Email Authentication Roll-out

Reduce the risk of spoofing and improve email trust.
We bring order to SPF, DKIM, and DMARC across your domains, ensuring only genuine systems can send on your behalf — without disrupting day-to-day operations.

Why teams use this

Email authentication is often half-finished or forgotten. Common signs include:

• Mail occasionally landing in spam or junk
• Third-party tools sending without proper authorisation
• DKIM left disabled after migration
• DMARC still set to “monitor” years later

This service tidies what’s there, fills in what’s missing, and leaves you with a reliable, evidenced setup.
It’s especially useful for MSPs managing several tenants, or for in-house teams wanting to tighten security without affecting live mail flow.

What you can expect

• A clear picture — who’s sending as you and where from
• Measured improvements — SPF simplified, DKIM working, DMARC reporting clean
• No surprises — gradual enforcement once genuine mail is verified
• Evidence included — before-and-after DNS records, screenshots, and short summaries
• Partner-friendly delivery — adaptable to multi-tenant or internal teams

Typical work we handle

SPF (Sender Policy Framework)
Review existing records, remove unused entries, and confirm legitimate senders.

DKIM (DomainKeys Identified Mail)
Enable or refresh signing keys in Microsoft 365, Google Workspace, and popular third-party platforms.

DMARC (Domain-based Message Authentication)
Move policies from monitoring to enforcement in a controlled way, supported by live reporting.

Parked or vanity domains
Close unused domains to spoofing attempts with simple, protective DNS entries.

Each change follows a concise, version-controlled runbook and leaves a verifiable record behind.

Governance

• A defined safe-change catalogue agreed in advance
• Every change documented with proof, rollback, and owner sign-off
• Evidence stored within your own environment — CygnusTech retains nothing
• A straightforward evidence ledger maintained during the engagement
• CAB-ready summaries provided for existing governance channels
• Delivered as a service with clear outcomes and supporting proof

Results you care about

• Fewer spoofing incidents and bounce-backs
• Consistent delivery across genuine mail sources
• Clean DMARC reporting for ongoing assurance
• Parked domains fully protected
• Straightforward guidance for adding new senders in future

How it works

1. Confirm scope and access. Identify active and parked domains, DNS access, and mail platforms.
2. Baseline and enable. Correct SPF, enable DKIM, and publish a DMARC monitoring policy.
3. Review and adjust. Use early reports to uncover any missed senders and correct them.
4. Apply enforcement. Move policies to reject once everything aligns cleanly.
5. Close out. Provide a tidy evidence pack and simple guidance for ongoing maintenance.

Most roll-outs complete within two to three weeks, using early-morning or evening windows to avoid disruption.

Systems and platforms we support

Microsoft 365 · Google Workspace · SendGrid · Mailchimp · Salesforce · Zendesk · ServiceNow · Freshdesk
AWS SES · Azure Logic Apps · Exchange on-premises
Cloudflare DNS · AWS Route 53 · Azure DNS · GoDaddy · Namecheap · Infoblox

…and other modern DNS and mail platforms.

Pricing (guide)

We price by outcome rather than by hours. A simple structure keeps everything predictable:

• Pilot window — a short, clearly defined engagement to demonstrate the approach
• Standard roll-out — a focused period to complete primary and parked domains
• Partner retainer — a recurring option for MSPs managing multiple tenants

Pricing typically starts at £3,200 for a pilot engagement and £3,950–£4,600 for a standard roll-out, depending on the number of domains involved - clear, fixed, and scoped to outcomes.

At a glance

Next step

Share a short list of your domains and we’ll prepare a simple outline showing how SPF, DKIM, and DMARC can be strengthened — with clear proof and minimal disruption.