Email Authentication for MSPs: Managing Client Domains at Scale

Practical guide for MSPs and IT consultants managing email authentication across multiple client domains. Standardize SPF, DKIM, and DMARC deployment with repeatable processes.

17 min readguidesThomas Johnson

The MSP Challenge

Managing email authentication for a single domain is straightforward. Managing it across 50, 100, or 500 client domains is an operational discipline.

Every client has a different email provider. Some run Google Workspace, some run Microsoft 365, a few are still on legacy Exchange, and the rest are on a mix of platforms you have never heard of. Each client has their own marketing tools, CRM integrations, helpdesk systems, and transactional email services -- all of which send email as their domain and all of which need to be authorized in their DNS records.

The operational reality:

  • Clients add services without telling you. A marketing team signs up for a new ESP and starts sending before anyone publishes the SPF (RFC 7208) include. Email fails silently.
  • DNS changes break things invisibly. Someone edits a TXT record and introduces a syntax error. SPF stops working, but nobody notices until a client calls about emails going to spam two weeks later.
  • Every domain has different authentication gaps. One client has SPF but no DMARC. Another has DMARC (RFC 7489) at p=none and has been "planning to enforce" for 18 months. A third has DKIM (RFC 6376) configured for their mail platform but not for their marketing tool.
  • Provider requirements keep tightening. Gmail, Yahoo, and Microsoft now enforce authentication requirements that did not exist two years ago. See the Bulk Sender Requirements guide for the current state.

The risk to your business is direct: when a client's emails land in spam, the MSP gets the call. When a client domain gets spoofed because DMARC is at p=none, the MSP owns the remediation. Email authentication is no longer optional infrastructure -- it is a core managed service, and the MSPs who treat it that way have a competitive advantage.

Standardizing Your Approach

The difference between an MSP that handles email authentication well and one that does not is a repeatable process. Ad-hoc fixes do not scale. You need a systematic approach that works the same way for every client, every time.

The Assessment Checklist

For each client domain, run through this checklist:

Check Tool What to Look For
SPF record exists SPF Checker Valid record published, no syntax errors
SPF lookup count SPF Checker Under 10 lookups (ideally under 8)
Only one SPF record SPF Checker Multiple SPF records cause PermError
DKIM for primary mail DKIM Checker Key published for Google/Microsoft selector
DKIM for all senders DKIM Checker Each ESP/CRM has DKIM configured
DMARC record exists DMARC Checker Record published at _dmarc.domain.com
DMARC policy level DMARC Checker p=none, p=quarantine, or p=reject
DMARC reporting DMARC Checker rua= tag configured for aggregate reports
MX records valid MX Lookup Records resolve, correct priority
Blacklist status Blacklist Check Sending IPs not listed

Run the mxio SPF Checker on each client domain as a starting point. It gives you the fastest read on whether the domain's authentication foundation is solid or broken.

Document Everything

Maintain a shared record of each client's sending services. For every domain you manage, track:

  • All email-sending services (primary mail, marketing, transactional, CRM, helpdesk, email security/filtering)
  • The SPF include required for each service
  • DKIM selectors configured for each service
  • Current DMARC policy and reporting destination
  • Date of last authentication audit
  • Known issues and planned changes

This inventory is the only way to answer "will adding this new service break anything?" without guessing.

Categorize Your Client Base

Sort every client domain into one of three categories:

Category Definition Action
Fully authenticated SPF valid, DKIM for all senders, DMARC at p=quarantine or p=reject Monitor; audit quarterly
Partially authenticated Some records present but incomplete (missing DKIM, DMARC at p=none, SPF near limit) Remediate; schedule fixes
No authentication Missing SPF, DKIM, or DMARC entirely Prioritize; deploy baseline immediately

This categorization gives you a clear picture of your exposure and a prioritized remediation list.

Common Client Stacks

Most clients fall into a handful of common configurations. Knowing the typical SPF, DKIM, and lookup implications for each saves time during assessments and deployments.

Template SPF Records by Stack

Client Stack Template SPF Record Estimated Lookups
Google Workspace only v=spf1 include:_spf.google.com ~all 3-4
Microsoft 365 only v=spf1 include:spf.protection.outlook.com ~all 2-3
Google + Mailchimp v=spf1 include:_spf.google.com include:servers.mcsv.net ~all 4-5
Google + HubSpot v=spf1 include:_spf.google.com include:spf.hubspot.com ~all 5-6
Microsoft 365 + SendGrid v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all 4-5
Microsoft 365 + SendGrid + HubSpot v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:spf.hubspot.com ~all 6-7
Google + Salesforce + Mailchimp v=spf1 include:_spf.google.com include:_spf.salesforce.com include:servers.mcsv.net ~all 6-8
Hybrid Google + Microsoft (migration) v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all 5-7

