DNS, WHOIS, SPF/DMARC, SSL Bulk Domain Audit API

Bulk domain audit and lookup API covering DNS records, WHOIS registration, SPF / DMARC / DKIM email authentication, SSL certificate expiry, and reverse DNS. One call runs a bulk DNS lookup, a WHOIS lookup, an SSL certificate check, and an email-auth check per domain. Pure Node, no browser, no proxies — sub-second per domain on most resolvers.

---

DNS Lookup, WHOIS, and SSL Certificate Checker Features

• Resolves A, AAAA, MX, TXT, NS, SOA, CNAME, CAA, and SRV records in parallel.
• Pulls WHOIS / RDAP metadata: registrar, created, expires, updated, status, and nameservers.
• Probes the TLS certificate on port 443 — issuer, expiry, daysToExpiry, SANs, sigAlg, serial.
• Validates SPF, DMARC, and DKIM records via mailauth and a 10-selector default sweep.
• Computes a deliverability score (mxScore 0-100) plus an A / B / C / D / F audit grade with an issue list.
• Optional reverse DNS resolves A / AAAA addresses back to PTR records.
• Pure Node — no browser, no proxy, no captcha bills. 10,000 domains costs about $50.

---

Who Uses Domain Audit Data?

• Sales-ops teams — qualify inbound domains by registration age, registrar, and email-auth posture.
• DevOps and SRE — monitor SSL expiry windows across portfolios that long since outgrew a spreadsheet.
• Security analysts — flag missing DMARC, weak SPF, dangling CNAMEs, and CAs without a CAA record.
• Email deliverability auditors — score SPF / DMARC / DKIM alignment before a campaign launches, not after.
• M&A due diligence — inventory the domain hygiene of an acquisition target without filing a ticket with IT.

---

How DNS Domain Audit Works

1. Paste in a list of domains or URLs. URLs have their host extracted automatically and duplicates are removed.
2. For each domain the actor runs DNS, WHOIS, TLS, and email-auth probes in parallel with per-check timeouts.
3. Optional reverse DNS resolves the A / AAAA addresses back to PTRs.
4. Each row gets a grade (A through D, F when checks fail) and an issues[] list with level, code, and message.

---

Input

{
  "domains": ["example.com", "github.com", "cloudflare.com"],
  "maxItems": 5,
  "recordTypes": ["A", "AAAA", "MX", "TXT", "NS", "SOA", "CAA"],
  "checkSpfDmarcDkim": true,
  "checkWhois": true,
  "checkSsl": true,
  "reverseDns": false,
  "concurrency": 25
}

Field	Type	Default	Description
domains	array	required	Domains or URLs to audit. URLs have host extracted automatically.
maxItems	integer	5	Cap on audited domains after dedup. Range 1-10000.
recordTypes	array	A, AAAA, MX, TXT, NS, SOA, CNAME, CAA	Which DNS record types to query. SRV is also supported.
checkSpfDmarcDkim	boolean	true	Validate email auth records via mailauth.
checkWhois	boolean	true	Look up WHOIS / RDAP registration metadata.
checkSsl	boolean	true	Probe the TLS certificate on port 443.
dkimSelectors	array	—	Extra DKIM selectors on top of the default 10.
reverseDns	boolean	false	Resolve A / AAAA addresses back to PTR records.
concurrency	integer	25	Parallel domain audits. Hard cap at 50 to avoid resolver throttling.

---

DNS Domain Audit Output Fields

{
  "domain": "cloudflare.com",
  "dns": {
    "A": ["104.16.132.229", "104.16.133.229"],
    "MX": ["10 mailstream-east.mxrecord.io"],
    "TXT": ["v=spf1 ip4:199.15.212.0/22 include:_spf.google.com ~all"],
    "NS": ["ns3.cloudflare.com", "ns4.cloudflare.com"],
    "CAA": ["issue: digicert.com"]
  },
  "whois": {
    "domain": "cloudflare.com",
    "created": "2009-02-17T22:07:54Z",
    "expires": "2033-02-17T22:07:54Z",
    "registrar": "CloudFlare, Inc.",
    "nameservers": ["ns3.cloudflare.com", "ns4.cloudflare.com"]
  },
  "email": {
    "spfRecord": "v=spf1 ip4:199.15.212.0/22 include:_spf.google.com ~all",
    "spfValid": true,
    "dmarcRecord": "v=DMARC1; p=reject; rua=mailto:dmarc@cloudflare.com",
    "dmarcPolicy": "reject",
    "dkimResults": { "google": { "found": true, "record": "v=DKIM1; k=rsa; p=..." } },
    "mxScore": 100
  },
  "ssl": {
    "issuer": "Google Trust Services / WE1",
    "validFrom": "2026-03-12T20:59:51.000Z",
    "validTo": "2026-06-10T21:59:46.000Z",
    "daysToExpiry": 41,
    "sans": ["cloudflare.com", "*.cloudflare.com"],
    "sigAlg": "prime256v1"
  },
  "reverseDns": { "ips": [], "ptrs": [] },
  "audit_summary": {
    "grade": "A",
    "issues": [{ "level": "info", "code": "no-caa", "message": "..." }]
  },
  "audited_at": "2026-04-30T12:00:00Z",
  "errors": []
}

