Bulk Domain Email Security Checker

Audit SPF, DMARC, MX, and DKIM DNS records for many domains at once. This Apify Actor turns public DNS lookups into a clean dataset with scores, risk flags, raw records, and remediation-ready evidence.

What does Bulk Domain Email Security Checker do?

Bulk Domain Email Security Checker reviews the public email authentication posture of every domain you provide.

It checks:

• 📬 MX records for mail routing
• 🛡️ SPF TXT records on the root domain
• 📣 DMARC TXT records on _dmarc.domain
• 🔐 optional DKIM selectors such as google, selector1, selector2, and default
• 🚩 normalized risks such as missing DMARC, weak p=none, missing SPF, multiple SPF records, and SPF lookup-limit risk

The output is one row per domain, ready for CSV, JSON, Excel, BigQuery, Make, Zapier, or an internal remediation dashboard.

Who is it for?

This actor is designed for teams that manage many domains.

• Email deliverability agencies auditing customer domains
• MSPs checking Microsoft 365 or Google Workspace onboarding readiness
• Security auditors reviewing email authentication posture
• Cold-email operations teams cleaning prospect or sending-domain lists
• SaaS onboarding teams validating customer DNS setup
• RevOps teams monitoring domains after migrations
• Compliance teams creating recurring evidence exports

Why use this actor?

Single-domain web checkers are useful for one-off debugging, but they are slow when you need to audit 50, 500, or 5,000 domains.

This actor is bulk-first:

• Paste a list of domains.
• Run once.
• Export a structured dataset.
• Sort by score or risk flag.
• Send the remediation queue to the right owner.

What data can you extract?

Field	Description
domain	Normalized domain name checked
status	ok, warning, or error
score	0-100 posture score
riskFlags	Machine-readable remediation flags
mxHosts	MX hostnames sorted by priority
spfStatus	SPF status: pass, missing, multiple, or error
spfRecord	First SPF record found
spfLookupMechanismCount	Approximate SPF DNS lookup mechanism count
dmarcStatus	DMARC status: pass, missing, or error
dmarcPolicy	DMARC p= policy
dmarcRua	Aggregate report destinations
dkimResults	Results for requested DKIM selectors
rawTxtRecords	Optional raw TXT records
errors	DNS lookup errors captured per domain

How much does it cost to check domain email security?

This actor uses pay-per-event pricing.

• A small start event is charged once per run.
• A per-domain event is charged for each domain row saved to the dataset.
• Larger Apify subscription tiers receive lower per-domain prices.

The actor does not use proxies or browsers, so compute costs are low and predictable.

How to use it

1. Open the actor on Apify.
2. Add domains in the domains array or paste them into domainsText.
3. Optionally set DKIM selectors.
4. Choose whether to include raw DNS records.
5. Run the actor.
6. Export the dataset as CSV, JSON, Excel, or through the Apify API.

Input example

{
  "domains": ["google.com", "gmail.com", "example.com"],
  "dkimSelectors": ["google", "selector1", "selector2", "default"],
  "includeRawRecords": true,
  "riskOnly": false,
  "maxConcurrency": 20,
  "timeoutMs": 5000
}

Output example

{
  "domain": "example.com",
  "status": "warning",
  "score": 55,
  "riskFlags": ["missing_dmarc"],
  "mxHosts": ["."],
  "spfStatus": "pass",
  "spfRecord": "v=spf1 -all",
  "dmarcStatus": "missing",
  "dkimResults": [{ "selector": "google", "found": false }],
  "checkedAt": "2026-06-26T00:00:00.000Z"
}

Risk flags explained

The riskFlags array is built for filtering and remediation.

• no_mx — no MX record was found.
• missing_spf — no root SPF record was found.
• multiple_spf_records — more than one SPF record was found.
• spf_allows_all — SPF contains +all.
• spf_dns_lookup_limit_risk — SPF likely approaches or exceeds the 10 lookup limit.
• spf_uses_ptr_mechanism — SPF uses the discouraged PTR mechanism.
• missing_dmarc — no DMARC record was found.
• dmarc_policy_none — DMARC is in monitor-only mode.
• dmarc_missing_rua — DMARC does not publish aggregate reporting.
• multiple_dmarc_records — multiple DMARC records were found.
• no_requested_dkim_selector_found — none of the requested DKIM selectors resolved.

Scoring model

Each domain starts at 100 points. Risk flags subtract points based on likely operational impact. The score is not a legal or compliance certification; it is a practical prioritization signal for bulk remediation.

DKIM selector checks

DKIM is selector-based. There is no universal DNS record that lists every selector a domain uses.

The actor checks selectors you provide at:

selector._domainkey.domain

Use selectors from your mail provider or common defaults such as:

• google
• selector1
• selector2
• default
• k1
• mail

Tips for best results

• Use root domains such as example.com, not email addresses.
• Keep includeRawRecords enabled when you need audit evidence.
• Enable riskOnly when you only want remediation rows.
• Add provider-specific DKIM selectors for better DKIM coverage.
• Lower concurrency if a custom DNS resolver or very large batch gets intermittent timeouts.

