Supernet Domain Health - Email Reputation Audit

Audit any domain's email infrastructure in seconds. Check MX records, SPF, DKIM, DMARC, blacklists, SSL certificates, domain age, BIMI, MTA-STS, and more — returns a 0–100 health score with actionable fixes. Sending mode audits your domain's reputation before outreach. Receiving mode validates prospect domains before you waste sends. Batch thousands of domains or query one via instant API.

What does it check?

Email authentication — MX records, SPF (with recursive lookup counting), DKIM (38 selectors probed in parallel), DMARC (policy, alignment, reporting), and reverse DNS with forward confirmation. Gateway-aware DKIM scoring avoids false negatives for domains behind security gateways like Proofpoint and Mimecast.

Reputation signals — IP and domain blacklist scanning across 22 DNSBL zones including Barracuda, SpamCop, and SURBL. SSL certificate validation. Domain age via WHOIS. Website presence detection.

Advanced compliance — BIMI brand logo records with VMC certificate validation. MTA-STS TLS enforcement policy. TLSRPT delivery failure reporting. Email provider detection across 29+ providers including security gateways.

Receiving mode — MX existence, DNS resolution, disposable domain detection (~3,400 known providers), domain age, and SSL validation. Purpose-built scoring for prospect list hygiene.

Why audit email reputation?

Google (Feb 2024), Yahoo, and Microsoft (May 2025) now require SPF, DKIM, and DMARC for all email senders. Domains missing these records see emails rejected or sent to spam. Blacklisted IPs tank deliverability silently. Expired SSL certificates and young domains trigger spam filters.

For senders: Audit your domain's reputation before launching outreach. Catch misconfigurations that kill deliverability — missing SPF, no DKIM selectors, DMARC set to p=none, SPF exceeding the 10-lookup limit, or IP blacklistings you don't know about.

For sales and RevOps teams: Validate prospect domains at scale. A domain with no MX records can't receive email — don't waste sends on dead domains. Flag disposable domains before they inflate your bounce rate.

For agencies and MSPs: Audit client domains in bulk. Export scores and issues to identify which accounts need remediation.

Need raw records or registration data? DNS Lookup retrieves A, AAAA, MX, CNAME, TXT, NS, SOA, and DMARC records for any domain. WHOIS Lookup returns registrar, creation and expiry dates, domain age, registrant info, name servers, and DNSSEC status. Domain Health uses both under the hood — use the standalone actors when you need the raw data.

How to use

1. Go to Supernet Domain Health on Apify
2. Enter one or more domains in the Domains field
3. Select Check Mode: sending (audit your domain) or receiving (validate prospects)
4. Click Start — each domain gets a health score, summary, issues, and detailed findings

Standby mode (instant API)

For real-time, single-domain checks, use the Standby API. No cold starts — responses in under a second.

URL: https://superlativetech--supernet-domain-health.apify.actor

# Basic scan — sending mode
curl "https://superlativetech--supernet-domain-health.apify.actor?token=YOUR_TOKEN&domain=gmail.com"

# Advanced scan (+ blacklists, BIMI, MTA-STS, TLSRPT)
curl "https://superlativetech--supernet-domain-health.apify.actor?token=YOUR_TOKEN&domain=gmail.com&depth=advanced"

# Receiving mode — validate a prospect domain
curl "https://superlativetech--supernet-domain-health.apify.actor?token=YOUR_TOKEN&domain=gmail.com&mode=receiving"

Parameter	Required	Description
domain	Yes	Domain to check (e.g. gmail.com)
mode	No	sending (default) or receiving
depth	No	basic (default) or advanced
token	Yes	Your Apify API token

Authentication: ?token=YOUR_TOKEN or Authorization: Bearer YOUR_TOKEN header.

Health score

The actor produces a 0–100 composite score based on available modules, normalized to the scan depth.

Sending mode

Audits your domain's email infrastructure and reputation:

Score	Band	Meaning
90–100	Excellent	Fully configured. Strong email reputation.
75–89	Good	Minor improvements recommended.
50–74	Fair	Significant gaps. Fix before sending.
25–49	Poor	Major issues. Reputation at risk.
0–24	Critical	Unsafe. Likely unconfigured or compromised.

If any critical factor scores 0 — MX, SPF, or DKIM (basic scan) or blacklists (advanced scan) — the total is capped at 40.

