>Using 3rd party to manage email setup isn't really an indication, sometimes it's free with email filtering products

It was visible from their DNS that they were using a third party to manage their email, not that they were using Pax8 or something like that. The DNS entry linked to a website that says they will manage your email, configure DMARC. Basically they had an entry on their DNS when I checked the entry, it linked to a website that offers DMARC integration, when I checked the instructions for allowing that integration the instructions on what to add to the DNS record were the same, indicating they are using that company to set this up for them.

>MSPs often use client portals , so customers having to login to portal.mspnameinfra.com doesn't look nice.

My point is that when you go to the sales website mymsp.com you can check the DNS and see they've configured rmm.mymsp.com . If you're saying you don't think it looks nice to have rmm.mymspremote.com vs rmm.mymsp.com that is fine, I just don't think they way it looks matters to such a degree in this instance when weighted against the security of the company. If it were only the portal, I may grant an exception for that but I find they just link all their web applications off of their main website.

>If it's a targeted attack , they'll find it anyway, if it's just an attack they'll be using shodan to scan for targets online regardless of domain.

We are talking about significant risk reduction, just through changing a name. I don't know how you could possibly be willing to accept that hackers who want in your company will just find this information anyway. It just complete ignores the point of security which is risk mitigation to the highest degree balanced with the needs of the business. I know of many domain enumeration techniques, I'm not aware of any that would easily circumvent this. You'd literally have to brute force potential domain names or compromise an asset (a living or non living asset)

>For me an MSP that spends on tools to make management and reporting easier is indicative of a good place , whether that's email management or an SSO/ better MFA.

This is sort of circular logic. It almost like saying companies that hire MSPs to manage their IT are companies that are good at managing their own IT. That isn't the case, not because they cannot get the job done but because of a combinations of (a) quality of work (b) time (c) money. If you can manage a, b and c you don't outsource the role (however a, b and c are tied to skill level). In the case of DMARC and DKIM configuration, having a problem with a, b or c does indicate a lack of competency in managing email, we are talking about technologies that are 10 years old at this point and there are step by step videos on YouTube on how to implement them. I understand the concept but if you're an IT company who manages email and you outsource the management of your email, that to me indicates you're not very good with email.