Email Deliverability & Domain Posture Auditor
Pricing
from $30.00 / 1,000 domain auditeds
Email Deliverability & Domain Posture Auditor
Audit email deliverability and domain posture in bulk: MX, SPF, DKIM (common selectors), DMARC policy, DNSSEC, MTA-STS, TLS-RPT, and BIMI. Returns a 0-100 posture score, a prioritized fix list, and per-record detail. Pure DNS-over-HTTPS — no scraping, no API keys.
Pricing
from $30.00 / 1,000 domain auditeds
Rating
0.0
(0)
Developer
Geo
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
2 days ago
Last modified
Categories
Share
Bulk audit email deliverability posture: MX · SPF · DKIM · DMARC · DNSSEC · MTA-STS · TLS-RPT · BIMI — with a 0–100 score and a prioritized fix list.
Audit a single domain or thousands. Pure DNS-over-HTTPS — no scraping, no proxies, no API keys. Built for cold-email teams, IT/security teams, email-marketing agencies, and MSPs who need to keep customer domains out of the spam folder.
What it checks
| Area | What we look for | Why it matters |
|---|---|---|
| MX | Mail-exchange records present and valid | Without MX, the domain can't receive mail at all |
| SPF | TXT record at apex, v=spf1, includes, the all= policy, +all hazard, >10 lookups | Receiving servers reject spoofed mail from non-listed IPs |
| DKIM | Probes common selectors (google, default, selector1, selector2, s1, k1, mail, …) for public signing keys | Cryptographic email signing — stops tampering and verifies sender |
| DMARC | _dmarc TXT: policy p= (none/quarantine/reject), sp, pct, rua reporting | The master policy that tells receivers what to do with mail that fails SPF/DKIM |
| DNSSEC | Authentic-Data flag on queries | Cryptographic chain of trust for DNS — stops cache poisoning |
| MTA-STS | _mta-sts TXT + policy file at mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461) | Forces TLS on inbound SMTP — stops STARTTLS downgrade / MITM |
| TLS-RPT | _smtp._tls TXT (RFC 8460) | Daily reports on STARTTLS failures so you can detect misconfigurations |
| BIMI | default._bimi TXT | Shows your logo in recipient inboxes (requires DMARC enforcement first) |
Each domain gets a 0–100 posture score (A–F grade), a sorted issue list (critical → info) with an exact fix string per issue, and a top_fix summary.
Use cases
- Cold-email / outreach teams — audit your sending domains before a campaign to maximize inbox placement.
- MSPs & agencies — batch-audit your entire customer portfolio; flag every domain missing DMARC or with
+allSPF. - Security / IT teams — detect email spoofing exposure (
p=noneDMARC, no MTA-STS, no DNSSEC) across your asset list. - Deliverability consultants — generate a prioritized fix list per domain in one run.
- Compliance — confirm enforcement (
p=reject,-all) before audits.
Example input
{"domains": ["example.com", "github.com"],"dkimSelectors": ["google", "default", "selector1"]}
Example output (per domain)
{"domain": "example.com","posture_score": 72,"posture_grade": "C","spf_status": "fail","dkim_found": false,"dmarc_policy": "none","mta_sts": "absent","dnssec": false,"issue_count": 4,"top_fix": "Publish an SPF TXT record at the domain apex, e.g. \"v=spf1 include:_spf.google.com -all\".","issues": [{ "severity": "critical", "area": "DMARC", "message": "No DMARC record found…", "fix": "Publish a DMARC TXT at _dmarc.<domain>…" },{ "severity": "high", "area": "DKIM", "message": "No DKIM public keys found…", "fix": "Enable DKIM signing in your email provider…" }],"mx": [],"spf": { "found": true, "qualifier": "fail", "includes": [] },"dmarc": { "found": false },"dkim": { "selectors_probed": 7, "keys_found": 0, "keys": [] },"mta_sts": { "found": false },"tls_rpt": { "found": false },"bimi": { "found": false }}
Pricing (pay-per-event)
| Event | Unit | Price |
|---|---|---|
actor-start | per run | $0.0005 |
domain-audited | per domain fully audited (all record sets pulled) | $0.01 |
issue-flagged | per issue flagged (capped at 8/domain) | $0.005 |
Worked cost example — auditing a portfolio of 100 domains, average 3 issues each:
actor-start ($0.0005) + 100 × domain-audited (100 × $0.01 = $1.00) + 300 × issue-flagged (300 × $0.005 = $1.50) = ~$2.51 for 100 domains (≈ 2.5¢ per domain).
Compare: a one-off DMARC/SPF scan from a deliverability vendor runs $15–$50/domain.
Integration
- API / SDK — standard Apify actor; call via HTTP API, JavaScript/Python SDK, or Schedule.
- Webhooks — set an actor webhook to POST results to Make/n8n/Zapier on run completion.
- Bulk — pass up to thousands of domains in the
domainsarray; queries run sequentially with polite timeouts. - Clay / lead-enrichment — outputs are flat JSON, ready for Clay/GSC enrichment tables.
Limitations & honest notes
- DKIM is selector-based. DKIM public keys live at
<selector>._domainkey.<domain>— there is no "list all DKIM keys" DNS query. We probe the common selectors (google,default,selector1,selector2,s1,k1,mail) plus any custom selectors you provide. A domain using a non-standard selector without you supplying it will reportdkim_found: falseeven though it signs mail. - DNSSEC detection uses the DoH resolver's AD (Authentic Data) flag. Rare split-horizon or private-DNS setups may report differently than a validating resolver on your network.
- MTA-STS requires fetching a policy file over HTTPS from
mta-sts.<domain>— a handful of domains do not have this subdomain configured even when they publish a_mta-stsTXT. - No SMTP handshake / mailbox-probe. This actor inspects published DNS posture, not live mailbox state. Pair with a dedicated SMTP-probe actor for bounce-list cleaning.
- No personal data. All inputs are domain names; outputs are DNS records and posture scores. Incidental emails in SPF/DMARC
ruareporting addresses are operator-published infrastructure config, not collected personal data.
Data sources
All DNS records resolved via DNS-over-HTTPS public resolvers (Cloudflare 1.1.1.1, Google Public DNS) using the standard DoH JSON API. MTA-STS policy fetched over HTTPS from the domain's own well-known endpoint. No third-party APIs, no scraping, no API keys.