Skip to content
OS Domains
Deliverability · Recurring service

Managed DMARC and BIMI, run by the operators who already manage the MTA

DMARC is the email authentication policy that tells receiving servers what to do with mail that fails SPF and DKIM alignment — monitor it, quarantine it, or reject it — while sending you reports on who is sending under your domain. Managed DMARC is OS Domains taking a domain from no policy to enforcement (p=reject) safely: reading the aggregate reports, fixing the legitimate sources that break alignment, and tightening policy in stages so real mail is never blocked, for organizations that need enforcement without a full-time deliverability hire.

DMARC enforcement is the kind of project that fails when ownership is split. SaaS dashboards parse the reports, but somebody still has to add the records, fix alignment, chase the third-party senders, and not break the Friday-night newsletter. We do all of it. Vienna-based, EU sub-processors, signed DPA, no SaaS-only blind spots. From €99 per domain per month.

In short

  • Takes a domain from p=none (monitoring) to p=reject (enforcement) in a typical 8 to 12 weeks, in controlled stages.
  • Reads the RUA aggregate reports for you, identifies every legitimate sender, and fixes SPF/DKIM alignment before tightening policy.
  • Covers the whole authentication stack — SPF, DKIM, DMARC, plus BIMI, MTA-STS and TLS-RPT — not only the DMARC record.
  • Priced per domain per month by depth: Monitoring €99, Enforcement €199, Premium €299 (BIMI and SLA included).
  • Enforcement done wrong blocks your own invoices and password resets — a staged rollout against live reports is what prevents that.
To enforcement

What does DMARC enforcement actually do?

Enforcement tells receivers to act on mail that fails authentication — first to watch it, then to quarantine it, finally to reject it outright — which is what stops anyone spoofing your domain. The risk is blocking your own legitimate mail, so policy tightens only after the reports show every real sender is aligned. The diagram shows the three stages.

p=none · weeks 1-4 collect reports find every sender nothing blocked p=quarantine · 4-8 unauth mail to spam fix alignment compliance to 95%+ p=reject · weeks 8-12 spoofed mail rejected enforcement reached reports keep flowing Policy advances only when the reports show every legitimate sender is aligned.

The whole journey is visible in one DNS record — it begins at p=none with reporting on, and ends at p=reject with strict alignment, reports still flowing:

# week 1 - monitoring only, reports flowing
$ dig +short TXT _dmarc.yourdomain.com
"v=DMARC1; p=none; rua=mailto:[email protected]; fo=1"

# week 12 - full enforcement, strict alignment
$ dig +short TXT _dmarc.yourdomain.com
"v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s"
Why p=none no longer counts as protection

DMARC went from "best practice" to "enforced compliance" in 24 months. Most senders are still stuck at p=none.

Two years after Gmail and Yahoo introduced their February 2024 bulk sender requirements, the data is in: only 28.5% of domains with a published DMARC record have actually reached p=reject enforcement, according to Valimail's 2024 industry report. The remaining 71.5% are sitting at p=none, technically compliant with the bulk sender baseline but functionally unprotected against the spoofing campaigns DMARC was designed to stop. p=none is monitoring, not protection. It tells receivers what is happening; it does not stop anything from happening.

In 2026, that gap is no longer just a security exposure. It is a deliverability tax. Mailbox providers increasingly use DMARC enforcement as a positive reputation signal — domains at p=quarantine or p=reject are trusted more than domains at p=none, all else being equal. Being stuck at p=none does not just leave you exposed to brand impersonation; it depresses your inbox placement on legitimate sends compared to enforcing senders in the same vertical. Microsoft began rejecting non-compliant high-volume mail outright on May 5, 2025. PCI DSS v4.0 made DMARC mandatory for organizations processing payment card data as of March 2025. Cyber insurers increasingly require enforcement as an underwriting condition. CISA BOD 18-01 mandates p=reject for US federal domains.

And then there is BIMI — the brand logo and verified checkmark in Gmail and Apple Mail that is rapidly becoming the visual proof of "this is a real sender." BIMI requires DMARC at p=quarantine or p=reject minimum. No enforcement, no logo, no checkmark, no brand display in inbox. Senders who do not finish the DMARC journey lose the BIMI marketing real estate, and that real estate has been documented to lift open rates by 21–39% in field tests by Red Sift and Entrust.

So why are most senders still at p=none? Because the path from p=none to p=reject is technically straightforward but operationally painful. You have to find every system that sends mail on your behalf, authenticate each one, watch the aggregate reports, fix alignment failures one by one, slowly tighten the percentage-rolled-out, and not break the newsletter that goes out on Friday. The platforms that automate the parsing make it look like a SaaS subscription will solve the problem. It will not. Somebody still has to do the work in DNS, in the third-party vendor portals, in the MTA configuration, and in the Friday-night change window.

