OrbTop

DNS, WHOIS, SPF/DMARC, SSL Domain Audit

DEVELOPER TOOLSAUTOMATIONLEAD GENERATION
Try on Apify

DNS, WHOIS, SPF/DMARC, SSL Domain Audit

Bulk domain audit covering DNS records, WHOIS registration, SPF / DMARC / DKIM email auth, SSL certificates, and reverse DNS. Pure Node, no browser, no proxies — sub-second per domain on most resolvers.

DNS Domain Audit Features

  • Resolves A, AAAA, MX, TXT, NS, SOA, CNAME, CAA, and SRV records in parallel.
  • Pulls WHOIS / RDAP metadata: registrar, created, expires, updated, status, and nameservers.
  • Probes the TLS certificate on port 443 — issuer, expiry, daysToExpiry, SANs, sigAlg, serial.
  • Validates SPF, DMARC, and DKIM records via mailauth and a 10-selector default sweep.
  • Computes a deliverability score (mxScore 0-100) plus an A / B / C / D / F audit grade with an issue list.
  • Optional reverse DNS resolves A / AAAA addresses back to PTR records.
  • Pure Node — no browser, no proxy, no captcha bills. 10,000 domains costs about $50.

Who Uses Domain Audit Data?

  • Sales-ops teams — qualify inbound domains by registration age, registrar, and email-auth posture.
  • DevOps and SRE — monitor SSL expiry windows across portfolios that long since outgrew a spreadsheet.
  • Security analysts — flag missing DMARC, weak SPF, dangling CNAMEs, and CAs without a CAA record.
  • Email deliverability auditors — score SPF / DMARC / DKIM alignment before a campaign launches, not after.
  • M&A due diligence — inventory the domain hygiene of an acquisition target without filing a ticket with IT.

How DNS Domain Audit Works

  1. Paste in a list of domains or URLs. URLs have their host extracted automatically and duplicates are removed.
  2. For each domain the actor runs DNS, WHOIS, TLS, and email-auth probes in parallel with per-check timeouts.
  3. Optional reverse DNS resolves the A / AAAA addresses back to PTRs.
  4. Each row gets a grade (A through D, F when checks fail) and an issues[] list with level, code, and message.

Input

{
  "domains": ["example.com", "github.com", "cloudflare.com"],
  "maxItems": 5,
  "recordTypes": ["A", "AAAA", "MX", "TXT", "NS", "SOA", "CAA"],
  "checkSpfDmarcDkim": true,
  "checkWhois": true,
  "checkSsl": true,
  "reverseDns": false,
  "concurrency": 25
}
Field Type Default Description
domains array required Domains or URLs to audit. URLs have host extracted automatically.
maxItems integer 5 Cap on audited domains after dedup. Range 1-10000.
recordTypes array A, AAAA, MX, TXT, NS, SOA, CNAME, CAA Which DNS record types to query. SRV is also supported.
checkSpfDmarcDkim boolean true Validate email auth records via mailauth.
checkWhois boolean true Look up WHOIS / RDAP registration metadata.
checkSsl boolean true Probe the TLS certificate on port 443.
dkimSelectors array Extra DKIM selectors on top of the default 10.
reverseDns boolean false Resolve A / AAAA addresses back to PTR records.
concurrency integer 25 Parallel domain audits. Hard cap at 50 to avoid resolver throttling.

