The MSP's competitive edge in domain security
Free tools that close deals. Original research that proves the gaps. A platform that turns domain security into billable, recurring revenue. And the signals cyber insurers are already looking for.
ShieldMarc is not another DMARC dashboard. It is a sales weapon, a revenue line, and a compliance engine, built for UK MSPs who want to lead the conversation on domain security, not chase it.
20 free tools. Your new sales weapon.
All 20 of our security lookup tools are free, instant, and require no sign-up. That is not a loss leader. It is a deliberate strategy to give MSPs a practical edge in every client conversation.
How MSPs are using these tools to win business
- Walk into a meeting with evidence: Run a Security Grade scan on a prospect's domain. In seconds you have a clear security score covering DMARC, SPF, SSL, DNSSEC, and more. You are showing facts, not a pitch deck.
- Surface the gaps they did not know they had: The scan identifies specific, fixable issues: missing DMARC policy, weak SPF, expiring certificates, unsigned DNSSEC. Every gap is an opportunity you can quote for.
- Show them the threat landscape: Use the Lookalike Domain Scanner to show which confusingly similar domains already exist. Most clients have never seen this. It changes the conversation instantly.
- Close and onboard in the same meeting: Once they see the score, add their domains to the dashboard. Monitoring starts immediately. Brand alternates are detected automatically. You go from audit to active protection in minutes.
When a prospect sees their own domain scored and scanned in real time, the conversation shifts from "why do I need this?" to "when can we start?"
We do not just sell monitoring. We audit the industry.
Our UK MSP DMARC Audit: Q1 2026 analysed 192 UK Managed Service Providers across DMARC, SPF, SSL, DNSSEC, and brand domain protection. The findings are not flattering: 80% had an unprotected alternate brand domain. Even among MSPs with a perfect DMARC score on their primary domain, the majority had left their .co.uk or .com counterpart wide open.
These are not theoretical risks. They are gaps we found, measured, and published. When we build scoring logic or surface a recommendation, it is grounded in data we collected ourselves. That is the kind of partner you want behind your domain security practice.
A revenue line, not just a cost line
Most security tools are a cost you absorb. ShieldMarc is designed to be a service you sell.
Bill it as a managed service
Domain security monitoring is a natural fit for your existing managed services stack. Add it alongside your RMM and backup offerings. Clients understand recurring security monitoring, as they are already paying for antivirus and endpoint protection. Domain security is the same model, applied to the layer most MSPs are not covering yet.
Margins that work
Professional covers 25 domains for £49/month annual. MSP covers 100 domain slots for £99/month annual, and brand TLD variants (primary plus every defensive .co.uk, .com, .de, .com.au and so on) count as a single slot. Run the MSP plan at capacity: 100 clients, three TLDs each, is 300 monitored domains for £99/month. That is under £1 per client per month, or about 33p per actual domain monitored. Price the service to your clients at whatever your market bears, and the margin is yours.
Need more than 100 clients? Each expansion bucket adds 50 domain slots and 5 million extra messages per month for £39.99/month. Industry-leading volume (20 million messages on MSP) means most MSPs never expand, but if you do, the price is fixed and there is no surprise billing. No hard cap, no overage fees, no metered charges: if you go over, reports keep parsing and we talk before anything on your invoice changes.
QBR-ready reporting
Show clients their Security Grade trend over time. Demonstrate how their score has improved since onboarding. Use the data in quarterly business reviews to justify your retainer, prove ROI, and upsell remediation work for any remaining gaps.
Win new business with the free tools
The free tools are your prospecting engine. Run a Security Grade scan in a sales meeting, surface the gaps, and quote the remediation. You are leading with value before the client has spent a penny. That is a fundamentally different sales motion to cold calling with a slide deck.
The signals cyber insurers are already looking for
Cyber insurance underwriters do not just ask "do you have antivirus?" any more. They are increasingly checking domain-level security signals: DMARC policy, SPF alignment, DNSSEC signing, MTA-STS enforcement, certificate validity, and whether parked domains are properly locked down.