DNS Record Examples

# Google Workspace only
v=spf1 include:_spf.google.com ~all

# Microsoft 365 + Mailchimp + Zendesk
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:mail.zendesk.com ~all

# Google Workspace + SendGrid + HubSpot
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com ~all

# Microsoft 365 + Salesforce + SendGrid + Mailchimp (danger zone: 8-10 lookups)
v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:sendgrid.net include:servers.mcsv.net ~all

DKIM Setup Notes by Provider

Provider Default Selector Setup Method
Google Workspace google Admin Console > Apps > Google Workspace > Gmail > Authenticate email
Microsoft 365 selector1, selector2 Microsoft 365 Defender > Policies > Email authentication > DKIM
Mailchimp k1 Account > Domain > Authenticate > DKIM
SendGrid s1, s2 Settings > Sender Authentication > Authenticate Your Domain
HubSpot Custom per account Settings > Domain & URLs > Email Sending Domains
Salesforce sf1, sf2 Setup > DKIM Keys > Create DKIM Key
Zendesk zendesk1, zendesk2 Admin Center > Channels > Email > SPF/DKIM
MailRoute mr01, mr02, mr03 (auto-rotated) MailRoute Admin > Outbound DKIM Settings

Always run the mxio DKIM Checker after configuring each selector to verify the DNS record is published and the key is valid. Common issues include propagation delays, CNAME vs. TXT record type mismatches, and providers requiring domain verification before DKIM activation.

SPF Management at Scale

The 10-lookup limit (RFC 7208 Section 4.6.4) is the single biggest operational pain point for MSPs managing email authentication. When clients use one mail platform and one marketing tool, it is fine. When they are on Google Workspace plus a CRM, a marketing platform, a transactional email service, and a helpdesk, you are at 8-10 lookups before you have added anything yourself.

The Lookup Budget

Think of the 10-lookup limit as a budget. Every include:, a:, mx:, redirect=, and exists: mechanism costs at least one lookup, and each include may trigger additional lookups as the receiving server resolves nested records.

Lookups Used Status Action
1-5 Safe Room to add services
6-7 Watch Limited room; audit before adding includes
8-9 Warning One more service could push you over
10 At limit No room; any provider IP expansion could cause nested lookups to exceed the limit
11+ Broken SPF PermError; authentication fails for all email

Run the mxio SPF Checker on each client domain to see the current lookup count. Anything at 8+ needs a plan.

When Managed SPF Becomes Necessary

When a client hits the lookup limit and cannot remove any includes because every service is actively sending, SPF flattening is the solution. Flattening resolves include: mechanisms to their underlying IP addresses, which do not count against the lookup limit.

mxio's Managed SPF automates this: it polls provider SPF records for changes, resolves them to IP addresses, and updates the client's DNS record automatically. No manual maintenance, no stale records.

Warning: Never flatten SPF records manually. Provider IP ranges change without notice, and a manually flattened record goes stale. Always use automated flattening that polls for changes and updates DNS automatically. See What Is SPF Flattening and Do You Need It? for the full explanation.

Managing Changes Across Many Domains

When a provider changes their SPF include requirement (it happens), you may need to update dozens of domains. Standardize your approach:

  1. Maintain a list of which client domains use which providers
  2. When a provider announces a change, query your inventory to identify affected domains
  3. Make the DNS change for each affected domain
  4. Verify each domain with the SPF Checker after the change
  5. Document the change and date in your client records

This process is tedious but non-negotiable. A missed domain means broken authentication for that client. For domains on Managed SPF, provider IP changes are detected and applied automatically.

DMARC Rollout Across Clients

DMARC is the most impactful email security control you can deploy for your clients, and also the most likely to cause problems if rushed. A phased rollout across your entire client base reduces risk and builds confidence. See the DMARC Deployment Guide for the full technical walkthrough of each phase.

Phase 1: Deploy p=none Everywhere

Start by publishing a DMARC record at p=none on every client domain that does not already have one. This is zero-risk -- p=none tells receiving servers to send reports but take no action on failures.

_dmarc.clientdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourmsp.com; fo=1"

Key decisions at this stage:

  • Use your own reporting address (or a DMARC report processing service). Sending reports to the client's mailbox is useless -- aggregate reports are XML files that no human reads directly.
  • Set fo=1 to request failure reports for any authentication mechanism that fails, not just when both fail. This gives you more diagnostic data.
  • Deploy across all client domains in a batch. There is no reason to wait -- p=none has no delivery impact.

