# Email Security Scanner (`cerridwen/email-security-scanner`) Actor DNS-only email posture for any domain: MX, SPF, DMARC, DKIM probes, MTA-STS, BIMI. No email sent. Returns score + actionable tips. Batch-friendly for CRM domains and compliance snapshots. - **URL**: https://apify.com/cerridwen/email-security-scanner.md - **Developed by:** [Cerridwen](https://apify.com/cerridwen) (community) - **Categories:** Developer tools, Automation, Integrations - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $1.00 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Email Security Scanner (SPF / DMARC / DKIM / MX) Passive **DNS-only** scan of a domain’s **email authentication posture**: MX targets with provider hints, SPF (`v=spf1`) parsing, DMARC at `_dmarc`, DKIM discovery via a bounded list of common selectors, plus MTA-STS and BIMI when published. **No email is sent** — there is no SMTP verification step. Outputs a **0–100 email security score** with a letter grade, plus human-readable `issues` and `recommendations`. Optional DNS fields are **omitted from JSON** when not present (no `null` noise — easier to read and harder to mistake for an actor failure). ### What it does Given one or more domains (or URLs — host is extracted; apex domain optional), the actor: 1. **MX** — Resolves MX records, sorted by priority. Adds `inferredProvider` only when the MX hostname matches a known pattern (Google Workspace, Microsoft 365, Cloudflare Email, etc.). 2. **SPF** — Finds `v=spf1` in apex TXT, returns the raw record and a small parse (terminal `all` mechanism, `redirect`, include/mx/a flags, mechanism count). 3. **DMARC** — Reads `_dmarc.` TXT for `v=DMARC1` and returns only tags that exist in the record (`policy`, `rua`, `pct`, `sp`, …). 4. **DKIM** — Probes `{selector}._domainkey.` for a bounded set of common selectors. A miss is **inconclusive** (many providers use custom selectors). If there is **no** DKIM match **and** DMARC is `reject` with SPF ending in `-all` or `~all`, the hard “no DKIM” issue is **not** raised; instead a short informational recommendation explains the selector-list limitation. **If any selector matches, no extra DKIM recommendation is added** (avoids noise on strong domains like Cloudflare). 5. **MTA-STS / BIMI** — Detects `_mta-sts` and `default._bimi` TXT when present. 6. **Score** — Simple weighted model (MX + SPF strictness + DMARC policy + DKIM presence), capped 0–100 with grades A–F. ### Use cases - **Sales / RevOps** — Quick “does this domain look professionally managed?” signal before outreach - **Security & GRC** — Lightweight evidence of SPF/DMARC posture (not a full pen-test) - **Deliverability audits** — Baseline check for missing `_dmarc`, weak SPF defaults, missing MX - **Batch enrichment** — Feed domains from CRM or spreadsheets; compare scores in a spreadsheet export ### Input | Field | Type | Default | Description | |-------|------|---------|-------------| | `domains` | string[] | *required* | Domains or full URLs (host extracted). | | `useApexDomain` | boolean | `true` | Collapse to registrable domain (`mail.example.com` → `example.com`). | | `maxDomains` | integer | `25` | Max domains per run (1–100). | | `maxDkimProbes` | integer | `25` | How many DKIM selectors to try per domain (5–60). | | `dnsTimeoutSeconds` | number | `12` | Resolver timeout budget per query type (capped 4–30s). | #### Example input ```json { "domains": ["google.com", "https://www.cloudflare.com/"], "useApexDomain": true, "maxDomains": 25, "maxDkimProbes": 25, "dnsTimeoutSeconds": 12 } ```` ### Output One dataset item per input. Keys appear **only when meaningful** — e.g. `spf.record` exists only if SPF is present; `bimi.record` only if BIMI TXT exists; `inferredProvider` on an MX row only if a hint matched. Empty `issues` / `recommendations` arrays mean **nothing material was flagged** for that domain (not an error). #### Example shape (illustrative) ```json { "domain": "cloudflare.com", "input": "https://www.cloudflare.com/", "mx": [ { "priority": 5, "host": "mxa-canary.global.inbound.cf-emailsecurity.net", "inferredProvider": "Cloudflare Email Routing / Security" } ], "spf": { "present": true, "record": "v=spf1 ip4:199.15.212.0/22 ... -all", "parsed": { "raw": "v=spf1 ... -all", "allMechanism": "-all", "mechanismCount": 9, "hasInclude": true, "hasMx": false, "hasA": false } }, "dmarc": { "lookupName": "_dmarc.cloudflare.com", "present": true, "record": "v=DMARC1; p=reject; pct=100; rua=mailto:...", "parsed": { "raw": "v=DMARC1; ...", "policy": "reject", "percentage": "100", "aggregateReports": "mailto:..." } }, "dkim": { "validSelectors": [ { "selector": "mandrill", "recordPreview": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/...", "queryName": "mandrill._domainkey.cloudflare.com" } ], "probedSelectors": ["default", "google", "..."] }, "mtaSts": { "present": false }, "bimi": { "present": true, "record": "v=BIMI1; l=https://www.cloudflare.com/....svg; a=....pem" }, "emailSecurityScore": { "score": 100, "grade": "A" }, "issues": [], "recommendations": [], "scannedAt": "2026-05-15T12:00:00.000000+00:00" } ``` #### Invalid input / errors If a row cannot be scanned, you