The MSP's competitive edge in domain security
Free tools that close deals. Original research that proves the gaps. A platform that turns domain security into billable, recurring revenue. And the signals cyber insurers are already looking for.
ShieldMarc is not another DMARC dashboard. It is a sales weapon, a revenue line, and a compliance engine, built for UK MSPs who want to lead the conversation on domain security, not chase it.
18 free tools. Your new sales weapon.
All 18 of our security lookup tools are free, instant, and require no sign-up. That is not a loss leader. It is a deliberate strategy to give MSPs a practical edge in every client conversation.
How MSPs are using these tools to win business
- Walk into a meeting with evidence: Run a Security Grade scan on a prospect's domain. In seconds you have a clear security score covering DMARC, SPF, SSL, DNSSEC, and more. You are showing facts, not a pitch deck.
- Surface the gaps they did not know they had: The scan identifies specific, fixable issues: missing DMARC policy, weak SPF, expiring certificates, unsigned DNSSEC. Every gap is an opportunity you can quote for.
- Show them the threat landscape: Use the Lookalike Domain Scanner to show which confusingly similar domains already exist. Most clients have never seen this. It changes the conversation instantly.
- Close and onboard in the same meeting: Once they see the score, add their domains to the dashboard. Monitoring starts immediately. Brand alternates are detected automatically. You go from audit to active protection in minutes.
When a prospect sees their own domain scored and scanned in real time, the conversation shifts from "why do I need this?" to "when can we start?"
We do not just sell monitoring. We audit the industry.
Our UK MSP DMARC Audit: Q1 2026 analysed 192 UK Managed Service Providers across DMARC, SPF, SSL, DNSSEC, and brand domain protection. The findings are not flattering: 80% had an unprotected alternate brand domain. Even among MSPs with a perfect DMARC score on their primary domain, the majority had left their .co.uk or .com counterpart wide open.
These are not theoretical risks. They are gaps we found, measured, and published. When we build scoring logic or surface a recommendation, it is grounded in data we collected ourselves. That is the kind of partner you want behind your domain security practice.
A revenue line, not just a cost line
Most security tools are a cost you absorb. ShieldMarc is designed to be a service you sell.
Bill it as a managed service
Domain security monitoring is a natural fit for your existing managed services stack. Add it alongside your RMM and backup offerings. Clients understand recurring security monitoring, as they are already paying for antivirus and endpoint protection. Domain security is the same model, applied to the layer most MSPs are not covering yet.
Margins that work
ShieldMarc Professional covers 25 domains for £69/month (£49/month billed annually). If you are managing 15 clients with a primary and an alternate domain each, that is under £2 per domain per month to you. Price the service to your clients at whatever your market bears, and the margin is yours. Brand TLD variants count as a single slot, so you are not penalised for doing the right thing.
QBR-ready reporting
Show clients their Security Grade trend over time. Demonstrate how their score has improved since onboarding. Use the data in quarterly business reviews to justify your retainer, prove ROI, and upsell remediation work for any remaining gaps.
Win new business with the free tools
The free tools are your prospecting engine. Run a Security Grade scan in a sales meeting, surface the gaps, and quote the remediation. You are leading with value before the client has spent a penny. That is a fundamentally different sales motion to cold calling with a slide deck.
The signals cyber insurers are already looking for
Cyber insurance underwriters do not just ask "do you have antivirus?" any more. They are increasingly checking domain-level security signals: DMARC policy, SPF alignment, DNSSEC signing, MTA-STS enforcement, certificate validity, and whether parked domains are properly locked down.
If your client cannot evidence these controls, they face higher premiums, exclusions, or outright refusal of cover. If they suffer a phishing incident and their domain security was visibly neglected, the claim gets harder to defend.
How ShieldMarc helps your clients get insured and stay insured
- DMARC at enforcement, the single most-asked question on cyber insurance applications. ShieldMarc tracks policy stage and guides you to p=reject.
- SPF and DKIM alignment. Insurers want to see that legitimate mail is properly authenticated, not just that a record exists.
- SSL/TLS certificates valid and monitored. Expired certificates signal neglect. Continuous monitoring removes that risk.
- DNSSEC, MTA-STS, TLS-RPT: advanced controls that demonstrate mature security posture. ShieldMarc checks all three.
- Security Grade as evidence, a single, auditable score your client can present to their broker. It covers every signal in one scan.
For MSPs, this is a straightforward conversation: "Your cyber insurance renewal is coming up. Let me show you exactly where you stand on the controls they are going to ask about." That is a service your clients will pay for.
Alerts that mean something. Not just alerts.
DMARC aggregate reports contain a lot of noise. A sending IP that failed authentication might be a misconfigured marketing platform, a legacy mail relay you forgot about, or an active spoofing attempt targeting your client. The raw data looks identical. The response should not be.
How our threat scoring engine works
Every row in every DMARC report is evaluated by a multi-signal scoring engine before it reaches your dashboard. The engine cross-references IP reputation data, reverse DNS and sending infrastructure context, SPF/DKIM alignment patterns, message volume and velocity, and cross-domain consistency across our platform. An AI evaluation layer then reasons over the combined signals to classify each source, the same way an experienced security analyst would, but automatically and at scale.
The result: misconfigured services are identified as configuration issues to fix. Known forwarders are recognised and deprioritised. Genuine spoofing attempts are escalated with full context including source, reputation history, volume pattern, and confidence level.
