DMARC Monitoring for Agencies: Managing Client Domains Without the Busywork
If you run email for clients — marketing agency, MSP, freelance ops — DMARC on their domains is quietly your problem. Here is what that actually involves across 10, 20 or 30 domains, and how to turn a recurring chore into something a client sees value in.
Why client DMARC lands on the agency
Three forces have pushed DMARC from "nice to have" onto the agency's plate:
- Mailbox providers require it. Google and Yahoo enforce authentication requirements for bulk senders — DMARC included — and Microsoft has announced the same direction for high-volume senders to Outlook (see the current requirements). When a client's campaign lands in spam, the first question is whether authentication is set up right — and you sent the campaign.
- You control the sending stack. The ESP, the CRM, the transactional platform — the agency wired them up, so only the agency knows which sources are supposed to exist in the client's DMARC reports.
- Clients cannot read the reports. Aggregate reports are daily XML files (a sample is dissected in how to read DMARC reports). Forwarding them to a client is indistinguishable from sending them nothing.
What the job actually is, per domain
- Set up: SPF, DKIM for every sending platform, and a DMARC record with a
ruaaddress you actually monitor. (Refresher: SPF vs DKIM vs DMARC; record built with the free generator.) - Watch: read the aggregate reports for new sources, authentication drift, and spoofing attempts.
- Tighten: move each domain from
p=nonetop=quarantinetop=rejectwhen — and only when — the reports say it is safe (the policy decision, explained). - Prove it: show the client that the monitoring they are paying for is happening and working.
Where it breaks at agency scale
Each step is manageable for one domain. Multiply by a client roster and the failure modes are predictable:
- Volume. Ten domains sending to the major providers can mean dozens of XML files a day. Nobody reads them by week three — which means nobody notices the new unauthorized source in week five.
- The wrong mailbox. Reports scattered across
dmarc@client-domain.cominboxes that nobody at the agency can search in one place. - Tool pricing shaped for one brand, not thirty. Dashboards priced and designed around a single company's domains get expensive and unwieldy when every domain belongs to a different client with different branding. (Our comparison page covers how the common tools position, with claims scoped and dated.)
- Invisible work. The worst one commercially: done right, DMARC monitoring produces no visible output. The client pays a retainer and sees nothing — until they wonder why they are paying.
What the fix looks like
Whatever tooling you choose, agency-grade DMARC monitoring needs four properties:
- One place for all client domains — every
ruapointed at collection you control, so nothing hides in a client inbox. - Verdicts, not charts. Across thirty domains you do not want thirty dashboards; you want to know which two domains need attention this week and why.
- Flat, predictable cost that does not force a pricing conversation with every client you onboard.
- A client-facing artifact. A weekly report carrying your logo and name — plain-English, forwardable — turns invisible maintenance into visible proof of work. This is the difference between "what do we pay you for?" and a line item that renews itself.
Built exactly for this
PlainDMARC gives every client domain a weekly plain-English verdict — PASS, WARN or FAIL with the reason — and sends it as a white-label report branded as your agency, with a hosted link you can forward or attach to the monthly retainer report. All domains on one flat-price plan. Early access is free.
Create your free account See how it comparesFrequently asked questions
Should DMARC reports go to the client's mailbox or the agency's tooling?
To collection the agency controls. The rua address in the client's DNS can point at any mailbox or service — receivers deliver reports there regardless of the domain they describe. Pointing every client's rua at your own monitoring is standard practice, keeps the inventory in one place, and survives client inbox cleanups.
Can I charge clients for DMARC monitoring?
Agencies commonly fold it into an email or hosting retainer rather than billing it standalone. The key to making it stick is visibility: a branded weekly or monthly report showing authentication status and what was caught gives the line item something to point at. Invisible monitoring is the thing clients cut.
What happens if an agency ignores a client's DMARC after setup?
Two slow failures. New sending tools the client adopts never get authenticated, so genuine mail starts failing as the policy tightens — or the policy never tightens and spoofing continues to reach inboxes. And nobody notices either until a deliverability incident or a phishing complaint makes it urgent. Set-and-forget is the one approach that reliably fails.