DMARC for Agencies and MSPs

If you manage email or DNS for client domains, DMARC should be on every single one. Whether you run a marketing agency, an IT managed services practice, or a consulting firm, your clients are exposed without it. Not sure if a client actually needs it? Our article on whether you need DMARC covers the scenarios where it is essential. The challenge is not setting up one DMARC record. It is setting up dozens or hundreds of them, keeping them monitored, and making sure nothing drifts out of compliance.

This guide covers the practical workflow for agencies and MSPs deploying DMARC across a client portfolio, including how to handle the unique challenges that come with managing domains you do not own.

The Multi-Client Challenge

A single business sets up DMARC once and moves on. An agency or MSP does it repeatedly, across clients with wildly different setups. Some clients use Google Workspace, others use Microsoft 365, and some have legacy on-premise servers. Each client has a different mix of marketing tools, support desks, and transactional email services. DNS is hosted in different places. Some clients have existing records that are incomplete or broken.

The common problems agencies face:

No two clients have the same sending stack. You cannot use a single template and apply it everywhere. Each domain needs its SPF, DKIM, and DMARC records tailored to its actual senders. Understanding how SPF, DKIM, and DMARC work together is essential for getting this right across diverse client setups.
DNS access varies. Some clients give you full DNS control. Others require you to submit changes through a ticket system or their internal IT team. Some have DNS locked behind a registrar account with credentials nobody remembers.
Existing records are often wrong. Many domains have partial SPF records, no DKIM, or a DMARC record that was set up years ago and never updated. You need to audit before you build.
Clients add services without telling you. A client signs up for a new marketing tool and starts sending email from their domain without updating SPF or DKIM. The first sign of trouble is their email landing in spam.

Every client domain needs DMARC

Even if a client domain does not send email, it still needs a DMARC record. Domains without DMARC are easy spoofing targets. A p=reject record on non-sending domains takes two minutes and eliminates an entire category of risk for your client.

Why Agencies Should Own DMARC for Every Client

Setting up DMARC for your clients is not just a nice add-on. It directly affects the work you are already doing. If you manage a client's email marketing and their domain gets spoofed, your campaigns suffer from the reputation damage. If you manage their IT infrastructure and their email authentication breaks, the support tickets land on your desk.

Protect your own deliverability work

If you run email marketing for clients, domain reputation directly affects open rates and inbox placement. DMARC at enforcement prevents spoofers from destroying the reputation you have worked to build.

Reduce support burden

Email authentication problems generate confusing symptoms: messages in spam, bounced emails, customer complaints. Setting up DMARC properly reduces these tickets. Monitoring it prevents them from recurring.

Demonstrate measurable value

DMARC reports give you concrete data to show clients: how many unauthorized senders were blocked, what percentage of email passes authentication, and how their domain's posture has improved over time.

Create recurring revenue

DMARC setup is a one-time project, but ongoing monitoring is a recurring service. Clients need someone watching their records, reviewing reports, and updating configurations as their sending stack changes.

The Agency DMARC Workflow

Here is a repeatable process for deploying DMARC across client domains. This works whether you have ten clients or two hundred.

Audit the existing records

For each client domain, check what SPF, DKIM, and DMARC records already exist. Use dmarcrecordchecker.com to look up the current DMARC record. Note which domains have no record, which have p=none, and which have enforcement. Document the current state before making changes.

Inventory all sending services

For each client, identify every service that sends email from their domain. This includes their email platform (Google Workspace, Microsoft 365), marketing tools (Mailchimp, Klaviyo, HubSpot), support desks (Zendesk, Freshdesk), transactional email (SendGrid, Postmark), and any custom applications. Each sender needs SPF and DKIM authentication.

Build SPF and DKIM records

Create a complete SPF record for each domain at spfcreator.com that includes all identified senders. Generate DKIM records at dkimcreator.com for any services that require custom DKIM setup. Verify that each sending service has its domain authentication configured in its own admin panel.

Generate and publish DMARC records

Use the generator below to create a DMARC record for each domain. Start every domain at p=none with reporting enabled. Publish the TXT records at _dmarc.clientdomain.com in each client's DNS.

Monitor reports and fix issues

Review aggregate reports for each domain over two to four weeks. Identify any legitimate senders that are failing authentication. Fix SPF and DKIM for those senders. Our DMARC monitoring guide explains what to look for in reports and how to act on the data. This is where the real work happens, and where you earn your keep as the agency.

Move to enforcement

Once a domain's reports show all legitimate mail passing, move it to p=quarantine and then p=reject. Track enforcement progress across your portfolio so you can report to clients on their security posture.

Handling Non-Sending and Parked Domains

Many of your clients own domains they do not use for email. These might be alternate TLDs, old brand names, typo domains purchased defensively, or domains reserved for future projects. Every one of these needs a DMARC record. For clients with complex domain structures, our guide on DMARC for subdomains covers how to apply policies across parent and child domains.

For any domain that does not send email, publish this immediately:

v=DMARC1; p=reject; sp=reject;

Pair it with v=spf1 -all for SPF and no DKIM records. This tells every receiving server in the world that no email from this domain is legitimate. There is no monitoring period needed because there is no legitimate mail to protect.

This is low-effort, high-impact work. A single afternoon spent locking down parked domains across your client portfolio eliminates a significant spoofing surface.

Quick win for new clients

When you onboard a new client, lock down their non-sending domains on day one. It takes minutes per domain, demonstrates immediate value, and protects them from a threat most businesses do not even know exists.

Monitoring at Scale

Setting up DMARC records is a project. Keeping them working is an ongoing service. For a single domain, you might manually check records once a month. For a portfolio of client domains, manual checking does not scale.

Things that break DMARC over time:

A client's IT team updates DNS and accidentally deletes or modifies the DMARC record
A new sending service is added without updating SPF or configuring DKIM
An SPF record exceeds the ten lookup limit after adding a new include
A DKIM key expires or a signing configuration changes during a platform migration
A client moves their domain to a new registrar and does not transfer all DNS records

You need automated monitoring that checks every client domain daily and alerts you when something changes. This is not optional at scale — it is the difference between catching a problem in hours versus discovering it weeks later when a client calls about their email landing in spam.

Monitor every client domain from one dashboard

Track SPF, DKIM, DMARC, and MX records across all your client domains. Daily checks, instant alerts, bulk CSV import.

Start Monitoring

Building DMARC Into Your Service Offering

For marketing agencies, DMARC fits naturally into email deliverability services. You are already managing campaigns that depend on inbox placement. Adding authentication management to your scope protects the work you are doing and gives you a new line item.

For IT MSPs, DMARC belongs in your standard security stack alongside firewalls, endpoint protection, and backup. Email is the primary attack vector for phishing, and DMARC is the primary defense against domain spoofing. It should be part of every client onboarding.

For consultants, DMARC audits are a strong entry point for new engagements. Run a quick check on a prospect's domain, show them what you find, and propose a remediation project. Most businesses have never checked their DMARC status, and the results are often eye-opening. Our DMARC best practices article is a useful reference to share with clients during onboarding.

The Email Deliverability Suite supports unlimited domains, bulk CSV import, and custom check schedules, which makes it practical for agencies managing large portfolios. You can import your entire client list, set up daily monitoring, and get alerts the moment any record changes or breaks.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.