward question MSPs can ask their clients: “If you could stop phishing, spoofing, C-level fraud, and business email compromise (BEC), would you?”

The answer is always an emphatic YES. This makes the decision to deploy DMARC clear. DMARC is how MSPs empower clients to prevent these threats.

In the past, fighting phishing felt like an endless arms race. Solutions like filters and whitelists offered only temporary relief before attackers found ways around them. DMARC shifts the paradigm. Instead of trying to keep bad email out, it ensures that only legitimate emails are allowed in.

As a bonus, DMARC is open source, so there’s no vendor lock-in and no critical path dependencies on third-party proprietary solutions. This gives both MSPs and clients greater flexibility and control over their email security.

How Do MSP Clients Benefit from DMARC?

• DMARC prevents unauthorized senders from impersonating your client’s domain in phishing attacks. This protects brand reputation, employees, partners, and customers.
• It improves inbox placement. Authenticated email is more likely to reach the inbox instead of a SPAM folder. This ensures that sales, marketing, and transactional emails land where they should, helping your clients get the most value from their campaigns.
• It gives insight into your customer’s email domain catalog and the sources sending on their behalf. DMARC also lets you know whether SPF/DKIM is set up correctly and offers visibility into which services are misconfigured or abused.
• It mitigates BEC by enforcing a p=reject DMARC policy. This greatly reduces the success of invoice scams, CEO fraud, and vendor impersonation attempts.
• DMARC compliance is becoming increasingly important. Major email providers like Google, Yahoo and Microsoft now require organizations to have a DMARC record in place. Additionally, many cybersecurity insurance providers are making DMARC a requirement for coverage.

What Are the MSP Revenue Opportunities from DMARC?

• Add a high-value, high-urgency service to your security stack by offering DMARC management. It helps clients strengthen trust while protecting their domain and brand reputation.
• Create a recurring revenue stream by bundling ongoing DMARC monitoring, reporting, policy enforcement, and client support into a monthly service package.
• Uncover Shadow IT, unauthorized third-party senders, outdated email infrastructure, and even redundant services. This helps your clients identify cost-saving opportunities. It also creates upsell paths for solutions like MTA setup and cloud email modernization.

DMARC Deployment for MSPs: 5 Proven Steps to Protect Client Domains

Following these steps will help MSPs deliver effective DMARC deployment, protect client domains from email-based threats, and ensure ongoing resilience in the face of new challenges.

Joe Garner

1. Domain Audit

• Thoroughly assess the client’s sending infrastructure and create a comprehensive domain catalog.
• Evaluate DMARC management tools with robust data visualization and client management group capabilities to streamline oversight and help you scale your business.

2. Initiate Monitoring

• Implement a DMARC record with a policy of p=none to begin monitoring without affecting email flow.
• Identify and document all third-party senders authorized to use the domain.
• Leverage DMARC reporting to gain full visibility into legitimate and unauthorized email activity.

3. Achieve DMARC Alignment

• Focus on aligning SPF and DKIM authentication for your client’s domains and subdomains.
• Properly connect the authentication mechanisms to the enforcement policy defined in the DMARC record. Alignment is fundamental to DMARC’s effectiveness.

4. MoveToward Enforcement

• Develop a realistic timeline for transitioning DMARC policy enforcement from p=none to p=quarantine to ultimately p=reject.
• Gradually increase policy strictness to reduce risks without disrupting legitimate email flow.

5. Long-term DMARC Management

• Treat DMARC as an ongoing practice rather than a one-time setup.
• Once the domain is protected with the p=reject policy, monitor DMARC reports and adjust configurations as needed.
• Proactive management is essential to maintaining email security and staying ahead of evolving cyber threats.

Joe Garner is the MSP program manager at dmarcian Inc. With a background in technology consultation and customer engagement, he is passionate about educating MSPs about DMARC and the importance it plays in having a robust security stack.

Featured image: Muhammad — Adobe Stock