DNS / SPF / DKIM / DMARC Audit API

Bulk-audit email security configuration (SPF, DKIM, DMARC, MX) across hundreds of domains. Get an A-F security grade with actionable recommendations for each domain.

Store Quickstart

• Start with store-input.example.json to validate the output shape with three known domains.
• If that matches your audit workflow, switch to store-input.templates.json and pick one of:
  • Quickstart (Dataset) for a cheap first run
  • Security Audit (DKIM Enabled) for fuller grading
  • Weekly Portfolio Monitor for recurring customer/domain checks
  • Webhook Alert for automated notifications

The Store example keeps checkDkim=false so the first run is fast and reliable. Turn DKIM checks back on once the response format fits your use case.

Who gets value fastest?

Team	Why
MSPs / agencies	Audit many client domains from one dataset-oriented run
IT / SecOps	Catch missing DMARC enforcement before deliverability or spoofing incidents
SaaS / RevOps	Validate sender domains before campaign launches or vendor onboarding

What does this actor do?

Queries DNS records directly using Node.js's built-in dns module to evaluate email authentication setup. Each domain receives a security score (0-100) and letter grade (A-F) based on industry best practices.

Key Features

• 📧 Complete email security audit — SPF, DKIM, DMARC, and MX records
• 📊 Security scoring — 0-100 points with A-F grade
• 🔍 DKIM multi-selector check — Tests 6 common selectors (Google, Microsoft, etc.)
• 💡 Actionable recommendations — Specific fix suggestions for each issue
• 📋 Bulk processing — Check up to 500 domains per run
• 🪝 Webhook support — Send results to Slack/Discord

Suggested recurring monitoring cadence

• Weekly portfolio checks with checkDkim=false for a fast baseline across many domains
• A deeper monthly audit with DKIM enabled before policy reviews or deliverability work
• Webhook delivery when you only need exceptions routed to Slack, Discord, or ticketing

Related security suite

• Pair with security-headers-checker for HTTP-layer posture checks
• Pair with ssl-certificate-monitor for certificate expiry and issuer drift
• Use all three as a lightweight recurring compliance stack inside Apify

Scoring Breakdown

Component	Max Points	What's Checked
MX Records	10	Mail servers configured
SPF	30	Exists + strict policy (-all) + mechanism count
DMARC	35	Exists + enforced policy + aggregate reports + 100% coverage
DKIM	25	Record found + multiple selectors

Grades: A (90+) · B (75+) · C (55+) · D (35+) · F (<35)

Input Example

{
  "domains": ["google.com", "github.com", "example.com"],
  "checkDkim": true,
  "concurrency": 5
}

Output Example

{
  "domain": "google.com",
  "score": { "total": 95, "grade": "A" },
  "spf": {
    "raw": "v=spf1 include:_spf.google.com ~all",
    "allPolicy": "~all",
    "isStrict": false
  },
  "dmarc": {
    "policy": "reject",
    "isEnforced": true,
    "rua": "mailto:mailauth-reports@google.com"
  },
  "dkim": [
    { "selector": "google", "found": true }
  ],
  "mx": [
    { "priority": 10, "exchange": "smtp.google.com" }
  ]
}

A fuller ready-to-share payload is available in sample-output.example.json for Store and README proof.

Cost

Zero external costs. Uses Node.js built-in DNS resolver — no API keys, no proxies. A run checking 100 domains takes ~15 seconds.

Store Listing Ops

npm run store:optimize
npm run store:kpi

Commercial Ops

Set up .env first:

$cp -n .env.example .env

Cloud Task/Schedule setup (idempotent):

$npm run apify:cloud:setup

Daily reliability checks:

npm run canary:check
npm run contract:test:live

OpenClaw cron commands:

• openclaw-cron-commands.md

Related actors

• security-headers-checker — cover browser-facing security posture for the same domains.
• ssl-certificate-monitor — watch certificate expiry and issuer drift on the same portfolio.
• rdap-domain-monitor — track registrar, nameserver, and ownership changes behind the same domains.