Field	Type	Description
domain	string	Audited domain (host extracted if a URL was provided).
dns	object	Records keyed by type (A, AAAA, MX, TXT, NS, SOA, CNAME, CAA, SRV).
whois	object	created, expires, updated, registrar, status, nameservers.
email	object	spfRecord, spfValid, dmarcRecord, dmarcPolicy, dkimResults, mxScore (0-100).
ssl	object	issuer, subject, validFrom, validTo, daysToExpiry, sans, sigAlg, serialNumber.
reverseDns	object	ips and resolved ptrs (empty unless reverseDns=true).
audit_summary	object	grade (A/B/C/D/F) plus issues[] with level, code, message.
audited_at	string	ISO timestamp the audit completed.
errors	array	Labels for any check that failed (e.g. whois, ssl, dkim).

Common issue codes: no-spf, weak-spf, no-dmarc, dmarc-none, no-dkim, ssl-expired, ssl-expiring, ssl-expiring-soon, whois-expired, whois-expiring, no-caa.

---

Pricing

Single DATA_RECORD event — every audited domain bills at the same flat rate. Five DNS lookups, a WHOIS lookup, a TLS handshake, and a mailauth pass cost $0.005.

Event	Price
Actor start	$0.10
Per audited domain	$0.005

Volume	Cost
100 domains	$0.60
1,000 domains	$5.10
10,000 domains	$50.10

---

Limits

• maxItems caps at 10,000 per run; the resolver is the bottleneck, not the actor.
• The Apify console tester has a 5-minute timeout — keep maxItems low (default 5) when testing in-browser.
• concurrency caps at 50 to avoid public DNS resolver rate limits. Self-hosted resolvers can go higher with care.
• WHOIS data quality varies by TLD. Some registries return sparse fields; the actor surfaces what the registry actually serves.
• Reverse DNS is opt-in because most A records have no PTR set.
• DKIM probes a 10-selector default list. If you use a non-standard selector, add it via dkimSelectors.

---

FAQ

How do I run a bulk WHOIS and DNS lookup for many domains at once? Paste your domain list into domains and the actor runs a bulk DNS lookup, WHOIS / RDAP lookup, SSL certificate check, and SPF / DMARC / DKIM email-authentication check on each one in parallel, returning one JSON row per domain.

Can I use this as a DNS lookup API or SSL certificate expiry checker? Yes. Call the actor over the Apify API and read the dns, whois, ssl, and email fields. The ssl.daysToExpiry field makes it usable as an SSL certificate expiry monitor across a portfolio of domains.

Does it check SPF, DMARC, and DKIM email authentication records? It validates SPF, DMARC, and DKIM via mailauth and a 10-selector default sweep, then reports spfValid, dmarcPolicy, dkimResults, and an mxScore deliverability score from 0 to 100.

---

Related Actors

• SSL & Security Headers Checker — pairs with this actor for full TLS-and-headers grading per URL.
• Sitemap Walker Pro — discover URLs for a domain that you then audit here.
• Structured Data Validator Pro — same primitive shape for SEO-side audits.

---

Need More Features?

Need extra DKIM selectors, custom record types, or a private resolver endpoint? File an issue or get in touch.

Why Use DNS Domain Audit?

• Cheap — $0.005 per domain. 10,000 domains costs about a fast-food lunch.
• Complete — DNS, WHOIS, SSL, and email auth in a single row, with a sortable grade. Most tools make you stitch three APIs together to get the same picture.
• No proxies, captchas, or browsers — pure Node lookups. Nothing to break, nothing to debug at 3am.

---

Built by OrbTop.