DMARC for agencies: managing email security across multiple client domains
Marketing agencies and MSPs face a unique challenge: implementing DMARC at scale. One client is manageable. Twenty clients, each with their own ESPs, DNS providers, and compliance requirements? That requires a system.
You manage email for twelve clients. Maybe fifty. Each one has their own domain, DNS provider, and marketing stack.
Last week, a client called because their campaign emails stopped arriving. Two days later, another client asked why their competitors show a verified logo in Gmail and they don't. Yesterday, someone forwarded you a phishing email that perfectly impersonated one of your biggest accounts.
This is agency-scale email security.
Why agencies need centralized DMARC management
The math is simple. If you manage 20 client domains and each one requires 15 minutes of DMARC monitoring per week, that's 5 hours of your team's time. Every week. Forever.
Multiply that by the cost of senior technical staff, and you've got a line item that doesn't scale.
Manual monitoring also doesn't catch issues in time. By the time you notice a client's authentication is failing, they've already lost a week of deliverability. The sales team is complaining. The CEO is asking questions you don't have answers to.
Centralized monitoring changes the equation. One dashboard, all clients, real-time alerts. When something breaks, you know about it before your client does.
The unique challenges of multi-client DMARC
Managing your own domain is straightforward. Managing dozens of client domains introduces complexity at every step.
DNS access fragmentation
Client A uses GoDaddy. Client B uses Cloudflare. Client C has a legacy domain at some registrar you've never heard of, and Client D insists their "IT guy" makes all DNS changes, but he only responds to emails on Tuesdays.
Every DNS provider has a different interface. Some have APIs. Most don't. Some propagate changes in minutes. Others take hours.
You need a system that tracks which domains need DNS updates, who has access to make those changes, and whether the changes actually propagated correctly.
The ESP sprawl problem
Each client brings their own marketing tools. One uses Mailchimp. Another runs HubSpot. A third uses Klaviyo for e-commerce and Salesforce for everything else.
Before you can enforce DMARC on any domain, you need a complete inventory of every service sending email as that domain. Miss one, and you'll block legitimate mail when you flip the switch to enforcement.
For agencies, this inventory work multiplies. You can't assume Client B uses the same tools as Client A, even if they're in the same industry.
Compliance requirements vary by client
One client operates in healthcare and needs HIPAA-aligned reporting. Another works with European customers and has questions about GDPR. And someone's always pursuing SOC 2 certification, which means they need documentation of their email security controls.
Data residency matters. Where the DMARC reports are processed and stored becomes a question you'll answer repeatedly.
White-label considerations
A question that comes up in every agency conversation: how visible should the DMARC platform be to clients?
Some agencies want full transparency. They add clients as users, give them dashboard access, and walk them through the reports. This works well for consultancies that position themselves as educators.
Other agencies prefer to abstract the tooling away. The client sees monthly PDF reports with the agency's branding. They don't know or care what platform generates those reports. This works better for done-for-you service providers.
Most land somewhere in between: clients get visibility into their own domain's health, but the agency maintains control over configuration changes.
When evaluating DMARC platforms for agency use, consider how much flexibility you have in structuring client access. Can you add multiple users per account? Can you scope access to specific domains? Does the pricing model support that structure?
A practical client onboarding workflow
After onboarding dozens of agency clients, a pattern emerges.
Week 1: Discovery and audit
Start by checking the current state of their DNS. Pull their existing DMARC, SPF, and DKIM records. Many clients will have something, even if it's misconfigured.
Document every email-sending service they use. Don't just ask the marketing team. Sales probably has outreach tools. Support has a helpdesk. Finance has invoicing software that sends receipts. Talk to all of them.
Week 2: Baseline configuration
Set up DMARC in monitoring mode (p=none) with reports flowing to your centralized platform. This does nothing to block email but starts collecting data about everything sending as that domain.
At this stage, you're not changing anything about their email flow. You're just watching.
Weeks 3-6: Inventory analysis
Let the data accumulate. DMARC aggregate reports reveal the truth about who sends email as your client's domain. You'll see their legitimate ESPs. You'll see forwarding services. You'll see that random WordPress plugin nobody remembered.
This is where you build the authoritative list of legitimate senders. If it's not on this list, it shouldn't be sending email as this domain.
Week 7+: Remediation and enforcement
Now you fix things. Add DKIM records for services that support it. Adjust SPF to include necessary IP ranges without hitting the 10-lookup limit. Configure subdomains for services that can't authenticate properly.
When everything legitimate passes authentication, you're ready to move toward enforcement. Follow a staged rollout from none to quarantine to reject. Don't rush it.
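Added example, not from the original article or from any platform's code: Python that turns RFC 7489-style aggregate reports into the per-client sender inventory from Weeks 3-6 and the readiness check from Week 7+. The report contents, client domains, IPs, the APPROVED list keyed by source IP, and the "ready" rule (no approved sender still fails DMARC) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _report(domain, rows):
    """Build a constructed, minimal aggregate report from (ip, count, dkim, spf) rows."""
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>"
        for ip, n, dkim, spf in rows)
    return (f"<feedback><policy_published><domain>{domain}</domain><p>none</p>"
            f"</policy_published>{recs}</feedback>")

# Constructed sample data: reserved example domains and documentation IP ranges.
REPORTS = [
    _report("client-a.example", [("192.0.2.10", 940, "pass", "pass"), ("198.51.100.7", 55, "fail", "fail")]),
    _report("client-a.example", [("192.0.2.10", 60, "pass", "fail")]),
    _report("client-b.example", [("203.0.113.5", 300, "fail", "fail"), ("203.0.113.9", 100, "pass", "pass")]),
]
# Hypothetical approved-sender list per client, built during discovery.
APPROVED = {"client-a.example": {"192.0.2.10"}, "client-b.example": {"203.0.113.5", "203.0.113.9"}}

def inventory(reports):
    """Return {domain: {source_ip: [dmarc_pass_count, dmarc_fail_count]}}."""
    inv = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for xml_text in reports:
        root = ET.fromstring(xml_text)
        domain = root.findtext("policy_published/domain").strip().lower()
        for row in root.iter("row"):
            ev = row.find("policy_evaluated")
            # DMARC passes when either aligned DKIM or aligned SPF passes.
            ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
            inv[domain][row.findtext("source_ip")][0 if ok else 1] += int(row.findtext("count"))
    return inv

def readiness(inv, approved):
    """Per domain: pass rate, approved senders still failing, sources not yet reviewed."""
    out = {}
    for domain, sources in inv.items():
        known = approved.get(domain, set())
        total = sum(p + f for p, f in sources.values())
        passed = sum(p for p, _ in sources.values())
        fix = sorted(ip for ip, (_, f) in sources.items() if f and ip in known)
        out[domain] = {"pass_rate": round(100 * passed / total, 1), "fix_first": fix,
                       "unreviewed": sorted(set(sources) - known), "ready": not fix}
    return out

if __name__ == "__main__":
    print(readiness(inventory(REPORTS), APPROVED))
```

Aggregate reports arrive from third parties, so in production decompress and parse them with size limits and a hardened XML parser such as defusedxml. Sources listed as unreviewed need a human decision: either they join the approved list after remediation, or they are the mail enforcement is meant to block.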
Reporting to clients
Your clients hired you so they don't have to think about this stuff. They want to know if their email is working, whether they're protected from spoofing, and what they need to do next.
Bury them in technical details and their eyes glaze over. Give them a simple health score and clear next steps.
Monthly reporting should answer those questions. Open with the summary: "Your email authentication is healthy. 99.2% of messages passed DMARC last month. No action required." Or: "We detected a configuration issue with your Mailchimp DKIM. We're fixing it this week."
Save the detailed data for the appendix. Some clients will never look at it. Others will pore over every IP address. Let them choose their depth.
Pricing considerations for agencies
The economics of DMARC monitoring at agency scale deserve attention.
You need a platform that doesn't penalize you for adding domains. Per-domain pricing eats into margins fast. A flat rate for unlimited domains lets you price your services predictably.
DMARCTrust offers flexible pricing with add-on domains at a fixed rate. For agencies managing multiple clients, the Pro plan with additional domains often makes the most sense. You get 5 domains included, then add more as your client roster grows.
Consider how you'll pass costs to clients. Some agencies bundle DMARC monitoring into their retainer, others charge it as a line item. Either works, but model it out before you commit to a platform.
Don't forget the value of your time. A platform that saves you 3 hours per week across your client base is worth more than its monthly fee, even if a cheaper option exists.
Building DMARC into your service offering
The agencies that do this well treat DMARC as an ongoing service, not a one-time project.
Initial setup works as a fixed-fee engagement: configuration, inventory, rollout to enforcement. Clear scope, clear deliverable.
Ongoing monitoring becomes a recurring revenue stream. A monthly retainer covers continuous monitoring, alert response, and regular reporting.
Incident response demonstrates value. When you catch a spoofing attack before it does damage, you've justified years of monitoring fees in a single conversation.
Email security in 2026 simply requires this approach. Domains need continuous monitoring. Configurations need regular updates as clients add new tools. Threats evolve constantly.
Position yourself as the ongoing partner, not the one-time consultant.
FAQ
How many client domains can one person manage?
With proper tooling, a single technical resource can monitor 50-100 domains effectively. The key is centralized alerting and standardized workflows. Without good tooling, that number drops to maybe 10-15 before things start falling through the cracks.
Should I give clients direct access to the DMARC platform?
It depends on your client relationships. Some clients want visibility, others just want results. Start by offering access, and let clients opt out if they prefer summary reports instead.
How do I handle clients who won't give DNS access?
Document everything in writing. Provide exact DNS records to add. Follow up weekly until changes are made. If a client consistently delays DNS changes, have a frank conversation about whether they're ready for DMARC enforcement.
What's the minimum monitoring period before enforcement?
Four weeks captures most monthly billing cycles and reveals most legitimate senders. For complex organizations with many tools, extend to 6-8 weeks. Rushing enforcement is the fastest way to break client email.
How do I explain DMARC to non-technical clients?
Skip the technical details. Focus on outcomes: "This protects your brand from email impersonation and makes sure your legitimate emails get delivered." If they want more, explain that it's like caller ID for email, where their domain proves it's really them.