domain-security-mcp-server

by OrtaMarco

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| PORT | No | Port for HTTP transport (only used when TRANSPORT=http) | 3000 |
| TRANSPORT | No | Transport mode: 'stdio' (default) or 'http' for Streamable HTTP | stdio |
| ALLOWED_ORIGINS | No | Comma-separated allowed origins for DNS-rebinding protection (leave empty when a trusted proxy restricts access) | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | { "listChanged": true } |

Tools

Functions exposed to the LLM to take actions

email_auth_audit

Headline tool. Audits a domain's email-authentication posture in one call — SPF, DKIM, DMARC and MX — then returns a 0–100 score, an A–F grade and a prioritised list of fixes. Use this first; reach for the per-record tools (spf_check, dmarc_check, dkim_check) only when you need the full detail of one mechanism.

Args:

  • domain (string): the domain to audit.

  • dkim_selectors (string[], optional): DKIM selectors to probe. If omitted, common provider selectors are tried (absence is then inconclusive).

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns (JSON):

{
  "domain": string,
  "grade": "A".."F",
  "score": number, // 0-100
  "has_mx": boolean,
  "mx_hosts": string[],
  "spf": { found, record, all_qualifier, lookup_count, exceeds_lookup_limit, findings[] },
  "dmarc": { found, policy, tags, findings[] },
  "dkim": { any_found, selectors[], findings[] },
  "top_recommendations": string[]
}

Examples:

  • "Is example.com protected against email spoofing?" -> email_auth_audit(domain="example.com")

  • "Audit acme.com, our DKIM selector is 'k1'" -> email_auth_audit(domain="acme.com", dkim_selectors=["k1"])

Errors: returns an error only if the domain is malformed; missing records are reported as findings, not errors.

spf_check

Fetch and analyse a domain's SPF record. Detects: missing/multiple records, the trailing 'all' qualifier (+all/?all/~all/-all), and counts DNS-querying terms recursively against the RFC 7208 limit of 10.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { found, record, multiple_records, all_qualifier, lookup_count, exceeds_lookup_limit, findings[] }.

Example: "Does sendgrid.net's SPF exceed the 10-lookup limit?" -> spf_check(domain="sendgrid.net").
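The recursive lookup count described for spf_check, as an added example that is not the server's own code. The function names and the `ZONE` map of constructed TXT records (used in place of live DNS) are assumptions made for illustration.

```javascript
// Constructed TXT data standing in for DNS answers (not real records).
const ZONE = {
  "example.test": "v=spf1 mx a include:_spf.mail.test include:bulk.test ~all",
  "_spf.mail.test": "v=spf1 include:a.mail.test include:b.mail.test ip4:192.0.2.0/24 -all",
  "a.mail.test": "v=spf1 a mx exists:%{i}.rbl.test -all",
  "b.mail.test": "v=spf1 ip4:198.51.100.0/24 ptr -all",
  "bulk.test": "v=spf1 redirect=_spf.bulk.test",
  "_spf.bulk.test": "v=spf1 a:out.bulk.test mx:bulk.test -all",
};

// RFC 7208 section 4.6.4: these mechanisms, plus the redirect modifier, cost one lookup each.
const LOOKUP_MECHS = new Set(["include", "a", "mx", "ptr", "exists"]);
const TERM = /^([+\-~?]?)([a-z0-9]+)([:=\/]?)(.*)$/i;

// Count DNS-querying terms in `name`'s record and in everything it includes or redirects to.
function countLookups(name, zone, path = []) {
  const txt = zone[name];
  if (!txt || path.includes(name)) return 0; // unresolvable target or include loop
  let n = 0;
  for (const term of txt.trim().split(/\s+/).slice(1)) {
    const m = TERM.exec(term);
    if (!m) continue;
    const mech = m[2].toLowerCase();
    const isRedirect = mech === "redirect" && m[3] === "=";
    if (LOOKUP_MECHS.has(mech) || isRedirect) n += 1;
    if ((mech === "include" || isRedirect) && m[4]) {
      n += countLookups(m[4].toLowerCase(), zone, [...path, name]);
    }
  }
  return n;
}

function analyzeSpf(domain, zone = ZONE) {
  const record = zone[domain] ?? null;
  if (!record || !/^v=spf1(\s|$)/i.test(record)) {
    return { found: false, record: null, all_qualifier: null, lookup_count: 0, exceeds_lookup_limit: false };
  }
  // The "all" term of the top-level record; an omitted qualifier means "+".
  const all = record.split(/\s+/).map((t) => /^([+\-~?]?)all$/i.exec(t)).find(Boolean);
  const lookup_count = countLookups(domain, zone);
  return {
    found: true,
    record,
    all_qualifier: all ? `${all[1] || "+"}all` : null,
    lookup_count,
    exceeds_lookup_limit: lookup_count > 10,
  };
}
```

The top-level record here has only four lookup terms of its own, but the nested includes and the redirect bring the total to 13, which is why the count has to be recursive.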

dmarc_check

Fetch and parse a domain's DMARC record (_dmarc.<domain>). Reports the policy (p=), subdomain policy (sp=), reporting addresses (rua/ruf), pct and alignment (aspf/adkim), and warns on monitor-only or partial deployments.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { found, record, policy, tags{}, findings[] }.

Example: "What is paypal.com's DMARC policy?" -> dmarc_check(domain="paypal.com").
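A sketch of the DMARC parsing and the monitor-only / partial-deployment warnings described for dmarc_check, added here as an example and not taken from the server's code. The function name, the finding texts and the sample records in the usage note are assumptions.

```javascript
const RANK = new Map([["none", 0], ["quarantine", 1], ["reject", 2]]);

// txtRecords: every TXT string returned for the domain's _dmarc name.
function analyzeDmarc(txtRecords) {
  const records = txtRecords.map((r) => r.trim()).filter((r) => /^v=DMARC1\s*(;|$)/i.test(r));
  if (records.length !== 1) {
    // RFC 7489 section 6.6.3: with more than one record, receivers apply no DMARC policy.
    const why = records.length === 0
      ? "No DMARC record published"
      : "Multiple DMARC records published; receivers apply none of them";
    return { found: records.length > 0, record: null, policy: null, tags: {}, findings: [why] };
  }
  const record = records[0];
  const tags = {};
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  const policy = (tags.p || "").toLowerCase();
  if (!RANK.has(policy)) {
    return { found: true, record, policy: null, tags, findings: ["Missing or invalid p= tag"] };
  }
  const findings = [];
  const pct = /^\d{1,3}$/.test(tags.pct || "") ? Number(tags.pct) : 100; // default is 100
  if (policy === "none") {
    findings.push("p=none is monitor-only: failing mail is still delivered");
  } else if (pct < 100) {
    findings.push(`pct=${pct}: the policy applies to only part of the failing mail`);
  }
  const sp = (tags.sp || "").toLowerCase();
  if (RANK.has(sp) && RANK.get(sp) < RANK.get(policy)) {
    findings.push("sp= is weaker than p=: subdomains are less protected");
  }
  if (!tags.rua) findings.push("No rua= address: aggregate reports are not collected");
  return { found: true, record, policy, tags, findings };
}
```

For instance, `analyzeDmarc(["v=DMARC1; p=quarantine; pct=25; sp=none"])` returns three findings (partial enforcement, weaker subdomain policy, no aggregate reporting), while a `p=reject` record with `rua=` set returns none.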

dkim_check

Look up DKIM public keys at <selector>._domainkey.<domain>. Because DKIM selectors are arbitrary and undiscoverable, you should pass the selector(s) your mail provider uses for a definitive answer; otherwise a curated list of common selectors is probed and a miss is inconclusive.

Args:

  • domain (string): the domain to check.

  • selectors (string[], optional): DKIM selectors to probe.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { any_found, probed_selectors, selectors[{selector, found, record, key_type}], findings[] }.

Examples:

  • "Does acme.com publish a DKIM key for selector 'google'?" -> dkim_check(domain="acme.com", selectors=["google"])

  • "Find any DKIM keys for acme.com" -> dkim_check(domain="acme.com")

mta_sts_check

Check a domain's MTA-STS deployment: the _mta-sts TXT record AND the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt. Reports the enforcement mode (enforce/testing/none) and the listed MX hosts. MTA-STS forces TLS for inbound SMTP and blocks downgrade attacks.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { dns_record_found, policy_found, mode, policy{}, findings[] }.

Example: "Does gmail.com enforce MTA-STS?" -> mta_sts_check(domain="gmail.com").

tls_rpt_check

Check a domain's TLS-RPT record (_smtp._tls.<domain> TXT). TLS-RPT lets you receive reports about TLS delivery failures to your domain.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { found, record, findings[] }.

Example: "Does microsoft.com publish TLS-RPT?" -> tls_rpt_check(domain="microsoft.com").

bimi_check

Check a domain's BIMI record (default._bimi.<domain> TXT), which points to the brand logo (and optional VMC) displayed next to authenticated mail. BIMI requires an enforced DMARC policy to take effect.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { found, record, findings[] }.

Example: "Does cnn.com have BIMI set up?" -> bimi_check(domain="cnn.com").

dns_lookup

Resolve all common DNS record types (A, AAAA, CNAME, MX, NS, TXT, SOA) for a domain in one call, using public resolvers (Cloudflare/Google/Quad9).

Args:

  • domain (string): the domain to query, e.g. "example.com".

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: a map of record type -> list of records. Each record has { type, host, value, priority? }.

Examples:

  • "What are the MX records for stripe.com?" -> dns_lookup(domain="stripe.com")

  • Use ssl_certificate for TLS details, whois_lookup for registration data.

Errors: returns an error if the domain is malformed or has no resolvable records.

reverse_dns

Resolve the PTR (reverse DNS) records for an IP address — the hostname(s) the IP maps back to.

Args:

  • ip (string): IPv4 or IPv6 address.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { ip, hostnames: string[] }.

Example: "What hostname does 8.8.8.8 reverse to?" -> reverse_dns(ip="8.8.8.8").

Errors: returns an error if the IP is invalid or has no PTR record.

ip_geolocation

Geolocate an IP address (country, region, city, coordinates, time zone) using an offline database, plus its reverse-DNS hostname. No external API.

Args:

  • ip (string): IPv4 or IPv6 address.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { ip, country_iso, country_name, region, city, latitude, longitude, time_zone, hostname }.

Example: "Where is 151.101.1.69 located?" -> ip_geolocation(ip="151.101.1.69").

Note: geolocation is approximate (city-level at best) and offline data may lag reality.

ssl_certificate

Inspect the TLS certificate served by a host: issuer, subject, validity window, days-until-expiry, SANs, serial and SHA-256 fingerprint. Flags expired or soon-to-expire certificates.

Args:

  • domain (string): host to connect to.

  • port (number): TLS port (default 443).

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: certificate fields plus { days_until_expiry, expired, expires_soon }.

Example: "When does github.com's certificate expire?" -> ssl_certificate(domain="github.com").

Errors: returns an error if the host is unreachable or serves no certificate.

whois_lookup

Look up domain registration data over the raw WHOIS protocol (port 43): registrar, creation/update/expiry dates, name servers and domain status. Resolves the correct WHOIS server via IANA and follows registrar referrals. No API key.

Args:

  • domain (string): the domain to look up.

  • response_format ('markdown' | 'json'): output format (default 'markdown'). JSON includes the raw WHOIS text.

Returns: { domain, registrar, created, updated, expires, name_servers[], status[], whois_server }.

Example: "Who is the registrar for openai.com and when does it expire?" -> whois_lookup(domain="openai.com").

Errors: returns an error if no WHOIS server answers (some ccTLDs restrict or rate-limit WHOIS).

http_security_headers

Fetch a URL and grade its HTTP security headers (HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP). Returns a 0–100 score, an A–F grade, and per-header notes.

Args:

  • url (string): URL or host to check (scheme defaults to https://).

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { url, final_url, status, grade, score, checks[{header, present, value, note}], missing[] }.

Example: "Grade the security headers on https://news.ycombinator.com" -> http_security_headers(url="https://news.ycombinator.com").

Errors: returns an error if the URL is invalid or the host is unreachable.

dnssec_check

Check whether a domain is protected by DNSSEC. Queries DS and DNSKEY records over DNS-over-HTTPS and reads the resolver's Authenticated Data (AD) flag to confirm the chain of trust validates.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { enabled, validated, ds_records, dnskey_records, findings[] }.

Example: "Is cloudflare.com DNSSEC-signed?" -> dnssec_check(domain="cloudflare.com").

caa_check

Check a domain's CAA (Certification Authority Authorization) records — which CAs are allowed to issue TLS certificates for it. Absence means any CA may issue.

Args:

  • domain (string): the domain to check.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { found, issue[], issuewild[], iodef[] }.

Example: "Which CAs can issue certs for google.com?" -> caa_check(domain="google.com").

mx_lookup

Look up a domain's mail servers (MX records) with priority and the IPs they resolve to.

Args:

  • domain (string): the domain to query.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: array of { exchange, priority, ips[] }.

Example: "What are the mail servers for github.com?" -> mx_lookup(domain="github.com").

blacklist_check

Check whether an IPv4 address (or a domain's A records) appears on email DNS blocklists (DNSBLs). Only open-access lists are queried (SORBS, SpamCop, UCEPROTECT-1, DroneBL, s5h); Spamhaus and Barracuda refuse public-resolver queries and are excluded.

Args:

  • query (string): an IPv4 address or a domain.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { ips[], listedCount, checked, results[{ip, hits[{list, listed, reason}]}], note }.

Example: "Is 203.0.113.5 blacklisted?" -> blacklist_check(query="203.0.113.5").

dns_propagation

Compare a domain's DNS records across multiple public resolvers worldwide (Cloudflare, Google, Quad9, OpenDNS, AdGuard) to see whether a change has propagated.

Args:

  • domain (string): the domain to check.

  • type ('A'|'AAAA'|'CNAME'|'MX'|'NS'|'TXT'): record type (default 'A').

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { type, consistent, resolvers[{name, server, values[], error}] }.

Example: "Has the A record for example.com propagated?" -> dns_propagation(domain="example.com").

analyze_email_headers

Parse raw email headers and report the SPF/DKIM/DMARC verdicts (from Authentication-Results), key fields (From, Subject, Date, Message-ID, Return-Path) and the Received hop chain with per-hop delays and total transit time.

Args:

  • headers (string): the raw email headers.

  • response_format ('markdown' | 'json'): output format (default 'markdown').

Returns: { auth{spf,dkim,dmarc}, fields{}, hops[{index,from,by,date,delaySec}], totalSec }.

Example: paste the headers from "Show original" in Gmail to trace a message's path and authentication.

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/OrtaMarco/domain-security-mcp-server'