DNS & email security scanner — 51 tools for SPF, DMARC, DKIM, DNSSEC, SSL, and more.
DNS & email security scanner — 51 tools for SPF, DMARC, DKIM, DNSSEC, SSL, and more.
dns · v2.9.2
by Blackveilsecurity.com
BLACKVEIL DNS
Know where you stand.
Open-source DNS & email security scanner for Claude, Cursor, VS Code, and MCP clients across Streamable HTTP, stdio, and legacy HTTP+SSE.
Try it in 30 seconds
Claude Desktop (one-click install):
Download the Blackveil DNS extension and open it — all 51 tools available instantly. Verify your download.
Claude Code (one command):
claude mcp add --transport http blackveil-dns https://dns-mcp.blackveilsecurity.com/mcp
Then ask: scan anthropic.com
Smithery (one command):
smithery mcp add MadaBurns/bv-mcp
Verify the endpoint is live:
curl https://dns-mcp.blackveilsecurity.com/health
No install. No API key. One URL for hosted HTTP:
Endpoint https://dns-mcp.blackveilsecurity.com/mcp
Transport Streamable HTTP · JSON-RPC 2.0
Auth None required
Transport support:
Streamable HTTP:POST /mcp,GET /mcp,DELETE /mcpNative stdio:blackveil-dns-mcpCLI from theblackveil-dnsnpm packageLegacy HTTP+SSE:GET /mcp/ssebootstrap stream plusPOST /mcp/messages?sessionId=...
What you get
- 80+ checks across 20 categories — SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-STS, NS, CAA, MX, BIMI, TLS-RPT, subdomain takeover, lookalike domains, HTTP security headers, DANE, shadow domains, TXT hygiene, MX reputation, SRV, zone hygiene
- Maturity staging — Stage 0-4 classification (Unprotected to Hardened) with score-based capping to prevent inflated labels
- Trust surface analysis — detects shared SaaS platforms (Google, M365, SendGrid) and cross-references DMARC enforcement to determine real exposure
- Guided remediation —
generate_fix_planproduces provider-aware prioritized actions; record generators output ready-to-publish records;validate_fixconfirms whether a fix was applied successfully - Supply chain mapping —
map_supply_chaincorrelates DNS signals to build a full third-party dependency graph with trust levels and risk signals - Attack path simulation —
simulate_attack_pathsenumerates specific paths (spoofing, takeover, hijack) with severity, steps, and mitigations - Compliance mapping —
map_compliancemaps scan findings to NIST 800-177, PCI DSS 4.0, SOC 2, and CIS Controls - Self-tuning scoring — adaptive weights adjust category importance based on patterns seen across scans via Durable Object telemetry
- Per-tier analytics — usage tracking by auth tier with operator API for tier summaries, key-level usage, and daily digests
- Passive and read-only — all checks use public Cloudflare DNS-over-HTTPS; no authorization required from the target
Tools
51 MCP tools · 7 prompts · 6 resources
Email Auth Infrastructure Brand & Threats Meta
──────────── ──────────────── ───────────────── ──────────────────────
check_spf check_dnssec check_bimi scan_domain
check_dmarc check_ns check_tlsrpt batch_scan
check_dkim check_caa check_lookalikes compare_domains
check_mta_sts check_ssl check_shadow_domains compare_baseline
check_mx check_http_security explain_finding
check_mx_reputation check_dane Intelligence
check_subdomailing check_dane_https ────────────── Remediation
check_svcb_https get_benchmark ──────────────
DNS Hygiene check_srv get_provider_ generate_fix_plan
──────────── check_zone_hygiene insights generate_spf_record
check_txt_hygiene check_resolver_ assess_spoofability generate_dmarc_record
consistency map_supply_chain generate_dkim_config
resolve_spf_chain generate_mta_sts_policy
discover_subdomains generate_rollout_plan
map_compliance validate_fix
simulate_attack_paths
analyze_drift
+ check_subdomain_takeover (internal — runs inside scan_domain)
Quality & Reliability
The server is continuously validated using a comprehensive chaos test suite that covers all detected MCP client types:
- Interactive clients:
claude_mobile,claude_code,cursor,vscode,claude_desktop,windsurf(auto-format:compact) - Non-interactive clients:
mcp_remote,blackveil_dns_action,bv_claude_dns_proxy,bv_load_test,unknown(auto-format:full)
The bv_load_test class identifies internal load/chaos/tranco-scan traffic so it stays out of real-client analytics segments.