get `input`, `error`, and `scannedAt` (and `domain` when normalization succeeded). No fake `null` fields for “missing scan sections”. ### What makes this different | Aspect | This actor | “Full security suite” | |--------|------------|------------------------| | Data source | DNS only (fast, cheap) | Often includes SMTP, APIs, crawlers | | SMTP / send test | No | Sometimes yes | | DKIM certainty | Probes common selectors; custom selectors may not appear | May require provider API or live mail | | Output style | Omits absent fields; lists can be empty | Often many `null`s | | Pairing | Complements **Tech Stack Detector** (same “signal from domain/URL” family) | Broader scope, higher cost | ### Limitations - **Not SMTP verification** — The actor never connects to port 25 or sends mail; it cannot prove inbox deliverability. - **Heuristic score** — The 0–100 grade is a practical summary, not a certification or legal/compliance sign-off. - **DKIM coverage** — Only a fixed list of common selectors is probed; absence in output does not prove absence of signing infrastructure. ### Technology - **DNS**: `dnspython` (TXT, MX) - **Domain normalization**: `tldextract` for optional apex collapse - **Runtime**: Python 3.12 on `apify/actor-python` ### Local test ```bash cd actors/email-security-scanner python3 test_local.py google.com cloudflare.com ``` ### Deploy Same workflow as your other actors: from this folder, **`apify push`** builds a new Docker image and updates the **same** Apify actor (no separate “second deploy” flow — every push is a new build/version on that actor). Ensure you are logged in (`apify login`) and the folder is linked to the right actor if you use multiple accounts. ```bash cd actors/email-security-scanner apify push ``` # Actor input Schema ## `domains` (type: `array`): Domains or URLs to scan (MX, SPF, DMARC, DKIM). Apex/root domain is used by default. ## `useApexDomain` (type: `boolean`): If true, collapse subdomains to the registrable domain (e.g. mail.example.com → example.com). ## `maxDomains` (type: `integer`): Maximum domains per run. ## `maxDkimProbes` (type: `integer`): How many common DKIM selectors to probe per domain (DNS cost vs coverage). ## `dnsTimeoutSeconds` (type: `number`): Per-query resolver timeout budget (capped internally). ## Actor input object example ```json { "domains": [ "google.com", "cloudflare.com" ], "useApexDomain": true, "maxDomains": 25, "maxDkimProbes": 25, "dnsTimeoutSeconds": 12 } ``` # Actor output Schema ## `results` (type: `string`): Dataset URL for per-domain email authentication scan results. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "domains": [ "google.com", "cloudflare.com" ] }; // Run the Actor and wait for it to finish const run = await client.actor("cerridwen/email-security-scanner").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "domains": [ "google.com", "cloudflare.com", ] } # Run the Actor and wait for it to finish run = client.actor("cerridwen/email-security-scanner").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "domains": [ "google.com", "cloudflare.com" ] }' | apify call cerridwen/email-security-scanner --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=cerridwen/email-security-scanner", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Email Security Scanner", "description": "DNS-only email posture for any domain: MX, SPF, DMARC, DKIM probes, MTA-STS, BIMI. No email sent. Returns score + actionable tips. Batch-friendly for CRM domains and compliance snapshots.", "version": "0.1", "x-build-id": "wzkFFXAz1eunY6CVY" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/cerridwen~email-security-scanner/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-cerridwen-email-security-scanner", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/cerridwen~email-security-scanner/runs": { "post": { "operationId": "runs-sync-cerridwen-email-security-scanner", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/cerridwen~email-security-scanner/run-sync": { "post": { "operationId": "run-sync-cerridwen-email-security-scanner", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "domains" ], "properties": { "domains": { "title": "Domains", "type": "array", "description": "Domains or URLs to scan (MX, SPF, DMARC, DKIM). Apex/root domain is used by default.", "items": { "type": "string" } }, "useApexDomain": { "title": "Use apex (registrable) domain", "type": "boolean", "description": "If true, collapse subdomains to the registrable domain (e.g. mail.example.com → example.com).", "default": true }, "maxDomains": { "title": "Max domains", "minimum": 1, "maximum": 100, "type": "integer", "description": "Maximum domains per run.", "default": 25 }, "maxDkimProbes": { "title": "Max DKIM selector probes", "minimum": 5, "maximum": 60, "type": "integer", "description": "How many common DKIM selectors to probe per domain (DNS cost vs coverage).", "default": 25 }, "dnsTimeoutSeconds": { "title": "DNS timeout (seconds)", "minimum": 4, "maximum": 30, "type": "number", "description": "Per-query resolver timeout budget (capped internally).", "default": 12 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```