DMARC for Agencies: Turn Email Authentication Into Recurring Revenue
Published July 1, 2026
Agencies are the natural owner of DMARC for their clients: you already control their DNS and email tools, deliverability failures land on your desk anyway, and monitoring is genuinely ongoing work clients will pay monthly for. Bundled at $50-100 per domain per month against roughly $39 per month in tooling for your whole portfolio, DMARC monitoring is one of the highest-margin recurring line items an agency can add, and it protects clients from the invoice-fraud spoofing that small businesses are disproportionately hit by.
Why this lands on the agency anyway
If you run marketing, web, or IT services for clients, you already own the two things DMARC (Domain-based Message Authentication, Reporting and Conformance: the DNS policy that stops strangers from sending email as a domain) touches: the client's DNS and their sending tools. When a client's newsletter lands in spam or their invoices bounce off Gmail's authentication requirements, the ticket comes to you regardless of whether anyone is paying you to handle it.
The choice, then, isn't whether to deal with clients' email authentication: it's whether to do it reactively for free or proactively for revenue. Since Gmail and Yahoo made authentication mandatory in 2024, every client domain has a compliance reason to need this, and most small businesses have no idea the requirement exists until something bounces. That gap between mandatory and unknown is exactly where a productized agency service lives.
The trust angle: invoice fraud targets your clients
The security pitch writes itself, because the threat is concrete. Business email compromise (most visibly, fake invoices sent from a spoofed company domain asking a customer to pay into a new bank account) consistently ranks among the costliest cybercrimes tracked by the FBI's Internet Crime Complaint Center, with reported losses in the billions of dollars each year. Small businesses are preferred targets precisely because they rarely have DMARC enforced: their domains can be spoofed freely.
Walk a client through what p=none means (anyone on the internet can currently send email as their domain, to their own customers, and it will be delivered), and the conversation stops being about deliverability plumbing and becomes about protecting their name. A domain at p=reject makes that spoofed invoice bounce instead of reaching the customer. Few line items on an agency invoice map that directly to 'we stopped someone impersonating you'.
The operational playbook
Run it as a productized service with a fixed motion per client, not bespoke consulting. The recurring workload per domain after the initial rollout is minutes per month, which is what makes the economics work.
- Onboard in bulk: import every client domain at once, publish p=none records with reporting enabled, and let two weeks of data build each domain's sender inventory
- Rollout, once per domain: fix each legitimate sender's DKIM alignment (you likely configured those ESPs yourself), then walk the policy up to p=reject over four to eight weeks
- Monitor continuously: alerts for new senders, authentication failures, and record changes across the whole portfolio from one dashboard
- Report monthly: a white-label DMARC report under your agency's branding in each client's monthly pack, visible proof of ongoing protection
- Share on demand: give the client's bookkeeper or IT contact a read-only share link instead of fielding status questions
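The playbook above moves every domain through the same stages, so a portfolio review reduces to classifying each domain's published record. The following is an added example, not code from this page or from DMARCPath: the function names, stage labels, and the client and agency domains are assumptions, and the TXT values are constructed so it runs offline.

```python
"""Portfolio DMARC stage audit (added example; sample records are constructed)."""

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; return None if it is not a valid record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None  # RFC 7489: the v tag must be the first tag in the record
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None  # a policy record without a usable p tag is treated as absent here
    return tags

def stage(txt):
    """Map one domain's record (or None if absent) to a rollout stage and next action."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return ("unprotected", "publish p=none with a rua reporting address")
    policy = tags["p"].lower()
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100  # invalid pct -> default
    if policy == "none":
        if "rua" not in tags:
            return ("blind", "add rua so aggregate reports build the sender inventory")
        return ("monitoring", "fix sender alignment, then move to quarantine")
    if policy == "quarantine" or pct < 100:
        return ("ramping", f"raise enforcement from {policy} pct={pct} toward p=reject")
    return ("enforced", "keep monitoring for new senders and record changes")

def audit(portfolio):
    """Return {domain: (stage, next_action)} for a {domain: TXT-or-None} mapping."""
    return {domain: stage(txt) for domain, txt in sorted(portfolio.items())}

# Constructed sample data: TXT values as they would appear at _dmarc.<domain>.
SAMPLE = {
    "client-a.example": None,
    "client-b.example": "v=DMARC1; p=none",
    "client-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency.example",
    "client-d.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@agency.example",
    "client-e.example": "v=DMARC1; p=reject; rua=mailto:reports@agency.example",
    "client-f.example": "p=reject; v=DMARC1",  # invalid: v tag is not first
}

if __name__ == "__main__":
    for domain, (name, action) in audit(SAMPLE).items():
        print(f"{domain:18} {name:12} {action}")
```

When rua points at a mailbox on the agency's domain rather than the client's, RFC 7489 requires the receiving domain to publish an external reporting authorization record, otherwise many receivers will not send the reports.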
Pricing it
The clean model is a flat monthly fee per domain, bundled into the retainer or listed as a security line item. Market rates for managed DMARC among agencies and MSPs (managed service providers) run $50-100 per domain per month, with the initial none-to-reject rollout either included at the top of that range or billed as a one-time setup project. Against agency-tier tooling (DMARCPath's agency plan is $39 per month covering your whole portfolio), the margin math is straightforward:
| Portfolio | Billed at $50/domain/mo | Billed at $100/domain/mo | Tooling cost | Monthly margin |
|---|---|---|---|---|
| 10 client domains | $500 | $1,000 | $39 | $461-961 |
| 25 client domains | $1,250 | $2,500 | $39 | $1,211-2,461 |
| 50 client domains | $2,500 | $5,000 | $39 | $2,461-4,961 |
Handling the obvious objections
'Can't the client just set this up once themselves?' Publishing a record is a one-time task; DMARC isn't. New sending tools appear and fail alignment, SPF records drift past the 10-lookup limit, marketing hires sign up for platforms without telling anyone. Monitoring is the product, and the monthly report is what makes the ongoing value visible.
'Is this really our lane?' You configured their Mailchimp, their CRM (customer relationship management system), their website forms: every one of those is a sender in their DMARC reports. Nobody else has the access or the context to keep those aligned. And a white-label report with your logo on it makes the point better than any pitch: start with your five most email-dependent clients, run them to p=reject, and put the before-and-after in next month's client pack.
Frequently asked questions
- What happens when a client's DMARC breaks something?
  With the staged rollout, breakage means a sender landing in spam at the quarantine stage, not lost mail: you drop the enforcement percentage, fix that sender's DKIM setup, and resume. This is also the argument for the agency owning it: you can fix the ESP configuration yourself instead of coordinating three parties.
- Do clients on their own Google Workspace or Microsoft 365 still need this?
  Yes. Workspace and 365 handle SPF and DKIM for mail sent through them, but they don't cover the client's newsletter tool, invoicing system, CRM, or booking platform, and they don't publish or manage a DMARC policy, watch reports, or walk anything to enforcement. That's the service.
- How long does onboarding a new client domain take?
  Hands-on time is small: publishing the initial record takes minutes, then reports accumulate on their own for two weeks. The active work (fixing each sending service's alignment and stepping the policy up) is a few short sessions spread over four to eight weeks, most of it in DNS records you already manage.