DMARC Monitoring for MSPs

Stop client emails
from landing in spam.

Most MSPs don't know their clients' emails are failing authentication checks - until the calls start coming in.

For MSP owners and technical directors managing email across 50 to 500 client domains.

Start Free Trial See How It Works
The Problem

You're sending emails into a black hole.

Right now, there could be client domains on your watch failing authentication checks - emails bouncing, invoices vanishing into spam, domains getting spoofed - and you'd have no way to know until someone calls you about it.

550 5.7.1 A client's password reset never arrives. Then their invoices stop going through. By the time you hear about it, they're already looking for a new MSP.
Spam folder Gmail and Microsoft are silently quarantining your clients' messages. No bounce, no error - just a growing pile of 'I never got that email' tickets.
Spoofed Someone sends phishing emails from your client's domain. Their customers get scammed. And the finger points at you - the one who manages their email.

MXBastion watches every domain you manage - so these problems get caught and fixed before anyone notices.

bounce-notification.eml
From: mailer-daemon@mx1.google.com
To: you@your-company.com
Subject: Delivery Status Notification (Failure)

--- Below this line is the bounce message ---

550 5.7.1 Unauthenticated email from
your-company.com is not accepted due
to domain's DMARC policy.

DMARC policy:  p=none (no enforcement)
SPF:           FAIL (too many DNS lookups)
DKIM:          FAIL (signature not found)
Alignment:     FAIL

Action required: Fix your email
authentication configuration.
With MXBastion

No more 'did you get my email?' calls.

With MXBastion protecting your domains, every email is authenticated, every threat is caught, and you never get blindsided by a client call again.

Every client email lands in the inbox

SPF, DKIM, and DMARC all pass. Receiving servers trust the message. Your clients' invoices arrive, their password resets work, and their customers stop asking 'did you send that?'

Authentication Rate 100%

Continuous Monitoring

DNS records checked every 6 hours. DMARC reports processed as they arrive. When something drifts, you fix it the same day - not three weeks later after a client churns.

Proactive Issue Resolution

When something breaks, you get the exact DNS record to fix it. No Googling RFC specs, no guessing at syntax. Copy, paste, done - verified in minutes, not days.

How It Works

From vulnerable to protected in days, not months.

Use MXBastion and every client domain reaches full DMARC enforcement - p=reject - with guided steps and zero guesswork.

1

Add Your Domains

5 minutes

Enter your domains and we instantly scan their SPF, DKIM, and DMARC records.

2

Review Authentication

24 hours

We collect and analyze your first DMARC aggregate reports to map all legitimate senders.

3

Tighten Enforcement

1-2 weeks

Gradually move from p=none to p=reject with guided steps and safety checks at each stage.

4

Monitor & Protect

Ongoing

Continuous monitoring catches config drift, spoofing attempts, and new sender issues in real time.

DMARC Enforcement Progression

p=none

Monitor only. No emails are blocked. You see what's happening but nothing is enforced.

p=quarantine

Suspicious emails go to spam. Legitimate mail still delivers. A safe middle ground.

p=reject

Full protection. Unauthenticated emails are rejected. Your domain can't be spoofed.

Platform Preview

See your domain health at a glance.

app.mxbastion.com/dashboard
Dashboard
Domains
Reports
Alerts
Settings
4
Domains
98.2%
Auth Rate
2
Warnings
1
Critical
acme-corp.com Healthy
DMARC pass SPF pass DKIM pass
store.acme-corp.com Warning
DMARC pass SPF pass DKIM misaligned
legacy-app.io Critical
DMARC fail SPF too many lookups DKIM pass
notifications.acme-corp.com Healthy
DMARC pass SPF pass DKIM pass
Authentication Results
Last 7 days — improving trend
Mon
Tue
Wed
Thu
Fri
Sat
Sun
Critical Issue

SPF Exceeds 10 Lookup Limit

legacy-app.io has 13 DNS lookups in its SPF record. RFC 7208 limits this to 10.