That is what managed DMARC is, and that is what we do. We operate the work end-to-end. The platform is part of it; the human expert handling is most of it.

What makes ours different

There are dozens of DMARC SaaS platforms. There are very few managed-DMARC services run by people who also operate the MTA, the DNS and the IP space.

The DMARC service market is fragmented across two extremes. On one side, pure SaaS platforms (PowerDMARC, EasyDMARC, dmarcian, Red Sift OnDMARC, Valimail) — they parse aggregate reports, generate dashboards, and leave the actual remediation work to you or your MSP. On the other side, traditional MSPs and security firms — they handle the operational work but rebrand a third-party SaaS underneath. We sit in a third position that almost nobody occupies: we built our own analysis tooling because we needed it for our own MTA operations, and we run the operational work because we already have the engineers in place. Five practical consequences:

We see your DMARC reports from inside the MTA, not just from the parser

When you host part of your sending with us (even a small subset for testing), we can correlate aggregate reports against the actual MTA logs in real time. That changes the diagnosis radically. SaaS-only DMARC tools tell you "an unknown source at this IP failed alignment 3,400 times yesterday." We can tell you "that was your support ticketing system trying to send through a relay that does not have DKIM configured, and here is the exact log line." Even for senders not hosted with us, the operator mindset changes how we read reports: we know what real-world misconfigurations look like, not just what the spec says.

EU sovereign by construction, not by certification

OS Domains GmbH is a Austrian entity headquartered in Vienna. Our DMARC platform runs on EU infrastructure, our sub-processors are EU-only, and we sign DPAs as standard on Enforcement and Premium tiers. There is no US parent company, no CLOUD Act exposure, no "we have a Frankfurt region" asterisk on a US-headquartered SaaS. For regulated industries (financial services, healthcare, public sector, EU government suppliers), this often matters more than the technical features.

Done-for-you DNS changes, not "here is the record to publish"

On Enforcement and Premium tiers, you delegate authoritative DNS for your sending subdomains to our nameservers, and we manage the records directly. Every SPF tweak, every DKIM rotation, every DMARC pct increment happens with us holding the lever. You retain full control (you can revoke at any time), but you do not have to ticket every change through your IT change management board. For domains where you cannot delegate (the company apex, for instance), we provide ready-to-paste record values and we keep a synced internal copy so we know exactly what is published and when.

A real human reads every aggregate report, not just the parser

Every domain on Enforcement and Premium tiers has an assigned analyst who reviews the weekly aggregate trend personally. Automation handles the noise (failures from spam-trap probes, transient forwarding edge cases, expected non-compliance during pct rollout) and a human reviews everything else. When something genuinely changes (a new sending source appears, an existing one starts failing, a forensic report shows a credible spoofing attempt), you get a Slack/email alert and a recommended action, not a dashboard widget you have to interpret yourself.

BIMI and VMC handled end-to-end, including SVG Tiny PS conversion

BIMI is the most-failed BIMI implementation step, with 53.6% of published BIMI records containing at least one error per URIports' 2025 audit. Most failures are SVG conversion (Tiny PS subset is restrictive, and Figma/Illustrator output rarely satisfies it on first try) or VMC PEM hosting (most CAs do not host the certificate; you do). We handle the SVG conversion against the BIMI Group reference validator, we host the VMC PEM file on our infrastructure as part of the Premium plan, and we manage the annual VMC renewal with DigiCert or Entrust on your behalf.

When managed DMARC is the right call

Six situations where outsourcing DMARC pays for itself in the first quarter

DMARC is not a project every team should run themselves. It is detail-intensive, it requires sustained attention over weeks and months, and a single bad rollout can block legitimate mail for a business day. The six situations below are where we see clients consistently get more value from a managed service than from rolling their own.

01

You are sending from 5+ platforms and nobody owns the inventory

Most B2B organizations of any size send mail from at least five distinct platforms — marketing automation, transactional ESP, helpdesk, CRM, billing, and one or two SaaS tools nobody documented. Each platform contributes to your DMARC alignment story. Without a centralized inventory and ownership model, getting all of them aligned is whack-a-mole. Managed DMARC starts with the inventory and stays current as your stack changes.

02

You have a DMARC SaaS subscription but you have been at p=none for over six months

This is the most common pattern we see. A company subscribes to PowerDMARC, EasyDMARC or similar, configures the rua= reporting address, watches the dashboard fill with data, and then nothing happens. The platform shows you what is broken, but somebody has to actually fix it, vendor by vendor, sub-domain by sub-domain. If your SaaS dashboard has been showing the same set of unaligned senders for six months, you do not need more software. You need somebody to do the work.

