What’s included, what’s required from you, and what’s out of scope. Read this before your discovery call so we’re aligned from day one.
| Component | Done With You | Path to Reject |
|---|---|---|
| DMARC implementation (primary domain) | p=quarantine | p=reject |
| SPF management & macro flattening | ✓ | ✓ |
| DKIM configuration guidance | ✓ | ✓ |
| MTA-STS & TLS-RPT setup | ✓ | ✓ |
| BIMI setup (VMC or CMC-ready) | ✓ | ✓ |
| Expert consultation calls | 4 calls | 6 calls |
| DMARC Report subscription | 1 year (5M msg/mo) | 1 year (unlimited) |
| Quarantine → reject transition | — | ✓ |
| Post-enforcement stabilization monitoring | — | 30 days |
| Enforcement Guarantee | ✓ | ✓ |
You must have the ability to create and modify DNS records (TXT, CNAME) for your domain. If your DNS is managed by a third party (e.g., an MSP or hosting provider), you must be able to request changes within a reasonable timeframe. We cannot proceed if you don’t control your DNS.
The 90-day timeline (Done With You) or 6-month timeline (Path to Reject) assumes you complete assigned action items within 5 business days. If you need more time, the timeline extends accordingly — there’s no penalty. However, the Enforcement Guarantee requires active participation. If action items are not completed within 30 calendar days, the guarantee pauses until work resumes.
You must designate a point of contact with authority to make DNS changes and coordinate with internal teams (IT, marketing, operations) that manage sending services. This person attends the consultation calls and executes assigned action items.
You must be able to access the admin settings of your sending services (email marketing platforms, CRM, helpdesk, etc.) to configure SPF and DKIM records. We’ll tell you exactly what to change — you make the changes.
Phone calls are available 10 AM–3 PM in any time zone. We’ll work around your schedule, not the other way around. Calls are milestone-based (not recurring) — we meet when there’s something to discuss, not just to fill a calendar slot.
Round-the-clock technical support with SLA-backed response times on every ticket. You get enterprise-grade treatment regardless of your company size — same support, same SLAs, same priority.
1. Active participation required. The guarantee assumes you complete action items and attend scheduled calls. If action items are outstanding for more than 30 calendar days, the guarantee pauses until work resumes.
2. Primary domain only. The guarantee applies to the root domain specified in the engagement. Subdomains, parked domains, and additional domains are not covered unless purchased as separate engagements.
3. DMARC pass rate, not inbox placement. We guarantee DMARC authentication pass rates. Inbox placement depends on content, sender reputation, volume, and other factors outside the scope of email authentication.
4. Legitimate forwarding exceptions. DMARC failures caused by mailing list forwarding, auto-forwarding rules, and other legitimate forwarding scenarios are inherent to the DMARC protocol and do not count against the pass rate threshold.
5. Third-party cooperation. We provide configuration guidance for all sending services, but some third-party platforms may not support custom DKIM or have known limitations. We will identify these during the engagement and document workarounds where possible.
6. 12-month engagement window. The engagement — including any guarantee work — expires 12 months from the start date. This gives ample time for even the most complex domains to reach enforcement.
7. No pre-existing compromise. If the domain is actively compromised, sending malware, or on major blocklists, remediation of those issues is outside the scope of this engagement.
Schedule a 15-minute discovery call. We’ll review your current DMARC status and recommend the right engagement for your domain.
