DMARC & Email Security Checker

Pricing

from $7.00 / 1,000 results

Validate domain infrastructure in bulk to boost email deliverability. Extract DMARC policies, SPF records, and MX configurations to keep outreach out of spam.

Developer

太郎 山田

Maintained by Community

DNS / SPF / DKIM / DMARC Audit API

Ensure your marketing and sales emails actually reach the primary inbox by validating the underlying infrastructure of your domains with this targeted deliverability and DNS checker. For growth marketers, SEO professionals, and B2B lead generation agencies, a misconfigured SPF or DMARC record means your carefully crafted outreach campaigns will end up in the spam folder instead of reaching your target contact. This tool acts as an automated scraper that can extract critical email authentication details directly from any list of target websites, giving you the hard data required to fix deliverability issues before you hit send on your next large-scale campaign. Built specifically for recurring email security compliance, you can schedule weekly or monthly runs to monitor the health of your sending domains and catch misconfigurations before they tank your sender reputation. The checker easily processes massive lists of URLs, using advanced techniques to scrape and extract the exact MX records, strict DMARC policies, and DKIM signatures associated with each web property. Whether you are conducting new client onboarding audits or running ongoing domain portfolio monitoring, you will receive structured output detailing missing records, formatting errors, and precise setup vulnerabilities.

Store Quickstart

  • Start with Quickstart (Dataset) to validate the output shape with three known domains.
  • For comprehensive audits, use Security Audit (DKIM Enabled) for fuller grading.
  • For recurring monitoring, use Weekly Portfolio Monitor for automated domain health checks.
  • For instant alerts, use Webhook Alert for automated notifications.

Key Features

  • 📧 Complete email security audit — SPF, DKIM, DMARC, and MX records
  • 📊 Security scoring — 0-100 points with A-F grade
  • 🔍 DKIM multi-selector check — Tests 6 common selectors (Google, Microsoft, etc.)
  • 💡 Actionable recommendations — Specific fix suggestions for each issue
  • 📋 Bulk processing — Check up to 500 domains per run
  • 🪝 Webhook support — Send results to Slack/Discord

Use Cases

| Who | Why |
| --- | --- |
| Developers | Automate recurring data fetches without building custom scrapers |
| Data teams | Pipe structured output into analytics warehouses |
| Ops teams | Monitor changes via webhook alerts |
| Product managers | Track competitor/market signals without engineering time |

Input

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| domains | array | prefilled | List of domains to check email security for. Maximum 500 per run. |
| checkDkim | boolean | true | Check for DKIM records (common selectors: google, default, selector1, selector2). |
| dkimSelectors | array | | Custom DKIM selectors to check. Defaults: google, default, selector1, selector2, k1, dkim. |
| delivery | string | "dataset" | How to deliver results. 'dataset' saves to Apify Dataset (recommended), 'webhook' sends to a URL. |
| webhookUrl | string | | Webhook URL to send results to (only used when delivery is 'webhook'). Works with Slack, Discord, or any HTTP endpoint. |
| concurrency | integer | 5 | Maximum number of parallel requests. Higher = faster but may trigger rate limits. |
| dryRun | boolean | false | If true, runs without saving results or sending webhooks. Useful for testing. |

Input Example

{
    "domains": ["google.com", "github.com", "example.com"],
    "checkDkim": true,
    "concurrency": 5
}

Output

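| Field | Type | Description |
| --- | --- | --- |
| meta | object | |
| results | array | |
| results[].domain | string | |
| results[].mx | array | |
| results[].spf | object | |
| results[].dmarc | object | |
| results[].dkim | array | |
| results[].score | object | |
| results[].error | null | |
| results[].checkedAt | timestamp | |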

Output Example

{
    "domain": "google.com",
    "score": { "total": 95, "grade": "A" },
    "spf": {
        "raw": "v=spf1 include:_spf.google.com ~all",
        "allPolicy": "~all",
        "isStrict": false
    },
    "dmarc": {
        "policy": "reject",
        "isEnforced": true,
        "rua": "mailto:mailauth-reports@google.com"
    },
    "dkim": [
        { "selector": "google", "found": true }
    ],
    "mx": [
        { "priority": 10, "exchange": "smtp.google.com" }
    ]
}
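
How the `spf` and `dmarc` objects in the Output Example can be derived from raw TXT records, as an added example that is not the actor's own code. It assumes `isStrict` means the record ends in `-all` and `isEnforced` means `p=quarantine` or `p=reject` applied to all mail (`pct=100`); the `issue` key and the function names are hypothetical.

```python
# Added example, not the actor's code. Assumptions: isStrict <=> "-all";
# isEnforced <=> p=quarantine/reject with pct=100; "issue" is a hypothetical key.

def parse_spf(txt_records):
    """Build the 'spf' object from the TXT strings published at the domain."""
    spf = [t.strip() for t in txt_records
           if t.strip().lower() == "v=spf1" or t.strip().lower().startswith("v=spf1 ")]
    if len(spf) != 1:
        # RFC 7208: zero records means no SPF; more than one is a permanent error
        issue = "no SPF record" if not spf else "multiple SPF records"
        return {"raw": None, "allPolicy": None, "isStrict": False, "issue": issue}
    raw, all_policy = spf[0], None
    for term in raw.split()[1:]:
        t = term.lower()
        if t == "all":
            t = "+all"                      # a missing qualifier defaults to "+"
        if len(t) == 4 and t[0] in "+-~?" and t[1:] == "all":
            all_policy = t
            break                           # terms after "all" are never evaluated
    issue = None
    if all_policy is None:
        issue = "no 'all' mechanism"
    elif all_policy in ("+all", "?all"):
        issue = "'all' does not reject unlisted senders"
    return {"raw": raw, "allPolicy": all_policy,
            "isStrict": all_policy == "-all", "issue": issue}


def parse_dmarc(txt_records):
    """Build the 'dmarc' object from the TXT strings at _dmarc.<domain>."""
    recs = [t.strip() for t in txt_records if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:                      # missing or ambiguous: no usable policy
        return {"policy": None, "isEnforced": False, "rua": None}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower() or None
    try:
        pct = int(tags.get("pct", "100"))   # pct < 100 applies the policy to a sample only
    except ValueError:
        pct = 100
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "isEnforced": enforced, "rua": tags.get("rua")}


# Constructed sample inputs consistent with the Output Example
SAMPLE_SPF = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"]
```
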

API Usage

Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations.

cURL

curl -X POST "https://api.apify.com/v2/acts/taroyamada~dns-dmarc-security-checker/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "domains": ["google.com", "github.com", "example.com"], "checkDkim": true, "concurrency": 5 }'

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

# Start the actor and wait for the run to finish
run = client.actor("taroyamada/dns-dmarc-security-checker").call(run_input={
    "domains": ["google.com", "github.com", "example.com"],
    "checkDkim": True,
    "concurrency": 5,
})

# Print each result item from the run's default dataset
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });
const run = await client.actor('taroyamada/dns-dmarc-security-checker').call({
    "domains": ["google.com", "github.com", "example.com"],
    "checkDkim": true,
    "concurrency": 5
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Tips & Limitations

  • Schedule weekly runs against your production domains to catch config drift.
  • Use webhook delivery to pipe findings into your SIEM (Splunk, Datadog, Elastic).
  • For CI integration, block releases on critical severity findings using exit codes.
  • Combine with ssl-certificate-monitor for layered cert + headers coverage.
  • Findings include links to official remediation docs — share with dev teams via the webhook payload.

FAQ

Is running this against a third-party site legal?

Passive public-header scanning is generally permitted, but follow your own compliance policies. Only scan sites you have authorization for.

How often should I scan?

Weekly for production domains; daily if you have high config-change velocity.

Can I export to a compliance tool?

Use webhook delivery or Dataset API — formats map well to Drata, Vanta, OneTrust import templates.

Is this a penetration test?

No — this actor performs passive compliance scanning only. No exploitation, fuzzing, or auth bypass.

Does this qualify as a SOC2 control?

This actor produces evidence artifacts suitable for SOC2 CC7.1 (continuous monitoring). It is not itself a SOC2 certification.

Complete Your Website Health Audit

Website Health Suite — Build a comprehensive compliance and trust monitoring workflow:

1. Link & URL Health

2. SEO & Metadata Quality

3. Security & Email Deliverability (you are here)

4. Historical Data & Recovery

Recommended workflow: Weekly email security audit → Fix SPF/DMARC/DKIM issues → Validate SSL with URL Health Checker → Monitor domain portfolio → Integrate with marketing automation.

Cost

Pay Per Event:

  • actor-start: $0.01 (flat fee per run)
  • dataset-item: $0.003 per output item

Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01

No subscription required — you only pay for what you use.

⭐ Was this helpful?

If this actor saved you time, please leave a ★ rating on Apify Store. It takes 10 seconds, helps other developers discover it, and keeps updates free.

Bug report or feature request? Open an issue on the Issues tab of this actor.