Domain Deliverability Checker: SPF, DKIM, DMARC, MX, Blacklist

Audit a domain's email deliverability and DNS health in one call. Give it a domain and get back SPF, DKIM, and DMARC authentication with policy, MX records and mail provider, DNS blacklist status, catch-all detection, domain age, and a single 0 to 100 health score. Flat JSON, one row per domain, ready to drop into a Clay table. Pure DNS and SMTP: no browser, no proxy, no paid third-party APIs.

Built for outbound agencies, sales operations teams, and Clay users who need to check domain health before sending cold email. Where most Apify actors check only one slice (just DNS, or just blacklists, or just DMARC), this one returns the complete deliverability verdict in a single flat row.

What's Inside

• Ready-to-Run Examples
• Features
• Input
• Output
• Pricing
• Usage Examples
• Error Handling
• Limitations
• Mamba Labs GTM Actor Fleet

Ready-to-Run Examples

Each example is a pre-configured version of this actor for a specific use case. Click any link to open it in the Apify Console and run it immediately.

Example	What it does
SPF DKIM DMARC Checker for Any Domain	Run a full email authentication check (SPF, DKIM, DMARC) on any domain.
Bulk Email Deliverability Checker for Cold Outreach	Score a list of domains for email deliverability before launching cold outreach.
DMARC Policy and Domain Blacklist Lookup	Check DMARC policy and scan for blacklist presence on a domain.
Live Domain Health Recheck (No Cache)	Force a fresh deliverability check with no cached result.
Catch-All Domain Detection for Email Lists	Detect whether a domain accepts all email addresses (catch-all configuration).

Looking for a different configuration? Open the Input tab to build your own.

Features

• Full email authentication audit. SPF record and qualifier policy, DMARC record and policy (none, quarantine, reject), and DKIM presence across the common provider selectors.
• Mail provider detection. Identifies Google Workspace, Microsoft 365, Zoho, Proofpoint, Mimecast, Amazon SES, and more from the MX records.
• DNS blacklist checks. Tests the domain's mail server IP against a curated set of DNSBL zones and reports listed, clean, or unknown.
• Catch-all detection. SMTP RCPT probe to flag accept-all domains. Off by default because the Apify platform blocks outbound port 25; see Limitations.
• Domain age. Registration date via RDAP, the modern registry protocol that survives GDPR redaction, with a DNS SOA fallback.
• Spam-trap risk heuristics. Advisory flags for young domains, mail without authentication, and blacklisted infrastructure.
• 0 to 100 deliverability score. A single transparent verdict with a low, medium, or high risk level.
• Batch and cache. Pass a domains array for bulk runs; results are cached for 24 hours to make repeat lookups free.

Input

Field	Type	Required	Default	Description
domain	string	no	stripe.com	Bare domain without https:// or trailing slash.
domains	array	no	none	List of bare domains for batch processing. Takes precedence over domain. One output row per domain.
batchSize	integer	no	5	Domains audited concurrently per wave in batch mode. Maximum 10.
skipCache	boolean	no	false	Force a fresh audit and ignore any cached result.
attempt_catch_all	boolean	no	false	Run the SMTP catch-all probe. Off by default because the Apify platform blocks port 25; enable only on a runner that allows port 25 egress.

Provide either domain or domains.

Output

One flat row per domain. Every field is always present; absent values are null.

Field	Type	Description	Example
domain	string	Normalized input domain	stripe.com
spf_record	string	Raw SPF TXT record, or null	v=spf1 include:_spf.google.com ~all
spf_valid	boolean	A valid v=spf1 record is present	true
spf_policy	string	Qualifier on all: fail, softfail, neutral, pass, or null	softfail
dkim_selectors_found	array	Common selectors that returned a key	["google","s1","s2"]
dkim_present	boolean	At least one common selector found	true
dmarc_record	string	Raw DMARC TXT record, or null	v=DMARC1; p=reject;
dmarc_policy	string	none, quarantine, reject, or null	reject
dmarc_valid	boolean	A valid v=DMARC1 record is present	true
mx_records	array	MX hosts with priority	[{"host":"aspmx.l.google.com","priority":10}]
has_mx	boolean	Domain has at least one MX	true
mail_provider	string	Detected provider, or null	Google Workspace
catch_all	boolean	SMTP accepts a random address, or null when unknown	null
catch_all_status	string	catch_all, not_catch_all, or unknown	unknown
blacklisted	boolean	Listed on any checked DNSBL	false
blacklists_listed	array	Zones that returned a listing	[]
blacklists_checked	array	Zones queried this run	["bl.spamcop.net", ...]
blacklist_status	string	listed, clean, or unknown	clean
spam_trap_risk	string	low, medium, or high heuristic	low
spam_trap_flags	array	Triggered heuristics	[]
domain_age_days	integer	Days since registration, or null	11238
domain_age_source	string	rdap, soa, or null	rdap
has_website	boolean	Domain has an A or AAAA record	true
deliverability_score	integer	0 to 100 composite verdict	95
risk_level	string	low, medium, or high	low
run_date	string	ISO timestamp of the run	2026-06-19T08:10:59Z

Score model: has MX +20; valid SPF +20 (hard -all +5); DKIM present +15; valid DMARC +15 (quarantine +5, reject +10); blacklist clean +15 (unknown +7); catch-all not detected +5 (detected -10). Capped 0 to 100. Risk: 80 or more low, 50 to 79 medium, under 50 high.