03

A cyber insurance underwriter or compliance auditor flagged DMARC enforcement as a control gap

Cyber insurance increasingly underwrites against DMARC posture, and PCI DSS v4.0, CISA BOD 18-01, and SOC 2 communications-security controls all reference DMARC. If you have an upcoming audit or renewal where DMARC posture is on the checklist, managed DMARC with a fixed timeline and signed deliverables removes the largest single blocker on most enterprise DMARC projects: cross-team coordination.

04

You want BIMI brand display in Gmail and Apple Mail but your DMARC is not at enforcement

BIMI is gated by DMARC enforcement (p=quarantine or p=reject minimum) and Gmail brand display is gated additionally by VMC or CMC certificate. Getting from "we want BIMI" to "BIMI logo visible in Gmail" is typically a 6 to 12 week project for a complex sending stack. We run that project as a single fixed-fee engagement on the Premium plan.

05

Your domain has been spoofed in a phishing campaign and the security team needs visible action

A successful brand spoofing campaign creates pressure to "do something about email." DMARC at p=reject is the technical answer, but the operational journey is invisible to the executive team. Managed DMARC produces visible artifacts (the executive monthly report showing aggregate volume, alignment trend, enforcement progress, and forensic incidents) that demonstrate progress to the board even during the long monitoring phase.

06

You have multiple business units, multiple brands, multiple country domains and they all need DMARC

Multi-domain DMARC is operationally non-linear. Each domain has its own SPF, DKIM, DMARC records; each may use different sending vendors; each may have different alignment patterns. Managing 1 domain takes one person a day a week. Managing 25 domains takes the same person three days a week, with mistakes growing exponentially. This is exactly where an MSP-style managed service breaks even quickly — and where pure SaaS subscriptions consistently lose because the work is in the per-domain detail, not in the dashboard.

How the engagement runs

Six phases, weeks 1 to 12 typical, then ongoing

A managed DMARC engagement is not "set up the record and walk away." It is a 6 to 12 week project to reach enforcement, then continuous operation. Below is exactly what we do at each phase, what you receive, and where the inflection points sit.

01

Discovery and inventory (week 1)

We start by mapping every system that sends mail on your behalf. This includes the obvious (marketing automation, transactional ESP, CRM email module) and the non-obvious (calendar invites that go out from your shared mailboxes, billing system reminders, monitoring tools that alert you over email, contractor tools nobody documented. Each system gets a row in a sender inventory document with vendor, business owner, technical owner, sending domain or subdomain, current SPF inclusion, DKIM selector, and authentication state. This inventory becomes the source of truth for the rest of the engagement and the artifact you keep after.

Deliverable Sender inventory spreadsheet, signed off by your team. This typically catches 30 to 50 percent more sending sources than the client thought they had.
02

Baseline DMARC publication and report flow (week 1 to 2)

If you do not already have DMARC records on your domains, we publish them at p=none with both rua (aggregate) and ruf (forensic, where supported) reporting addresses pointing at our analysis infrastructure. If you do have DMARC records, we audit them for syntax issues, missing reporting addresses, and alignment misconfiguration, and we propose corrections. We verify report flow within 48 hours of publication — most providers (Google, Microsoft, Yahoo, ProtonMail, large enterprise gateways) start sending reports immediately; some smaller receivers take up to a week. We do not advance to phase 3 until report flow is confirmed clean.

Deliverable DMARC records published or corrected on every in-scope domain, report flow verified, baseline metrics established.
03

Monitoring and source authentication (weeks 2 to 8)

This is the longest phase and the one most senders underestimate. We watch the aggregate reports come in, identify every sending source that is failing alignment, and work through them one at a time. For each: confirm whether the source is legitimate (some "unaligned senders" are spoofing attempts and should be ignored, not authenticated), determine the right authentication path (SPF inclusion, DKIM selector publication, subdomain delegation, or removal if the source is unauthorized), execute the change in DNS or in the vendor portal, and verify alignment improves on the next aggregate cycle. We typically work through 1 to 4 sources per week depending on vendor responsiveness. By the end of phase 3, your DMARC compliance rate is at 95 percent or above, which is the prerequisite for moving toward enforcement without breaking legitimate mail.

