Email Authentication Auditor
Pricing
from $0.005 / actor start
Email Authentication Auditor
Audit a domain's SPF, DMARC, and DKIM email authentication DNS records for deliverability and security readiness.
Pricing
from $0.005 / actor start
Rating
0.0
(0)
Developer
Sanskar Jaiswal
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
a day ago
Last modified
Categories
Share
Fetches and audits a domain's SPF, DMARC, and DKIM email authentication DNS records. It reports enforcement policies, DKIM key availability, configuration issues, a readiness score, and actionable recommendations.
Use cases
- Email deliverability checks before sending campaigns or migrating email providers.
- Security audits for SPF, DMARC, and DKIM configuration across client domains.
- Compliance checks for email authentication standards.
- Onboarding checks when adding a new domain to an email infrastructure.
- Scheduled monitoring for email authentication drift or misconfiguration.
Input
| Field | Type | Required | Description |
|---|---|---|---|
startUrl | string | Yes | Public domain or URL to audit. The actor extracts the hostname and checks DNS TXT records for SPF, DMARC, and DKIM. HTTP and HTTPS only. Private IP ranges are blocked. |
dkimSelectors | array | No | Optional list of DKIM selectors to check. If empty, the actor checks common selectors: google, selector1, selector2, default, s1, s2, k1. |
timeoutSeconds | integer | No | Timeout for each DNS TXT lookup. Default: 10, range: 3 to 30. |
Output
Each run pushes one dataset item.
| Field | Type | Description |
|---|---|---|
inputUrl | string | Original input URL or domain. |
domain | string | Extracted domain name used for DNS lookups. |
checkedAt | string | ISO timestamp for the audit. |
spf | object | SPF audit results (see below). |
dmarc | object | DMARC audit results (see below). |
dkim | object | DKIM audit results (see below). |
score | integer | Email authentication score from 0 to 100. |
grade | string | Letter grade from A to F. |
issues | array | Human-readable issues found. |
recommendations | array | Recommended fixes. |
error | string or null | Error message, if any. |
SPF object
| Field | Type | Description |
|---|---|---|
found | boolean | Whether an SPF record exists. |
record | string or null | The raw SPF TXT record. |
allPolicy | string or null | Enforcement policy: hardfail, softfail, neutral, pass, or none. |
dnsLookups | integer | Number of DNS-lookup mechanisms (top-level only). |
lookupLimitExceeded | boolean | True when DNS lookups exceed the SPF 10-lookup limit. |
mechanisms | array | Parsed SPF mechanisms. |
issues | array | SPF-specific issues. |
DMARC object
| Field | Type | Description |
|---|---|---|
found | boolean | Whether a DMARC record exists. |
record | string or null | The raw DMARC TXT record. |
policy | string or null | Enforcement policy: none, quarantine, or reject. |
pct | integer or null | Percentage of mail the policy applies to. |
rua | string or null | Aggregate report destination. |
ruf | string or null | Forensic report destination. |
adkim | string or null | DKIM alignment mode: s (strict) or r (relaxed). |
aspf | string or null | SPF alignment mode: s (strict) or r (relaxed). |
sp | string or null | Subdomain policy. |
issues | array | DMARC-specific issues. |
DKIM object
| Field | Type | Description |
|---|---|---|
selectorsChecked | array | DKIM selectors that were checked. |
foundSelectors | array | Selectors where a DKIM record was found. |
records | array | Found DKIM records with selector, record, and parsed fields. |
issues | array | DKIM-specific issues. |
Example input
{"startUrl": "https://example.com","dkimSelectors": [],"timeoutSeconds": 10}
Example output
{"inputUrl": "https://example.com","domain": "example.com","checkedAt": "2026-07-13T00:00:00.000Z","spf": {"found": true,"record": "v=spf1 include:_spf.google.com -all","allPolicy": "hardfail","dnsLookups": 1,"lookupLimitExceeded": false,"mechanisms": ["include:_spf.google.com", "-all"],"issues": []},"dmarc": {"found": true,"record": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s","policy": "reject","pct": 100,"rua": "mailto:dmarc@example.com","ruf": null,"adkim": "s","aspf": "s","sp": null,"issues": []},"dkim": {"selectorsChecked": ["google", "selector1", "selector2", "default", "s1", "s2", "k1"],"foundSelectors": ["google"],"records": [{"selector": "google","record": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A","parsed": { "version": "DKIM1", "keyType": "rsa", "publicKey": "present", "hasPublicKey": true, "notes": null }}],"issues": []},"score": 100,"grade": "A","issues": [],"recommendations": [],"error": null}
Security
- Accepts only public HTTP and HTTPS URLs or domains.
- Rejects URL credentials.
- Rejects localhost, private IPv4, private IPv6, link-local, and private DNS resolutions.
- Performs DNS TXT record lookups only; does not fetch URLs or require login.
- Does not collect credentials or private data.
Pricing
Suggested pay-per-event pricing:
| Event | Price |
|---|---|
| Actor start | $0.005 |
| Domain audited | $0.01 |
Typical one-domain run cost: about $0.015 before Apify platform charges. Apify keeps its standard commission and the actor owner receives the remainder.
FAQ
Does this check DKIM for all possible selectors?
No. It checks common selectors used by major email providers (google, selector1, selector2, default, s1, s2, k1). You can pass custom selectors via the dkimSelectors input to check specific ones.
Does it count nested SPF DNS lookups?
No. It counts top-level lookup mechanisms (include, a, mx, exists, redirect). Nested lookups within include chains are not expanded, so the actual lookup count may be higher than reported.
Does it fetch the domain's website?
No. It only performs DNS TXT record lookups for SPF, DMARC, and DKIM. The URL input is used to extract the domain name safely.
What is the scoring based on?
The score starts at 100 and is reduced for missing or weak SPF enforcement, missing or lenient DMARC policy, missing DKIM records, and missing aggregate report destinations.
Kill or keep metric
Keep this actor if it gets organic Store impressions, runs, revenue, or inbound questions within 60 to 90 days. Improve the listing or pricing if impressions arrive without runs. Archive it if there is no discovery or usage.