domain-security-mcp-server

by OrtaMarco

An MCP server that lets an AI agent audit the email and domain security of any domain — SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, DNSSEC, DNS, TLS/SSL and WHOIS — in plain language. No API keys required.

Ask Claude "Is acme.com protected against email spoofing?" and it runs a full authentication audit and hands you a graded report with prioritised fixes — instead of you pasting a domain into five different web tools.

> Is ortamarco.me protected against email spoofing?

  email_auth_audit(domain="ortamarco.me")

  Grade: A (95/100) · MX: present
  ✅ SPF ends in '-all' (hard fail). 3/10 DNS lookups.
  ✅ DMARC policy is enforced ('p=reject').
  ✅ DKIM key found for selector: google.
  Top recommendation: add a TLS-RPT record for delivery-failure reports.

Why this exists

The email-security ecosystem is full of single-purpose web checkers (SPF here, DMARC there, WHOIS somewhere else) and the few MCP equivalents are locked behind paid API tokens. This server brings the whole deliverability & domain-security toolkit to any MCP client, key-free, with one headline workflow tool that does the synthesis for you.

It is the agent-facing companion to the network tools at ortamarco.me and shares the same battle-tested core (public-resolver DNS, host validation, timeouts).

Tools

| Tool | What it does |
|---|---|
| email_auth_audit | One-call SPF + DKIM + DMARC + MX audit → 0–100 score, A–F grade, prioritised fixes |
| spf_check | Parse SPF; recursively count DNS lookups vs the RFC 7208 limit of 10; flag +all/?all |
| dmarc_check | Parse DMARC policy (p, sp, rua, pct, aspf/adkim) with warnings |
| dkim_check | Probe <selector>._domainkey keys (supply selectors or use common ones) |
| mta_sts_check | Validate the _mta-sts TXT and the .well-known/mta-sts.txt policy + mode |
| tls_rpt_check | Check the _smtp._tls TLS-RPT record |
| bimi_check | Check the default._bimi BIMI record |
| dnssec_check | DS/DNSKEY presence + DNSSEC AD validation flag (via DoH) |
| dns_lookup | All record types (A/AAAA/CNAME/MX/NS/TXT/SOA) via public resolvers |
| ssl_certificate | TLS cert issuer, validity window, days-to-expiry, SANs, fingerprint |
| whois_lookup | Registrar, dates, name servers, status (raw port-43 WHOIS, IANA-resolved) |
| reverse_dns | PTR records for an IP |
| ip_geolocation | Offline IP geolocation + reverse DNS |
| mx_lookup | Mail servers (MX) with priority and resolved IPs |
| caa_check | Which CAs may issue TLS certificates (CAA records) |
| blacklist_check | IP/domain against open-access email DNSBLs |
| dns_propagation | Compare a record across 5 public resolvers worldwide |
| analyze_email_headers | Parse raw headers → SPF/DKIM/DMARC verdicts + Received hop chain with delays |

Every tool is read-only, declares an outputSchema and returns structuredContent (validated by the SDK) alongside human-readable Markdown (default) or JSON (response_format="json"), plus actionable error messages.
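As an added illustration of what the spf_check row describes (example code written for this page, not the project's own src/core/email-auth.ts), the TypeScript below walks an SPF record recursively, counts the DNS-querying mechanisms against the RFC 7208 limit of 10 and flags a permissive qualifier on `all`. The resolver, zone data and domain names are constructed so the example runs offline.

```typescript
// Added example, not project code: offline SPF lookup counting in the spirit of spf_check.
type Resolver = (name: string) => string[];

interface SpfReport {
  lookups: number;             // mechanisms that cost a DNS query; RFC 7208 caps these at 10
  overLimit: boolean;
  allQualifier: string | null; // qualifier on the top-level record's "all" term
  warnings: string[];
}

// Mechanisms that count toward the lookup limit (plus the redirect modifier).
const LOOKUP_MECHS = new Set(["include", "a", "mx", "ptr", "exists"]);

function analyzeSpf(domain: string, resolveTxt: Resolver, depth = 0, report?: SpfReport): SpfReport {
  const r = report ?? { lookups: 0, overLimit: false, allQualifier: null, warnings: [] };
  const records = resolveTxt(domain).filter((t) => t.toLowerCase().startsWith("v=spf1"));
  if (records.length !== 1) {
    r.warnings.push(`${domain}: expected exactly one v=spf1 record, found ${records.length}`);
    return r;
  }
  for (const term of records[0].split(/\s+/).slice(1)) {
    const m = /^([+\-~?])?([a-z0-9]+)(?:[:=](.*))?$/i.exec(term);
    if (!m) { r.warnings.push(`${domain}: unparseable term '${term}'`); continue; }
    const qualifier = m[1] ?? "+";           // RFC 7208: a missing qualifier means "+"
    const mech = m[2].toLowerCase();
    const arg = m[3];
    if (LOOKUP_MECHS.has(mech) || mech === "redirect") r.lookups += 1;
    if (mech === "ptr") r.warnings.push(`${domain}: 'ptr' is deprecated (RFC 7208 section 5.5)`);
    if (mech === "all" && depth === 0) {
      r.allQualifier = qualifier;
      if (qualifier === "+" || qualifier === "?") r.warnings.push(`${domain}: '${qualifier}all' lets any sender pass`);
    }
    // Follow include/redirect; the depth guard stops runaway loops between records.
    if ((mech === "include" || mech === "redirect") && arg && depth < 10) analyzeSpf(arg, resolveTxt, depth + 1, r);
  }
  r.overLimit = r.lookups > 10;
  if (r.overLimit && depth === 0) r.warnings.push(`${r.lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)`);
  return r;
}

// Constructed in-memory zone standing in for real TXT lookups.
const ZONE: Record<string, string[]> = {
  "example.test": ["v=spf1 include:_spf.mailer.test mx a ip4:203.0.113.0/24 -all", "unrelated txt"],
  "_spf.mailer.test": ["v=spf1 include:a.mailer.test include:b.mailer.test ~all"],
  "a.mailer.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
  "b.mailer.test": ["v=spf1 a mx ptr ~all"],
  "loose.test": ["v=spf1 include:_spf.mailer.test +all"],
  "heavy.test": ["v=spf1 include:_spf.mailer.test include:_spf.mailer.test include:_spf.mailer.test -all"],
};
const stubResolver: Resolver = (name) => ZONE[name] ?? [];
```

Calling `analyzeSpf("example.test", stubResolver)` reports 8 lookups and `-all`, while `heavy.test` trips the 10-lookup limit the same way a real SPF evaluator would return permerror.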

Install

git clone https://github.com/ortamarco/domain-security-mcp-server.git
cd domain-security-mcp-server
npm install
npm run build

Use it with Claude Code

claude mcp add domain-security -- node /absolute/path/to/domain-security-mcp-server/dist/index.js

Use it with Claude Desktop

Add to claude_desktop_config.json (see examples/):

{
  "mcpServers": {
    "domain-security": {
      "command": "node",
      "args": ["/absolute/path/to/domain-security-mcp-server/dist/index.js"]
    }
  }
}

Restart Claude Desktop, then ask: "Audit the email security of stripe.com."

Self-host (HTTP transport)

The same server speaks stateless Streamable HTTP for remote/multi-client use — handy behind a reverse proxy such as Coolify or Traefik.

TRANSPORT=http PORT=3000 npm start
# POST JSON-RPC to http://localhost:3000/mcp   ·   health at /healthz

Or with Docker:

docker build -t domain-security-mcp .
docker run -p 3000:3000 -e TRANSPORT=http domain-security-mcp

Set ALLOWED_ORIGINS=https://your.app to enable Origin-based DNS-rebinding protection (leave empty when a trusted proxy already restricts access).

Develop

npm run dev      # tsx watch (stdio)
npm run inspect  # open the MCP Inspector against the built server
npm run build    # type-check + emit dist/
npm run smoke    # call all 19 tools and validate structuredContent vs outputSchema

evals/ holds a 10-question LLM evaluation set (stable, verifiable) and instructions for running it — see evals/README.md.

How it works

src/
├── index.ts        # transport selection (stdio | http)
├── server.ts       # registers every tool on one McpServer
├── core/           # pure logic, no MCP coupling — reusable & testable
│   ├── dns.ts      # public-resolver DNS + DoH client
│   ├── tls.ts      # certificate inspection
│   ├── whois.ts    # port-43 WHOIS with IANA/registrar referral
│   ├── http.ts     # security-header grading
│   ├── geoip.ts    # offline IP geolocation
│   └── email-auth.ts  # SPF/DKIM/DMARC/MTA-STS/TLS-RPT/BIMI/DNSSEC + scoring
└── tools/          # thin MCP wrappers (Zod schemas, descriptions, formatting)

The core/ layer is deliberately free of any MCP types, so the exact same logic powers both this server and the web tools on ortamarco.me.

License

MIT © Marco Orta