Phase 2: Review Reports and Fix Gaps

With p=none deployed, you start receiving DMARC aggregate reports within 24-48 hours. These reports show every IP address that sent email as each client's domain and whether SPF and DKIM passed or failed for each source.

For each client domain:

  1. Identify all legitimate sending sources from the reports
  2. Cross-reference against your documented sending services -- look for services the client added without telling you
  3. Fix SPF records to include missing authorized senders
  4. Configure DKIM for any services that support it but do not have it set up
  5. Investigate unknown senders -- they may be unauthorized (spoofing) or legitimate services the client forgot to mention

This phase takes 2-4 weeks per client to get clean data. Do not rush it.

Phase 3: Move to p=quarantine

Once a client's DMARC reports show consistent authentication passes for all legitimate sources (typically 95%+ pass rate sustained over 2+ weeks), move to p=quarantine:

_dmarc.clientdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourmsp.com; fo=1"

At p=quarantine, emails that fail DMARC are delivered to the recipient's spam/junk folder instead of the inbox. This catches spoofing while giving you a safety net -- if a legitimate source is misconfigured, the email still arrives (in spam) rather than being rejected outright.

Monitor reports closely for the first week after each upgrade. Look for any drop in pass rates.

Phase 4: Upgrade to p=reject

After 2-4 weeks at p=quarantine with no legitimate failures, move to p=reject:

_dmarc.clientdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourmsp.com; fo=1"

At p=reject, emails that fail DMARC are rejected entirely -- they never reach the recipient. This is the strongest protection against domain spoofing and is the recommended long-term policy.

Timeline Expectations

Phase Duration Risk Level
p=none deployment 1-2 days (batch across all clients) None
Report review and fixes 2-4 weeks per client None
p=quarantine 2-4 weeks monitoring Low (failures go to spam)
p=reject Ongoing Minimal (if previous phases were thorough)

The full rollout from nothing to p=reject takes 3-6 months per client. For an MSP managing 50+ domains, stagger the rollout -- move 5-10 clients through each phase at a time so you can handle any issues without being overwhelmed.

Client Conversations

Technical implementation is half the battle. The other half is getting clients to approve the work, especially when they do not understand what email authentication is or why they need it.

Common Objections and Responses

"Our email works fine. Why do we need this?"

It works today because Google, Yahoo, and Microsoft are still delivering your unauthenticated email. That is ending. Gmail and Yahoo already require SPF, DKIM, and DMARC for high-volume senders, and Microsoft published enforcement for high-volume sender domains targeting Outlook consumer mailboxes. Without authentication, your email will start landing in spam or being rejected outright. This is not optional -- it is infrastructure.

"Will this break our email?"

No. The first step is monitoring only. We publish a DMARC record at p=none, which tells email providers to send us reports about who is sending email as your domain. It has zero effect on email delivery. We use those reports to make sure everything is properly configured before turning on any enforcement.

"This seems expensive."

Compare the cost of proper authentication setup against the cost of your email going to spam. If your sales team's outbound emails or your invoicing system's payment reminders land in junk folders for even a week, the revenue impact dwarfs the authentication setup cost. This is also a one-time configuration with ongoing monitoring, not a recurring project.

"We already have SPF set up."

SPF alone is not sufficient. Without DMARC, anyone can still spoof your domain's From: address in phishing emails. SPF only validates the envelope sender, not the header From: that recipients see. Run the mxio DMARC Checker on your domain -- if there is no DMARC record, your domain is still vulnerable to spoofing regardless of your SPF configuration.

"Can we do this ourselves?"

You can, but the 10-lookup limit, DKIM key management across multiple providers, DMARC report interpretation, and ongoing monitoring are operational burdens. Most IT teams set up SPF once and never revisit it until something breaks. Managed email authentication means the domain stays protected without requiring constant attention.

Monitoring at Scale

Deploying authentication is the beginning, not the end. DNS records change, providers rotate IPs, clients add services, and DKIM keys need periodic rotation. Without ongoing monitoring, carefully configured authentication degrades.

What to Monitor

Signal Why It Matters How to Check
SPF lookup count Clients adding services increases lookups toward the 10-limit SPF Checker -- quarterly per domain
SPF record validity DNS edits can introduce syntax errors SPF Checker -- automated if possible
DKIM key presence Keys can be accidentally deleted; some providers rotate selectors DKIM Checker -- monthly per provider
DMARC pass rate Drops indicate misconfigured or unauthorized senders DMARC aggregate reports -- weekly review
DMARC policy level Ensure no one downgrades from p=reject back to p=none DMARC Checker -- monthly
Blacklist status Sending IP listed on a DNSBL degrades all deliverability Blacklist Check -- weekly
New unauthorized senders Spoofing attempts or unannounced client services DMARC reports -- look for unknown IPs

Prioritize by Policy Level

Not all domains require the same monitoring urgency. Prioritize based on DMARC enforcement level:

  1. p=reject domains first -- Any authentication failure on these domains means email is bounced. A misconfigured sending source causes immediate delivery failures. Monitor these weekly.
  2. p=quarantine domains second -- Failures go to spam, which clients may not notice immediately. Monitor biweekly.
  3. p=none domains third -- No delivery impact from failures, but you should still be working toward enforcement. Monitor monthly and focus on remediation.

