Bulk MTA-STS & TLS-RPT Checker
Pricing
from $2.00 / 1,000 email transport-security audits
Bulk MTA-STS & TLS-RPT Checker
Audit up to 1,000 public domains for MTA-STS policy reachability, MX coverage, TLS-RPT, DMARC enforcement, SPF record count, MX, and BIMI readiness.
Pricing
from $2.00 / 1,000 email transport-security audits
Rating
0.0
(0)
Developer
Ben E
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
6 hours ago
Last modified
Categories
Share
Email Transport Security Auditor
Bulk-check public domains for the email transport and authentication records that are easy to misconfigure across a client portfolio:
- MX inventory
- SPF record count
- DMARC policy and enforcement posture
- MTA-STS discovery TXT record
- pinned HTTPS retrieval of
/.well-known/mta-sts.txt - MTA-STS version, mode,
max_age, MX patterns, and live MX coverage - SMTP TLS reporting (
TLS-RPT) version and aggregate report destinations - optional default-selector BIMI record and DMARC enforcement prerequisites
The Actor writes one deterministic dataset row per unique valid domain and a run summary to OUTPUT.
Why this Actor
MTA-STS uses both DNS and a fixed HTTPS policy endpoint. A record can exist while its policy is unreachable, malformed, served with the wrong content type, left in testing mode, or missing a live MX host. TLS-RPT is a separate DNS policy. This Actor checks those pieces together without asking for DNS credentials, mailbox access, private reports, or account data.
Input
{"domains": ["gmail.com", "yahoo.com"],"maxDomains": 100,"fetchTimeoutSecs": 15,"includeBimi": true}
Enter domain names only. URLs, email addresses, IP addresses, and private hostnames are rejected. Duplicate domains are audited once. Malformed inputs are reported in OUTPUT and are not charged as domain audits.
Output
Each row includes stable issue codes, error/warning counts, MX hosts, MTA-STS record and policy fields, uncovered MX hosts, TLS report destinations, DMARC posture, SPF record count, BIMI URLs, and audit time.
Useful issue codes include:
MTA_STS_NOT_CONFIGUREDMTA_STS_POLICY_UNREACHABLEMTA_STS_POLICY_HTTP_STATUSMTA_STS_POLICY_MX_NOT_COVEREDMTA_STS_TESTING_MODETLS_RPT_NOT_CONFIGUREDTLS_RPT_INVALID_RECORDDMARC_NOT_FOUNDDMARC_MULTIPLE_RECORDSSPF_MULTIPLE_RECORDSBIMI_DMARC_NOT_ENFORCED
Pricing
Pay per event:
$0.00005per Actor start$0.002per unique valid domain audit ($2 per 1,000 domains)
Standards and boundaries
- RFC 8461 — SMTP MTA Strict Transport Security
- RFC 8460 — SMTP TLS Reporting
- BIMI Group implementation guide
This is a public DNS and fixed-endpoint technical preflight, not a security certification, deliverability guarantee, mailbox-provider logo guarantee, legal review, or substitute for controlled rollout and monitoring. DKIM is not tested because selectors are not discoverable reliably without user input. BIMI logo and certificate files are not downloaded.
Network safety
The Actor never fetches a user-supplied URL. It constructs only the RFC-defined https://mta-sts.<domain>/.well-known/mta-sts.txt endpoint, resolves it first, rejects private/reserved addresses, pins the public IP for the TLS request, validates the hostname certificate, rejects redirects, limits responses to 100 KB, and never returns secrets.