Open Source · AI Published

Domain Security MCP Server

A TypeScript MCP server that gives an AI agent 19 read-only tools to audit the email and DNS security of any domain (SPF, DKIM, DMARC, DNSSEC, WHOIS…), with no API keys.

Role
Design & Development
Year
2026
Published
7 June 2026

domain-security-mcp-server is a TypeScript MCP (Model Context Protocol) server that gives an AI agent —like Claude— 19 read-only tools to audit the email and domain security of any domain: SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, DNSSEC, CAA, DNS, MX, WHOIS, SSL/TLS, blocklists (DNSBL), DNS propagation and email-header analysis. No API keys — everything runs on public DNS, TLS and WHOIS.

It grew out of a connected thread of work: a domain-security guide, then a collection of web tools, and finally this server that exposes the same capability to an agent. The network logic (DNS resolution, SPF/DMARC parsing, validation) lives in a shared core that powers both the ortamarco.me web tools and the MCP server.

Features

  • 19 tools with typed output: each tool declares an inputSchema and outputSchema (Zod) and returns SDK-validated structuredContent alongside readable markdown.
  • Headline email_auth_audit tool: audits SPF + DKIM + DMARC + MX in one call and returns an A–F grade with prioritised fixes.
  • Two transports: stdio for local clients (Claude Desktop / Claude Code) and stateless Streamable HTTP for self-hosting behind a reverse proxy (Coolify/Traefik), with a Dockerfile included.
  • No API keys and no side effects: every tool is read-only over public DNS, TLS, WHOIS and HTTPS.
  • Hardened and tested: an independent code review (which caught an SSRF and an SPF-parsing bug), a smoke test that validates all 19 outputs against their schema, and a 10-question evaluation suite that measures how well an LLM can use it.
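
To make the headline tool concrete, here is an added example (not the project's own code) of the kind of SPF/DMARC checks and A–F grading an email_auth_audit-style tool performs, written in plain TypeScript with no network access and no MCP SDK. The point weights, thresholds and fix wording are illustrative assumptions; the input records in the accompanying checks are constructed sample data, not results from any real domain.

```typescript
// Added example, not the project's code: a self-contained sketch of SPF/DMARC checks and
// A-F grading in the spirit of email_auth_audit. Weights and thresholds are assumptions.
interface AuthInput {
  spf: string | null;          // TXT record starting with v=spf1, or null if absent
  dmarc: string | null;        // TXT record found at _dmarc.<domain>, or null if absent
  dkimSelectorsFound: number;  // DKIM selectors that resolved to a public key
  mxCount: number;             // number of MX records
}
interface AuthReport { grade: "A" | "B" | "C" | "D" | "F"; fixes: string[] }
// SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
const LOOKUP_TERM = /^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=/i;
function spfLookupCount(record: string): number {
  return record.trim().split(/\s+/).filter((t) => LOOKUP_TERM.test(t)).length;
}
// Splits "v=DMARC1; p=reject; rua=mailto:x" into lowercase-keyed tag/value pairs.
function parseDmarcTags(record: string): Record<string, string> {
  const tags: Record<string, string> = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function auditEmailAuth(input: AuthInput): AuthReport {
  const fixes: string[] = [];
  let score = 100;
  const penalise = (points: number, fix: string) => { score -= points; fixes.push(fix); };
  if (input.mxCount === 0) penalise(10, "No MX records: the domain cannot receive mail");
  if (!input.spf) penalise(35, "Publish an SPF record (v=spf1 ... -all)");
  else {
    const terms = input.spf.trim().split(/\s+/);
    if (terms[0].toLowerCase() !== "v=spf1") penalise(35, "SPF record must start with v=spf1");
    if (spfLookupCount(input.spf) > 10) penalise(20, "SPF exceeds the 10 DNS-lookup limit (permerror)");
    const all = terms[terms.length - 1].toLowerCase();
    if (all === "+all" || all === "all") penalise(30, "SPF ends in +all: any host may send as this domain");
    else if (all === "?all") penalise(10, "SPF ends in ?all (neutral); prefer ~all or -all");
  }
  if (input.dkimSelectorsFound === 0) penalise(20, "No DKIM selector found; publish a DKIM public key");
  if (!input.dmarc) penalise(30, "Publish a DMARC record at _dmarc.<domain>");
  else {
    const tags = parseDmarcTags(input.dmarc);
    if (tags["v"] !== "DMARC1") penalise(30, "DMARC record must start with v=DMARC1");
    if (!tags["p"]) penalise(20, "DMARC record is missing the required p= tag");
    else if (tags["p"] === "none") penalise(15, "DMARC p=none only monitors; move to quarantine or reject");
    if (!tags["rua"]) penalise(5, "Add rua= so aggregate reports are delivered");
  }
  const grade = score >= 90 ? "A" : score >= 80 ? "B" : score >= 65 ? "C" : score >= 50 ? "D" : "F";
  return { grade, fixes };
}
```

In the real server the four inputs would come from DNS lookups (TXT, MX, and the DKIM selector names) before being handed to the grading step.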

Tech stack

  • TypeScript (strict, no any, outputSchema on all 19 tools)
  • @modelcontextprotocol/sdk with the modern registerTool API and server-level instructions
  • Zod for input and output validation
  • Express for the stateless HTTP transport
  • Node.js (public DNS, DNS-over-HTTPS, TLS/WHOIS sockets, geoip-lite)
  • Docker for self-hosted deployment

Repository

View on GitHub →

Goal

To show, end to end, how a production-grade agentic building block is made: from domain knowledge (email security) to reusable tools, and from there to an MCP server an AI agent can orchestrate — with strict typing, two transports, security and tests.