Automating Monitoring

Manual checks do not scale past 20-30 domains. For larger client bases, you need automated monitoring that:

  • Checks SPF, DKIM, and DMARC records on a schedule
  • Alerts you when records change or become invalid
  • Tracks SPF lookup counts and warns when approaching the limit
  • Processes DMARC aggregate reports and flags anomalies
  • Checks blacklist status for client sending IPs

mxio monitors your entire authentication stack continuously — SPF validity and lookup counts, DKIM key presence, DMARC policy and pass rates, and blacklist status. When something changes on any of your managed domains, you know within minutes. That is the difference between proactive management and reactive firefighting.

Reporting to Clients

Authentication management runs in the background when it is working correctly. That invisibility is a problem -- clients do not value what they cannot see. Regular reporting makes the value tangible.

What to Include in Client Reports

Monthly or quarterly reports should cover:

  • Authentication pass rates -- Percentage of email passing SPF, DKIM, and DMARC for the reporting period. Trend over time. This is the headline number.
  • Threats blocked -- Number of emails that failed DMARC and were quarantined or rejected. This is spoofing and phishing that DMARC prevented. For clients at p=reject, this number directly represents attacks stopped.
  • Changes made -- Any DNS updates, new service authorizations, or DKIM key rotations during the period. Demonstrates active management.
  • Current status -- Summary of all authentication records and their health. Green/yellow/red status for SPF, DKIM, DMARC, and blacklist checks.
  • Recommendations -- Next steps: advancing DMARC policy, adding DKIM for newly discovered senders, addressing SPF lookup count concerns.

Framing the Value

The report is not just a status update -- it is justification for the ongoing service. Frame the data in business terms:

  • "DMARC rejected 847 unauthorized emails attempting to impersonate your domain this quarter" is more compelling than "DMARC pass rate is 99.2%"
  • "Your domain has been at p=reject for 6 months with zero legitimate delivery issues" demonstrates stability and professionalism
  • "We identified and authorized a new marketing tool your team started using, preventing a potential deliverability disruption" shows proactive value

Clients who see regular evidence that their MSP is actively protecting their email are clients who renew. Clients who never hear about email authentication until something breaks are clients who question the value.

Building the Service Offering

Email authentication management is a natural addition to any managed services agreement. The deliverables are concrete:

  1. Initial assessment and remediation -- One-time project to audit and fix all authentication records
  2. DMARC deployment -- Phased rollout from p=none to p=reject
  3. Ongoing monitoring -- Automated checks with human review and escalation
  4. Quarterly reporting -- Client-facing report with metrics and recommendations
  5. Change management -- Handling new service authorizations, DNS changes, and incident response

This turns email authentication from a one-time fix into a recurring managed service that protects your clients and differentiates your practice from competitors who treat email as "set and forget."

Was this article helpful?

Related Articles

Fix SPF PermError: Too Many DNS Lookupserrors

Your SPF record exceeds the 10-lookup limit, causing email authentication failures. Learn why this happens and how to fix it with step-by-step instructions.

Why Is DMARC Failing? Causes and How to Fix Iterrors

DMARC authentication is failing for your domain. Understand the most common causes — alignment issues, missing records, third-party senders — and fix them.

Google, Yahoo, and Microsoft Bulk Sender Requirements (2026)guides

Complete guide to bulk sender authentication requirements from Gmail, Yahoo Mail, and Microsoft. SPF, DKIM, DMARC, unsubscribe headers, and spam rate thresholds.

Complete Guide to Email Authentication in 2026guides

Understand how SPF, DKIM, and DMARC work together to protect your domain from spoofing and improve email deliverability. A practical guide for email administrators.

What Is SPF Flattening and Do You Need It?guides

SPF flattening resolves include mechanisms to IP addresses, reducing DNS lookups. Learn how it works, the risks of manual flattening, and when you need automated flattening.

Email Security for SMBs: Authentication Management Without Enterprise Pricingguides

Email authentication is no longer optional for small and mid-sized businesses. Learn how to protect your domain from spoofing with SPF, DKIM, and DMARC — and how managed platforms make it practical.