42 tools · one MCP server

Authwright isn't just DMARC. It's your entire domain management solution.

Email authentication is where most teams start. The rest of the surface area handles the day-to-day grind of managing domains at portfolio scale — DNS edits, SSL renewals, bulk operations, health audits, defensive registrations — all callable from the same MCP session your team already has open.

Start freeSee the 42 tools ↓

8

Email auth

10

DNS

9

Domains

7

SSL / TLS

6

Bulk

2

Health

Tool surface

Six categories. One MCP session.

Email EasyPass is the headline, but Authwright exposes the full domain-management surface — so the same LLM that fixes your DMARC can also renew the SSL cert, add a CNAME, and audit the portfolio.

  • 8 tools

    Email authentication

    Email EasyPass — the flagship. DMARC/SPF/DKIM/MTA-STS/BIMI set up and enforced across any registrar in one call.

    email_auth_wizardflatten_spfsetup_mta_sts_hosting+5 more

    Example prompt

    Get example.com to DMARC enforcement with MTA-STS hosted and SPF flattened.

  • 10 tools

    DNS records

    Read, preview, and write any record type on GoDaddy, Namecheap, Cloudflare, Porkbun, or Route 53 — with diffs before the write.

    dns_changeset_previewreplace_dns_recordsenable_dnssec+7 more

    Example prompt

    Show me the diff, then add an A record for api pointing at 203.0.113.10, TTL 300.

  • 9 tools

    Domain portfolio

    Inventory, availability, purchase, renewal, contacts, privacy — the lifecycle without the registrar dashboard.

    list_domainspurchase_domainupdate_domain_contacts+6 more

    Example prompt

    Register acme-support.com, acme-help.com, and acme-billing.com with privacy on and point them at our web app.

  • 7 tools

    SSL / TLS lifecycle

    Provision, renew, reissue, revoke — and proactively surface certs that are about to expire across the whole portfolio.

    check_certificate_expiryrenew_certificatereissue_certificate+4 more

    Example prompt

    List any cert expiring in the next 45 days across our domains and queue renewals.

  • 6 tools

    Bulk operations

    Portfolio-scale moves without N round-trips. Availability sweeps, DNS pushes, renewals, privacy flips, analysis, export.

    portfolio_analysisbulk_update_dnsexport_portfolio+3 more

    Example prompt

    Run portfolio analysis, then flip WHOIS privacy on for anything still public.

  • 2 tools

    Health + diagnostics

    A scored 0-100 report per domain — expiry, DNSSEC, SSL, MX, SPF, DKIM, DMARC, MTA-STS, BIMI, blacklist, nameserver drift — with async DNSBL checks.

    domain_health_checkdiagnose_email

    Example prompt

    Full health check on every domain in our portfolio — rank by risk score and flag anything under 70.

Example workflows

The high-leverage moves, in plain English.

These are the workflows self-service teams ask about first. Each is a real sequence the LLM composes from the 42-tool surface — no custom code, no dashboard hopping, no registrar-specific gotchas.

  1. 01

    Bulk DMARC rollout across 50 client domains

    You just inherited 50 domains from a new client. Gmail has been rejecting non-compliant mail since November 2025. Deliverability is already bleeding.

    50 domains at p=reject with MTA-STS hosted and SPF flattened. One afternoon.

    tool sequence
    01  portfolio_analysis  # inventory current email-auth posture
02  email_auth_diagnose  # score each domain 0-100
03  email_auth_wizard  # batch upgrade everything under 80
04  wait_for_propagation  # verify across 8 global resolvers
  2. 02

    SSL expiry sweep + renewal pipeline

    Somebody forgot to renew a cert last quarter. Downtime, angry client, post-mortem. You want that to never happen again.

    A single scheduled prompt that keeps the whole portfolio green. No more 2 a.m. pages.

    tool sequence
    01  list_certificates  # across the portfolio
02  check_certificate_expiry  # flag anything under 45 days
03  renew_certificate  # auto-queue renewals
04  domain_health_check  # verify post-renewal
  3. 03

    Defensive domain registration (brand protection)

    A client's brand is taking off. Typo-squatters and lookalikes are about to get expensive. You need to buy the neighborhood.

    A defensive registration sweep that used to take four hours now takes one conversation.

    tool sequence
    01  get_domain_suggestions  # generate the defensive set
02  bulk_check_availability  # filter for what's still open
03  purchase_domain  # register with privacy + auto-renew
04  setup_email_records  # park them with a no-mail SPF
  4. 04

    Post-acquisition DNS migration

    Your client just acquired another agency. Twelve domains need to move from Namecheap to Cloudflare without breaking production mail.

    Zero-downtime migration with a rollback point. Client didn't know it happened.

    tool sequence
    01  list_dns_records  # snapshot the source zone
02  dns_changeset_preview  # diff before write
03  replace_dns_records  # apply with rollback snapshot
04  email_auth_wizard  # re-verify DKIM after DNS switch
  5. 05

    Quarterly compliance audit export

    Board meeting Thursday. You need a one-page view of the entire domain portfolio — expiry, DNSSEC, SSL, email auth, health score.

    CSV in your hand, narrative in your deck, without logging into five different registrars.

    tool sequence
    01  export_portfolio  # dump the full inventory
02  domain_health_check  # score every domain
03  list_dmarc_reports  # attach the last 30 days of aggregate reports

Works where you work

No new dashboard. No new tab. No new UI.

Authwright is a Model Context Protocol server, not a SaaS dashboard. Whatever MCP-compatible client your team already lives in, the 42 tools show up there. The LLM calls them. You never leave your editor.

  • Claude Desktop

    First-class

    Anthropic's native MCP client

  • Claude Code

    First-class

    The terminal-native coding agent

  • Cursor

    Supported

    AI-first editor with MCP support

  • Windsurf

    Supported

    Codeium's agentic IDE

  • Continue

    Supported

    Open-source coding assistant

  • Any MCP client

    Standards-based

    Roll your own — Authwright speaks streamable HTTP MCP

Transport

Streamable HTTP MCP behind OAuth 2.1 + PKCE via Microsoft Entra ID. Multi-tenant, audit-logged, per-tenant rate-limited. Registrar credentials live in Azure Key Vault, zeroed from memory on every tool exit — not in a .env file on somebody's laptop.

Start here

Create your workspace and connect a registrar.

There is no separate sales form. Sign in, land in a free workspace, add a domain, prove ownership, then connect registrar API keys from the portal. Upgrade only when you need more domains.

Start freeRun a free audit