Deliverable Weekly progress reports, sender inventory updated continuously, DMARC compliance trending toward 95%+ across all in-scope domains.
04

Gradual enforcement rollout (weeks 8 to 12)

Once compliance is at 95 percent or above and stable for two consecutive weeks, we begin the enforcement transition. We use the pct= percentage tag to apply enforcement to a subset of failing mail, starting at pct=10 with policy p=quarantine. We watch for two consecutive clean reporting cycles, then increment to pct=25, then pct=50, then pct=100 still at quarantine. After two clean cycles at p=quarantine pct=100, we transition to p=reject pct=10 and walk the same ramp up to p=reject pct=100. The total transition typically takes 4 to 6 weeks. Throughout, you have a kill switch — if anything breaks, we drop back to the previous policy within minutes via DNS update. We have used the kill switch in roughly 4 percent of engagements; in every case the cause was a previously undiscovered sending source that surfaced under enforcement.

Deliverable Domain reaches p=reject pct=100, with documented evidence of the rollout, alignment metrics, and any sources discovered during enforcement.
05

BIMI and VMC implementation (Premium tier, weeks 8 onward in parallel with phase 4)

BIMI implementation runs in parallel with the final stages of enforcement, since BIMI requires p=quarantine or p=reject. We start by validating your existing logo against the BIMI Group SVG Tiny PS reference validator. In our experience, 70 percent of provided logos fail Tiny PS on first submission — usually because of embedded fonts, raster images, or wrong aspect ratio. We convert the logo to compliant Tiny PS format and host it on HTTPS infrastructure with appropriate caching. For VMC issuance, we coordinate with DigiCert or Entrust (your choice; we recommend DigiCert based on validation speed in our experience). The VMC validation process takes 2 to 4 weeks and requires evidence of trademark registration in an approved jurisdiction. For senders without a registered trademark, CMC is the alternative path with similar Gmail brand display and approximately 40 percent lower certificate cost. Once issued, we host the PEM file on our infrastructure and add the BIMI record with both l= and a= attributes pointing at the SVG and PEM.

Deliverable BIMI logo visible in Gmail (with VMC checkmark), Apple Mail, Yahoo, Fastmail. SVG and PEM hosted on our infrastructure. Annual VMC renewal handled.
06

Continuous operation (ongoing)

After enforcement is reached, the work does not stop — it changes shape. New sending sources appear (a marketing team signs up for a new SaaS tool that needs authentication), existing sources rotate keys (Google Workspace rotates DKIM by default, third-party platforms occasionally change SPF includes), aggregate trends shift (a forensic report flags a real spoofing attempt that needs investigation). We monitor continuously, alert you in Slack or email when something requires action, and execute routine maintenance directly. Monthly executive reports summarize aggregate volume, alignment, enforcement health, BIMI display rate, and any forensic incidents handled.

Deliverable Continuous monitoring with action alerts, monthly executive report, quarterly review call. SLA on alert response time and DNS change execution windows for Premium tier.
What we cover, end to end

Which records does full email authentication need?

Full email authentication needs SPF, DKIM and DMARC working in alignment, plus BIMI, MTA-STS and TLS-RPT around them. DMARC depends on SPF, DKIM and the alignment between them. BIMI depends on DMARC. Each layer has its own failure modes. Below is exactly what we manage, organized by layer.

01

SPF (Sender Policy Framework)

  • Record syntax validation against current RFC 7208

    Multiple SPF records on the same domain are invalid. Trailing characters, malformed mechanisms, conflicting all qualifiers — we catch the syntax issues a basic check passes and a strict receiver fails on.

  • DNS lookup count under the 10-lookup limit

    Every include, a, mx, ptr, exists or redirect counts. Cross the limit and the receiver returns PermError, which most treat the same as no SPF. We monitor your lookup count continuously and flag when accumulated includes get close to the limit.

  • SPF flattening and macro use where appropriate

    For domains stuck near the lookup limit, SPF flattening (replacing includes with their resolved IP ranges) or macros can extend the runway. Both have tradeoffs we walk you through; we do not flatten by default because it requires ongoing maintenance as your vendors' IP ranges change.

  • Subdomain SPF strategy

    Heavy senders on a subdomain (marketing.example.com, transactional.example.com) get their own SPF record rather than crowding the apex. This isolates risk and keeps lookup counts manageable as your stack grows.

  • Alignment configuration relative to your sending pattern

    SPF alignment can be relaxed (subdomain match) or strict (exact match), set via the aspf tag on DMARC. We pick based on your real-world Return-Path patterns, not as a default.

02

DKIM (DomainKeys Identified Mail)

  • Key length verification (1024 vs 2048 bit)

    1024-bit keys are still everywhere, including default Google Workspace setups. They are computationally weak and we recommend rotating to 2048-bit, with the caveat that some legacy DNS providers do not support 2048-bit TXT records and require subdomain CNAME delegation instead.

  • Selector inventory and rotation tracking

    Your sending stack uses multiple DKIM selectors — one per signing service. We inventory all selectors in active use, track when each was last rotated, and flag when rotation is overdue. Industry best practice is rotation every 12 to 18 months.

