Labsco
Aiven-Open logo

DMARC MCP Server

from Aiven-Open

DMARC MCP Server provides programmatic read only access to DNS and email authentication data so developers and AI agents can validate DMARC, SPF, and DKIM configurations directly inside MCP compatible tools.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeQuick setup

There's a 88.6% chance your domain can be spoofed right now.Run DMARC Check

DMARC MCP Server

Talk to your DMARC reports

Connect the DMARC MCP server to Claude, Cursor, VS Code or any MCP client and ask your AI assistant about your DMARC aggregate reports, failing senders, DNS history and TLS reports, in plain language. Sign in once: DNS, DMARC, DKIM and SPF lookup tools then work for any domain, no subscription needed.

Connect the MCP server

See pricing

Full per-client instructions live at app.dmarcdkim.com/mcp-instructions

What you can access

Two sets of tools over one MCP server, both behind a single sign-in: account tools that read your stored DMARC data, and free lookup tools that work for any domain with no subscription.

Your account data (paid plan)

DMARC Reports List and read your DMARC aggregate (RUA) reports: reporter, period, and pass/fail counts for SPF, DKIM and DMARC

Failing Senders Drill into per-source records and filter to DMARC, SPF or DKIM failures to find exactly what's breaking

DNS History See snapshots of your domains' DMARC, SPF, DKIM and MX records over time, and what changed

Change Alerts Read notifications about DNS and authentication changes, like a DMARC record being removed or altered

TLS Reports List SMTP TLS reporting (TLS-RPT) reports with successful and failed session totals per period

Free lookups (any domain)

DNS Lookup Look up A, AAAA, MX, TXT, SPF, DKIM, DMARC, PTR, NS, CNAME and WHOIS records for any domain

DMARC Check Validate DMARC and SPF records for any domain with clear error detection

DKIM Check Check a specific DKIM selector for any domain: key type, strength, revocation and syntax

SPF Check Check SPF syntax, the RFC 7208 ten-lookup limit, and circular include references

SPF Merge Merge SPF records or mechanisms into one optimized record with duplicates removed

Connect in under a minute

Pick your editor or agent, Claude Code, Codex, Cursor, VS Code, OpenCode or any MCP client, and run the one-line install. Interactive clients sign in through your browser; scripts and CI can use an API key.

Talk to your DMARC reports

Sign in once and your AI assistant can read your stored DMARC data, no dashboards, no XML. Ask in plain language and let it pull the reports, find the failures, and explain what to fix.

Try a prompt like:

Using DmarcDkim, summarize last week's DMARC reports for example.com β€” total messages, and the DMARC pass rate.

Which sending sources for example.com are failing DMARC right now? List them by message volume and say whether SPF or DKIM is the problem.

Has anything changed in example.com's DNS recently, and were there any DMARC change alerts I should know about?

Pull the latest TLS-RPT report for example.com and tell me if any sessions failed to negotiate TLS.

Connect your domain

MCP tools & use cases

Sign in once for both. Account tools read your stored DMARC data on a paid plan. Lookup tools work for any domain with no subscription. Copy a prompt to try it.

Account tools (your stored data)

DMARC Reports

List your DMARC aggregate (RUA) reports and read any one of them: reporter, period, message volume, and SPF/DKIM/DMARC pass and fail counts. Need the raw XML? Ask for it.

What you get:

  • A list of received reports, newest first, filterable by domain

  • Per-report summary: reporter, date range, totals and pass rate

  • Per-source records to see which senders pass or fail

  • Original report XML on request

Use Cases:

  • Get a weekly DMARC summary without opening a dashboard

  • Track your pass rate over time

  • Compare what different mailbox providers report

  • Hand a report to your AI and ask what to fix first

Example: Prompt

Using DmarcDkim, list my DMARC reports for example.com from the last 30 days, then summarize the overall DMARC pass rate and name the top 3 sending sources by volume.

Examplatory Outcome Found 14 reports for example.com (Jun 1–30). 248,113 messages total, 96.4% DMARC-aligned. Top sources: Google Workspace (181k, 99.9% pass), SendGrid (44k, 97.1%), and an unknown source on 203.0.113.0/24 (12k, 0% pass) β€” likely spoofing or an unauthenticated sender to investigate.

Failing Senders

List individual report records for a domain and filter straight to the failures. The fastest way to answer "who is failing DMARC, and is it SPF or DKIM?"

One row per sending source (IP), newest first

Filter to records that fail DMARC entirely

Filter to SPF-misaligned records

Filter to DKIM-misaligned records

Find unauthenticated or spoofed senders

Tell apart an SPF problem from a DKIM problem

Check who would be blocked before moving to p=reject

Spot a new vendor that isn't authenticated yet

Example: Prompt

Using DmarcDkim, show me the report records for example.com that are failing DMARC. For each source IP, tell me whether SPF or DKIM is the cause and the message count.

