Email Authentication Auditor avatar

Email Authentication Auditor

Pricing

from $0.005 / actor start

Go to Apify Store
Email Authentication Auditor

Email Authentication Auditor

Audit a domain's SPF, DMARC, and DKIM email authentication DNS records for deliverability and security readiness.

Pricing

from $0.005 / actor start

Rating

0.0

(0)

Developer

Sanskar Jaiswal

Sanskar Jaiswal

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

a day ago

Last modified

Share

Fetches and audits a domain's SPF, DMARC, and DKIM email authentication DNS records. It reports enforcement policies, DKIM key availability, configuration issues, a readiness score, and actionable recommendations.

Use cases

  • Email deliverability checks before sending campaigns or migrating email providers.
  • Security audits for SPF, DMARC, and DKIM configuration across client domains.
  • Compliance checks for email authentication standards.
  • Onboarding checks when adding a new domain to an email infrastructure.
  • Scheduled monitoring for email authentication drift or misconfiguration.

Input

FieldTypeRequiredDescription
startUrlstringYesPublic domain or URL to audit. The actor extracts the hostname and checks DNS TXT records for SPF, DMARC, and DKIM. HTTP and HTTPS only. Private IP ranges are blocked.
dkimSelectorsarrayNoOptional list of DKIM selectors to check. If empty, the actor checks common selectors: google, selector1, selector2, default, s1, s2, k1.
timeoutSecondsintegerNoTimeout for each DNS TXT lookup. Default: 10, range: 3 to 30.

Output

Each run pushes one dataset item.

FieldTypeDescription
inputUrlstringOriginal input URL or domain.
domainstringExtracted domain name used for DNS lookups.
checkedAtstringISO timestamp for the audit.
spfobjectSPF audit results (see below).
dmarcobjectDMARC audit results (see below).
dkimobjectDKIM audit results (see below).
scoreintegerEmail authentication score from 0 to 100.
gradestringLetter grade from A to F.
issuesarrayHuman-readable issues found.
recommendationsarrayRecommended fixes.
errorstring or nullError message, if any.

SPF object

FieldTypeDescription
foundbooleanWhether an SPF record exists.
recordstring or nullThe raw SPF TXT record.
allPolicystring or nullEnforcement policy: hardfail, softfail, neutral, pass, or none.
dnsLookupsintegerNumber of DNS-lookup mechanisms (top-level only).
lookupLimitExceededbooleanTrue when DNS lookups exceed the SPF 10-lookup limit.
mechanismsarrayParsed SPF mechanisms.
issuesarraySPF-specific issues.

DMARC object

FieldTypeDescription
foundbooleanWhether a DMARC record exists.
recordstring or nullThe raw DMARC TXT record.
policystring or nullEnforcement policy: none, quarantine, or reject.
pctinteger or nullPercentage of mail the policy applies to.
ruastring or nullAggregate report destination.
rufstring or nullForensic report destination.
adkimstring or nullDKIM alignment mode: s (strict) or r (relaxed).
aspfstring or nullSPF alignment mode: s (strict) or r (relaxed).
spstring or nullSubdomain policy.
issuesarrayDMARC-specific issues.

DKIM object

FieldTypeDescription
selectorsCheckedarrayDKIM selectors that were checked.
foundSelectorsarraySelectors where a DKIM record was found.
recordsarrayFound DKIM records with selector, record, and parsed fields.
issuesarrayDKIM-specific issues.

Example input

{
"startUrl": "https://example.com",
"dkimSelectors": [],
"timeoutSeconds": 10
}

Example output

{
"inputUrl": "https://example.com",
"domain": "example.com",
"checkedAt": "2026-07-13T00:00:00.000Z",
"spf": {
"found": true,
"record": "v=spf1 include:_spf.google.com -all",
"allPolicy": "hardfail",
"dnsLookups": 1,
"lookupLimitExceeded": false,
"mechanisms": ["include:_spf.google.com", "-all"],
"issues": []
},
"dmarc": {
"found": true,
"record": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
"policy": "reject",
"pct": 100,
"rua": "mailto:dmarc@example.com",
"ruf": null,
"adkim": "s",
"aspf": "s",
"sp": null,
"issues": []
},
"dkim": {
"selectorsChecked": ["google", "selector1", "selector2", "default", "s1", "s2", "k1"],
"foundSelectors": ["google"],
"records": [
{
"selector": "google",
"record": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
"parsed": { "version": "DKIM1", "keyType": "rsa", "publicKey": "present", "hasPublicKey": true, "notes": null }
}
],
"issues": []
},
"score": 100,
"grade": "A",
"issues": [],
"recommendations": [],
"error": null
}

Security

  • Accepts only public HTTP and HTTPS URLs or domains.
  • Rejects URL credentials.
  • Rejects localhost, private IPv4, private IPv6, link-local, and private DNS resolutions.
  • Performs DNS TXT record lookups only; does not fetch URLs or require login.
  • Does not collect credentials or private data.

Pricing

Suggested pay-per-event pricing:

EventPrice
Actor start$0.005
Domain audited$0.01

Typical one-domain run cost: about $0.015 before Apify platform charges. Apify keeps its standard commission and the actor owner receives the remainder.

FAQ

Does this check DKIM for all possible selectors?

No. It checks common selectors used by major email providers (google, selector1, selector2, default, s1, s2, k1). You can pass custom selectors via the dkimSelectors input to check specific ones.

Does it count nested SPF DNS lookups?

No. It counts top-level lookup mechanisms (include, a, mx, exists, redirect). Nested lookups within include chains are not expanded, so the actual lookup count may be higher than reported.

Does it fetch the domain's website?

No. It only performs DNS TXT record lookups for SPF, DMARC, and DKIM. The URL input is used to extract the domain name safely.

What is the scoring based on?

The score starts at 100 and is reduced for missing or weak SPF enforcement, missing or lenient DMARC policy, missing DKIM records, and missing aggregate report destinations.

Kill or keep metric

Keep this actor if it gets organic Store impressions, runs, revenue, or inbound questions within 60 to 90 days. Improve the listing or pricing if impressions arrive without runs. Archive it if there is no discovery or usage.