Convergence Radar Convergence Engine

← Feed

C

Cloudflare MSP DMARC Rollup β€” multi-tenant enforcement dashboard on top of Cloudflare's free DMARC tier

50/100

An OAuth app for MSPs that connects every client's Cloudflare account, aggregates the now-free DMARC/SPF data into one cross-tenant dashboard, and sells enforcement-progress tracking and client-ready remediation reports per managed domain.

Interesting but not urgent. Β· created 2026-07-10 01:13 UTC

saasapirevisit later

Scorecard

newness 7/10
convergence 7/10
demand evidence 4/10
existing spend 6/10
solo feasibility 8/10
speed to mvp 7/10
speed to revenue 4/10
distribution 5/10
competitive gap 3/10
expansion 4/10
founder fit 5/10

Penalty flags
marketplace approval risk platform policy risk (βˆ’5 from raw 55)

Opportunity brief

What changed
Two platform shifts landed together: (1) Cloudflare made DMARC management (reporting + SPF auditing, through to full enforcement) generally available free to any Cloudflare DNS user [FACT: blog.cloudflare.com/dmarc-management-ga/], collapsing the floor under a paid category that charged $20-500/mo (Valimail, dmarcian, EasyDMARC) [FACT: same source]; (2) Cloudflare opened OAuth app registration to all developers, so a third party can act on a user's Cloudflare resources with delegated auth instead of needing a partner deal [FACT: blog.cloudflare.com/oauth-for-all/].
Why now
The free tier is single-tenant by design. An MSP managing 50-500 client domains gets zero rollup, no cross-client SLA view, and no branded reporting from Cloudflare's free feature. The OAuth-for-all change is the enabling wedge: a solo dev can now legitimately build the multi-tenant layer without a Cloudflare partnership. HYPOTHESIS: urgency is amplified by Google/Yahoo bulk-sender rules and PCI DSS 4.0 effectively mandating DMARC β€” plausible and widely reported, but NOT in the provided sources and must be independently verified.
Converging signals
Free incumbent baseline (DMARC Management GA) + open third-party app surface (OAuth for all) = the classic 'sell above the free tier' play: the platform commoditized the data collection, leaving aggregation, progress tracking, and client communication as the unpaid gap.
Customer pain
MSPs must move each client from p=none to p=quarantine/reject without breaking mail, prove progress to the client, and do it across dozens of tenants. Today that means logging into each Cloudflare account separately or paying a per-domain fee to a legacy DMARC vendor whose collection layer Cloudflare just made redundant. HYPOTHESIS: MSPs experience this as painful β€” inferred from the existence of MSP partner programs at every incumbent DMARC vendor, not directly evidenced in the provided sources.
Who pays
MSPs and IT service providers whose client base uses Cloudflare DNS. They already pay per-domain for dmarcian/EasyDMARC MSP plans [HYPOTHESIS: incumbent MSP pricing exists β€” verify current rates], so budget and buying behaviour exist; the pitch is 'same rollup, a fraction of the price, because Cloudflare now does the expensive part free.'
Solved today
(a) Pay dmarcian/EasyDMARC/PowerDMARC per domain (~$1-10/domain/mo at MSP tiers β€” HYPOTHESIS, verify); (b) manually check each client's Cloudflare dashboard; (c) ignore DMARC until a client's mail gets junked.
Why current solutions are bad
Incumbent pricing was set when they had to run the report-ingestion infrastructure; Cloudflare now does that free for Cloudflare-DNS domains, so the incumbent per-domain fee is paying for plumbing the MSP no longer needs. Manual per-account checking doesn't scale past ~10 clients and produces no client-facing artifact.
Proposed product
A Cloudflare OAuth app + web dashboard: MSP connects each client account (or clients grant scoped access), app pulls DMARC posture, report summaries, SPF audit results per zone, and produces (1) a cross-tenant grid (policy level, pass rate, unauthorized senders), (2) enforcement-progress tracking with target dates, (3) monthly white-label PDF/email reports per client, (4) alerts when a new unauthorized sender appears or pass-rate drops.
MVP version
2-3 weeks: OAuth flow + Cloudflare API read of DMARC management data across N accounts, single rollup table, and a generated per-client PDF report. No report-parsing infrastructure of your own β€” that is the whole point. CRITICAL PRE-BUILD CHECK (do this first, ~1 day): confirm the Cloudflare API actually exposes the DMARC Management report data to OAuth apps with readable scopes β€” if the free tier's data is dashboard-only, the entire product is dead. This is the single biggest unverified assumption.
30-day build
Days 1-3: API/scope feasibility spike (kill/continue gate). Days 4-14: MVP against your own + 2-3 friendly test accounts. Days 15-30: post walkthrough demos in r/msp, MSP Discord/Facebook groups, and MSPGeek; offer free onboarding to 5 design-partner MSPs in exchange for feedback and testimonials.
60-day build
White-label reports, alerting, Stripe billing at per-domain pricing. Submit to the Cloudflare app ecosystem/marketplace for discovery. Convert 2-3 design partners to paid.
90-day revenue plan
Target 5-10 paying MSPs at $49-149/mo (tiered by domain count) = $500-1,000 MRR. Modest, honest ceiling β€” this is a niche-of-a-niche (MSPs Γ— Cloudflare-DNS clients). HYPOTHESIS: conversion rates; no direct evidence.
Distribution path
Self-serve, no enterprise sales: r/msp and MSP peer communities (demonstrated-value posts fit the founder's selling style), Cloudflare app ecosystem listing, SEO on 'Cloudflare DMARC multi-tenant / MSP' (near-zero competition on that exact phrase today β€” HYPOTHESIS), and cold demo videos to MSPs advertising Cloudflare expertise.
Pricing hypothesis
$49/mo up to 25 domains, $99/mo to 100, $149/mo unlimited; undercuts incumbent per-domain MSP pricing precisely because Cloudflare eats the infrastructure cost. Per-domain overage keeps it transaction-flavored.
Technical difficulty
Low-moderate: OAuth flow, REST polling, a dashboard, PDF generation. No mail infrastructure, no report parsing. The hard part is not code, it's the unverified API surface (see MVP gate).
Legal / regulatory risk
Low. Read-only access to client-authorized data; standard DPA/ToS needed since you hold multi-tenant email-flow metadata. No regulated data.
Platform dependency
SEVERE β€” this is the product's defining risk. 100% dependent on Cloudflare: (a) they could ship multi-account rollups themselves (they built the free tier to drive DNS adoption; an MSP view is an obvious roadmap item), (b) API scope or app-ecosystem policy changes kill it, (c) it only works for the subset of an MSP's clients on Cloudflare DNS β€” a typical MSP book is heavy on Microsoft 365/registrar DNS, so the tool covers a fraction of their clients and can't be their single DMARC pane of glass. That last point is the strongest kill argument.
Founder fit
Moderate (5/10). Fits micro-SaaS/API/monitoring preferences, solo-buildable, demonstrated-value distribution. But it is NOT the proven government-mandate-filing shape: no regulation forces anyone to file anything through this tool, and email deliverability is outside his industrial/public-records/fire-service credibility zones. The Google/Yahoo/PCI quasi-mandates rhyme with his ELDT edge but there is no portal to submit into and no per-filing monetization.
Breakout potential
Limited by design: capped by MSPs Γ— Cloudflare-DNS overlap. Expansion path exists (add Microsoft 365/Google Workspace DMARC data sources to become DNS-provider-agnostic) but that walks straight into incumbents' core turf and rebuilds the parsing infrastructure the thesis avoided.
Final recommendation
CONDITIONAL PASS β€” do not build yet. Run the 1-day API-scope feasibility spike and post one validation thread in r/msp ('would you pay $99/mo for a Cloudflare-only multi-tenant DMARC rollup?') before writing product code. If the API exposes the data AND β‰₯3 MSPs say yes, build the 2-week MVP; otherwise kill. The idea is real but is a C+/B- opportunity: solo-feasible and fast to MVP, yet structurally capped and platform-fragile, and it does not exploit the founder's proven government-portal edge. His time is better spent on mandate-driven filing plays; this is a decent side-bet only if validation is cheap and positive.
Next action
Spend one day confirming via Cloudflare API docs and a test zone that DMARC Management report data is readable through an OAuth app token; simultaneously post the validation question in r/msp. Decide build/kill within 7 days.

