The agency email security audit: a repeatable £500 offer

By Jon Morby · 2 Apr 2026 · 5 min read

This is a productised service that any web or digital agency can start selling this week. It generates £500-1,500 per engagement, takes about 3-4 hours of actual work, and has an extremely high conversion rate from the first conversation because the value is obvious and the price is low. It also leads directly into a £50-150/month recurring monitoring service, which is where the real margin is.

I've seen versions of this offer run successfully by agencies with as few as two staff and as many as forty. The economics scale; the conversation doesn't change.

The offer

"Email Security Baseline Audit" — a one-off engagement to audit and harden a client's email authentication configuration.

Deliverables:

  • Current state assessment with letter grades (DMARC, SPF, DKIM, MTA-STS, BIMI)
  • Identified issues prioritised by business risk
  • Remediation plan with specific DNS changes to make
  • Implementation of agreed changes (typically 48 hours)
  • One-month post-implementation verification
  • Written executive summary for the client's leadership

Pricing:

  • Small business (1-3 domains): £500
  • Mid-sized (4-10 domains): £1,000
  • Enterprise or complex (10+ domains, multiple ESPs): £1,500-3,000

Follow-on: continuous DMARC monitoring at £30-100/domain/month on a 12-month minimum.

Why it's an easy sell

Four things make this offer convert dramatically better than most professional services:

  1. Concrete starting artefact. You walk into the conversation with the client's actual grade (from a free audit tool) in hand. You're not selling a discovery exercise — you're showing them the problem already exists and telling them what it costs to fix.

  2. Fixed scope. Email authentication is a finite domain. Unlike "optimise your website" or "improve your marketing," DMARC has a specific correct state. You can credibly promise a specific outcome.

  3. Low price point. £500 doesn't require committee approval at any company large enough to have an IT budget. It's in the "just expense it" band. Decisions get made in one meeting.

  4. Recurring upsell. Every one-off audit converts into monitoring revenue if you position it right. The audit fixes the current state; monitoring keeps it fixed. Nobody wants to buy the same audit again next year because their DMARC has silently drifted.

The delivery process

Timing: 2-3 weeks from signed engagement to completed delivery, about 3-4 hours of your own active time.

Week 1, Day 1: Audit

Run the free audit at dmarcsentinel.com on every client domain they've asked you to assess. Save the shareable URLs for each. Screenshot the summary.

Also run:

  • dig queries to verify the raw records
  • An MX lookup to identify their email provider
  • A reverse check on any unusual SPF include: entries to figure out what legacy services might still be in play

Total time: 15 minutes for a single domain, up to an hour for 10 domains.
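The raw-record check on SPF includes can be scripted once the TXT answers are collected. The sketch below is an added example, not code from this post or from DMARC Sentinel: it counts the DNS-querying terms in an SPF record against the RFC 7208 limit of 10 and names includes that no longer resolve to an SPF record. The zone data and every domain name in it are constructed.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check

# Constructed sample data standing in for `dig +short TXT <name>` answers.
ZONE = {
    "client.example": "v=spf1 mx include:_spf.mailer.example "
                      "include:legacy-crm.example include:_spf.suite.example "
                      "ip4:203.0.113.10 ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example "
                           "include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "b.mailer.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "legacy-crm.example": "v=spf1 a mx include:old.legacy-crm.example ~all",
    "_spf.suite.example": "v=spf1 include:n1.suite.example "
                          "include:n2.suite.example include:n3.suite.example ~all",
    "n1.suite.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "n2.suite.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "n3.suite.example": "v=spf1 ip6:2001:db8::/48 ~all",
}

def spf_lookups(domain, zone, path=()):
    """Return (lookup_count, unresolved_names) for the SPF record at domain."""
    if domain in path:                      # include/redirect loop: stop descending
        return 0, [domain]
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [domain]                  # no SPF record behind this name
    count, unresolved = 0, []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        key = mech.split(":")[0].split("/")[0].split("=")[0].lower()
        if key in ("a", "mx", "ptr", "exists"):
            count += 1                      # each of these costs one DNS lookup
        elif key in ("include", "redirect"):
            target = mech.partition(":" if key == "include" else "=")[2]
            sub = spf_lookups(target.lower().rstrip("."), zone, path + (domain,))
            count += 1 + sub[0]             # the include itself plus what it pulls in
            unresolved += sub[1]
    return count, unresolved

def include_costs(domain, zone):
    """Lookup cost of each top-level include, to show which one to cull first."""
    costs = {}
    for term in zone[domain].split()[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("include:"):
            costs[mech[8:]] = 1 + spf_lookups(mech[8:], zone, (domain,))[0]
    return costs

total, dead = spf_lookups("client.example", ZONE)
print(total, "lookups, over limit:", total > LOOKUP_LIMIT, "| unresolved:", dead)
```

On the constructed zone, the dead `old.legacy-crm.example` include marks the legacy CRM as the first candidate to cull, which also brings the record back under the limit.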

Week 1, Day 2-3: Analysis and plan

Review the audit output and produce a remediation plan. For each finding:

  • Business impact in plain English (not technical jargon)
  • Specific DNS change required
  • Risk of making the change (almost always "very low" but occasionally "requires coordinating with M365 admin")
  • Expected outcome

Put this in a short document (5-10 pages). The audit's PDF export gives you the technical meat; you add the business-framed executive summary and the implementation plan.

Total time: 1-2 hours per domain.

Week 2: Implementation

Coordinate the DNS changes with whoever controls the client's DNS. For 90% of clients this is the agency themselves (you already manage their hosting and DNS) or an IT-in-a-box provider who can make changes quickly.

Order of operations for the typical F-grade starting point:

  1. Fix SPF lookup count issues (cull unused includes, consolidate)
  2. Configure domain-aligned DKIM at every ESP the client uses
  3. Publish DMARC record at p=none with rua= pointing at a monitoring address
  4. Wait 7-14 days of aggregate report data to verify no legitimate mail is failing
  5. Tighten to p=quarantine with pct=25, ramp to pct=100 over 2-3 weeks
  6. Final tightening to p=reject

This staged rollout is the correct technical approach, but the offer is delivered in two phases: "immediate fixes" (steps 1-3, done in week 2) and "ongoing monitoring" (steps 4-6, which is the follow-on monthly engagement).
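To track where each client domain sits in that rollout, the published DMARC record can be mapped onto the step that comes next. This is an added example, not code from this post or from DMARC Sentinel; the function names and the sample records in the comments are constructed.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def rollout_stage(txt):
    """Return (next_step, action); next_step is the list step still to do, 0 when done."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return 3, "no valid DMARC record: publish p=none with rua="
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 100                           # unparseable pct: fall back to the default
    has_rua = "mailto:" in tags.get("rua", "").lower()
    if policy == "none":
        if not has_rua:
            return 3, "p=none without rua=: no aggregate reports to verify against"
        return 4, "collect 7-14 days of aggregate reports before enforcing"
    if policy == "quarantine":
        if pct < 100:
            return 5, f"ramping at pct={pct}: raise toward pct=100"
        return 6, "quarantine at 100%: tighten to p=reject"
    if pct < 100:
        return 6, f"p=reject but pct={pct}: raise pct to 100"
    return 0, "enforcing at p=reject: monitor for drift"


# Constructed sample record, e.g. the answer for _dmarc.client.example.
print(rollout_stage("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@client.example"))
```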

Total time: 1-2 hours per domain for the immediate fixes.

Week 3: Delivery and handover

Written executive summary delivered to the client, including:

  • Starting grade vs ending grade
  • Specific improvements made
  • Outstanding items that will be resolved through the monitoring engagement
  • Recommendations for their broader security posture (nudge toward MFA, password manager, basic stuff they probably also don't have)

At this meeting, propose the ongoing monitoring engagement. The natural language: "The work we've just done gets you to baseline compliance, but DMARC configuration drifts — ESPs change infrastructure, new senders get added, something breaks. We monitor and alert on changes, plus we complete the migration to p=reject over the next two months, for £X/month."

Total time: 1 hour for the handover meeting.

The proposal template

Keep it short. A one-page proposal converts better than a ten-page one.

Subject: Email security baseline — proposal

Current state. We ran an audit on [yourdomain.com] this morning. It's currently scoring [grade]. The specific issues are: [two or three sentences on the top issues]. In practice this means [business impact — one sentence].

What we'd do. Fix the configuration issues, get DMARC enforcement in place, and verify that no legitimate email is being affected by the changes. The work takes about two weeks start to finish with you unavailable for about an hour of that time.

Cost. £[X] one-off. Fixed price, no contingencies.

Afterwards. We recommend ongoing monitoring so the configuration doesn't drift — this catches issues within minutes instead of after a customer complaint. £[Y]/month, minimum 12 months, cancel any time.

Next step. Reply yes and I'll send an engagement letter. We can start next week.

Sign, send, move on.

Who to sell it to

Three concentric circles, in order of ease.

Inner circle: existing retainer clients

Any client currently on a monthly retainer with you for hosting, SEO, or general digital work. You already have their DNS access (probably), you already have their trust, you already have a billing relationship. This is a one-email sale.

"We've added an email security service to our offering. I ran the free audit against [yourdomain.com] this morning and it came back with some issues worth addressing — do you have 15 minutes next week to walk through it?"

Conversion rate from existing clients in the low-risk bucket: 40-60%. Some will say no because they just don't want to spend, but most will say yes because (a) you've already built the trust and (b) running the audit for them before they ask is a high-value free act.

Middle circle: lapsed clients and warm network

Former clients you've worked with before, business contacts who know your work, referrals from existing clients. The warm-intro version of the same pitch. Run the audit against their domain before you reach out, so your email contains concrete findings rather than a generic pitch.

Conversion rate: 10-20%. Lower because the relationship is older, but volume is higher because your network is larger than your active roster.

Outer circle: cold outbound

Identify agencies, businesses, or niches where email is clearly critical to their operation. Run the audit on their domain. If it's F-grade, write them a specific cold email:

"Ran a free DMARC audit on [yourdomain.com] — scored F. Main issue is [specific]. I help agencies fix this; happy to share the full report if useful."

Conversion rate on cold: 2-5%. Low but scalable. This is the one that lets you grow past your warm network once you've saturated it.

What the monitoring tier looks like

Once you're delivering these audits at volume, the monitoring tier becomes your recurring revenue backbone. The maths:

  • 20 clients at £50/domain/month, average 3 domains each = £3,000 MRR from monitoring alone.
  • Plus £500-1,500 per new audit you book.
  • Plus whatever your existing retainer work looks like.

The monitoring service itself requires very little ongoing work from you if you're using a proper back-end. You're not reading DMARC reports by hand; the tool flags changes and you respond to alerts. Most clients will need 15 minutes of your attention per month on average, often less.

DMARC Sentinel's Agency tier — the product I'm building alongside the free audit — is designed specifically for this use case: multi-tenant dashboards, white-label client reports, API access for your own client portal integration. If you'd rather use a different monitoring back-end, that's fine too; the economics of the service offering work regardless of the tool underneath.

The free audit at dmarcsentinel.com is free forever, doesn't require signup, and is designed to be the artefact you walk into sales conversations with.

The one-line version

Run the free audit, screenshot the grade, send a one-page proposal, charge £500-1,500, upsell monitoring for recurring margin. Rinse and repeat.


Jon Morby has run email and DNS infrastructure since the early 1990s. He built DMARC Sentinel after watching too many agencies discover their clients' email was going to spam the hard way.
