MX/01DMARC monitoring for MSPs

Stop client emails
from landing in spam.

Most MSPs don't know their clients' emails are failing authentication checks - until the calls start coming in.

For MSP owners and technical directors managing 50-500 client domains.

Start Free Trial See How It Works
01 / The Problem observed failure modes

You're sending emails into a black hole.

Right now, there could be client domains on your watch failing authentication - invoices vanishing into spam, spoofed mail going out under their name - and you'd have no way to know until someone calls.

550 5.7.1 A client's password reset never arrives. Then their invoices stop going through. By the time you hear about it, they're already looking for a new MSP.
X-Spam: YES Gmail and Microsoft are silently quarantining your clients' messages. No bounce, no error - just a growing pile of 'I never got that email' tickets.
SPF: ~all Someone sends phishing emails from your client's domain. Their customers get scammed. And the finger points at you - the one who manages their email.

MXBastion watches every domain you manage - so you catch and fix these problems before anyone notices.

bounce-notification.eml RFC 3464
From: mailer-daemon@mx1.google.com
To: you@your-company.com
Subject: Delivery Status Notification (Failure)

--- Below this line is the bounce message ---

550 5.7.1 Unauthenticated email from
your-company.com is not accepted due
to domain's DMARC policy.

DMARC policy:  p=none (no enforcement)
SPF:           FAIL (too many DNS lookups)
DKIM:          FAIL (signature not found)
Alignment:     FAIL

Action required: Fix your email
authentication configuration.
02 / With MXBastion expected operating state

No more 'did you get my email?' calls.

MXBastion monitors authentication on every domain you manage and alerts you the moment something breaks - long before a client notices.

02.1

Every client email lands in the inbox

SPF, DKIM, and DMARC all pass. Receiving servers trust the message. Your clients' invoices arrive, their password resets work, and their customers stop asking 'did you send that?'

Auth rate 100%
SPF / DKIM / DMARC pass
02.2

Continuous monitoring

We check DNS records every 6 hours and process DMARC reports as they arrive. When something drifts, you fix it the same day instead of three weeks later when the client churns.

DNS checks every 6h
DMARC reports real-time
02.3

Proactive issue resolution

When something breaks, you get the exact DNS record to fix it. Paste it at your DNS provider and MXBastion verifies the change within minutes.

Fix format exact DNS record
Time to verify minutes
03 / How It Works four steps to p=reject

From vulnerable to protected in days, not months.

MXBastion walks each client domain to full DMARC enforcement - p=reject - one verified step at a time.

01 5 minutes

Add Your Domains

Enter your domains and we instantly scan their SPF, DKIM, and DMARC records.

02 24 hours

Review Authentication

We collect and analyze your first DMARC aggregate reports to map all legitimate senders.

03 1-2 weeks

Tighten Enforcement

Gradually move from p=none to p=reject with guided steps and safety checks at each stage.

04 Ongoing

Monitor & Protect

Continuous monitoring catches config drift, spoofing attempts, and new sender issues in real time.

DMARC enforcement progression

v=DMARC1; p=none

Monitor only. See what's happening without blocking anything.

v=DMARC1; p=quarantine

Suspicious emails go to spam. Legitimate mail still delivers.

v=DMARC1; p=reject

Full protection. Unauthenticated emails are rejected outright.

03.1 / Platform Preview interactive - click the sidebar

See your domain health at a glance.

https:// app.mxbastion.com/dashboard preview
Dashboard
Domains
Reports
Alerts
Settings
4
Domains
98.2%
Auth Rate
2
Warnings
1
Critical
acme-corp.com Healthy
DMARC pass SPF pass DKIM pass
store.acme-corp.com Warning
DMARC pass SPF pass DKIM misaligned
legacy-app.io Critical
DMARC fail SPF too many lookups DKIM pass
notifications.acme-corp.com Healthy
DMARC pass SPF pass DKIM pass
Authentication Results
Last 7 days - improving trend
Mon
Tue
Wed
Thu
Fri
Sat
Sun
Critical Issue

SPF Exceeds 10 Lookup Limit

legacy-app.io has 13 DNS lookups in its SPF record. RFC 7208 limits this to 10.