Kill arguments (adversarial)

Competitors

β€’ dmarcian (link) β€” Incumbent with an established MSP partner program and multi-tenant management β€” direct evidence the 'MSP rollup' gap is already partially served.
β€’ EasyDMARC (link) β€” Aggressive SMB/MSP pricing and white-label reporting; covers all DNS providers, not just Cloudflare.
β€’ PowerDMARC (link) β€” MSP/reseller portal with white-label dashboards; competes on the exact reporting layer proposed here.
β€’ Sendmarc (link) β€” MSP-first DMARC vendor built around partner-managed multi-tenant enforcement β€” the closest shape to this proposal.
β€’ Cloudflare (first-party risk) (link) β€” Not a competitor today, but the most dangerous one tomorrow: an account-level rollup is a natural free-tier extension.

Source citations (facts)

β€’ Cloudflare DMARC Management is now generally available β€” Cloudflare DNS users get DMARC enforcement, reporting, and SPF auditing free, commoditizing a paid category that charged roughly $20-500/mo (Valimail, dmarcian, EasyDMARC).
β€’ Unlocking the Cloudflare app ecosystem with OAuth for all β€” Any developer can register self-managed OAuth apps that act on a user's Cloudflare resources with delegated auth, enabling third-party multi-account tooling without a partner agreement.

Actions