  • Selector hosting and CNAME chain integrity

    For services that publish DKIM as CNAME (Google Workspace, Mailchimp, SendGrid), we verify the CNAME resolves correctly and the target chain is intact. Broken CNAMEs are a common cause of silent DKIM signature failures — they look fine in your DNS panel but fail at the receiver.

  • Multiple-signature handling (vendor + relay)

    When mail flows through multiple signing layers (your ESP signs, then your relay signs), we configure both correctly and verify both signatures verify at the receiver. Misconfigured double signing is a common cause of DKIM failures that look like alignment problems.

  • DKIM key rotation execution and rollback

    Rotation requires publishing the new selector's public key in DNS, configuring the MTA or vendor to start signing with the new private key, and removing the old selector after a grace period. We orchestrate the full rotation safely.

03

DMARC and reporting

  • Record publication, syntax, and alignment configuration (aspf, adkim)

    We publish records appropriate to your sending pattern, with reporting addresses pointing to our analysis infrastructure. Alignment mode is set per domain based on real-world traffic patterns observed during phase 3.

  • Aggregate report (rua) parsing, deduplication and trend analysis

    Aggregate reports arrive as XML attachments from receiving providers. We parse, dedupe, and aggregate them into a coherent picture: by sending source, by receiving provider, by alignment outcome. The raw XML is preserved for audit; the synthesized view is what your team sees.

  • Forensic report (ruf) handling for spoofing investigations

    Forensic reports are message-level samples of failing DMARC. Most receivers do not send them by default; some require explicit registration. Where available, ruf reports are gold for tracking down credible spoofing attempts. We process them under strict privacy constraints (PGP encryption where supported, retention limits, access logging).

  • Subdomain policy (sp=) configuration

    A common miss: domains where the apex has DMARC at p=none but subdomains inherit the same policy by default, leaving security gaps. We configure sp= per domain to apply tighter policies to subdomains where appropriate.

  • Gradual rollout via pct= percentage tag

    Enforcement transitions use the pct= tag to apply policy to only a subset of failing mail, allowing safe stepwise rollout. We manage the increment cadence based on aggregate report stability, not arbitrary calendar dates.

04

BIMI and VMC (Premium tier)

  • SVG Tiny PS conversion and validation

    BIMI requires a specific SVG subset (Tiny PS — Tiny Portable/Secure). No JavaScript, no external references, square aspect ratio, solid background, restricted attribute set. We convert your provided logo against the BIMI Group reference validator until it passes.

  • BIMI DNS record publication

    TXT record at default._bimi.yourdomain.com pointing at the SVG (l= attribute) and the certificate PEM (a= attribute). We host both on dedicated HTTPS infrastructure with proper caching headers.

  • VMC versus CMC selection and procurement

    VMC requires a registered trademark; CMC does not. Both work for Gmail brand display, but only VMC adds the verified blue checkmark. We help you decide which path makes sense given your trademark portfolio and timeline, then we coordinate with DigiCert or Entrust for issuance.

  • Trademark verification support

    VMC issuance requires evidence of registered trademark in an approved jurisdiction. Most rejected VMC applications fail at this stage. We pre-validate your trademark registration before submitting to the CA to avoid the back-and-forth.

  • PEM file hosting and annual renewal

    VMCs and CMCs expire after 397 days and require annual renewal. We host the PEM file on our infrastructure and manage the renewal cycle, including the periodic re-validation that CAs sometimes require mid-cycle.

Three plans, fixed monthly pricing

How much does managed DMARC cost?

Plans are €99 (Monitoring), €199 (Enforcement) and €299 (Premium) per domain per month. All three plans include the same underlying analysis platform, expert handling, and EU sub-processor stack. The difference is scope: Monitoring stops at p=none and visibility, Enforcement drives you to p=reject, Premium adds BIMI and SLA. You can move up or down between tiers monthly with no penalty. All prices are per domain per month, billed monthly. Annual commitments save 15 percent.

Monitoring

Visibility and reporting at p=none. For senders who need DMARC compliance but do not yet need enforcement.

€99 / domain / month

Setup in 3 to 5 business days

Ideal for

Single-domain SMBs who need DMARC for Gmail/Yahoo bulk sender compliance but are not yet ready to invest in full enforcement. Or senders who have never had visibility into who is sending mail on their behalf.

What's included

  • DMARC record publication at p=none with rua reporting to our infrastructure
  • Aggregate report parsing, deduplication and trend analysis
  • Sender inventory document maintained continuously
  • Slack or email alerts on new sending sources detected
  • Monthly executive report (PDF, 4–6 pages)
  • Email and ticket support, business hours response
  • EU-only sub-processors
  • Cancel any time, monthly billing
Start Monitoring
Most chosen

Enforcement

Managed journey from p=none to p=reject, with done-for-you DNS work and source authentication.