Receiving mode

Validates whether a prospect domain can receive email:

Score	Band	Meaning
90–100	Safe	High-confidence deliverable target.
70–89	Likely Safe	Minor risk factors present.
50–69	Risky	Young domain or missing infrastructure, limit volume.
0–49	Avoid	Cannot receive email or is disposable.

If MX, domain resolution, or disposable check scores 0, the total is capped at 40.

Scan depths

Basic (default) — core email authentication and trust signals:

• Both modes: MX records, SSL certificate, domain age (WHOIS), website presence
• Sending: SPF record, DKIM selectors, DMARC record, reverse DNS (FCrDNS)
• Receiving: DNS resolution, disposable domain check

Advanced — everything in basic, plus reputation and compliance checks:

• Sending: blacklist scan (22 DNSBL zones), BIMI, MTA-STS, TLSRPT
• Receiving: BIMI, MTA-STS, TLSRPT

Issues detected

Each issue includes a severity level and actionable message. For detailed remediation steps, see the Domain Health documentation.

Critical (block sending)

Code	Module	Description
NO_MX_RECORDS	MX	Domain has no mail servers
MX_NO_RESOLVE	MX	MX hostname does not resolve to an IP
NO_SPF_RECORD	SPF	SPF missing — required by Google/Yahoo/Microsoft
SPF_PLUS_ALL	SPF	SPF authorizes the entire internet (+all)
SPF_TOO_MANY_LOOKUPS	SPF	SPF exceeds 10 DNS lookups (PermError)
MULTIPLE_SPF_RECORDS	SPF	Multiple v=spf1 records (PermError)
NO_DKIM_RECORD	DKIM	No DKIM selectors found — required by Google/Yahoo/Microsoft
DOMAIN_AGE_UNDER_7	WHOIS	Domain less than 7 days old
DISPOSABLE_DOMAIN	Disposable	Known disposable/temporary email domain
DOMAIN_NXDOMAIN	DNS	Domain does not exist in DNS

Warning (fix before scaling)

Code	Module	Description
NO_DMARC_RECORD	DMARC	Missing DMARC entirely
DMARC_POLICY_NONE	DMARC	DMARC monitoring-only, no enforcement
DMARC_NO_RUA	DMARC	No aggregate reporting configured
DMARC_EXTERNAL_RUA_UNAUTHORIZED	DMARC	External RUA domain missing authorization record
DKIM_KEY_1024	DKIM	Key should be upgraded to 2048-bit
DKIM_KEY_REVOKED	DKIM	DKIM key revoked (empty p= tag)
DKIM_UNVERIFIABLE	DKIM	Security gateway detected — DKIM selectors use custom names
SPF_MISSING_PROVIDER	SPF	SPF doesn't include detected email provider
SPF_CHARS_AFTER_ALL	SPF	Content after "all" mechanism is ignored
SPF_DEPRECATED_PTR	SPF	Uses deprecated ptr mechanism
SPF_VOID_LOOKUPS	SPF	Exceeds 2 void DNS lookups (RFC 7208)
NO_REVERSE_DNS	rDNS	MX server IPs have no PTR records
REVERSE_DNS_MISMATCH	rDNS	PTR hostname doesn't resolve back to MX IP
SSL_MISSING	SSL	No SSL certificate on port 443
SSL_EXPIRED	SSL	SSL certificate has expired
SSL_EXPIRING_7_DAYS	SSL	SSL expires within 7 days
DOMAIN_AGE_UNDER_30	WHOIS	Domain less than 30 days old
DOMAIN_AGE_UNDER_90	WHOIS	Domain less than 90 days old
BLACKLISTED_TIER1	Blacklists	Listed on a major blacklist
BIMI_REQUIRES_DMARC_ENFORCEMENT	BIMI	BIMI requires DMARC quarantine or reject
BIMI_VMC_EXPIRED	BIMI	VMC certificate has expired
MTA_STS_MULTIPLE_RECORDS	MTA-STS	Multiple MTA-STS TXT records
MTA_STS_EXPIRED_CERT	MTA-STS	MTA-STS endpoint has expired SSL
MTA_STS_MX_MISMATCH	MTA-STS	MTA-STS policy MX doesn't match actual MX
MTA_STS_INVALID_POLICY	MTA-STS	Policy file missing required fields
TLSRPT_INVALID_SYNTAX	TLSRPT	TLSRPT record has syntax errors
TLSRPT_MULTIPLE_RECORDS	TLSRPT	Multiple TLSRPT TXT records