Examplatory Outcome 3 sources failing DMARC for example.com: 203.0.113.10 (8,204 msgs β€” SPF not aligned, DKIM absent: likely spoofing), 198.51.100.4 (2,011 msgs β€” DKIM signature present but not aligned: misconfigured vendor), 192.0.2.55 (640 msgs β€” SPF soft-fail: new IP missing from your SPF record).

DNS History & Change Alerts

Read snapshots of your domains' DMARC, SPF, DKIM and MX records over time, and the notifications raised when something changes, so your AI can spot a removed DMARC record or a tampered SPF entry.

DNS record snapshots with values, nameservers, and what's current

Notifications with type, severity and a plain-language message

Filter both by domain

Alert messages localized to your language

Audit when and how a record changed

Catch a DMARC or SPF record that was removed or broken

Review recent alerts in one prompt

Reconstruct a DNS change during an incident

Example: Prompt

Using DmarcDkim, check example.com's DNS history for the last 90 days and list any DMARC or SPF changes, plus any change alerts raised β€” with dates and severity.

Examplatory Outcome 2 changes for example.com: on Jun 12 the SPF record gained include:_spf.newvendor.com (info); on Jun 28 the DMARC policy changed from p=quarantine to p=none (high severity alert β€” enforcement was weakened). 1 open alert: "DMARC policy downgraded", raised Jun 28.

TLS Reports

List SMTP TLS reporting (TLS-RPT) reports and read any one: reporter, period, policy count, and successful versus failed session totals. Catch TLS negotiation problems before they delay mail.

Received TLS-RPT reports, newest first, filterable by domain

Successful and failed session counts per report

Full report detail, with raw JSON on request

Policy counts per reporting period

Spot TLS handshake failures affecting delivery

Confirm MTA-STS and DANE are being honored

See which providers report TLS issues

Track TLS success rate over time

Example: Prompt

Using DmarcDkim, pull the latest TLS-RPT report for example.com and tell me whether any sessions failed to negotiate TLS, with the reporter and the failure count.

Examplatory Outcome Latest TLS-RPT for example.com (Google, Jun 25–26): 19,440 successful sessions, 12 failures β€” all "validation failure" from one sending host, suggesting a certificate or MTA-STS policy mismatch worth checking.

Lookup tools (any domain, free)

DNS Lookup

Performs comprehensive DNS lookups for domains and IP addresses with support for all standard and email authentication record types.

Supported Lookup Types:

Standard records: A, AAAA, MX, TXT, NS, CNAME

Email authentication: SPF, DMARC

Reverse DNS: PTR lookups

Domain information: WHOIS data

Bulk queries: "all" type for multiple records

Verify DNS record configuration

Check email server MX records

Retrieve SPF and DMARC email authentication records

Perform reverse DNS lookups for IP addresses

Retrieve domain WHOIS information

Example: Prompt

Using DmarcDkim, look up the DNS records for example.com β€” A, MX, SPF and DMARC β€” and tell me if anything important is missing for email.

Examplatory Outcome example.com resolves to 192.0.2.1 and 192.0.2.2; MX is mail.example.com (priority 10). SPF: v=spf1 include:_spf.google.com ~all. DMARC: v=DMARC1; p=none; rua=mailto: [emailΒ protected] . Everything is present, but DMARC is at p=none β€” you're monitoring only, not enforcing.

DMARC Check Tool

Validates DMARC policy records and SPF records for a domain with comprehensive error detection and reporting. This tool checks the _dmarc subdomain for DMARC policies and validates SPF record configuration.

What It Checks:

DMARC policy records from _dmarc subdomain

SPF records (TXT records starting with v=spf1)

DMARC configuration errors and syntax issues

DNS record availability and validity

Verify email authentication DNS setup for a domain

Diagnose email delivery issues related to authentication

Check if domain is properly configured for DMARC

Verify SPF records are present and correctly formatted

Get a quick overview of DMARC and SPF status

Example: Prompt

Using DmarcDkim, check the DMARC and SPF setup for example.com and tell me whether it's ready to enforce, with any errors.

Examplatory Outcome DMARC: v=DMARC1; p=quarantine; rua=mailto: [emailΒ protected] β€” valid, enforcing at quarantine. SPF: v=spf1 include:_spf.google.com ~all β€” valid, 4 DNS lookups (within the RFC 7208 limit). No errors. To reach full enforcement, move the policy to p=reject once your reports look clean.

DKIM Check Tool

Checks the DKIM record for a specific selector on a domain. DKIM keys live at ._domainkey, so you give the selector (for example "google" or "selector1"), and the tool resolves the record, parses the tags, and analyzes the public key.

Resolves ._domainkey, following CNAMEs

Key type and bit length (RSA strength)

Syntax errors, weak hashes and testing mode

Revoked keys (empty p= tag) and missing records

Confirm a selector is published and valid

Verify a new selector before rotating keys

Check the key is long enough (2048-bit or more)

Validate a sending vendor's DKIM setup

Example: Prompt

Using DmarcDkim, check the DKIM record for example.com on the "google" selector and tell me if the key is valid and strong enough.