DNS Domain Audit Output Fields

{
  "domain": "cloudflare.com",
  "dns": {
    "A": ["104.16.132.229", "104.16.133.229"],
    "MX": ["10 mailstream-east.mxrecord.io"],
    "TXT": ["v=spf1 ip4:199.15.212.0/22 include:_spf.google.com ~all"],
    "NS": ["ns3.cloudflare.com", "ns4.cloudflare.com"],
    "CAA": ["issue: digicert.com"]
  },
  "whois": {
    "domain": "cloudflare.com",
    "created": "2009-02-17T22:07:54Z",
    "expires": "2033-02-17T22:07:54Z",
    "registrar": "CloudFlare, Inc.",
    "nameservers": ["ns3.cloudflare.com", "ns4.cloudflare.com"]
  },
  "email": {
    "spfRecord": "v=spf1 ip4:199.15.212.0/22 include:_spf.google.com ~all",
    "spfValid": true,
    "dmarcRecord": "v=DMARC1; p=reject; rua=mailto:dmarc@cloudflare.com",
    "dmarcPolicy": "reject",
    "dkimResults": { "google": { "found": true, "record": "v=DKIM1; k=rsa; p=..." } },
    "mxScore": 100
  },
  "ssl": {
    "issuer": "Google Trust Services / WE1",
    "validFrom": "2026-03-12T20:59:51.000Z",
    "validTo": "2026-06-10T21:59:46.000Z",
    "daysToExpiry": 41,
    "sans": ["cloudflare.com", "*.cloudflare.com"],
    "sigAlg": "prime256v1"
  },
  "reverseDns": { "ips": [], "ptrs": [] },
  "audit_summary": {
    "grade": "A",
    "issues": [{ "level": "info", "code": "no-caa", "message": "..." }]
  },
  "audited_at": "2026-04-30T12:00:00Z",
  "errors": []
}
Field Type Description
domain string Audited domain (host extracted if a URL was provided).
dns object Records keyed by type (A, AAAA, MX, TXT, NS, SOA, CNAME, CAA, SRV).
whois object created, expires, updated, registrar, status, nameservers.
email object spfRecord, spfValid, dmarcRecord, dmarcPolicy, dkimResults, mxScore (0-100).
ssl object issuer, subject, validFrom, validTo, daysToExpiry, sans, sigAlg, serialNumber.
reverseDns object ips and resolved ptrs (empty unless reverseDns=true).
audit_summary object grade (A/B/C/D/F) plus issues[] with level, code, message.
audited_at string ISO timestamp the audit completed.
errors array Labels for any check that failed (e.g. whois, ssl, dkim).

Common issue codes: no-spf, weak-spf, no-dmarc, dmarc-none, no-dkim, ssl-expired, ssl-expiring, ssl-expiring-soon, whois-expired, whois-expiring, no-caa.

Pricing

Single DATA_RECORD event — every audited domain bills at the same flat rate. Five DNS lookups, a WHOIS lookup, a TLS handshake, and a mailauth pass cost $0.005.

Event Price
Actor start $0.10
Per audited domain $0.005
Volume Cost
100 domains $0.60
1,000 domains $5.10
10,000 domains $50.10

Limits

  • maxItems caps at 10,000 per run; the resolver is the bottleneck, not the actor.
  • The Apify console tester has a 5-minute timeout — keep maxItems low (default 5) when testing in-browser.
  • concurrency caps at 50 to avoid public DNS resolver rate limits. Self-hosted resolvers can go higher with care.
  • WHOIS data quality varies by TLD. Some registries return sparse fields; the actor surfaces what the registry actually serves.
  • Reverse DNS is opt-in because most A records have no PTR set.
  • DKIM probes a 10-selector default list. If you use a non-standard selector, add it via dkimSelectors.

Related Actors

  • SSL & Security Headers Checker — pairs with this actor for full TLS-and-headers grading per URL.
  • Sitemap Walker Pro — discover URLs for a domain that you then audit here.
  • Structured Data Validator Pro — same primitive shape for SEO-side audits.

Need More Features?

Need extra DKIM selectors, custom record types, or a private resolver endpoint? File an issue or get in touch.

Why Use DNS Domain Audit?

  • Cheap — $0.005 per domain. 10,000 domains costs about a fast-food lunch.
  • Complete — DNS, WHOIS, SSL, and email auth in a single row, with a sortable grade. Most tools make you stitch three APIs together to get the same picture.
  • No proxies, captchas, or browsers — pure Node lookups. Nothing to break, nothing to debug at 3am.

Built by OrbTop.

Try on Apify