I'm consulting for an organization managing over 200 domains, each with individually configured SPF, DKIM, and DMARC records. Maintaining separate configurations for each domain is highly inefficient and error-prone. These are all A/C repair companies and plumbing companies.
What are the best approaches to centralize and streamline SPF, DKIM, and DMARC management across all domains? Potential solutions I'm considering include:
- Organizational DMARC Policies – Implementing a single DMARC record at the apex domain to enforce policy inheritance for subdomains.
- Centralized SPF Configuration – Using a shared SPF include record to standardize mail server authorizations across all domains.
- Unified DKIM Signing – Configuring DKIM keys at a central relay or using a single domain for signing.
- Email Gateway Enforcement – Routing outbound mail through a dedicated relay or secure email gateway (e.g., Proofpoint, Mimecast) for consistent authentication.
- Automated DNS Management – Deploying infrastructure-as-code (Terraform, Ansible) or DNS API automation to apply uniform policies across domains.
Has anyone implemented similar solutions at scale? Are there best practices or specific tools that have worked well for consolidating email authentication in large enterprise environments?
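
An added example, not part of the original post: a drift check that compares each domain's SPF and DMARC records against one baseline, which is the audit step any of the centralization options above would need. The shared include `_spf.mailhub.example`, the report domain, the baseline policy and the zone data are constructed assumptions; the dictionary stands in for live DNS lookups.

```python
# Constructed sample data: TXT records keyed by DNS name (stand-in for live lookups).
SHARED_SPF_INCLUDE = "include:_spf.mailhub.example"  # hypothetical shared include
ZONE = {
    "acme-plumbing.example": ["v=spf1 include:_spf.mailhub.example -all"],
    "_dmarc.acme-plumbing.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@mailhub.example"],
    "acme-plumbing.example._report._dmarc.mailhub.example": ["v=DMARC1"],
    "coolair-hvac.example": ["v=spf1 ip4:203.0.113.7 ~all",
                             "v=spf1 include:_spf.mailhub.example -all"],
    "_dmarc.coolair-hvac.example": ["v=DMARC1; p=none; rua=mailto:dmarc@mailhub.example"],
}

def parse_tags(record):
    """Split a DMARC record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, zone):
    """Return a list of deviations from the baseline for one domain."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # More than one SPF record makes receivers return permerror (RFC 7208).
        findings.append(f"spf: expected 1 record, found {len(spf)}")
    else:
        terms = spf[0].split()
        if SHARED_SPF_INCLUDE not in terms:
            findings.append("spf: shared include missing")
        if terms[-1] != "-all":
            findings.append(f"spf: ends with {terms[-1]}, baseline is -all")
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"dmarc: expected 1 record, found {len(dmarc)}")
        return findings
    tags = parse_tags(dmarc[0])
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"dmarc: p={tags.get('p')} is not enforcing")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        host = uri.rsplit("@", 1)[-1].split("!")[0].lower()
        # RFC 7489 section 7.1: a report address outside the domain needs an
        # authorization record published by the receiving domain.
        # Simplification: exact host match instead of organizational-domain match.
        if host != domain and not zone.get(f"{domain}._report._dmarc.{host}"):
            findings.append(f"dmarc: no report authorization at {domain}._report._dmarc.{host}")
    return findings

if __name__ == "__main__":
    for name in ("acme-plumbing.example", "coolair-hvac.example"):
        print(name, audit(name, ZONE) or "OK")
```
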