€199 / domain / month

Setup in 5 business days, full enforcement typically reached in 8 to 12 weeks

Ideal for

Mid-market B2B with multiple sending platforms, regulated industries that need enforcement on the audit checklist, and senders ready to commit to the 8–12 week journey to full enforcement.

What's included

  • Everything in Monitoring
  • Authoritative DNS delegation for sending subdomains (or coordinated record management on your DNS)
  • Source authentication coordination — we work directly with your vendors to fix alignment
  • Gradual enforcement rollout (p=none → p=quarantine → p=reject) with kill-switch protection
  • DKIM selector rotation managed on our schedule
  • SPF flattening and lookup-count optimization where needed
  • Forensic report (ruf) handling under PGP encryption where supported
  • Quarterly review call with assigned senior analyst
  • Signed Data Processing Agreement included
  • Email and ticket support, 8-hour business response SLA
Book Enforcement plan

Premium

Enforcement plus BIMI, VMC, forensic operations, and a 4-hour SLA.

€299 / domain / month

Setup in 5 business days, BIMI typically live within 6 to 12 weeks (depending on VMC validation timeline)

Ideal for

Brand-conscious senders who want BIMI display in Gmail and Apple Mail, regulated organizations under PCI DSS or SOC 2 audit, and senders who need 24-hour incident response on credible spoofing.

What's included

  • Everything in Enforcement
  • BIMI implementation (SVG Tiny PS conversion, DNS record, hosting)
  • VMC or CMC procurement and annual renewal coordinated with DigiCert or Entrust
  • PEM file hosting on our HTTPS infrastructure with proper caching
  • Forensic incident investigation on credible spoofing attempts (up to 5 incidents per quarter)
  • Monthly compliance evidence pack suitable for SOC 2 / PCI DSS / ISO 27001 audit
  • Dedicated account engineer in Slack Connect
  • 4-hour incident response SLA, business and after-hours
  • Quarterly executive review with security recommendations beyond DMARC
Book Premium plan

VMC certificates from DigiCert (€1,490/yr) or Entrust (€1,490/yr) are billed at cost as passthrough. CMC certificates (€890/yr) for senders without a registered trademark are also passthrough. We do not mark up certificates. One-time onboarding fee of €490 applies to setups starting from scratch on a domain with no prior DMARC; this fee is waived on annual Enforcement and Premium commitments.

How the calendar runs

How long does it take to reach p=reject?

Reaching p=reject takes a typical 8 to 12 weeks. A managed DMARC engagement runs against a typical calendar. Below is the realistic timeline for a mid-market customer with 5 to 10 sending platforms across 1 to 3 domains. Larger or more complex stacks scale primarily by adding weeks to phase 3 (source authentication), not by changing the structure.

  1. Week 0

    Contract, NDA, kickoff

    We sign the MSA (or your equivalent) and the DPA on the same day. NDA mutual on request, typically signed in 24 to 72 hours. Kickoff call is 60 minutes with technical and business owners on your side, and the lead analyst plus account engineer on ours. We confirm scope, agree on the in-scope domain list, and walk through the access requests we will need over the next two weeks.

  2. Weeks 1 to 2

    Discovery, baseline DMARC publication, report flow

    We map your sending inventory and publish DMARC at p=none on every in-scope domain (or audit and correct existing records). Report flow validates within 48 hours of publication. By the end of week 2 you have your first complete aggregate report cycle and a fully documented sender inventory.

  3. Weeks 2 to 8

    Source authentication and alignment

    The core work. Each week we identify failing sources from the aggregate reports and authenticate them. We coordinate directly with vendor support teams where needed. Progress is reported weekly with a chart of DMARC compliance percentage trending toward 95%+. This phase is where engagements vary in length based on the vendor responsiveness — most vendors fix alignment issues within 1 to 5 business days; a few enterprise platforms take 2 to 3 weeks for a single change.

  4. Weeks 8 to 12

    Gradual enforcement transition

    Once compliance is stable above 95%, we begin the enforcement transition. Policy moves through p=quarantine pct=10/25/50/100 and then p=reject pct=10/25/50/100, with each step held for at least one full reporting cycle (typically 7 days). The transition takes 4 to 6 weeks at a measured pace. Faster is possible (we have done it in 14 days where the alignment was already at 99 percent), but the cautious cadence is the default for a reason.

