Email Deliverability & Domain Posture Auditor avatar

Email Deliverability & Domain Posture Auditor

Pricing

from $30.00 / 1,000 domain auditeds

Go to Apify Store
Email Deliverability & Domain Posture Auditor

Email Deliverability & Domain Posture Auditor

Audit email deliverability and domain posture in bulk: MX, SPF, DKIM (common selectors), DMARC policy, DNSSEC, MTA-STS, TLS-RPT, and BIMI. Returns a 0-100 posture score, a prioritized fix list, and per-record detail. Pure DNS-over-HTTPS — no scraping, no API keys.

Pricing

from $30.00 / 1,000 domain auditeds

Rating

0.0

(0)

Developer

Geo

Geo

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 days ago

Last modified

Share

Bulk audit email deliverability posture: MX · SPF · DKIM · DMARC · DNSSEC · MTA-STS · TLS-RPT · BIMI — with a 0–100 score and a prioritized fix list.

Audit a single domain or thousands. Pure DNS-over-HTTPS — no scraping, no proxies, no API keys. Built for cold-email teams, IT/security teams, email-marketing agencies, and MSPs who need to keep customer domains out of the spam folder.

What it checks

AreaWhat we look forWhy it matters
MXMail-exchange records present and validWithout MX, the domain can't receive mail at all
SPFTXT record at apex, v=spf1, includes, the all= policy, +all hazard, >10 lookupsReceiving servers reject spoofed mail from non-listed IPs
DKIMProbes common selectors (google, default, selector1, selector2, s1, k1, mail, …) for public signing keysCryptographic email signing — stops tampering and verifies sender
DMARC_dmarc TXT: policy p= (none/quarantine/reject), sp, pct, rua reportingThe master policy that tells receivers what to do with mail that fails SPF/DKIM
DNSSECAuthentic-Data flag on queriesCryptographic chain of trust for DNS — stops cache poisoning
MTA-STS_mta-sts TXT + policy file at mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461)Forces TLS on inbound SMTP — stops STARTTLS downgrade / MITM
TLS-RPT_smtp._tls TXT (RFC 8460)Daily reports on STARTTLS failures so you can detect misconfigurations
BIMIdefault._bimi TXTShows your logo in recipient inboxes (requires DMARC enforcement first)

Each domain gets a 0–100 posture score (A–F grade), a sorted issue list (critical → info) with an exact fix string per issue, and a top_fix summary.

Use cases

  • Cold-email / outreach teams — audit your sending domains before a campaign to maximize inbox placement.
  • MSPs & agencies — batch-audit your entire customer portfolio; flag every domain missing DMARC or with +all SPF.
  • Security / IT teams — detect email spoofing exposure (p=none DMARC, no MTA-STS, no DNSSEC) across your asset list.
  • Deliverability consultants — generate a prioritized fix list per domain in one run.
  • Compliance — confirm enforcement (p=reject, -all) before audits.

Example input

{
"domains": ["example.com", "github.com"],
"dkimSelectors": ["google", "default", "selector1"]
}

Example output (per domain)

{
"domain": "example.com",
"posture_score": 72,
"posture_grade": "C",
"spf_status": "fail",
"dkim_found": false,
"dmarc_policy": "none",
"mta_sts": "absent",
"dnssec": false,
"issue_count": 4,
"top_fix": "Publish an SPF TXT record at the domain apex, e.g. \"v=spf1 include:_spf.google.com -all\".",
"issues": [
{ "severity": "critical", "area": "DMARC", "message": "No DMARC record found…", "fix": "Publish a DMARC TXT at _dmarc.<domain>…" },
{ "severity": "high", "area": "DKIM", "message": "No DKIM public keys found…", "fix": "Enable DKIM signing in your email provider…" }
],
"mx": [],
"spf": { "found": true, "qualifier": "fail", "includes": [] },
"dmarc": { "found": false },
"dkim": { "selectors_probed": 7, "keys_found": 0, "keys": [] },
"mta_sts": { "found": false },
"tls_rpt": { "found": false },
"bimi": { "found": false }
}

Pricing (pay-per-event)

EventUnitPrice
actor-startper run$0.0005
domain-auditedper domain fully audited (all record sets pulled)$0.01
issue-flaggedper issue flagged (capped at 8/domain)$0.005

Worked cost example — auditing a portfolio of 100 domains, average 3 issues each: actor-start ($0.0005) + 100 × domain-audited (100 × $0.01 = $1.00) + 300 × issue-flagged (300 × $0.005 = $1.50) = ~$2.51 for 100 domains (≈ 2.5¢ per domain).

Compare: a one-off DMARC/SPF scan from a deliverability vendor runs $15–$50/domain.

Integration

  • API / SDK — standard Apify actor; call via HTTP API, JavaScript/Python SDK, or Schedule.
  • Webhooks — set an actor webhook to POST results to Make/n8n/Zapier on run completion.
  • Bulk — pass up to thousands of domains in the domains array; queries run sequentially with polite timeouts.
  • Clay / lead-enrichment — outputs are flat JSON, ready for Clay/GSC enrichment tables.

Limitations & honest notes

  • DKIM is selector-based. DKIM public keys live at <selector>._domainkey.<domain> — there is no "list all DKIM keys" DNS query. We probe the common selectors (google, default, selector1, selector2, s1, k1, mail) plus any custom selectors you provide. A domain using a non-standard selector without you supplying it will report dkim_found: false even though it signs mail.
  • DNSSEC detection uses the DoH resolver's AD (Authentic Data) flag. Rare split-horizon or private-DNS setups may report differently than a validating resolver on your network.
  • MTA-STS requires fetching a policy file over HTTPS from mta-sts.<domain> — a handful of domains do not have this subdomain configured even when they publish a _mta-sts TXT.
  • No SMTP handshake / mailbox-probe. This actor inspects published DNS posture, not live mailbox state. Pair with a dedicated SMTP-probe actor for bounce-list cleaning.
  • No personal data. All inputs are domain names; outputs are DNS records and posture scores. Incidental emails in SPF/DMARC rua reporting addresses are operator-published infrastructure config, not collected personal data.

Data sources

All DNS records resolved via DNS-over-HTTPS public resolvers (Cloudflare 1.1.1.1, Google Public DNS) using the standard DoH JSON API. MTA-STS policy fetched over HTTPS from the domain's own well-known endpoint. No third-party APIs, no scraping, no API keys.