If your client cannot evidence these controls, they face higher premiums, exclusions, or outright refusal of cover. If they suffer a phishing incident and their domain security was visibly neglected, the claim gets harder to defend.
How ShieldMarc helps your clients get insured and stay insured
- DMARC at enforcement, the single most-asked question on cyber insurance applications. ShieldMarc tracks policy stage and guides you to p=reject.
- SPF and DKIM alignment. Insurers want to see that legitimate mail is properly authenticated, not just that a record exists.
- SSL/TLS certificates valid and monitored. Expired certificates signal neglect. Continuous monitoring removes that risk.
- DNSSEC, MTA-STS, TLS-RPT: advanced controls that demonstrate mature security posture. ShieldMarc checks all three.
- Security Grade as evidence, a single, auditable score your client can present to their broker. It covers every signal in one scan.
For MSPs, this is a straightforward conversation: "Your cyber insurance renewal is coming up. Let me show you exactly where you stand on the controls they are going to ask about." That is a service your clients will pay for.
Shortest time from alert to fix
Most legacy shops run a separate DMARC tool, a separate SSL monitor, a separate DNS checker, maybe a separate WHOIS tracker. When an incident starts, an engineer bounces between four consoles trying to correlate what changed, when, and why. That is where the hours go.
All the signals in one view
DMARC aggregate reports, SPF and DKIM alignment, SSL certificate state, DNS record history, DNSSEC, MTA-STS, TLS-RPT, CAA, domain expiry and WHOIS changes, uptime and lookalike registrations all land in a single per-domain view, correlated by timestamp. If DKIM alignment started failing on Tuesday at 14:07 and a DNS TXT record changed at 14:05, they are next to each other. You see cause and effect, not four disconnected dashboards.
Claude AI on tap for deep reasoning, enriched by our threat model
On paid plans, the AI analysis buttons on DMARC reports, threat-feed and domain posture route to a frontier Anthropic Claude model. The model does not see raw DMARC XML. It sees a pre-enriched context assembled by our own threat model: each sending source scored for IP reputation, reverse DNS and ASN fit, SPF and DKIM alignment shape, volume and velocity, and cross-domain behaviour across our entire customer base. Claude reasons on top of that prepared picture, correlates it with the full per-domain signal bundle (DMARC, SPF, DKIM, SSL, DNS, DNSSEC, MTA-STS, TLS-RPT, uptime, WHOIS, lookalikes), and plain-Englishes the specific change, selector rotation, or sender behaviour that caused the break. This is why the output is specific, not generic: the reasoning is Claude; the signal quality is ours.
Free-tool explainers (DMARC Checker, Security Grade, SSL, DNSSEC) run on cheaper models because they do not need that depth, and that is how we keep the free tier genuinely free.
AI never runs on its own. The model only reads your signals when an operator explicitly clicks an AI analysis button. No background inference, no auto- summaries, no silent outbound calls. The signal layer, the enforcement engine and the alerts all run deterministically without AI involvement.
That is how a single engineer covers 100 client domains across DMARC, SSL, DNS and brand protection without drowning. Correlated signals plus frontier-grade AI reasoning on demand is the compounding advantage modern MSPs run on.
Alerts that mean something. Not just alerts.
DMARC aggregate reports contain a lot of noise. A sending IP that failed authentication might be a misconfigured marketing platform, a legacy mail relay you forgot about, or an active spoofing attempt targeting your client. The raw data looks identical. The response should not be.
How our threat scoring engine works
Every row in every DMARC report we parse runs through five independent signal checks before anything surfaces in your dashboard:
- Sending IP reputation, cross-referenced against public abuse feeds, so spam-associated IPs score very differently from clean commercial mail relays.
- Reverse DNS and ASN: does the PTR record look like a branded mail service, or a generic VPS on a hosting ASN with no mail history?
