DMARC GUIDE 2026

DMARC Setup Guide for MSPs: Stop Email Spoofing Across All Your Clients

Official source: RFC 7489 (DMARC)

A step-by-step guide to configuring SPF, DKIM, and DMARC for your MSP clients, from the first DNS record to full enforcement, plus how to monitor all of them automatically.


What Is DMARC and Why MSPs Need to Care

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do with emails that fail authentication. Without it, anyone can send email that appears to come from your clients' domains: a trivially easy phishing attack that's becoming the entry point for ransomware.

For MSPs, DMARC is a compliance requirement and, increasingly, a cyber insurance prerequisite. PCI DSS 4.0 references email security controls. HIPAA risk assessments routinely flag missing DMARC. CIS Controls v8 includes email domain protection in Control 9. If your clients are missing DMARC, they're failing compliance requirements they may not even know about.

The scale problem: An MSP managing 50 clients has 50+ domains to configure and monitor. Manual DNS audits don't scale. SBCMSP's 10-check DNS intelligence scans every domain automatically and alerts when records change, are missing, or are misconfigured.

The Three Records You Need: SPF, DKIM, DMARC

DMARC enforcement requires two other records to be in place first. Here's what each does and why all three are required:

1. SPF: Sender Policy Framework

SPF tells receiving servers which IP addresses are authorized to send email for your domain. Without SPF, anyone can claim to send from your domain and pass basic delivery checks.

; SPF record: add as a TXT record on your root domain
Name:  @ (or yourdomain.com)
Type:  TXT
Value: "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
; Replace the includes with your actual mail senders
; Common includes:
;   Microsoft 365:    include:spf.protection.outlook.com
;   Google Workspace: include:_spf.google.com
;   SendGrid:         include:sendgrid.net
;   Mailchimp:        include:servers.mcsv.net

Common SPF mistakes MSPs make: (1) Using -all instead of ~all before DMARC is enforced; this causes legitimate email to hard-fail before you've audited all senders. (2) Listing too many includes; SPF has a 10 DNS lookup limit, and exceeding it makes evaluation return PermError, so SPF fails for every message from the domain. (3) Missing third-party senders such as transactional email providers, CRM tools, and support platforms.

2. DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to outgoing emails. Receiving servers verify the signature against a public key published in your DNS. DKIM proves the email was sent by an authorized server and hasn't been modified in transit.

; DKIM record: format varies by mail provider
; Microsoft 365 example:
Name:  selector1._domainkey.yourdomain.com
Type:  CNAME
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
; Google Workspace example:
Name:  google._domainkey.yourdomain.com
Type:  TXT
Value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."
; Find the correct record in your email provider's admin panel
; Each sending platform needs its own DKIM selector

3. DMARC: Policy and Reporting

DMARC builds on SPF and DKIM and adds a policy: what should receiving servers do with email for which neither check passes in alignment with the From domain? DMARC also sets up reporting so you can see who's sending on behalf of your domain.

; DMARC record: add as TXT at _dmarc.yourdomain.com
Name: _dmarc
Type: TXT
; Step 1: Start with p=none (monitoring only; no email blocked)
"v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1"
; Step 2: Move to p=quarantine (send failures to spam)
"v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com"
; Step 3: Full enforcement (reject all failures)
"v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s"

The DMARC Policy Progression

Never jump straight to p=reject. Doing so before you've identified all your email senders will block legitimate email. The correct progression takes 4-8 weeks per client and looks like this:

Phase 1: Discover (Weeks 1-2)
  Policy: p=none
  What happens: No email is blocked. Reports flow in showing who's sending on behalf of the domain. Audit the reports to find all legitimate senders.
  When to move on: Once you've identified and configured DKIM/SPF for all legitimate senders and DMARC alignment is passing for each.

Phase 2: Quarantine (Weeks 3-4)
  Policy: p=quarantine pct=25
  What happens: 25% of failing emails go to spam. Start with a low pct and increase it. Monitor for legitimate email hitting spam folders.
  When to move on: When the quarantine rate is stable with no legitimate email impacted. Increase pct to 100 before moving to reject.

Phase 3: Enforce (Week 5+)
  Policy: p=reject
  What happens: All emails failing DMARC authentication are rejected at the receiving mail server. Phishing from your domain stops.
  When to move on: This is the target state. Monitor reports weekly for any new legitimate senders that need to be added.

DMARC Record Tags: Reference

v=DMARC1                   Required. Must be first.
p=none|quarantine|reject   Policy for failing messages
sp=none|quarantine|reject  Policy for subdomains (defaults to p= if omitted)
pct=0-100                  Percentage of mail to apply the policy to (default 100)
rua=mailto:...             Aggregate report destination: who's sending on your behalf
ruf=mailto:...             Forensic report destination: individual failure reports
adkim=r|s                  DKIM alignment: r=relaxed (default), s=strict
aspf=r|s                   SPF alignment: r=relaxed (default), s=strict
fo=0|1|d|s                 Forensic report options: 1=send on any failure (recommended)
ri=86400                   Report interval in seconds (default 86400 = 24h)
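An added example, not part of the original guide, covering the record syntax above and the policy records in the DMARC section: a parser for the tag syntax that applies the RFC 7489 defaults, plus the alignment test a receiver performs, run against the guide's Step 1 and Step 3 records. The organizational-domain logic is simplified to the last two labels (an assumption; real implementations consult the Public Suffix List), and pct= sampling is left out.

```python
# The guide's own Step 1 and Step 3 records from the DMARC section.
STEP1 = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1"
STEP3 = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s"

DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0", "ri": "86400"}  # RFC 7489 defaults
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split a DMARC TXT record into tags and apply the defaults.
    Raises ValueError for records a receiver would treat as absent."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag {part.strip()!r}")
            tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be 0-100")
    for tag, default in DEFAULTS.items():
        tags.setdefault(tag, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p=
    return tags

def org_domain(name):
    """Organizational domain, simplified to the last two labels (assumption:
    a production checker consults the Public Suffix List instead)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain: the MAIL FROM domain, passed only if SPF returned pass;
    dkim_domain: the d= of a verified signature. Returns (result, policy applied)."""
    tags = parse_dmarc(record)
    # DMARC passes when at least one of SPF or DKIM passed *and* aligns with From.
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass", "none"
    return "fail", tags["p"]  # pct= sampling omitted: the full policy is applied
```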

Advanced: MTA-STS, BIMI, and TLS-RPT

Once DMARC is at p=reject, three additional email security records significantly strengthen your client's email posture and are increasingly required by compliance frameworks:

MTA-STS (Mail Transfer Agent Strict Transport Security)

Requires that incoming mail to your domain be delivered over encrypted TLS, preventing downgrade attacks on email in transit. Published via a policy file at a specific URL and a TXT record at _mta-sts.yourdomain.com.

TLS-RPT (TLS Reporting)

Reports delivery failures caused by TLS negotiation issues. Pair with MTA-STS for visibility into your inbound encryption. Add a TXT record at _smtp._tls.yourdomain.com.

BIMI (Brand Indicators for Message Identification)

Displays your client's logo in supported email clients (Gmail, Yahoo, Apple Mail) when DMARC passes at p=reject. A powerful visual signal to recipients that the email is authentic. Requires a VMC (Verified Mark Certificate) for full Gmail support, though basic BIMI works without one in some clients.

SBCMSP checks all 10: Our DNS intelligence layer monitors DMARC policy enforcement level, SPF existence and complexity, DKIM key presence, DMARC-SPF alignment, DMARC-DKIM alignment, MTA-STS, TLS-RPT, BIMI, DNSSEC, and CAA records, automatically, for every domain you monitor.

DMARC for MSPs: The Scale Problem

The real challenge for MSPs isn't configuring DMARC for one domain; it's maintaining it across 50+ clients. Records drift. Third-party senders get added without updating SPF. DKIM keys expire or get rotated without updating DNS. Clients move to new mail providers and nobody updates the records.

Without automated monitoring, you find out about DMARC failures when a client calls to say their email is bouncing, or worse, when a client's customer gets phished from a spoofed domain.

SBCMSP's 10-Check DNS Intelligence

Automated monitoring for every domain on every scan, with no manual DNS lookups

DNS-001  DMARC Record Missing
DNS-002  DMARC Policy p=none (Not Enforced)
DNS-003  SPF Record Missing
DNS-004  SPF All Mechanism Too Permissive (+all)
DNS-005  DKIM Record Not Found
DNS-006  MTA-STS Not Configured
DNS-007  TLS-RPT Record Missing
DNS-008  BIMI Record Absent
DNS-009  DNSSEC Not Enabled
DNS-010  CAA Record Not Set

Audit All Your Clients' DMARC in Minutes

SBCMSP scans all 10 DNS security checks (DMARC enforcement level, SPF, DKIM, MTA-STS, BIMI, and more) automatically for every domain you monitor. Get notified when records change.

Start Free Trial (No Credit Card)

14-day trial · All features · Up to 3 domains free forever