Selling DMARC monitoring to a client who's never heard of it is one of the easiest sales conversations you can have in professional services, assuming you frame it correctly. The problem is that most agencies frame it wrong.
Here's how the wrong conversation usually goes:
"We'd like to offer you DMARC monitoring — it's a protocol that helps with email authentication and deliverability, makes sure SPF and DKIM align properly, and reduces the risk of your domain being spoofed by malicious actors. We recommend getting to p=reject over a six-month rollout."
The client's eyes have glazed over by the word "protocol." The three-letter-acronym count has exceeded their tolerance. They do not buy. They go back to the thing they were doing before you interrupted them.
Here's how the right conversation goes:
"I ran a quick security check on your domain this morning. Right now, anyone on the internet can send an email that looks like it's from you — from your actual domain, not a fake lookalike. If an attacker sent a fake invoice to one of your customers with updated bank details, their email server couldn't tell it apart from a real one from you. We can close that hole in about 48 hours and then monitor it for £X/month. Would you like me to show you?"
The client does not need to understand DMARC to buy DMARC monitoring. They need to understand the specific business risk you're solving.
The framing that actually works
Three business outcomes to lead with, in order of persuasive power.
1. Brand impersonation and fraud
"Right now, anyone can send email that looks like it's from your domain. That email will reach your customers' inboxes. It will look legitimate. Their spam filters will not catch it."
This is true for any domain without DMARC enforcement. It's also the outcome that matters most to business owners, because it has a specific, nameable bad outcome: a customer gets defrauded, the customer blames the business (correctly or otherwise), the relationship is damaged, and in some cases there's legal exposure.
You don't need the client to understand the mechanics. You need them to understand that this risk exists for their domain, specifically, right now, and that fixing it is fast and cheap.
If you have a real BEC story — especially from the client's own industry — lead with it. "A contractor I know lost £40,000 to a spoofed supplier invoice last year. The supplier hadn't set up DMARC. Your domain is in exactly the same state right now." This is not fear-mongering; it's an accurate description of the threat landscape.
2. Deliverability
"Your marketing emails are being treated with suspicion by Gmail and Outlook because your domain doesn't prove it's the real sender. Setting up DMARC properly will measurably improve the percentage of your emails that reach the inbox."
This is the outcome that matters to clients whose businesses depend on email marketing. It's quantifiable — they can see the improvement in their open rates and bounce rates within a few weeks — and it maps to revenue because more email in the inbox means more conversions.
Google's 2024 bulk sender rules give you the regulatory frame here. "Google and Yahoo now require DMARC for anyone sending over 5,000 emails a day. If you're anywhere close to that volume, this isn't optional." For clients under that threshold, the framing shifts slightly: "The bar is going to keep rising. Microsoft tightened theirs in 2025. Staying ahead of this is cheaper than catching up later."
3. Compliance and insurance
"Cyber insurance policies increasingly ask about email authentication as part of their underwriting. Some regulated sectors — financial services, healthcare, public sector — have explicit DMARC requirements. If you're bidding for public sector work or tightening your insurance, this comes up."
This one's more niche but powerful for specific client types. Any client who's completed a cyber insurance questionnaire in the last two years will have been asked about DMARC. Most of them got the answer wrong. Some of them had their premiums raised or coverage excluded as a result.
The discovery call script
Ten minutes, four questions, one result.
- "Do you send invoices to customers by email?" — Almost always yes. Sets up the BEC risk framing.
- "Have you ever had a customer receive a fake email claiming to be from you?" — If yes, the conversation writes itself. If no, "that you know of" is the correct unsaid subtext.
- "Roughly how many emails a day do you send — including marketing, transactional, and customer support?" — Gives you the volume to know whether Google's bulk sender rules apply.
- "Who manages your DNS records currently — is that you, a web agency, or an internal IT person?" — Tells you the implementation path and whether you'll need to coordinate with a third party.
After the call, run the free audit against their domain and send them the results. This is the killer move. The grade is a concrete number they can react to. Nobody likes seeing "F" next to their own domain.
Your follow-up email is one paragraph:
"Ran the audit we discussed. Your domain scored F — the main issues are [specific finding 1] and [specific finding 2]. The short version is that your domain is currently open to impersonation and your marketing emails are being deprioritised. We can fix the configuration in 48 hours and monitor it for £X/month so it stays fixed. Happy to walk through the detail on a call, or if you'd rather just see a proposal I can send one over."
That's it. You've established urgency (they have an F), authority (you ran the audit and can explain the findings), action (48 hours, specific cost), and a low-friction next step (call or proposal, their choice).
Pricing the service
Two configurations work well for agencies.
Bundled with retainer. If you have existing clients on a monthly retainer for web hosting, SEO, or general marketing support, add DMARC monitoring as a line item at £25-50/domain/month depending on your margins. Frame it as "domain security monitoring" on the invoice. No negotiation needed because it's an addition, not a standalone sale.
Standalone service for portfolio clients. For clients who aren't on retainer, a standalone DMARC audit + setup + 12-month monitoring package at £500-1,500 depending on domain count works. The audit is the thing you're actually charging for on the front end; the monitoring is the recurring revenue that justifies the low front-end price.
Either way, the margin math works because the actual ongoing monitoring is cheap — if you're using a tool like DMARC Sentinel as your back-end, you're paying single-digit pounds per domain per month and marking it up 5-10x. This is standard agency economics for any managed service.
The objection handling
You'll hear four objections repeatedly.
"Our IT team already handles this." Response: "Perfect — the audit will either confirm they've done a good job, in which case we both win, or surface something they might have missed. Either way, it's worth ten seconds."
"Our email works fine." Response: "I agree — your legitimate email almost certainly works. The question is whether illegitimate email pretending to be from you also works. Let me show you what the audit found."
"We're too small for anyone to target us." Response: "The attacks are automated. The attacker isn't picking you specifically — they're scanning the entire internet for domains without DMARC and sending fake invoices from all of them. Being small doesn't protect you; being properly configured does."
"How much does it cost?" Response: Specific number, no hedging. £X/domain/month, Y-domain minimum, can start tomorrow. Clients who hear vague pricing assume the answer is "a lot."
The tool you walk in with
The free audit at dmarcsentinel.com is designed specifically to be the artefact you bring to this conversation. Run it against the client's domain before the call. Screenshot the grade and top findings. Send them the shareable URL after the call so they can look at it themselves. The shareable URL is also useful for circulating internally — it's the thing the marketing director forwards to the CTO when she's trying to get DMARC prioritised on the roadmap.
If you're already sold on monitoring as a service for your portfolio, DMARC Sentinel's Agency tier handles the multi-tenant side — client dashboards, white-label reports, API access for integration into your own client portal. That's the paid product I'm building to pair with the free audit. But even if you use a different monitoring back-end, the free audit is the conversation-starter, and it works regardless of what you sell after.
The bit agencies always miss
Every agency I've talked to that has tried to sell DMARC monitoring to clients has reported the same surprise: it's one of the easiest services they've ever sold, once they stop explaining DMARC and start explaining the outcome.
The client doesn't buy authentication protocols. They buy "nobody can send fake invoices pretending to be us." They buy "our marketing emails reach more inboxes." They buy "we're compliant with the security questionnaire our biggest customer just sent us." The fact that the underlying implementation is a DNS TXT record and some automated monitoring is implementation detail that they don't need and don't want.
Run the audit. Show the grade. Name the business outcome. Price specifically. Follow up within 24 hours. That's the whole playbook.
Jon Morby has run email and DNS infrastructure since the early 1990s. He built DMARC Sentinel after watching too many agencies discover the hard way that their clients' email was going to spam.