π‘οΈ Domain & Email Deliverability Enricher (SPF/DMARC)
Pricing
$20.00 / 1,000 domain enricheds
π‘οΈ Domain & Email Deliverability Enricher (SPF/DMARC)
Enrich domains in bulk with email deliverability signals: MX + provider, SPF, DMARC + policy, DKIM, domain age (RDAP), HTTPS, plus a 0-100 email-security score and deliverability risk. Score prospects before cold outreach. No API key.
Pricing
$20.00 / 1,000 domain enricheds
Rating
0.0
(0)
Developer
Renzo Madueno
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
15 hours ago
Last modified
Categories
Share
π‘οΈ Domain & Email Deliverability Enricher (SPF / DMARC)
π₯ Video walkthrough
Turn a plain list of domains into a scored, B2B-ready enrichment table β no API key, no WHOIS account, no scraping. For each domain this actor runs live DNS + HTTP checks and returns whether the domain's email is real, modern and safe to cold-email, plus a domain-age and website signal you can use to score prospects by how sophisticated their infrastructure is.
Give it ["stripe.com", "gmail.com", "notion.so"] and get back one clean record per domain:
{"domain": "stripe.com","hasMx": true,"mxProvider": "Google Workspace","hasSpf": true,"hasDmarc": true,"dmarcPolicy": "reject","hasDkim": true,"domainAgeYears": 15.6,"registrar": "MarkMonitor Inc.","hasWebsite": true,"httpsValid": true,"emailSecurityScore": 100,"deliverabilityRisk": "low","checkedAt": "2026-07-03T12:00:00.000Z"}
Why domain & email health matters (before you send a single cold email)
Cold outreach lives and dies on domain reputation, and most senders check the inbox while ignoring the domain behind it. That's backwards. Before you email a list, you want to know two things about each prospect's domain:
- Is it safe to send to? A domain with no SPF and no DMARC is either a poorly-run mailbox or, worse, a spam trap / parked domain shape. Blasting those tanks your sender reputation and drives you into spam folders for everyone on the list. Filtering high-risk domains out first protects your deliverability.
- How sophisticated is this prospect? A domain running Google Workspace or Microsoft 365 with SPF + DKIM + DMARC
p=rejectis a company that takes its email infrastructure seriously β a strong tech-maturity signal for qualifying and prioritizing B2B leads. A brand-new domain on shared hosting with no auth is a very different lead.
This actor answers both, at bulk, per record β so you can clean a list, prioritize it, and send with confidence.
What each check means
| Field | Check | Why it matters |
|---|---|---|
hasMx / mxProvider | Live DNS MX lookup, classified to a provider (Google Workspace, Microsoft 365, Zoho, Proofpoint, Amazon SESβ¦) | Proves the domain actually receives mail, and who runs it β a maturity signal. |
hasSpf | TXT lookup for a v=spf1 record | SPF authorizes who can send as the domain. Missing SPF = spoofable, spam-prone, risky to email near. |
hasDmarc / dmarcPolicy | TXT at _dmarc.<domain> for v=DMARC1, plus the p= policy | DMARC ties SPF + DKIM together. reject/quarantine = a serious, enforcing sender; none = monitoring only. |
hasDkim | Best-effort TXT/CNAME probe of common selectors (google, default, selector1/2, k1, s1β¦) | DKIM cryptographically signs outbound mail. Present = modern, well-configured mail. (A miss is inconclusive β see FAQ.) |
domainAgeYears / registrar | RDAP lookup (rdap.org, the modern JSON successor to WHOIS) for the registration date and registrar | Age is a trust signal β brand-new domains are riskier and often disposable. Registrar adds context. |
hasWebsite / httpsValid | Short HTTP(S) GET of the domain, following redirects | A live site on valid HTTPS = a real, operating business. No site or broken TLS = a red flag. |
emailSecurityScore | 0β100, from MX + SPF + DKIM + DMARC presence and DMARC policy strength | One number to rank the auth sophistication of a domain. |
deliverabilityRisk | low / medium / high, derived from the auth stack | The go/no-go signal: high = don't cold-email this near your good domains. |
How the score & risk are derived
emailSecurityScorerewards the full stack: MX (+20), SPF (+25), DKIM (+20), DMARC present (+20) with a bonus for enforcement (quarantine+8,reject+15). A domain doing everything right scores 100.deliverabilityRisk:- high β no MX at all, or no SPF and no DMARC (no auth stack β spam-trap shape, unsafe to send near).