Pricing

Tier	Discount	Per result	Per 1K results
Free (no plan)	0%	$0.005	$5.00
Starter (Bronze)	~5%	$0.00475	$4.75
Scale (Silver)	~10%	$0.0045	$4.50
Business (Gold)	~15%	$0.00425	$4.25

Free tier: 50 results per month included, resets monthly. Cached repeat lookups within 24 hours are free.

Usage Examples

Apify Console / API

curl -X POST "https://api.apify.com/v2/acts/0tVgxI7A6o9jMlxmc/run-sync-get-dataset-items?token=YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"domain":"stripe.com"}'

Batch:

{ "domains": ["stripe.com", "github.com", "mailchimp.com"], "batchSize": 5 }

Clay Integration

1. Add an Enrichment column of type HTTP API, or use the Apify integration.
2. Call this actor with domain mapped to your domain column.
3. Map the returned fields to columns: deliverability_score, risk_level, spf_valid, dmarc_policy, blacklist_status, mail_provider.
4. Gate downstream sends on a formula like deliverability_score >= 70 to skip risky domains before they enter a sequence.

The output is flat and one row per domain, so every field maps directly to a Clay column with no JSON unwrapping.

MCP Integration

$npm install @mambalabsdev/mcp-domain-deliverability-checker

{
  "mcpServers": {
    "domain-deliverability": {
      "command": "npx",
      "args": ["-y", "@mambalabsdev/mcp-domain-deliverability-checker"],
      "env": { "APIFY_TOKEN": "YOUR_TOKEN" }
    }
  }
}

Tool: check_domain_deliverability with { "domain": "stripe.com" }.

Prefer one install for the whole fleet? The Mamba Labs GTM Suite (https://www.npmjs.com/package/@mambalabsdev/mcp-gtm-suite) exposes eleven of these actors as tools in a single MCP server.

Error Handling

Condition	Behavior	Output
Empty or invalid domain	Empty record pushed, run continues	all checks null or false, score 0
No MX or NXDOMAIN	Row emitted, blacklist and SMTP skipped	has_mx:false, not treated as an error
Port 25 blocked or SMTP timeout	Catch-all reported as unknown	catch_all:null, catch_all_status:"unknown"
DNSBL zone blocks or errors	That zone dropped to unknown, others continue	blacklist_status may be unknown
RDAP unavailable	Falls back to SOA serial, then null	domain_age_source:"soa" or null
One domain throws in a batch	Caught per domain, empty record pushed	other rows unaffected

Limitations

• Catch-all is off by default. The Apify platform blocks outbound SMTP on port 25, so the catch-all probe returns unknown here. Enable attempt_catch_all only when running this actor on infrastructure that permits port 25 egress.
• DNS blacklist coverage is best-effort. Spamhaus and Barracuda block queries from cloud IPs and public resolvers without a paid data-query key, so some zones return unknown. A clean result means clean on the zones that answered, not an authoritative all-clear.
• DKIM uses common-selector probing. DKIM selectors cannot be enumerated from DNS, so the actor checks a fixed list of provider selectors. An empty result means not found on a common selector, not a guarantee that DKIM is absent.
• Domain age depends on the registry. RDAP returns the registration date for most TLDs; some registries omit or redact it, in which case the value is null or an approximate SOA-based fallback.
• Data freshness. Results are cached for 24 hours. Pass skipCache: true for a live audit.

---

Mamba Labs GTM Actor Fleet

Actor	What it does	Price/result
GTM Hiring Signal Scraper	Detects GTM hiring from career pages (Greenhouse, Lever, Ashby)	$0.05
GTM Tech Stack Signal Enrichment	Detects CRM, sequencer, and marketing automation from a public site	$0.015
GTM Signals Aggregator	Combines hiring and tech signals into one composite GTM score	$0.09
Job Board Keyword Signal Scanner	Scans 5 ATS platforms for roles in any category	$0.05
Domain to LinkedIn URL Resolver	Resolves a domain or name to its LinkedIn URL with firmographics	$0.006
ICP Fit Scorer	Scores a company against your ideal customer profile	$0.05
Domain Deliverability Checker	Audits email deliverability: SPF, DKIM, DMARC, MX, health score	$0.005
Company Firmographic Enricher	Enriches a domain into employee band, industry, HQ, revenue	$0.004
Company Social Presence Mapper	Maps a domain to social URLs and follower counts	$0.015
Company Identity Resolver	Resolves name, domain, or LinkedIn into one canonical identity	$0.007
Company Change-Event Feed	Monitors a domain and returns only what changed since last run	$0.06
Funding & Press Signal Scanner	Scans news and press for funding, exec moves, launches, M&A	$0.03

One-install option: the Mamba Labs GTM Suite MCP server exposes eleven of these actors as tools in a single package. Each actor also has its own MCP wrapper.

All actors: apify.com/mambalabs | Website: mambabuilt.com

Built by Mamba Labs.