Free CLI · no account or API key

Find transport-security gaps across 25 email domains

Audit the public records that tie MTA-STS, TLS reporting, DMARC, MX coverage, SPF record count, and BIMI prerequisites together. The CLI returns stable issue codes and source-visible evidence—not a mystery score.

Download the free CLI

Node.js 22+ · MIT licensed · files are scanned before release · 25 domains per run

Checks the policy endpoint

Validates the fixed RFC 8461 HTTPS path, content type, syntax, mode, maximum age, and coverage of live MX hosts.

Separates transport from sender auth

Surfaces TLS-RPT and MTA-STS alongside DMARC enforcement, MX, and SPF record-count evidence without claiming inbox placement.

Built for portfolios

Accepts multiple public domains and produces structured JSON that an MSP or consultant can sort, compare, and archive.

What it can—and cannot—prove

  1. It is a point-in-time public configuration preflight. DNS and policy endpoints can change after the run.
  2. It checks RFC-visible relationships. It does not change DNS, read TLS aggregate reports, or test mailbox delivery.
  3. It deliberately skips guessed DKIM selectors. Selectors are not reliably discoverable, so the CLI does not turn guesses into a pass/fail claim.
  4. It is not a certification or guarantee. Review findings with the domain owner and mail provider before changing production records.