- medium β partial auth (SPF or DMARC missing), or both present but DMARC is only
p=none(monitoring, not enforcing). - low β MX + SPF + DMARC with an enforcing policy (
quarantine/reject).
Example input
{"domains": ["stripe.com", "gmail.com", "notion.so", "some-parked-domain.xyz"],"maxConcurrency": 5}
URLs and emails are accepted too β https://stripe.com/pricing and john@stripe.com both reduce to stripe.com automatically.
Example output (dataset)
| domain | risk | score | SPF | DMARC | policy | MX provider | age |
|---|---|---|---|---|---|---|---|
| stripe.com | low | 100 | β | β | reject | Google Workspace | 15.6 |
| gmail.com | low | 100 | β | β | reject | Google Workspace | 30+ |
| notion.so | low | 92 | β | β | quarantine | Google Workspace | 12.x |
Export the full dataset as JSON, CSV, Excel, or via API β drop it straight into your CRM, spreadsheet, or sequencing tool.
Use cases
- Score a lead list β enrich thousands of prospect domains and sort by
emailSecurityScore/deliverabilityRiskto prioritize the real, serious companies. - Avoid emailing risky domains β filter out
deliverabilityRisk: "high"before importing into your cold-email tool to protect your sender reputation and stay out of spam. - Tech-maturity signal for qualification β a domain on Microsoft 365 with
p=rejectis a different buyer than a brand-new domain with no auth; use it to segment and personalize. - Data-quality gate β flag parked / dead / newly-registered domains in an inbound or purchased list before they cost you.
- Competitive / partner recon β quickly profile the email posture of a set of companies.
FAQ
Does this need an API key?
No. Every check is keyless: DNS via Node's resolver, RDAP via the public rdap.org bootstrap, and a plain HTTP(S) GET for the website probe.
Why is hasDkim sometimes false for a domain I know signs its mail?
DKIM selectors are chosen freely by each domain and can't be enumerated from DNS β we probe the most common ones (google, default, selector1/2, k1, s1, dkim, mail). A hit proves DKIM is present; a miss is inconclusive, not proof of absence. We reflect this by not over-penalizing a DKIM miss in the risk score.
Why RDAP instead of WHOIS?
RDAP is the modern, structured, rate-friendly JSON replacement for WHOIS and is far more reliable from cloud IPs. If a registry doesn't expose a registration date (some ccTLDs don't), domainAgeYears comes back null β handled gracefully, the rest of the record is still complete.
Do you probe SMTP / port 25? No β like our email-verifier actor, we skip live-SMTP probing. It's blocked and throttled on cloud IPs and produces false signals (greylisting, catch-all accept-all). We do the honest, reliable DNS/HTTP checks instead.
How is it priced?
Pay-per-event: you're charged once per enriched domain record (domain-enriched). No monthly fee, no per-run minimum β bulk-friendly and predictable. The run respects your ACTOR_MAX_TOTAL_CHARGE_USD cap.
How fast is it?
All checks per domain run in parallel, and domains run concurrently (maxConcurrency, default 5). A few hundred domains finish in a couple of minutes.
Automate it
Run on a schedule (e.g. re-score your CRM's active domains weekly) with Apify Schedules, or trigger from your stack via the Apify API / webhooks / integrations (Make, Zapier, n8n). Point the output dataset at Google Sheets or your CRM and keep your lead list continuously scored.
Related actors
Pair this with the rest of our B2B enrichment stack:
- Bulk Email Verifier β verify individual email addresses (syntax, MX, disposable, role-based, free-provider, 0-100 score). Use it after this actor tells you which domains are worth sending to.
- Company Enrichment β turn a domain into firmographics, tech stack and contacts.
Domain Health Enricher is the domain-level layer: check the domain's posture first, then verify the addresses on the good ones.
Found this useful? A 30-second β review helps other teams find it.