domain-security-mcp-server
An MCP server that lets an AI agent audit the email and domain security of any domain — SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, DNSSEC, DNS, TLS/SSL and WHOIS — in plain language. No API keys required.
Ask Claude "Is acme.com protected against email spoofing?" and it runs a full authentication audit and hands you a graded report with prioritised fixes — instead of you pasting a domain into five different web tools.
> Is ortamarco.me protected against email spoofing?
email_auth_audit(domain="ortamarco.me")
Grade: A (95/100) · MX: present
✅ SPF ends in '-all' (hard fail). 3/10 DNS lookups.
✅ DMARC policy is enforced ('p=reject').
✅ DKIM key found for selector: google.
Top recommendation: add a TLS-RPT record for delivery-failure reports.
Why this exists
The email-security ecosystem is full of single-purpose web checkers (SPF here, DMARC there, WHOIS somewhere else) and the few MCP equivalents are locked behind paid API tokens. This server brings the whole deliverability & domain-security toolkit to any MCP client, key-free, with one headline workflow tool that does the synthesis for you.
It is the agent-facing companion to the network tools at ortamarco.me and shares the same battle-tested core (public-resolver DNS, host validation, timeouts).
Tools
Tool | What it does |
| One-call SPF + DKIM + DMARC + MX audit → 0–100 score, A–F grade, prioritised fixes |
| Parse SPF; recursively count DNS lookups vs the RFC 7208 limit of 10; flag |
| Parse DMARC policy ( |
| Probe |
| Validate the |
| Check the |
| Check the |
| DS/DNSKEY presence + DNSSEC |
| All record types (A/AAAA/CNAME/MX/NS/TXT/SOA) via public resolvers |
| TLS cert issuer, validity window, days-to-expiry, SANs, fingerprint |
| Registrar, dates, name servers, status (raw port-43 WHOIS, IANA-resolved) |
| PTR records for an IP |
| Offline IP geolocation + reverse DNS |
| Mail servers (MX) with priority and resolved IPs |
| Which CAs may issue TLS certificates (CAA records) |
| IP/domain against open-access email DNSBLs |
| Compare a record across 5 public resolvers worldwide |
| Parse raw headers → SPF/DKIM/DMARC verdicts + Received hop chain with delays |
Every tool is read-only, declares an outputSchema and returns
structuredContent (validated by the SDK) alongside human-readable Markdown
(default) or JSON (response_format="json"), plus actionable error messages.
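The recursive SPF lookup count behind a figure such as "3/10 DNS lookups", as an added example that is not the project's own code: it follows include and redirect targets and counts the terms RFC 7208 charges against the limit of 10. The zone map, domain names and function names are constructed for illustration so the block runs offline.

```javascript
// Constructed sample data (not real DNS): domain -> published SPF TXT record.
const SAMPLE_ZONE = new Map([
  ["example.test", "v=spf1 include:_spf.mail.test include:send.vendor.test mx -all"],
  ["_spf.mail.test", "v=spf1 include:_netblocks.mail.test ip4:192.0.2.0/24 ~all"],
  ["_netblocks.mail.test", "v=spf1 ip4:198.51.100.0/24 ~all"],
  ["send.vendor.test", "v=spf1 a exists:%{i}.bl.vendor.test ~all"],
  ["loop.test", "v=spf1 include:loop.test -all"],
]);

const SPF_LOOKUP_LIMIT = 10; // RFC 7208 limit on DNS-querying terms
const LOOKUP_MECHANISMS = new Set(["include", "a", "mx", "ptr", "exists"]);

// Split a term such as "-all", "a/24", "include:x" or "redirect=x".
function parseTerm(term) {
  const m = /^[+\-~?]?([a-z][a-z0-9_.-]*)(?:([:=\/])(.*))?$/i.exec(term);
  return m ? { name: m[1].toLowerCase(), sep: m[2] || "", arg: m[3] || "" } : null;
}

// Walk the record tree, charging one lookup per DNS-querying term.
function countSpfLookups(domain, zone, state = { lookups: 0, loop: false, path: new Set() }) {
  const name = domain.toLowerCase();
  const record = zone.get(name);
  if (!record || !/^v=spf1(\s|$)/i.test(record)) return state; // nothing to walk
  if (state.path.has(name)) { state.loop = true; return state; } // include cycle
  state.path.add(name);
  for (const term of record.trim().split(/\s+/).slice(1)) {
    const t = parseTerm(term);
    if (!t) continue;
    const isRedirect = t.name === "redirect" && t.sep === "=";
    if (!LOOKUP_MECHANISMS.has(t.name) && !isRedirect) continue; // ip4, ip6, all are free
    state.lookups += 1;
    if (t.name === "include" || isRedirect) countSpfLookups(t.arg, zone, state);
  }
  state.path.delete(name);
  return state;
}

// Summarise what an audit could report for one domain.
function auditSpf(domain, zone) {
  const { lookups, loop } = countSpfLookups(domain, zone);
  const all = /(?:^|\s)([+\-~?]?)all\s*$/i.exec(zone.get(domain.toLowerCase()) || "");
  return { lookups, loop, overLimit: lookups > SPF_LOOKUP_LIMIT,
           all: all ? (all[1] || "+") + "all" : null };
}

console.log(auditSpf("example.test", SAMPLE_ZONE));
```

The sketch does not model the separate RFC 7208 limits on void lookups or on the names returned by mx and ptr.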
Install
git clone https://github.com/ortamarco/domain-security-mcp-server.git
cd domain-security-mcp-server
npm install
npm run build
Use it with Claude Code
claude mcp add domain-security -- node /absolute/path/to/domain-security-mcp-server/dist/index.js
Use it with Claude Desktop
Add to claude_desktop_config.json (see examples/):
{
  "mcpServers": {
    "domain-security": {
      "command": "node",
      "args": ["/absolute/path/to/domain-security-mcp-server/dist/index.js"]
    }
  }
}
Restart Claude Desktop, then ask: "Audit the email security of stripe.com."
Self-host (HTTP transport)
The same server speaks stateless Streamable HTTP for remote/multi-client use — handy behind a reverse proxy such as Coolify or Traefik.
TRANSPORT=http PORT=3000 npm start
# POST JSON-RPC to http://localhost:3000/mcp · health at /healthz
Or with Docker:
docker build -t domain-security-mcp .
docker run -p 3000:3000 -e TRANSPORT=http domain-security-mcp
Set ALLOWED_ORIGINS=https://your.app to enable Origin-based DNS-rebinding protection (leave empty when a trusted proxy already restricts access).
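How an Origin allowlist of this kind separates the configured web client from a page whose hostname has been rebound to the server, as an added example that is not the project's own code. Assumptions: the value may hold several comma-separated origins, and a request with no Origin header is rejected once a list is set; the page does not state how the project treats either case.

```javascript
// Return the canonical scheme://host[:port] for an http(s) origin, else null.
function normaliseOrigin(text) {
  try {
    const u = new URL(text);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : null;
  } catch {
    return null; // "null", empty or malformed Origin values
  }
}

// Assumption: ALLOWED_ORIGINS may hold several comma-separated origins.
function parseAllowedOrigins(value) {
  const allowed = new Set();
  for (const item of (value || "").split(",")) {
    const origin = normaliseOrigin(item.trim());
    if (origin) allowed.add(origin);
  }
  return allowed;
}

// Decide whether a request carrying this Origin header may reach /mcp.
function checkOrigin(originHeader, allowed) {
  if (allowed.size === 0) return { ok: true, reason: "check disabled (empty allowlist)" };
  if (originHeader === undefined) return { ok: false, reason: "missing Origin" }; // assumption: strict
  const origin = normaliseOrigin(originHeader);
  if (origin && allowed.has(origin)) return { ok: true, reason: "origin allowed" };
  return { ok: false, reason: "origin not in allowlist" };
}

// Constructed sample requests: the Origin header each one carries.
const SAMPLE_ORIGINS = [
  "https://your.app",                 // the configured web client
  "https://YOUR.APP:443",             // same origin, different spelling
  "http://rebind.attacker.test:3000", // page whose hostname was re-pointed at this server
  "https://your.app.attacker.test",   // look-alike prefix, must not match
  "null",                             // sandboxed iframe or file:// page
  undefined,                          // no Origin header at all
];

// Verdict (true = allowed) for each sample under a given ALLOWED_ORIGINS value.
function evaluateSamples(envValue) {
  const allowed = parseAllowedOrigins(envValue);
  return SAMPLE_ORIGINS.map((o) => checkOrigin(o, allowed).ok);
}

console.log(evaluateSamples("https://your.app"));
```

Comparing parsed origins rather than raw strings is what keeps the look-alike prefix out and lets the differently spelled form of the same origin in.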
Develop
npm run dev # tsx watch (stdio)
npm run inspect # open the MCP Inspector against the built server
npm run build # type-check + emit dist/
npm run smoke # call all 19 tools and validate structuredContent vs outputSchema
evals/ holds a 10-question LLM evaluation set (stable, verifiable)
and instructions for running it — see evals/README.md.
How it works
src/
├── index.ts # transport selection (stdio | http)
├── server.ts # registers every tool on one McpServer
├── core/ # pure logic, no MCP coupling — reusable & testable
│ ├── dns.ts # public-resolver DNS + DoH client
│ ├── tls.ts # certificate inspection
│ ├── whois.ts # port-43 WHOIS with IANA/registrar referral
│ ├── http.ts # security-header grading
│ ├── geoip.ts # offline IP geolocation
│ └── email-auth.ts # SPF/DKIM/DMARC/MTA-STS/TLS-RPT/BIMI/DNSSEC + scoring
└── tools/ # thin MCP wrappers (Zod schemas, descriptions, formatting)
The core/ layer is deliberately free of any MCP types, so the exact same logic
powers both this server and the web tools on ortamarco.me.
License
MIT © Marco Orta