Bulk MTA-STS & TLS-RPT Checker avatar

Bulk MTA-STS & TLS-RPT Checker

Pricing

from $2.00 / 1,000 email transport-security audits

Go to Apify Store
Bulk MTA-STS & TLS-RPT Checker

Bulk MTA-STS & TLS-RPT Checker

Audit up to 1,000 public domains for MTA-STS policy reachability, MX coverage, TLS-RPT, DMARC enforcement, SPF record count, MX, and BIMI readiness.

Pricing

from $2.00 / 1,000 email transport-security audits

Rating

0.0

(0)

Developer

Ben E

Ben E

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

6 hours ago

Last modified

Share

Email Transport Security Auditor

Bulk-check public domains for the email transport and authentication records that are easy to misconfigure across a client portfolio:

  • MX inventory
  • SPF record count
  • DMARC policy and enforcement posture
  • MTA-STS discovery TXT record
  • pinned HTTPS retrieval of /.well-known/mta-sts.txt
  • MTA-STS version, mode, max_age, MX patterns, and live MX coverage
  • SMTP TLS reporting (TLS-RPT) version and aggregate report destinations
  • optional default-selector BIMI record and DMARC enforcement prerequisites

The Actor writes one deterministic dataset row per unique valid domain and a run summary to OUTPUT.

Why this Actor

MTA-STS uses both DNS and a fixed HTTPS policy endpoint. A record can exist while its policy is unreachable, malformed, served with the wrong content type, left in testing mode, or missing a live MX host. TLS-RPT is a separate DNS policy. This Actor checks those pieces together without asking for DNS credentials, mailbox access, private reports, or account data.

Input

{
"domains": ["gmail.com", "yahoo.com"],
"maxDomains": 100,
"fetchTimeoutSecs": 15,
"includeBimi": true
}

Enter domain names only. URLs, email addresses, IP addresses, and private hostnames are rejected. Duplicate domains are audited once. Malformed inputs are reported in OUTPUT and are not charged as domain audits.

Output

Each row includes stable issue codes, error/warning counts, MX hosts, MTA-STS record and policy fields, uncovered MX hosts, TLS report destinations, DMARC posture, SPF record count, BIMI URLs, and audit time.

Useful issue codes include:

  • MTA_STS_NOT_CONFIGURED
  • MTA_STS_POLICY_UNREACHABLE
  • MTA_STS_POLICY_HTTP_STATUS
  • MTA_STS_POLICY_MX_NOT_COVERED
  • MTA_STS_TESTING_MODE
  • TLS_RPT_NOT_CONFIGURED
  • TLS_RPT_INVALID_RECORD
  • DMARC_NOT_FOUND
  • DMARC_MULTIPLE_RECORDS
  • SPF_MULTIPLE_RECORDS
  • BIMI_DMARC_NOT_ENFORCED

Pricing

Pay per event:

  • $0.00005 per Actor start
  • $0.002 per unique valid domain audit ($2 per 1,000 domains)

Standards and boundaries

This is a public DNS and fixed-endpoint technical preflight, not a security certification, deliverability guarantee, mailbox-provider logo guarantee, legal review, or substitute for controlled rollout and monitoring. DKIM is not tested because selectors are not discoverable reliably without user input. BIMI logo and certificate files are not downloaded.

Network safety

The Actor never fetches a user-supplied URL. It constructs only the RFC-defined https://mta-sts.<domain>/.well-known/mta-sts.txt endpoint, resolves it first, rejects private/reserved addresses, pins the public IP for the TLS request, validates the hostname certificate, rejects redirects, limits responses to 100 KB, and never returns secrets.