Every report processed also contributes to a proprietary dataset of sending source behaviour across our customer base. That dataset compounds over time. A threat actor probing one client domain is far more likely to be identified when they probe another, because the pattern is already in our engine.
For MSPs managing multiple client domains, this matters operationally. You cannot manually investigate every DMARC failure across a portfolio of 50 clients. You need the platform to tell you which failures are worth your time. That is what ours does.
Read our engineering article on how the threat detection engine works →
The gap nobody is closing
Your client operates from yourcompany.com. Their customers also trust yourcompany.co.uk. If that alternate domain has no DMARC record, no SPF, no SSL certificate, and no DNS monitoring, an attacker can register it, spoof it, or let it lapse and pick it up at auction. Your DMARC policy on the primary domain does not protect against this.
In our UK MSP DMARC Audit, 80% of the 192 MSPs we analysed had an unprotected alternate brand domain. The NCSC has repeatedly warned that MSPs are high-value targets for supply chain attacks. Attackers do not limit themselves to spoofing the exact sending domain. They impersonate the brand across any domain variant a client might trust.
ShieldMarc closes this gap automatically. Add a primary domain and we detect the regional alternates (.com/.co.uk, .de, .com.au and 30+ others). Both are scanned, scored, and monitored together. TLD variants count as a single domain slot, so there is no cost penalty for doing the right thing.
What ShieldMarc does differently
Intelligent alternate domain detection
Enter a primary domain and ShieldMarc automatically identifies the regional alternate (.com/.co.uk, .de, .com.au and 30+ others). Both domains are scanned, scored, and monitored together as a single brand group.
Full-stack domain security
Not just DMARC. Every domain is checked for DMARC policy and alignment, SPF record validity, SSL/TLS certificate health, DNSSEC signing, MX configuration, and domain registration status.
Brand domains included free
Your .co.uk and .com are the same brand. We do not charge you twice. TLD variants are grouped together and count as a single domain slot. Competitors charge per domain, meaning brand protection doubles your bill.
Continuous monitoring and alerts
Daily automated checks across every domain. If a DMARC policy changes, an SSL certificate approaches expiry, a DNS record is modified, or a domain registration lapses, you are alerted before it becomes an incident.
How ShieldMarc compares
Most DMARC providers focus on a single domain's email authentication. ShieldMarc treats your brand as a group of domains that all need protection.
| Capability | Typical DMARC tool | ShieldMarc |
|---|---|---|
| DMARC monitoring and reporting | Yes | Yes |
| SPF record validation | Yes | Yes |
| Alternate brand domain detection | No | Automatic |
| Brand domain grouped billing | Per domain | TLD variants free |
| SSL/TLS certificate monitoring | No | Yes |
| DNS record monitoring | No | Yes |
| DNSSEC validation | No | Yes |
| Domain registration and expiry alerts | No | Yes |
| Cyber insurance evidence | No | Security Grade |
| Free prospecting tools | No | 18 tools, no sign-up |
| Multi-tenant for MSPs | Some | Yes |
| UK company, EU-hosted, UK support | Rarely | Yes |
Purpose-built for MSPs
Most DMARC tools were built for single organisations managing their own domain. MSPs have a fundamentally different problem: dozens or hundreds of client domains, each with their own DNS providers, email platforms, and TLD variants.
- Brand grouping on the MSP plan means the .com and .co.uk of a client domain count as one slot, not two.
- Multi-domain dashboards give you a single view across every client, sorted by risk.
- Domain type detection automatically identifies which domains are active mail senders, which are parked, and which are aliases, so each gets the right policy recommendation.
- Actionable guidance for every domain. ShieldMarc does not just report problems. It tells you exactly what to fix and in what order.
- Transparent pricing from £69/month for 25 domains (£49/month annual). No per-seat charges, no opaque enterprise quotes.
Built for the post-NCSC Mail Check landscape
The NCSC retired its Mail Check and Web Check services on 31 March 2026, shifting DMARC monitoring responsibility back to individual organisations and their IT providers. For UK MSPs that relied on Mail Check, this created an immediate gap in visibility.
ShieldMarc was designed for this moment. We provide the DMARC aggregate report parsing, policy progression guidance, and multi-domain management that Mail Check offered, plus the brand domain protection, SSL monitoring, and DNS health checks it never did. For a detailed migration walkthrough, see our guide to the NCSC Mail Check retirement.
Fast and secure by design
Most platforms grow by piling on features to justify higher pricing. We took the opposite approach. ShieldMarc is built lean: the tools you actually need, nothing you do not, and every page engineered for speed.
Built to stay out of your way
No bloated dashboards. No third-party tracker noise. Clean interfaces that surface what matters so your team spends time acting on insights, not waiting for them.
Secured from day one
Every release is automatically scanned for vulnerabilities, secrets, and common web application risks before it reaches production. All traffic is protected by a web application firewall with DDoS mitigation at the edge. Full details on our Security and Trust page.
How it works
Add your domains
Import client domains in seconds. Bulk upload or add one by one. Brand alternates are detected automatically.
Configure monitoring
Choose which modules to enable per domain. SSL, DMARC, DNS, uptime. All optional, all instant.
Get alerted instantly
Receive alerts via email the moment something changes. Dashboard shows current status at a glance.
Try the free tools
Every tool below is free, instant, and requires no sign-up. Check your domain security across every layer. Why we built them free.
Related Guides
See how your brand scores
Check your Security Grade for free. No sign-up, no email required. We will scan your domain across every security layer and give you a clear four-level rating.