  5. Weeks 8 to 16

    BIMI implementation (Premium tier, parallel)

    BIMI work runs in parallel with the final stages of enforcement, since BIMI requires p=quarantine minimum. SVG conversion and validation typically takes 1 week. VMC procurement timeline is dominated by trademark verification (2 to 4 weeks at DigiCert; faster if you are already a customer with reusable organization validation). Once VMC is issued and BIMI record is published, brand display in Gmail and Apple Mail typically starts within 24 hours of receiver-side cache refresh.

  6. Ongoing

    Continuous operation

    After full enforcement is reached, the engagement continues as steady-state operation. Monthly executive reports, quarterly review calls, alert response within SLA, BIMI annual renewal, ongoing source onboarding as your stack changes. We do not auto-renew or auto-upsell; the relationship continues monthly until you decide to bring it in-house or switch.

Three composite engagements

What managed DMARC actually looks like in practice

Composite cases — patterns we have seen repeatedly, with details anonymized. The economics are realistic; the specific clients are not.

Case 1

EU fintech, 1 main domain + 3 country subdomains, PCI DSS audit pressure

Scope

Enforcement plan, 4 domains, 8 sending platforms (Marketo, transactional ESP, Zendesk, billing system, two CRMs, internal SMTP relay, contractor invitation tool)

Top finding

The contractor invitation tool, which had been in use for two years, was sending from [email protected] without any DMARC alignment. The aggregate reports showed 14,000 unauthenticated messages per month under that From address. The compliance team had no idea the tool existed. Engagement deliverable: tool replaced with an authenticated alternative and the contractors@ subdomain locked down with strict alignment.

Outcome

Enforcement at p=reject pct=100 reached at week 11. PCI DSS audit cleared on email controls without further work. €199/mo × 4 domains = €796/mo recurring.

Case 2

Mid-market US SaaS, single domain, brand spoofing in the wild

Scope

Premium plan, 1 domain, 6 sending platforms. Trigger was a phishing campaign that successfully spoofed [email protected] and led to a six-figure customer fraud incident.

Top finding

DMARC was at p=none with reports going to a black-hole address nobody monitored. Forensic reports under ruf showed approximately 800 spoofed messages per day across 11 distinct campaign IPs. Engagement deliverable: enforcement reached in 9 weeks, BIMI live in 14 weeks (delayed by VMC trademark verification), forensic monitoring catches subsequent spoofing attempts within hours and triggers takedown procedures via the underlying ISPs.

Outcome

Enforcement and BIMI achieved. €299/mo recurring + €1,490/yr VMC passthrough. Customer subsequently expanded to a second sub-brand domain.

Case 3

EU public sector supplier, 8 country domains, regulatory mandate

Scope

Enforcement plan with annual commitment, 8 domains, 5 to 9 sending platforms per domain (varies by country business unit).

Top finding

Three of eight domains had multiple SPF records on the apex (invalid), and one had a DMARC record with malformed rua reporting that was silently dropping all reports. Phase 1 alone surfaced and fixed structural issues nobody had been monitoring. Engagement deliverable: all 8 domains reached p=reject pct=100, evidence pack produced per domain for regulatory submission.

Outcome

Full enforcement across all 8 domains reached in 14 weeks. €199/mo × 8 domains × 0.85 (annual commit discount) = €1,353/mo recurring. Regulatory mandate satisfied at next assessment cycle.

Real questions from procurement and security teams

What buyers ask before they sign

How is your service different from PowerDMARC, EasyDMARC or Red Sift OnDMARC?

Those are SaaS platforms. They give you the dashboard and the parser; you (or your MSP) do the operational work — DNS changes, vendor coordination, source authentication, enforcement rollout. Our service includes the operational work performed by senior engineers who run the underlying MTA, DNS and IP layers in production. The pure-SaaS model works well if you have an in-house deliverability team. If you do not, you are buying software you still need somebody to operate. We are the alternative for senders who want managed delivery, not just analytics.

Do we need to host email with you to use the managed DMARC service?

No. About 70 percent of managed DMARC clients in the last 12 months were not OS Domains hosting customers at the time of engagement. The service is standalone. We do find that hosting clients get marginal additional value because we can correlate DMARC reports against MTA logs in real time, but the service is fully effective for senders on Marketo, HubSpot, SendGrid, Mailgun, Postmark or any other platform.

Can we keep using our existing DMARC SaaS subscription?

Yes, on the Monitoring tier we can integrate with your existing PowerDMARC, EasyDMARC, dmarcian or similar subscription instead of routing aggregate reports to our infrastructure — useful if your team is already trained on that platform. On Enforcement and Premium tiers we recommend consolidating reporting to our infrastructure so the operational and analytical context lives in one place, but it is not mandatory.

What does the EU sovereign / Schrems II positioning actually mean for our DPO?

