What changed
FACT (source 1): Cloudflare DMARC Management reached general availability, giving any Cloudflare DNS user full DMARC enforcement with reporting and SPF auditing at no cost. FACT (source 1, per the convergence note): the source itself frames this as displacing a paid $20-500/mo monitoring category (Valimail, dmarcian, EasyDMARC). FACT (source 2): a White House executive order sets a 2030 deadline for post-quantum cryptography migration across government and industry. INFERENCE: the recurring-revenue monitoring layer for email authentication is now commoditized inside the largest DNS provider, while a separate, newly dated compliance obligation appeared one layer up.
Why now
INFERENCE: two clocks started at once. The free tier removes the reason to pay for continuous DMARC monitoring, so incumbents must move upmarket or die, briefly leaving the low end of the audit/attestation layer unattended. Simultaneously the EO converts crypto posture from a research topic into a budgeted item with a named year. HYPOTHESIS: the 2030 date creates procurement activity in 2026-2027 as organizations discover they cannot describe their current cryptographic inventory, and the first thing anyone buys in that situation is an assessment, not a platform.
Converging signals
Signal one (platform, FACT): Cloudflare collapses the price of DMARC monitoring to zero. Signal two (regulation, FACT): a federal deadline attaches money and a date to cryptographic migration. The convergence is not 'sell DMARC' and not 'sell post-quantum' β it is that free telemetry now exists (Cloudflare's DMARC reports, plus universally public TLS/certificate data) and a new obligation now exists to prove something about it. The product sits between free data and a mandated attestation.
Customer pain
HYPOTHESIS (not established by either source): a small IT/security lead has turned on Cloudflare's free DMARC reporting, is now staring at aggregate XML, and is separately being asked by a prime contractor, insurer, or client questionnaire what their cryptographic posture is against 2030. They can see raw data and cannot produce a document. The pain is not 'I lack monitoring'; it is 'I have to hand someone a defensible artifact by a date and I do not know how to write it.' NOTE: neither source provides any evidence that this buyer exists or is currently spending. This is the weakest link in the entire thesis.
Who pays
HYPOTHESIS: MSPs and small security consultancies who must produce posture reports for many client domains and would rather buy the report generator than build it; secondarily, small vendors filling out security questionnaires from larger customers. Explicitly NOT the enterprise CISO β that buyer requires enterprise sales, which is disqualifying for this founder. INFERENCE: if the only realistic buyer turns out to be the enterprise CISO, the idea is dead on the founder-fit constraint alone, and that is the likeliest outcome.
Solved today
FACT (source 1): DMARC monitoring is handled by Valimail, dmarcian, EasyDMARC, and now Cloudflare for free. INFERENCE: post-quantum readiness assessment today is handled by consulting hours from the big four and specialist firms, plus free scanners (Qualys SSL Labs, testssl.sh, Hardenize) that produce technical output rather than an audit artifact. Nothing here is unserved for lack of tooling; it is served by people billing hourly.
Why current solutions are bad
INFERENCE: free scanners emit technical findings, not dated evidence with a methodology statement and a chain of custody. Consultants emit the artifact but cost thousands and take weeks. HYPOTHESIS: there is a gap for a $200-500 automated report that is good enough for a questionnaire response but not for a formal audit opinion. CAUTION: 'good enough for a questionnaire' may be a market that does not pay, because the buyer can also answer the questionnaire with a paragraph of prose for free.
Proposed product
A domain-in, PDF-out posture scanner. Input: a domain (optionally a Cloudflare API token to pull the free DMARC aggregate reports). Output: a dated report covering email authentication posture (SPF/DKIM/DMARC policy state, enforcement percentage, failing senders derived from the aggregate reports) and TLS/certificate posture (protocol versions, cipher suites, key exchange algorithms, certificate signature algorithms, hybrid post-quantum key agreement support), each mapped to the 2030 migration clock with a remediation checklist. Positioned as evidence, not monitoring.
MVP version
Two weeks of build. Python: pull DNS TXT records for SPF/DMARC/DKIM selectors; parse Cloudflare's DMARC aggregate report XML (already a solved parsing problem); run a TLS handshake enumeration against the domain's hosts to record negotiated groups and certificate signature algorithms; check for X25519MLKEM768 hybrid support; render a WeasyPrint PDF from an HTML template with a methodology appendix and a scan timestamp. No accounts, no database, no dashboard. Stripe payment link, then email delivery of the PDF. The founder's existing FastAPI/Postgres stack on cloud-scale.us is more than sufficient.
30-day build
Do not build first. Build the scanner in week one (it is genuinely two weeks of solo work at most), then spend weeks two through four exclusively on falsification: generate 30 free reports for real domains found via Cloudflare-hosted small-vendor lists, send each one cold with a single question β 'would you have paid $300 for this, and who inside your org would have signed?' The kill threshold is explicit: fewer than three credible yeses with a named budget holder means stop and do not proceed to day 31. Charging nothing in month one is the correct move here because the binding uncertainty is buyer existence, not build feasibility.
