You sell email security. You shouldn't have to also build it.
Every other MSP pitch in this category is “we also do DMARC, it's $50 per domain, here's an invoice.” Mailstinger is the platform you resell above the dashboard — with your brand on the PDF, your rua pointers in your client's DNS, and a fleet console that makes quarterly reviews a 15-minute export.
$149/mo flat.
That's $5.96 / client.
Not “we added a customer field to the reports table.”
Real tenant isolation
tenant_id is the first column of every table. Row-level filters are enforced in middleware, not “we hope the query has a WHERE.” Clients see only their own data. Even if they discover an API endpoint, they can't read another tenant's reports.
Platform-admin console
Your view across the fleet: DNS issues, TLS-RPT failures, email delivery status, which tenants are overdue for an alignment win. Sort, search, drill down. Quarterly reviews become a single pass through one screen.
White-label PDF reports
Monthly compliance PDF generated per client, with your logo, your brand colours, your support email. Clients receive a professional document, not a URL that says “mailstinger.com” across the top. You look like the SOC.
CNAME delegation
Clients don't manage their own rua pointers. They CNAME _dmarc to us, we manage the TXT, you don't get a 1 a.m. call because someone flattened the DMARC record during a zone migration. Works with Cloudflare today, GoDaddy / Route53 on the roadmap.
Per-tenant notification rules
Route alerts by severity and tenant: Bob's Widgets gets the full forensic email, Mega Corp's CISO gets the digest, your own ops team gets the triage webhook. Configured per tenant, per channel, one page.
API + webhooks
Full REST API for every entity a tenant has. Webhooks for new reports, new lookalikes, posture changes. Pipe findings into your PSA, your SIEM, or a channel in your Slack. Rate-limited, not gated.
Your client owns the domain. You own the DMARC record.
The pain point: DMARC records break every time a junior admin touches DNS. Zone flatteners strip them. Provider migrations drop them. A client's marketing agency adds a verification TXT and bumps yours off. You get paged.
Delegation fixes this at the root. The client adds _dmarc.their-domain.com as a CNAME to us once. From then on, you edit the record in our UI — it lives on your infrastructure, under your brand subdomain.
- Your rua pointers live under your brand subdomain, not ours
- Policy changes happen in Mailstinger, not the client's DNS
- Zone migrations on the client side don't break monitoring
- You can move a client between Mailstinger tenants without DNS edits
The report that lands in their inbox doesn't say “Mailstinger” anywhere.
Every month, each of your clients receives a PDF branded as yours. It opens with the big number — their alignment rate. It shows the top senders, the misaligned ones with plain-English reasons, any new lookalike domains, and a recommendation section signed as your company.
They forward it to their CFO. The CFO forwards it to the board. The board sees your brand.
inet45 runs Mailstinger for their own MSP stack.
inet45 is the MSP behind Mailstinger. Their own client portal lives at inet45.mailstinger.com with their shield in the header, their support email on the footer, and their CNAME-delegated DMARC for every domain in their book. The platform you'd resell is the same platform they ship to their own clients today.
That's the reason every architecture decision — tenant-scoped DNS slugs, per-tenant nginx upstream, hosted MTA-STS with id rotation — is wired the way it is. We didn't bolt on multi-tenant; we shipped it because we wouldn't use anything less for our own clients.
Price the outcome. Keep the delta.
Agency tier, $149/mo, 25 clients. Resell the reporting outcome at whatever you already charge for email security. The trial is 14 days, no card — long enough to onboard two of your nosiest clients.