The test suite ensures session stability, authentication precedence, and transport-specific edge cases across Streamable HTTP and Legacy SSE.
Run the chaos tests locally: python3 scripts/chaos/chaos-test-clients.py
Architecture
MCP Client
│
│ POST /mcp (JSON-RPC 2.0)
│
┌───▼──────────────────────┐
│ Cloudflare Worker │
│ │
│ Hono ─► Origin check │
│ ─► Auth │
│ ─► Rate limiting │
│ ─► Session mgmt │
└───┬──────────────────────┘
│
┌───▼──────────────────────┐
│ Tool Handlers │
│ 16 checks in parallel │
└───┬──────────────────────┘
│
┌───▼──────────────────────┐
│ Generic Scoring Engine │
│ Three-tier model │
└───┬──────────────────────┘
│
┌───▼──────────────────────┐
│ Cloudflare DoH │
│ DNS-over-HTTPS │
└──────────────────────────┘
- Generic Scoring Engine: Runtime-agnostic, string-keyed three-tier scoring with configurable weights
- WASM Policy Engine: High-performance permission and token checks via
bv-wasm-core - Reliable Sessions: Hardened tombstone logic prevents race-condition revival of terminated sessions
- Adaptive Scoring: Durable Object telemetry adjusts weights based on real-world distributions
- Client Awareness: Automatic response formatting (
compactvsfull) based on clientUser-Agent
Client setup
The free tier requires no authentication. Authenticated requests bypass per-IP rate limits and follow your tier's daily quota. Three authentication methods are supported:
- Header:
Authorization: Bearer <KEY> - Query Param:
?api_key=<KEY>(for clients that can't send custom headers — Smithery, Claude Code) - OAuth 2.1: authorization-code flow with PKCE, discovered via
/.well-known/oauth-authorization-server— used by the Claude mobile custom connector.
For full hosted setup examples, stdio usage, OAuth setup, and legacy fallback endpoints, see docs/client-setup.md.
Pricing
| Free | Pro | Enterprise | |
|---|---|---|---|
| Price | $0 | $39/mo | Contact us |
| Scans/day | 75 | 500 | 10,000+ |
| Checks/day | 200 | 5,000 | Unlimited |
| Rate limit | 50 req/min | None | None |
| API access | Yes | Yes | Yes |
| MCP access | Yes | Yes | Yes |
Example prompts
These demonstrate core functionality — paste any of them into Claude with the Blackveil DNS connector enabled:
| Prompt | What it does |
|---|---|
Scan blackveilsecurity.com and tell me what needs fixing |
Full security audit — score, grade, prioritized findings |
Compare the email security of google.com and microsoft.com |
Side-by-side comparison of two domains' postures |
Generate a DMARC record for example.com with reject policy |
Produces a ready-to-publish DNS record |
What attack paths exist for example.com? |
Enumerates spoofing, takeover, and hijack vectors |
Map example.com's compliance against NIST 800-177 |
Maps findings to compliance framework controls |
Support
- Bug reports & feature requests: GitHub Issues
- Security vulnerabilities: security@blackveilsecurity.com (see SECURITY.md)
- General questions: GitHub Discussions
Responsible use
This tool is intended for authorized security assessments of domains you own or have explicit permission to test. Do not use it for unauthorized reconnaissance, harassment, or any activity that violates applicable laws. Findings from attack simulation, spoofability, and subdomain discovery tools should be used to improve your own security posture, not to exploit others.
If you discover a vulnerability in a third-party domain, please follow coordinated disclosure practices.
Built and maintained by BLACKVEIL — NZ-owned cybersecurity consultancy.
Privacy Policy · License (BUSL-1.1 → MIT on 2030-03-17)