- Failure shape: SPF-pass DKIM-fail looks like a forwarder; DKIM-missing high-volume from an unknown IP looks like spoofing.
- Volume and velocity: a sudden spike from a new source is treated very differently from a steady low-volume pattern from a familiar one.
- Cross-domain consistency: if the same IP sends authenticated mail for hundreds of other domains on the platform it is almost certainly legitimate; if it only targets one customer with repeated auth failures, the score is pushed the other way.
The weighted score classifies each source as misconfig, forwarder, or threat. Misconfigurations become configuration tasks you can action. Forwarders are recognised and deprioritised so they stop generating noise. Threats are escalated with the source IP, the reputation history, the volume curve, and the confidence level. You do not investigate every failure; you investigate the ones the engine flags.
Every report we parse adds to a proprietary dataset of sending source behaviour across our customer base. The dataset compounds. An actor probing one client is far more likely to be identified when they probe another, because the signal pattern is already in our engine.
For MSPs managing multiple client domains, this matters operationally. You cannot manually investigate every DMARC failure across a portfolio of 50 clients. You need the platform to tell you which failures are worth your time. That is what ours does.
Read our engineering article on how the threat detection engine works →
Subdomain policy (sp=) detection, done properly
Most DMARC tools read the policy (p=reject) and score the domain as protected. They miss that a weaker subdomain policy (sp=none) leaves every subdomain wide open to spoofing. ShieldMarc scores sp= independently and flags weaker-than-p subdomain policies as a specific control failure. It is the difference between looking protected and being protected, and it is one of the most common gaps we find in the UK MSP DMARC Audit.
Actionable tasks, not just alerts
Compare the output:
Your technician gets a task, not an alert to triage.
We store almost no personal data
MSPs signing a new security vendor are the ones carrying the DPIA. The less your new supplier holds, the easier that paperwork becomes. ShieldMarc is a machine-data platform: we process domains, DNS, certificates and DMARC report metadata, not end-user correspondence.
The only personal data we hold
- Your account and team-member email addresses, for login, invites and notifications.
- Authentication and audit log entries, including IP address and user agent for each significant action.
- DMARC forensic (RUF) report headers, only in the rare cases where receivers send them. Google, Microsoft and Yahoo do not send RUF by default, so this set is empty or near-empty for most customers. Headers only, never body content.
We never store email body content, card data, or any personal data relating to your end users. That is a deliberate product decision, not a future aspiration. Full detail on the Trust page.
The gap nobody is closing
Your client operates from yourcompany.com. Their customers also trust yourcompany.co.uk. If that alternate domain has no DMARC record, no SPF, no SSL certificate, and no DNS monitoring, an attacker can register it, spoof it, or let it lapse and pick it up at auction. Your DMARC policy on the primary domain does not protect against this.
In our UK MSP DMARC Audit, 80% of the 192 MSPs we analysed had an unprotected alternate brand domain. The NCSC has repeatedly warned that MSPs are high-value targets for supply chain attacks. Attackers do not limit themselves to spoofing the exact sending domain. They impersonate the brand across any domain variant a client might trust.
ShieldMarc closes this gap automatically. Add a primary domain and we detect the regional alternates (.com/.co.uk, .de, .com.au and 30+ others). Both are scanned, scored, and monitored together. TLD variants count as a single domain slot, so there is no cost penalty for doing the right thing.
What ShieldMarc does differently
Intelligent alternate domain detection
Enter a primary domain and ShieldMarc automatically identifies the regional alternate (.com/.co.uk, .de, .com.au and 30+ others). Both domains are scanned, scored, and monitored together as a single brand group.
Full-stack domain security
Not just DMARC. Every domain is checked for DMARC policy and alignment, SPF record validity, SSL/TLS certificate health, DNSSEC signing, MX configuration, and domain registration status.