60-day build
CONDITIONAL on clearing the 30-day threshold. Convert the three-plus yeses into paid reports at $300-500. Build the only feature that separates this from a free scanner: multi-domain batch runs with a consolidated portfolio report, aimed squarely at MSPs who manage 20-200 client domains. Approach 10 MSPs directly with a completed portfolio report for their actual client list already in hand β demonstrated value, no pitch. HYPOTHESIS: the MSP is the only buyer in this space that a solo operator can reach without enterprise sales.
90-day revenue plan
HYPOTHESIS, and deliberately modest: 3-6 MSPs at $199-399/mo for unlimited portfolio scans, plus intermittent one-off reports at $300, yielding roughly $1,000-2,500 MRR. This does not reach meaningful cash in 90 days. The honest framing is that this is a slow compliance product wearing a fast-cash costume, and the founder needs cash in 30-90 days.
Distribution path
INFERENCE: the free-report-as-cold-outreach motion is the only viable channel β it matches the founder's stated 'sells through demonstrated value' pattern exactly. Secondary: publishing a public post-quantum readiness index for the top few thousand domains, which is link-bait and generates inbound. Explicitly unavailable: paid acquisition (ad-spend-heavy, disqualified), conference presence (slow), partner channels (long trust cycle). The public index is the strongest single asset here and is worth building even if the paid product dies.
Pricing hypothesis
$300 one-shot report; $199-399/mo MSP portfolio tier. Do not price against Cloudflare's free tier β the moment a buyer perceives this as monitoring, the price ceiling is zero. FACT (source 1): the monitoring category's price floor is now free, which is precisely why the product must never be described as monitoring.
Technical difficulty
Low. DNS lookups, XML parsing, TLS handshake enumeration, and PDF generation are all solved, well-documented problems with mature Python libraries. INFERENCE: technical difficulty being low is a liability, not an asset β it means the moat is zero and a competitor can clone the scanner in a weekend. The only defensible asset is the report's credibility and the distribution list.
Legal / regulatory risk
Moderate and worth taking seriously. Emitting a document that a buyer presents to an auditor invites reliance. INFERENCE: the report must carry an explicit disclaimer that it is an automated technical scan and not a professional audit opinion or legal compliance certification. Scanning third-party domains for the public index raises CFAA-adjacent questions; restrict to passive DNS and standard TLS handshakes, which are ordinary client behavior, and honor removal requests. No PII is processed, so GDPR/CCPA exposure is minimal.
Platform dependency
Real but bounded. FACT (source 1): the DMARC report ingestion path depends on Cloudflare's DMARC Management feature. INFERENCE: Cloudflare shipping a 'download your posture report' button would end the email half of this product overnight, and given that they just shipped the free tier and separately published the post-quantum advocacy piece (source 2), they are visibly thinking about both halves of this exact convergence. That is not a coincidence to wave away β it is the single most likely cause of death. The TLS/PQC half depends on nothing and could stand alone.
Founder fit
Mixed, and worse than it first appears. Aligned: micro-SaaS shape, data/report product, compliance monitor, fast solo prototype, demonstrated-value selling, existing server infrastructure, systems thinking. Misaligned in ways that matter more: post-quantum compliance is a multi-year trust-building play against a 2030 clock, the credible buyer skews enterprise, the founder's genuine domain credibility is in industrial operations and public records rather than cryptography, and 'no degree but high operational credibility' does not transfer into a field where buyers screen for exactly the credentials he lacks. Selling a cryptographic attestation is a credentials market.
Breakout potential
Low to moderate. INFERENCE: the ceiling is a lifestyle report business or a small acquisition by an incumbent needing a low-end funnel. The 2030 deadline guarantees demand grows, but it also guarantees well-capitalized competitors enter, and they will win the buyer who can afford to pay. The public readiness index has genuine standalone value as an audience asset and might outlive the product.
Final recommendation
Do not build this. The convergence is real and the reasoning that produced it is sound β free telemetry plus a new obligation does create a gap at the audit layer, and that observation is worth keeping. But the gap is in the wrong place for this founder on three independent axes, any one of which is close to fatal. Timing: a 2030 deadline does not produce 2026 revenue, and the founder needs cash in 30-90 days. Buyer: the only buyer with budget for a cryptographic attestation is reached through enterprise sales, and the MSP alternative is invented rather than observed. Platform: Cloudflare generated both signals and is one product decision from occupying the space. The kill arguments are stronger than the case. What survives is narrow and worth naming precisely: the public post-quantum readiness index is a cheap, legal, link-worthy audience asset that costs a weekend and has standalone value regardless of whether any product follows it. Build that as a distribution experiment if the founder wants exposure to this space β but treat it as an option on a future market, not as revenue. It will not pay in 90 days. If the 30-day falsification test described above were somehow run and produced three named budget holders, that would be genuine new evidence and this recommendation should be revisited. Absent that, the correct move is to spend the next 30 days on an opportunity where the buyer already exists and is already paying someone.
Next action
Spend one weekend building the public post-quantum readiness index β passive DNS plus TLS handshake enumeration across a few thousand public domains, published as a free ranking. It is cheap, it is legal, it generates inbound, and it directly tests whether anyone in this space responds to anything at all. Do not build the paid report, do not build the scanner product, and do not treat this as the founder's primary line of work for the next 90 days.