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Domains

+ Add Domain
Domain DMARC Policy SPF DKIM Status Last Checked
acme-corp.com p=reject Pass Aligned Healthy 2 hours ago
store.acme-corp.com p=quarantine Pass Misaligned Warning 4 hours ago
legacy-app.io p=none 13 lookups Missing Critical 1 hour ago
notifications.acme-corp.com p=reject Pass Aligned Healthy 30 min ago
mail.clientco.org p=quarantine Pass Aligned Healthy 3 hours ago
invoices.bigretail.com p=reject Pass Aligned Healthy 1 hour ago

DMARC Aggregate Reports

acme-corp.com — Last 30 days
12,847
Total Emails
97.3%
Pass Rate
346
Failed
8
Sources
Sending Source Volume SPF DKIM Aligned
Google Workspace209.85.220.0/24 8,421 Pass Pass Yes
SendGrid167.89.0.0/17 3,204 Pass Pass Yes
Mailchimp205.201.128.0/20 876 Pass Partial DKIM only
Unknown203.0.113.42 346 Fail Fail No

Alert History

Last 7 days
Spoofing attempt detected
203.0.113.42 sent 346 unauthenticated emails as acme-corp.com. All rejected by p=reject policy.
2 hours ago
DKIM alignment failed
DKIM signatures on store.acme-corp.com are signing with a mismatched domain. 4% of emails affected.
5 hours ago
SPF record exceeds lookup limit
legacy-app.io has 13 DNS lookups (limit: 10). SPF is returning permerror for all emails.
1 day ago
DMARC policy upgrade recommended
store.acme-corp.com has had 99.1% pass rate for 14 days. Ready to move from p=quarantine to p=reject.
2 days ago
Weekly digest sent
Status report for 4 domains delivered to team@acme-corp.com and #email-ops Slack channel.
3 days ago

Settings

Notification Channels

Email team@acme-corp.com
Slack #email-ops
PagerDuty Not configured

Check Frequency

DNS record checks Every 6 hours
DMARC report processing Real-time
Weekly digest Mondays, 9:00 AM UTC

Team

Sarah Chen Owner
Mike Torres Admin
Alex Kim Viewer
acme-corp.com Healthy
DMARC SPF DKIM
store.acme-corp.com Warning
DMARC SPF DKIM
legacy-app.io Critical
DMARC SPF DKIM
notifications.acme-corp.com Healthy
DMARC SPF DKIM
Pricing

Simple, transparent pricing

All plans include SSO and full API access. No hidden fees.

Most Popular

Growth

For growing MSPs

$49 /mo
  • Up to 50 domains
  • 1M emails/mo
  • DMARC, SPF, DKIM monitoring
  • Hourly DNS checks
  • SSO + API access
Start Free Trial No credit card required

Pro

For established MSPs

$69 /mo
  • Up to 150 domains
  • 5M emails/mo
  • DMARC, SPF, DKIM monitoring
  • DNS checks every 15 min
  • SSO + API access
Start Free Trial No credit card required

Need more than 150 domains? Let's talk.

Stop losing clients to email problems you didn't know existed. Fix them now in a few clicks.

  • 100% email authentication
  • Continuous DNS monitoring
  • Proactive threat detection
Get started
FAQ

Common questions

Most domains reach full DMARC enforcement (p=reject) within 2-4 weeks. The timeline depends on how many third-party senders you have (like marketing platforms, CRMs, or ticketing systems) that need to be authenticated first. MXBastion guides you through each step with specific DNS records to add - no guesswork involved.

No. MXBastion works with any DNS provider. You just need to add or update a few DNS TXT records (SPF, DKIM, DMARC) - something you likely already do for your clients. We tell you exactly what records to set and verify they're correct.

MXBastion reads your existing DMARC, SPF, and DKIM records as-is during onboarding. Nothing is overwritten. We analyze your current setup, show you what's working and what's not, and guide you through improvements step by step.

We currently support alerts via email, Slack, and webhooks - which means you can connect to virtually any PSA or RMM that accepts inbound webhooks or email-based ticket creation. Native integrations with ConnectWise and HaloPSA are on the roadmap.

You can bulk-import domains via CSV or the API. MXBastion instantly scans all records and starts collecting DMARC reports. Most MSPs have their full domain portfolio loaded and initial reports flowing within an hour.

Yes. All plans include full API access. You can automate domain management, pull authentication data, and integrate MXBastion into your existing tooling and workflows.

All plans include email support with a target response time under 4 hours during business hours. We also have documentation and guides for common DMARC scenarios. If you're on the Pro plan, you get priority support.