Brand domains included free
Your .co.uk and .com are the same brand. We do not charge you twice. TLD variants are grouped together and count as a single domain slot. Competitors charge per domain, meaning brand protection doubles your bill.
Continuous monitoring and alerts
Daily automated checks across every domain. If a DMARC policy changes, an SSL certificate approaches expiry, a DNS record is modified, or a domain registration lapses, you are alerted before it becomes an incident.
How ShieldMarc compares
Most DMARC providers focus on a single domain's email authentication. ShieldMarc treats your brand as a group of domains that all need protection.
| Capability | Typical DMARC tool | ShieldMarc |
|---|---|---|
| DMARC monitoring and reporting | Yes | Yes |
| SPF record validation | Yes | Yes |
| Alternate brand domain detection | No | Automatic |
| Brand domain grouped billing | Per domain | TLD variants free |
| SSL/TLS certificate monitoring | No | Yes |
| DNS record monitoring | No | Yes |
| DNSSEC validation | No | Yes |
| Domain registration and expiry alerts | No | Yes |
| Cyber insurance evidence | No | Security Grade |
| Free prospecting tools | No | 20 tools, no sign-up |
| Multi-tenant for MSPs | Some | Yes |
| UK based, EU-hosted, UK support | Rarely | Yes |
Purpose-built for MSPs
Most DMARC tools were built for single organisations managing their own domain. MSPs have a fundamentally different problem: dozens or hundreds of client domains, each with their own DNS providers, email platforms, and TLD variants.
- Brand grouping on the MSP plan means the .com and .co.uk of a client domain count as one slot, not two.
- Multi-domain dashboards give you a single view across every client, sorted by risk.
- Domain type detection automatically identifies which domains are active mail senders, which are parked, and which are aliases, so each gets the right policy recommendation.
- Actionable guidance for every domain. ShieldMarc does not just report problems. It tells you exactly what to fix and in what order.
- Transparent pricing from £69/month for 25 domains (£49/month annual). No per-seat charges, no opaque enterprise quotes.
Built for the post-NCSC Mail Check landscape
The NCSC retired its Mail Check and Web Check services on 31 March 2026, shifting DMARC monitoring responsibility back to individual organisations and their IT providers. For UK MSPs that relied on Mail Check, this created an immediate gap in visibility.
ShieldMarc was designed for this moment. We provide the DMARC aggregate report parsing, policy progression guidance, and multi-domain management that Mail Check offered, plus the brand domain protection, SSL monitoring, and DNS health checks it never did. For a detailed migration walkthrough, see our guide to the NCSC Mail Check retirement.
Fast and secure by design
Most platforms grow by piling on features to justify higher pricing. We took the opposite approach. ShieldMarc is built lean: the tools you actually need, nothing you do not, and every page engineered for speed.
Rust where it matters, Next.js where it helps
Performance-critical ingest paths, including TLS-RPT parsing and parts of the DMARC aggregate pipeline, are implemented in Rust for predictable latency and memory-safe processing at volume. Legacy DMARC platforms built on Python or Ruby slow down as message volume grows. Ours does not. The dashboard is Next.js with per-request CSP nonces, cached server rendering, and no bloat.
Secured from day one
Every release is automatically scanned for vulnerabilities, secrets, and common web application risks before it reaches production. All traffic is protected by a web application firewall with DDoS mitigation at the edge. Full details on our Security and Trust page.
How it works
Add your domains
Import client domains in seconds. Bulk upload or add one by one. Brand alternates are detected automatically.
Configure monitoring
Choose which modules to enable per domain. SSL, DMARC, DNS, uptime. All optional, all instant.
Get alerted instantly
Receive alerts via email the moment something changes. Dashboard shows current status at a glance.
Try the free tools
Every tool below is free, instant, and requires no sign-up. Check your domain security across every layer. Why we built them free.
Related Guides
See how your brand scores
Check your Security Grade for free. No sign-up, no email required. We will scan your domain across every security layer and give you a clear four-level rating.