Examplatory Outcome DKIM found at google._domainkey.example.com: v=DKIM1; k=rsa; p=… β€” valid, RSA 2048-bit. Not in testing mode, key not revoked, no syntax issues. This selector is healthy and ready to sign mail.

SPF Check Tool

Validates SPF record syntax, checks DNS lookup count against RFC 7208 limits, and detects circular references.

Validation Features:

Syntax validation and error detection

DNS lookup count (RFC 7208 limit: 10 lookups)

Circular reference detection in include/redirect chains

SPF tree structure parsing with all mechanisms

Validate SPF record before deployment

Ensure compliance with RFC 7208 (10 lookup limit)

Detect configuration errors that could break email delivery

Understand SPF record structure and mechanisms

Example: Prompt

Using DmarcDkim, validate the SPF record for example.com β€” check the syntax, the RFC 7208 ten-lookup limit, and any circular includes.

Examplatory Outcome SPF: v=spf1 include:_spf.google.com include:_spf.salesforce.com include:_spf.mailchimp.com ~all. Problem: 12 DNS lookups required β€” over the RFC 7208 limit of 10, which causes permerror and can break delivery. No circular references found. Fix by flattening or removing an unused include (try SPF Merge).

SPF Merge Tool

Merges multiple SPF records or mechanisms into a single optimized record with duplicate removal and proper formatting.

Features:

Removes duplicate mechanisms

Sorts mechanisms by type and qualifier

Preserves qualifiers (-, ~, +, ?)

Adds recommended "~all" if missing

Handles modifiers (redirect, exp)

Consolidate multiple SPF records into one

Merge SPF records when migrating email providers

Optimize SPF records by removing duplicates

Combine existing domain SPF with new mechanisms

Example: Prompt

Using DmarcDkim, take example.com's current SPF record and merge in ip4:192.168.1.0/24 and include:_spf.newprovider.com, removing duplicates, and give me one record to deploy.

Examplatory Outcome Merged SPF for example.com: v=spf1 include:_spf.google.com include:_spf.newprovider.com ip4:192.168.1.0/24 ~all. Duplicates removed, mechanisms sorted, ~all preserved. Tip: run SPF Check on the result before deploying to confirm it stays within the 10-lookup limit.

Connect Your Domain

Add your domain to start reading your own DMARC reports, DNS history, change alerts and TLS reports through the MCP server. The lookup tools work for any domain with no subscription, once you're signed in.

DMARC MCP Server: Questions & Answers

What is the DMARC MCP server?

It's a Model Context Protocol (MCP) server that lets AI assistants such as Claude, Cursor, VS Code, Codex and other MCP clients work with your email authentication data. After you sign in, your AI can read your stored DMARC aggregate reports, per-source failure records, DNS history, change alerts and TLS-RPT reports. It also exposes free lookup tools (DNS, DMARC, DKIM, SPF check and SPF merge) that work for any domain with no subscription.

Can I really talk to my DMARC reports?

Yes. Once your domain is connected, you can ask your AI in plain language, "summarize last week's DMARC reports", "which senders are failing DMARC", "is it SPF or DKIM?", and it calls the right tools, reads your reports, and explains what to fix. No XML, no dashboard digging.

Do I need a paid plan to use it?

Every tool needs a sign-in, since the server connects to your account over OAuth, but the lookup tools are free. Once signed in, DNS Lookup, DMARC Check, DKIM Check, SPF Check and SPF Merge run against any domain with no subscription. The account tools (DMARC reports, failing senders, DNS history, change alerts and TLS reports) read your own stored data, so they need a connected domain on a paid plan.

Which tools are available?

Account tools (after sign-in): list and read DMARC aggregate reports, list per-source report records with SPF/DKIM/DMARC failure filters, list DNS history snapshots, read domain change notifications, and list and read TLS-RPT reports, including raw XML/JSON on request. Free lookup tools (any domain): DNS Lookup across all record types, DMARC Check, DKIM Check (a specific selector), SPF Check (RFC 7208 limits and circular references), and SPF Merge.

How do I connect it?

Add the MCP server URL to your client and pick your install method on the setup page. Claude Code, Codex and VS Code use a one-line command; Cursor has a 1-click install; OpenCode and other clients paste a small config. Interactive clients sign in through your browser (OAuth); scripts and CI can use an API key instead. Full per-client instructions are at app.dmarcdkim.com/mcp-instructions after you sign in.

Is my data safe?

Interactive clients authenticate with OAuth, your AI tool gets a scoped token after you authorize it, and you can revoke access at any time. API keys carry the same scope. The server only exposes data for the domains in your own organization.

Which AI tools work with it?

Any MCP-compatible client. We provide ready-made setup for Claude Code, Codex, Cursor, VS Code and OpenCode, plus a manual config that works with any other MCP client.