Info (nice-to-have)

Code	Module	Description
DMARC_UPGRADE_AVAILABLE	DMARC	Can upgrade from quarantine to reject
DMARC_PARTIAL_PCT	DMARC	pct tag below 100% — partial enforcement
DMARC_EXTERNAL_RUA	DMARC	RUA points to a different domain
DKIM_MULTIPLE_SELECTORS	DKIM	Multiple selectors found (good redundancy)
SPF_DUPLICATE_INCLUDE	SPF	Duplicate include wastes lookup budget
MX_NO_FALLBACK	MX	Single MX record — no redundancy
SSL_SELF_SIGNED	SSL	Self-signed certificate
SSL_EXPIRING_SOON	SSL	SSL expires within 30 days
SHORT_REGISTRATION	WHOIS	Registered for 1 year or less
BLACKLISTED_TIER2	Blacklists	Listed on a minor blacklist
HAS_BIMI	BIMI	Brand logo record configured
BIMI_VMC_VALID	BIMI	VMC certificate valid and recognized
BIMI_VMC_INVALID_ISSUER	BIMI	VMC not from DigiCert or Entrust
BIMI_NO_VMC	BIMI	BIMI record but no VMC certificate
NO_MTA_STS	MTA-STS	No MTA-STS TLS enforcement policy
MTA_STS_TESTING	MTA-STS	MTA-STS in testing mode
MTA_STS_ENFORCED	MTA-STS	MTA-STS enforces TLS (excellent)
TLSRPT_PUBLISHED	TLSRPT	TLS reporting is configured
NO_TLSRPT	TLSRPT	No TLSRPT record configured
DOMAIN_NO_WEB_PRESENCE	Website	No website found at the domain

Diagnostics

Scan-level notes are returned in a separate diagnostics array (not mixed with domain issues):

Code	Description
WHOIS_LOOKUP_FAILED	WHOIS data unavailable (some TLDs restrict access)
BLACKLIST_CHECK_PARTIAL	Some blacklist zones timed out
BLACKLIST_CHECK_FAILED	All blacklist queries failed
BIMI_VMC_FETCH_FAILED	Could not fetch VMC certificate
MTA_STS_POLICY_FETCH_FAILED	MTA-STS policy file unreachable

How many domains can you check?

Domains are checked 10 at a time with controlled concurrency. Times vary by scan depth and DNS response times:

Batch Size	Basic	Advanced
10	~5 seconds	~10 seconds
100	~1 minute	~2 minutes
1,000	~8 minutes	~15 minutes
5,000	~30 minutes	~60 minutes

The default timeout is 30 minutes, which covers most workloads. For 5,000+ domain advanced scans, increase the timeout in Settings → Run configuration (e.g., 3600 seconds for 5K advanced). Memory can stay at the default 128 MB for any batch size.

For single-domain checks, use the Standby API for sub-second responses.

How we test

Every deployment is validated against a suite of 50+ automated tests covering each check module, score stability on known domains, API edge cases, and burst concurrency. A categorized fixture of 67 real-world domains — spanning all issue types across MX, SPF, DKIM, DMARC, blacklists, BIMI, MTA-STS, and more — ensures issue detection stays accurate as DNS records change. Batch validation runs against 5,000+ domains confirm zero schema or scoring failures at scale. An hourly test task on Apify monitors uptime and correctness continuously. All 22 DNSBL zones are individually validated for reliability from Apify's infrastructure — zones that silently fail from cloud resolvers have been removed rather than returning incomplete results.

Pricing

Pay-per-event — you only pay for what you use:

Scan Depth	What's included	Per 1,000
Basic	MX, SPF, DKIM, DMARC, reverse DNS, SSL, WHOIS, website	$2.50
Advanced	Basic + blacklists, BIMI, MTA-STS, TLSRPT	$5.00

Example: 5,000 prospect domains at basic depth costs $12.50.

Input parameters

Parameter	Type	Default	Description
domains	string[]	—	Domains to check
domain	string	—	Single domain (shorthand for API callers)
mode	string	sending	sending or receiving
depth	string	basic	basic or advanced

Output format

Each domain produces one dataset item with flat top-level fields — no nested objects for score, input, or metadata. Works directly in Clay columns, Make/n8n JSON parsers, and spreadsheet exports.

