DNS + email auth, MCP native

Email authentication your AI operator can actually run.

Authwright turns DMARC, SPF, DKIM, MTA-STS, BIMI, and registrar DNS work into governed MCP tools. Lookup watches the domain book: snapshot first, write only when authorized, roll back when needed.

Public check, no signup

DMARC / SPF / DKIM / MTA-STS / MX

GODADDY / NAMECHEAP / CLOUDFLARE / PORKBUN / ROUTE 53

One workflow across the registrar mix agencies already inherited.

Deliverability for acme.com: C+ (64/100)

SPF (warn): 9/10 lookups used
DKIM (fail): selector missing on 2 senders
DMARC (warn): policy still at p=none
MTA-STS (fail): policy host not found

Proposed changeset

+ TXT _dmarc "v=DMARC1; p=quarantine; rua=..."

- stale SPF include:spf.oldvendor.example

+ CNAME mta-sts - authwright managed policy host

Claude Code / MCP · authwright
> Run Email EasyPass on acme.com.
Lookup connected.
[ok] snapshot saved
[ok] 4 DNS fixes proposed
[ok] registrar write gate checked
[ok] rollback plan attached

Waiting for human approval.

November 2025

Gmail stopped asking nicely.

As of November 2025, Gmail and Yahoo reject non-compliant bulk email outright. Not spam-folder. Rejected at the SMTP edge. If your clients send outbound mail from a domain without valid DMARC, aligned SPF, and a proper DKIM signature, it doesn't land. It bounces.

Forty percent of IT leaders surveyed called DMARC deployment “too complex to own internally.” EasyDMARC alone reports 83,000 businesses and 175,000 domains on the meter. The market moved. The question is whether your agency is the one who fixes it for your book — or the one whose clients go elsewhere when their invoices stop arriving.

A missed DMARC record is now a missed invoice, a missed lead, and a missed appointment. Every day.

Email EasyPass

One call. The whole stack. Any domain.

Email EasyPass is Authwright's flagship product: TSA PreCheck for your mail. Under the hood it's the email_auth_wizard MCP tool. Your LLM calls it with a domain. It handles the rest:

  1. Reads

    The current state — existing SPF, DKIM selectors, DMARC policy, MX, MTA-STS status, BIMI record.

  2. Diagnoses

    The gaps against the current Gmail and Yahoo requirements — SPF ten-lookup limit, DKIM key length, alignment mode, policy enforcement.

  3. Writes

    Corrected records directly to the registrar — GoDaddy, Namecheap, Cloudflare, Porkbun, Route 53.

  4. Hosts

    The MTA-STS policy file at mta-sts.{your-client-domain}. We run the infrastructure, you get the credit.

  5. Waits

    For global DNS propagation and verifies end-to-end.

  6. Ingests

    DMARC aggregate reports on an ongoing basis and summarizes them in plain language.

You don't leave your editor. Your tech doesn't leave their terminal. The client doesn't have to learn what a TXT record is.

MCP, not SaaS

If your team lives in Claude, Cursor, or ChatGPT, this is the tool your stack was missing.

Every other DMARC vendor shipped a web dashboard in 2019 and never looked up. Authwright is built as a Model Context Protocol server — which means it's callable directly from the AI environments your operators already use.

A tech in Cursor can resolve a deliverability ticket without opening a browser tab. A founder in Claude can onboard a new client domain in a single prompt.

This is not a wrapper around someone else's API. It's a first-class MCP server designed for the way technical teams actually work in 2026.

Claude Code · Lookup online
> Set up DMARC on acme.com with a reject policy.

Lookup calling email_auth_wizard...
  [ok] diagnose - score 32/100
  [ok] propose - 4 changes (SPF, DKIM, DMARC, MTA-STS)
  [ok] apply   - GoDaddy adapter, snapshot saved
  [ok] host    - mta-sts.acme.com live
  [ok] propagation - 8/8 resolvers
  [ok] re-diagnose - score 94/100

Email EasyPass complete in 47s.

What makes it different

Four things nobody else bundles.

  • LLM-callable, not click-callable.

    Native MCP server. Works in Claude Desktop, Claude Code, Cursor, Windsurf, and any MCP-compatible client. No dashboard tax.

  • We host your MTA-STS policy.

    MTA-STS requires a policy file served over HTTPS at a specific subdomain. Every other vendor tells you to set it up yourself. We host it, we rotate the certificate, we version the policy. Bundled.

  • SPF flattening for the 10-lookup limit.

    SPF caps at ten DNS lookups. Most growing domains blow through that silently. Authwright flattens, monitors, and re-flattens as upstream providers change their records. You don't get paged at 2 a.m.

  • Every registrar, one EasyPass.

    GoDaddy, Namecheap, Cloudflare, Porkbun, Route 53 — same call signature, same result. If you manage a portfolio of domains across vendors, you already know why this matters.
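The ten-lookup limit and flattening from the SPF bullet above, as an added example (not Authwright's code): it counts the DNS-querying terms reachable from a record and inlines the includes that resolve to IP ranges only. The zone contents and the function names are assumptions made for the illustration, and nested terms are assumed to use the default `+` qualifier.

```python
ZONE = {  # constructed placeholder records standing in for live TXT lookups (added example)
    "acme.example": "v=spf1 mx a include:mail.example include:crm.example include:desk.example ~all",
    "mail.example": "v=spf1 include:_a.mail.example ip4:203.0.113.0/25 ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
    "crm.example": "v=spf1 include:_c.crm.example a:out.crm.example mx ~all",
    "_c.crm.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "desk.example": "v=spf1 exists:%{i}._ok.desk.example ptr ~all",
}
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4

def terms(record):
    """Yield (mechanism, target) per term, with qualifier and CIDR stripped from the name."""
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        yield name.split("/")[0].lower(), target

def count_lookups(domain, zone, depth=0):
    """Count the DNS-querying terms an evaluator meets, following include and redirect."""
    total = 0
    for name, target in terms(zone.get(domain, "v=spf1")):
        total += name in QUERYING
        if name in ("include", "redirect") and depth < 10:  # depth cap stops include loops
            total += count_lookups(target, zone, depth + 1)
    return total

def flatten(domain, zone):
    """Return the ip4/ip6 terms behind an include, or None when it needs live DNS."""
    if domain not in zone:
        return None                    # unknown record: leave the include in place
    ips = []
    for name, target in terms(zone[domain]):
        nested = flatten(target, zone) if name == "include" else None
        if name in ("ip4", "ip6"):
            ips.append(f"{name}:{target}")
        elif nested is not None:
            ips += nested
        elif name != "all":            # a, mx, ptr, exists, or an include that is not IP-only
            return None
    return ips

def flattened_record(domain, zone):
    """Inline every plain top-level include whose tree is IP-only; keep the rest."""
    out = []
    for raw in zone[domain].split()[1:]:
        inline = flatten(raw[8:], zone) if raw.lower().startswith("include:") else None
        out += inline if inline is not None else [raw]
    return "v=spf1 " + " ".join(out)
```

The flattened record is a snapshot of the provider's ranges at the time it was built, which is why it has to be regenerated when the upstream records change.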

Beyond email auth

DMARC is where it starts. The MCP is your entire domain management solution.

Once Authwright is in your MCP session, the LLM has 42 tools across DNS, SSL, domain registration, bulk operations, and health diagnostics — every major registrar, one call signature.

  • Bulk DNS at portfolio scale

    Push records across fifty client domains in one call. Diff before write. Rollback snapshot every time.

    bulk_update_dns · dns_changeset_preview · replace_dns_records

  • SSL certificate lifecycle

    List, request, reissue, renew, revoke. Expiry sweeps flag anything due in 45 days — before it pages somebody.

    check_certificate_expiry · renew_certificate · reissue_certificate

  • Defensive registration at scale

    Suggestions, bulk availability, purchase with privacy — lock down the lookalike neighborhood in one conversation.

    get_domain_suggestions · bulk_check_availability · purchase_domain

  • DNSSEC without the dashboard slog

    Enable, verify, disable DNSSEC across any supported registrar — same call signature, different backend.

    enable_dnssec · get_dnssec · disable_dnssec

Self-service setup

Create the workspace, prove the domain, connect keys, then install MCP.

  1. Step 1: Create a workspace.

    Sign in with Google, Microsoft, or a magic link. First login creates a free workspace automatically.

  2. Step 2: Add and prove a domain.

    Save a domain, publish the one-time TXT proof, then verify ownership in the portal.

  3. Step 3: Connect registrar keys.

    Paste GoDaddy API key and secret or a Cloudflare API token into the broker-owned ingest form.

  4. Step 4: Generate MCP access.

    Issue a workspace-scoped bridge token for Claude Code, Cursor, Codex, or VS Code and start running governed DNS workflows.

Pricing

Priced for the way agencies actually work.

Per-agency pricing, not per-seat. Every tier includes MTA-STS hosting, SPF flattening, DMARC report ingestion, and multi-registrar support.

Team (recommended): $99/mo
25 domains · 5 registrars
  • RBAC + SSO
  • Up to 10 seats
  • 30-day snapshots

Free: $0/mo
1 domain · 1 registrar
  • Public audit, unlimited
  • MCP server access
  • 7-day snapshots

Pro: $29/mo
5 domains · 1 registrar
  • Everything in Free
  • 30-day snapshots
  • Email + chat support

Agency: $299/mo
100 domains · 15 registrars
  • Multi-tenant workspaces
  • Priority support

Agency Plus: $799/mo
500 domains · unlimited
  • Dedicated success mgr
  • 99.95% SLA

Enterprise: Talk to us
500+ · unlimited
  • Custom contract
  • VPC peering

All tiers include: DMARC / SPF / DKIM / MTA-STS / BIMI automation, hosted MTA-STS policy, SPF flattening, DMARC aggregate report ingestion, multi-registrar support, Claude/Cursor/ChatGPT MCP compatibility. Start free. Upgrade, downgrade, or cancel from the portal.


Free public audit

Not ready to sign up? Audit a domain in 30 seconds.

Drop any domain into our free checker. We'll show you the current DMARC posture, SPF lookup count, DKIM selector status, MTA-STS presence, and a grade against the current Gmail and Yahoo requirements. No login. No email gate. No upsell pop-up.


FAQ

Questions MSPs actually ask.

Q1. We already use EasyDMARC / Dmarcian / Valimail. Why switch?
You probably don't need to switch wholesale on day one. Authwright's starting point is the MCP interface and the bundled MTA-STS hosting. If your team works in Claude or Cursor and you're tired of paying extra for MTA-STS hosting or configuring it by hand, Authwright replaces the painful parts without forcing a full migration. Many teams run us alongside their existing reporting tool first and then consolidate.
Q2. Is this just a wrapper around an existing DMARC vendor?
No. Authwright talks directly to registrar APIs and operates its own MTA-STS hosting infrastructure. Report ingestion is our own parsing pipeline. There is no upstream SaaS we're reselling.
Q3. What does “MCP server” actually mean for my workflow?
It means your engineers call Authwright from inside Claude Desktop, Claude Code, Cursor, Windsurf, or any other MCP-compatible client. Instead of logging into a dashboard and clicking through a wizard, they type “set up DMARC on acme.com with a reject policy” and the model calls our email_auth_wizard tool. You can also script it headlessly.
Q4. What if my client is on a registrar you don’t support yet?
At launch we cover GoDaddy, Namecheap, Cloudflare, Porkbun, and Route 53, which map to the overwhelming majority of agency books. If your registrar isn't covered yet, start with the supported path or email founder@authwright.com. Signed-in workspace requests drive adapter priority.
Q5. How does the MTA-STS hosting work? Is it secure?
We serve the policy file over HTTPS at mta-sts.{your-client-domain} via a CNAME we set up during an Email EasyPass run. Certificates are issued via Let's Encrypt and rotated automatically. Policies are versioned and you can roll back in a single call. The hosted file contains no secrets — it's a public policy document by design.
Q6. Can I white-label this for my clients?
White-label is on the roadmap for the Agency Plus and Enterprise tiers. If you need it now, email founder@authwright.com from the workspace owner address.
Q7. What about BIMI and VMCs?
Authwright will generate and publish your BIMI record and help you stage the logo file. We don't issue the Verified Mark Certificate — that's a separate purchase from a certificate authority like DigiCert or Entrust — but we handle every piece on either side of it.
Q8. How do you handle registrar API credentials?
Credentials are encrypted at rest in Azure Key Vault, scoped per-domain where the registrar API supports it, and never logged. We recommend creating a dedicated API user on each registrar for Authwright. Full detail lives in the security doc we send during onboarding.
Q9. What happens to DMARC aggregate reports?
Your DMARC record gets a rua= pointing to an Authwright-hosted address. We parse incoming XML, deduplicate, aggregate by source, and surface the results to your LLM as structured data. You can ask Claude “show me the top five failing sources for acme.com this week” and get a real answer.
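The parse, deduplicate and aggregate-by-source steps from this answer, as an added example that is not Authwright's pipeline. It assumes reports are already decompressed and use the un-namespaced RFC 7489 element names; the sample reports, addresses and function names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def sample(org, report_id, rows):
    """Build a constructed aggregate report (demo data, not a real receiver's output)."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>"
        for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name>"
            f"<report_id>{report_id}</report_id></report_metadata><policy_published>"
            f"<domain>acme.example</domain></policy_published>{records}</feedback>")

REPORT_A = sample("receiver-one.example", "r-1001", [
    ("203.0.113.7", 120, "pass", "pass"),
    ("198.51.100.23", 40, "fail", "fail"),
    ("192.0.2.9", 5, "fail", "pass")])       # aligned SPF alone is enough for a DMARC pass
REPORT_B = sample("receiver-two.example", "r-2002", [
    ("198.51.100.23", 10, "fail", "fail"), ("203.0.113.99", 3, "fail", "fail")])
INBOX = [REPORT_A, REPORT_A, REPORT_B]       # REPORT_A was delivered twice

def parse_report(xml_text):
    """Return (report key, policy domain, [(source_ip, count, dmarc_pass)])."""
    # The rua mailbox is public, so reports are untrusted input: refuse DTDs and entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    key = (root.findtext("report_metadata/org_name"), root.findtext("report_metadata/report_id"))
    rows = []
    for row in root.iterfind("record/row"):
        ev = row.find("policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        rows.append((row.findtext("source_ip"), int(row.findtext("count")), passed))
    return key, root.findtext("policy_published/domain"), rows

def top_failing_sources(reports, domain, n=5):
    """Sum failing message counts per source IP across de-duplicated reports."""
    seen, failures = set(), Counter()
    for xml_text in reports:
        key, policy_domain, rows = parse_report(xml_text)
        if policy_domain != domain or key in seen:
            continue                          # other domain, or a re-delivered report
        seen.add(key)
        for ip, count, passed in rows:
            if not passed:
                failures[ip] += count
    return failures.most_common(n)
```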
Q10. Who’s behind this?
Authwright is built by Milton Hubbard. Background: infrastructure, MCP ecosystem, domain/DNS tooling. The product grew out of a production GoDaddy MCP server already in use. Founder email is founder@authwright.com and it reaches a human.

Start here

Create your workspace and connect a registrar.

There is no separate sales form. Sign in, land in a free workspace, add a domain, prove ownership, then connect registrar API keys from the portal. Upgrade only when you need more domains.