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Domains

+ Add Domain
Domain DMARC Policy SPF DKIM Status Last Checked
acme-corp.com p=reject Pass Aligned Healthy 2 hours ago
store.acme-corp.com p=quarantine Pass Misaligned Warning 4 hours ago
legacy-app.io p=none 13 lookups Missing Critical 1 hour ago
notifications.acme-corp.com p=reject Pass Aligned Healthy 30 min ago
mail.clientco.org p=quarantine Pass Aligned Healthy 3 hours ago
invoices.bigretail.com p=reject Pass Aligned Healthy 1 hour ago

DMARC Aggregate Reports

acme-corp.com — Last 30 days
12,847
Total Emails
97.3%
Pass Rate
346
Failed
8
Sources
Sending Source Volume SPF DKIM Aligned
Google Workspace209.85.220.0/24 8,421 Pass Pass Yes
SendGrid167.89.0.0/17 3,204 Pass Pass Yes
Mailchimp205.201.128.0/20 876 Pass Partial DKIM only
Unknown203.0.113.42 346 Fail Fail No

Alert History

Last 7 days
Spoofing attempt detected
203.0.113.42 sent 346 unauthenticated emails as acme-corp.com. All rejected by p=reject policy.
2 hours ago
DKIM alignment failed
DKIM signatures on store.acme-corp.com are signing with a mismatched domain. 4% of emails affected.
5 hours ago
SPF record exceeds lookup limit
legacy-app.io has 13 DNS lookups (limit: 10). SPF is returning permerror for all emails.
1 day ago
DMARC policy upgrade recommended
store.acme-corp.com has had 99.1% pass rate for 14 days. Ready to move from p=quarantine to p=reject.
2 days ago
Weekly digest sent
Status report for 4 domains delivered to team@acme-corp.com and #email-ops Slack channel.
3 days ago

Settings

Notification Channels

Email team@acme-corp.com
Slack #email-ops
PagerDuty Not configured

Check Frequency

DNS record checks Every 6 hours
DMARC report processing Real-time
Weekly digest Mondays, 9:00 AM UTC

Team

Sarah Chen Owner
Mike Torres Admin
Alex Kim Viewer
acme-corp.com Healthy
DMARC SPF DKIM
store.acme-corp.com Warning
DMARC SPF DKIM
legacy-app.io Critical
DMARC SPF DKIM
notifications.acme-corp.com Healthy
DMARC SPF DKIM
04 / Pricing USD / month / organization

Two plans. Flat monthly price.

Both include SSO and full API access.

Growth Recommended

For growing MSPs

$49 /mo
  • Up to 50 domains
  • 1M emails/mo
  • DMARC, SPF, DKIM monitoring
  • Hourly DNS checks
  • SSO + API access
Start Free Trial No credit card required
Pro

For established MSPs

$69 /mo
  • Up to 150 domains
  • 5M emails/mo
  • DMARC, SPF, DKIM monitoring
  • DNS checks every 15 min
  • SSO + API access
Start Free Trial No credit card required

Need more than 150 domains? Let's talk.

Stop losing clients to email problems you didn't know existed. Add your domains and see the first scan results in minutes.

every domain scanned continuously · alerts by email, Slack, or webhook

Get started
05 / FAQ onboarding · records · support

Common questions

Most domains reach full DMARC enforcement (p=reject) within 2-4 weeks. The timeline depends on how many third-party senders you have (like marketing platforms, CRMs, or ticketing systems) that need to be authenticated first. MXBastion guides you through each step and gives you the exact DNS records to add.

No. MXBastion works with any DNS provider. You just need to add or update a few DNS TXT records (SPF, DKIM, DMARC) - something you likely already do for your clients. We tell you exactly what records to set and verify they're correct.

MXBastion reads your existing DMARC, SPF, and DKIM records as-is during onboarding. Nothing is overwritten. We analyze your current setup and walk you through improvements step by step.

We currently support alerts via email, Slack, and webhooks - which means you can connect to virtually any PSA or RMM that accepts inbound webhooks or email-based ticket creation. Native integrations with ConnectWise and HaloPSA are on the roadmap.

You can bulk-import domains via CSV or the API. MXBastion instantly scans all records and starts collecting DMARC reports. Most MSPs have their full domain portfolio loaded and initial reports flowing within an hour.

Yes. All plans include full API access. You can automate domain management, pull authentication data, and integrate MXBastion into your existing tooling and workflows.

All plans include email support with a target response time under 4 hours during business hours. We also have documentation and guides for common DMARC scenarios. If you're on the Pro plan, you get priority support.