Integrations

Use this actor in workflows such as:

• Weekly deliverability audit exported to Google Sheets
• Customer onboarding DNS checks before enabling email sending
• MSP domain inventory review in Airtable
• Security posture dashboard in BigQuery
• Slack alert for domains with missing DMARC
• Make or Zapier workflow that creates remediation tickets

API usage with Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: process.env.APIFY_TOKEN });
const run = await client.actor('automation-lab/bulk-domain-email-security-checker').call({
  domains: ['example.com', 'google.com'],
  includeRawRecords: true
});
console.log(run.defaultDatasetId);

API usage with Python

from apify_client import ApifyClient
import os

client = ApifyClient(os.environ['APIFY_TOKEN'])
run = client.actor('automation-lab/bulk-domain-email-security-checker').call(run_input={
    'domains': ['example.com', 'google.com'],
    'includeRawRecords': True,
})
print(run['defaultDatasetId'])

API usage with cURL

curl -X POST "https://api.apify.com/v2/acts/automation-lab~bulk-domain-email-security-checker/runs?token=$APIFY_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"domains":["example.com","google.com"],"includeRawRecords":true}'

MCP integration

Use this actor through Apify MCP from Claude Desktop, Claude Code, or other MCP-compatible clients.

$claude mcp add apify-domain-email-security "https://mcp.apify.com/?tools=automation-lab/bulk-domain-email-security-checker"

{
  "mcpServers": {
    "apify-domain-email-security": {
      "url": "https://mcp.apify.com/?tools=automation-lab/bulk-domain-email-security-checker"
    }
  }
}

Example prompts:

• "Use Apify to check these domains for SPF, DMARC, MX, and DKIM risk flags."
• "Run a bulk domain email security audit and return only domains with missing DMARC."
• "Create a remediation summary for these customer domains from the Apify MCP results."

MCP usage with Claude

Connect Apify MCP with this tool enabled:

https://mcp.apify.com/?tools=automation-lab/bulk-domain-email-security-checker

Example prompts:

• "Check these 200 customer domains for missing DMARC and summarize the riskiest ones."
• "Run a bulk email security audit and export risky domains to CSV."
• "Compare SPF and DMARC posture for these acquisition target domains."

MCP usage with Claude Desktop

Add Apify MCP to Claude Desktop, authorize your Apify account, and allow the automation-lab/bulk-domain-email-security-checker tool. Then paste domains directly into your prompt and ask Claude to run the audit.

MCP usage with Claude Code

Use the Apify MCP URL with:

?tools=automation-lab/bulk-domain-email-security-checker

Add it from the CLI:

$claude mcp add apify-domain-email-security "https://mcp.apify.com/?tools=automation-lab/bulk-domain-email-security-checker"

Or configure the MCP server in JSON:

{
  "mcpServers": {
    "apify-domain-email-security": {
      "url": "https://mcp.apify.com/?tools=automation-lab/bulk-domain-email-security-checker"
    }
  }
}

Claude Code can run checks during onboarding scripts, DNS migration reviews, or repository-driven domain inventory updates.

Legality

The actor only queries public DNS records. It does not bypass authentication, scrape private pages, log in to accounts, or access mailbox content. Always use the results responsibly and follow your agreements with customers and domain owners.

Limitations

• DKIM requires known selectors.
• DNS propagation can produce temporary differences by resolver and time.
• SPF lookup counting is a practical heuristic, not a full recursive SPF evaluator.
• DMARC p=none may be intentional during rollout.
• A high score does not guarantee complete email deliverability.

Troubleshooting: no DKIM found

DKIM records are selector-specific. Add the selectors used by your email provider. For Google Workspace, try google. For Microsoft 365, try selectors such as selector1 and selector2.

Troubleshooting: DNS timeout errors

Some domains have slow or broken DNS. Increase timeoutMs or reduce maxConcurrency. The actor records lookup errors in the errors field instead of failing the entire run.

FAQ

Can I check thousands of domains?

Yes. The actor uses DNS lookups and concurrency rather than a browser, so large batches are efficient.

Does it send email?

No. It only reads public DNS records.

Does it require proxies?

No. DNS checks do not require Apify Proxy.

Can it validate BIMI?

Not in the first version. BIMI can be added later if users request it.

Can it monitor domains over time?

Yes. Schedule the actor on Apify and compare datasets between runs.

Related scrapers and tools

Other automation-lab actors may complement this workflow:

• https://apify.com/automation-lab/website-contact-finder
• https://apify.com/automation-lab/bulk-url-status-checker
• https://apify.com/automation-lab/security-headers-checker

Support

If you need a new risk flag, a provider-specific DKIM selector preset, or another DNS record type, open an issue on the actor page.

Changelog

• Initial version: bulk SPF, DMARC, MX, and DKIM DNS audit with scores and risk flags.