{
  "checkId": "dhc_a1b2c3d4",
  "domain": "example.com",
  "score": 82,
  "band": "Good",
  "summary": "example.com (82/100 Good): 2 warnings. Google Workspace.",
  "provider": "Google Workspace",
  "hasMx": true,
  "hasSpf": true,
  "hasDkim": true,
  "hasDmarc": true,
  "dmarcPolicy": "none",
  "isBlacklisted": null,
  "hasWebsite": true,
  "redirectsTo": null,
  "issuesCritical": 0,
  "issuesWarning": 2,
  "issuesInfo": 1,
  "issuesList": "DMARC_POLICY_NONE, DMARC_NO_RUA, DKIM_MULTIPLE_SELECTORS",
  "mode": "sending",
  "depth": "basic",
  "checkedAt": "2026-02-08T14:30:00Z",
  "durationMs": 1200,
  "issues": [
    { "severity": "warning", "code": "DMARC_POLICY_NONE", "message": "..." },
    { "severity": "info", "code": "DKIM_MULTIPLE_SELECTORS", "message": "..." }
  ],
  "diagnostics": [],
  "scoreBreakdown": { "mx": { "score": 15, "max": 15 }, "spf": { "score": 15, "max": 15 } },
  "details": { }
}

Receiving mode replaces sending-specific fields (hasSpf, hasDkim, hasDmarc, dmarcPolicy, isBlacklisted) with domainResolves and isDisposable. Both modes include hasWebsite and redirectsTo.

Integrations

Clay

Use as a Clay enrichment step:

1. Add a Run Actor enrichment → select superlativetech/supernet-domain-health
2. Map your domain column to the domains input
3. Extract score, band, provider, summary directly — all flat fields, no dot-notation

Make / n8n

Call the Standby API from an HTTP module:

• URL: https://superlativetech--supernet-domain-health.apify.actor?token=YOUR_TOKEN&domain={{domain}}
• Parse JSON response for score and issues

Using with the Apify API

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_TOKEN' });
const run = await client.actor('superlativetech/supernet-domain-health').call({
    domains: ['gmail.com', 'apify.com', 'microsoft.com'],
    mode: 'sending',
    depth: 'advanced',
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
for (const item of items) {
    console.log(`${item.domain}: ${item.score}/100 (${item.band})`);
}

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_TOKEN")
run = client.actor("superlativetech/supernet-domain-health").call(run_input={
    "domains": ["gmail.com", "apify.com", "microsoft.com"],
    "mode": "sending",
    "depth": "advanced",
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(f"{item['domain']}: {item['score']}/100 ({item['band']})")

What else can Superlative do?

If you're cleaning lead data or auditing email infrastructure, you might also need:

• Superclean Company Names — Normalize messy company names for CRM and outreach
• Superclean Job Titles — Standardize job titles for lead scoring and personalization
• Superclean Person Names — Clean person names for cold email personalization
• Superclean Product Names — Normalize product and brand names from e-commerce data
• Superclean Places — Parse and standardize location strings from lead exports
• Superclean URLs — Clean and normalize URLs from lead data
• Superclean Phone Numbers — Format and standardize phone numbers
• Supernet DNS Lookup — Instant DNS record lookups (MX, TXT, A, AAAA, CNAME, NS, SOA, PTR)
• Supernet WHOIS Lookup — Domain registration data: registrar, dates, domain age, registrant, name servers
• HTTP API — General-purpose HTTP request utility
• Superlead ICP Scorer — Score leads against your Ideal Customer Profile with AI

Your feedback

We're always improving Supernet Domain Health. If you have feature requests, find a bug, or need help with a specific use case, please open an issue in the Actor's Issues tab.

When Apify asks to share your run data with us, we encourage you to opt in — it's the fastest way for us to spot edge cases and improve results. Sharing is completely optional (you can toggle it anytime under Account Settings → Privacy), and shared runs are automatically deleted by Apify based on your plan's data retention period. We only use shared data to debug issues and improve this Actor.

Leave a review

If Supernet Domain Health saves you time or improves your email reputation, please leave a review. Your feedback helps other users discover the tool and helps us understand what's working well.

---

Built by Superlative