OS Domains GmbH is a Austrian entity headquartered in Vienna. The DMARC platform runs entirely on EU infrastructure, our sub-processors are EU-only, and the DPA we sign confirms both. There is no US parent company, no group policy that gives a US entity access to your data, and no CLOUD Act exposure. For your DPO the practical implications are: (a) signed DPA on file, (b) sub-processor list available on request that does not include any US entity, (c) data residency confirmed in Austria / EU, (d) record retention and deletion policies that align with your retention obligations under Article 5 GDPR. We are not a substitute for your DPO's broader compliance work; we are one supplier whose paperwork checks out cleanly.

How long does it really take to get from p=none to p=reject?

For a mid-market sender with 5 to 10 platforms, 8 to 12 weeks is realistic. We have done it faster (14 days for a SaaS company that already had near-perfect alignment), and we have seen it take 6 months for enterprise senders with 50+ platforms and slow vendor coordination. The single largest variable is vendor responsiveness — if your CRM vendor takes 3 weeks to add a DKIM selector, that delays you by 3 weeks, regardless of how fast we work on our side. On the engagement plan we publish weekly progress so you always know where the bottleneck is.

What happens if enforcement breaks legitimate mail?

We have a kill switch. Every domain on Enforcement and Premium tiers can be reverted to the previous policy via DNS update within minutes. We have used the kill switch in approximately 4 percent of engagements; in every case the cause was a previously undiscovered sending source that surfaced under enforcement (and therefore needed authenticating before retrying). The kill switch is a normal part of the workflow, not an emergency procedure. If a kill switch event causes a billable incident on your side (for example, a delayed customer-facing email), we credit one month of service at the affected tier, no questions asked.

Do you offer white-label resale for our agency or MSP?

Yes, on Enforcement and Premium tiers, with a minimum of 5 active client domains and a written reseller agreement. Reseller pricing is structured to leave you margin: 30 percent off list at 5 domains, 40 percent off at 25 domains, 50 percent off at 100+ domains. We provide a white-labeled monthly executive report template and a reseller-facing account manager. Get in touch via the contact form for the reseller MSA.

Can you help us get BIMI live without a registered trademark?

Yes, via CMC (Common Mark Certificate) instead of VMC (Verified Mark Certificate). CMC has the same Gmail brand display effect minus the verified blue checkmark, and the certificate cost is approximately 40 percent lower (€890/yr vs €1,490/yr). It is a common path for SMBs and emerging brands that do not yet have a registered trademark. The DigiCert and Entrust trademark validation process for VMC adds 6 to 12 weeks for trademark filing if you do not already have one — for most senders, CMC is the right call until trademark registration completes naturally.

What do you do if our domain is actively being spoofed during the engagement?

On Premium tier, forensic incident investigation is included for up to 5 credible incidents per quarter. The workflow: forensic report (ruf) flags a credible spoofing campaign, we triage within the SLA window (4 hours on Premium), trace the originating ASN and infrastructure, contact the upstream provider with takedown evidence, and report the campaign to industry threat intelligence sharing networks (M3AAWG, Spamhaus, etc.). We do not promise takedowns within a fixed time (that depends on the upstream's responsiveness), but we do everything within standard industry takedown procedures.

How does the service interact with our existing security operations center (SOC)?

We integrate with your SOC via Slack Connect on Premium tier, or via webhook to your SIEM (Splunk, Sentinel, Sumo, Datadog) on Enforcement and Premium. Forensic incidents create both an alert in your SOC tooling and an investigation ticket on our side. For SOC-driven incident response that needs cross-team coordination, our analyst attends your incident calls as the email authentication subject-matter expert.

Do you support DMARC for non-email use cases like SMS aggregator domain authentication?

No. DMARC is specifically an email authentication standard. There are adjacent standards for SMS sender authentication and for OAuth domain verification, but they are out of scope. If you need help with those, we can refer you to specialists.

What is your stance on AI-generated forensic interpretation?

We use machine assistance to deduplicate and cluster aggregate reports, but the actual investigation of meaningful events is performed by human analysts. AI is good at deduplication and pattern matching at scale; it is not yet reliable at distinguishing a credible spoofing attempt from an unusual but legitimate sending pattern. We will revisit this as the technology matures, but the current setup is human-in-the-loop on every actionable finding.

Ready to start?

Two ways to begin

Book a tier directly and we kick off in 3 to 5 business days. Or get a free DMARC posture assessment first — a 30-minute call where we look at your current records together and tell you which tier is right for your stack, with no obligation to proceed.

Phone +43 1 205 11 80 Mon–Fri · 9–18 CET
Email [email protected] Avg response 4h business
Office Fleischmarkt 1, 1010 Wien By appointment