# dns MCP server

DNS and email security scanner with 80 MCP tools for SPF, DMARC, DNSSEC, SSL, and brand audits.

## Links
- Registry page: https://www.getdrio.com/mcp/com-blackveilsecurity-dns
- Repository: https://github.com/MadaBurns/bv-mcp

## Install
- Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- Auth: Not captured

## Tools
- check_mx - Look up MX records for a domain. Identifies which mail servers receive inbound email for the domain and which email hosting provider is used (Google Workspace, Microsoft 365, Proofpoint, etc.). Use when asked which email provider hosts inbound mail for a domain, or to see MX record configuration. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_spf - Look up and validate the SPF record for a domain. Lists all IP addresses and third-party senders authorised to send email on behalf of the domain, flags syntax errors, and shows the trust surface (which mail servers are whitelisted). Use when you need to know who is permitted to send email as a domain. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dmarc - Look up and validate the DMARC record for a domain. Shows the enforcement level (none/quarantine/reject), alignment mode (strict/relaxed), and aggregate/forensic reporting destinations. Use to determine a domain's DMARC enforcement level, whether it sends aggregate reports, or if it is protected against email impersonation — distinct from check_shadow_domains (which checks TLD variants) and assess_spoofability (composite score). Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dkim - Look up DKIM records for a domain. Probes common selectors, validates the signing algorithm used for outgoing email (RSA-1024/2048, Ed25519), and reports key strength. Use to verify that outbound email signatures are cryptographically sound. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dnssec - Check DNSSEC status for a domain. Verifies whether DNS is tamper-proof and protected against cache poisoning and DNS spoofing attacks by validating DNSKEY and DS records. Reports whether DNSSEC is enabled and validating. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_ssl - Check the SSL/TLS certificate for a domain. Shows the issuer (Certificate Authority), expiry date (when the certificate expires), supported protocol versions (TLS 1.2/1.3), and HTTPS configuration. Use to verify certificate validity and who issued it. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_mta_sts - Check whether a domain enforces SMTP TLS for inbound mail via MTA-STS, protecting against downgrade attacks. Queries _mta-sts.<domain> and fetches the policy file, reports mode (enforce/testing/none) and MX coverage. Use to verify whether inbound SMTP is protected against TLS downgrade or MITM — distinct from check_dane which uses TLSA pinning. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_ns - Look up NS (nameserver) records for a domain. Identifies the DNS nameserver provider (Cloudflare, Route53, NS1, etc.) and shows delegation and redundancy. Use to find out which authoritative nameserver or DNS hosting service is used for a domain. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_caa - Look up CAA records for a domain. Shows which Certificate Authorities are authorized to issue certificates. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_bimi - Check the BIMI brand-logo record at default._bimi.<domain>. Validates the logo URL (l=) and VMC certificate evidence (a=), and verifies the DMARC enforcement prerequisite (p=quarantine/reject) that mail clients require before displaying a BIMI logo. Returns findings for a missing/malformed record or unmet prerequisites. Use to assess brand-indicator readiness in inboxes. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_tlsrpt - Check whether a domain has SMTP TLS Reporting (TLS-RPT) configured. Queries _smtp._tls.<domain> for the v=TLSRPTv1 record and validates its reporting destination (rua= mailto:/https:), flagging a missing record, duplicate records, or an invalid/absent reporting URI. Complements MTA-STS by giving visibility into TLS delivery failures. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_http_security - Audit a domain's browser-facing HTTP security headers over HTTPS. Inspects Content-Security-Policy (flagging unsafe-inline/unsafe-eval/wildcards), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the cross-origin isolation headers (COOP/COEP/CORP), and detects CDN/WAF interception. Returns per-header findings for missing or weak protections against XSS, clickjacking, and cross-origin attacks. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dane - Check DANE/TLSA certificate pinning for SMTP at port 25. Resolves the domain's MX hosts and looks up TLSA records at _25._tcp.<mx-host>, verifying whether SMTP mail-server certificates are bound in DNS (DNSSEC-backed protection against CA misissuance and MITM on inbound mail). Use when asked if SMTP connections are protected by DANE/TLSA pinning. For HTTPS DANE at port 443, use check_dane_https instead. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_ptr - Verify forward-confirmed reverse DNS (PTR/FCrDNS) for mail servers. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dane_https - Verify DANE certificate pinning for HTTPS connections. Looks up TLSA records at _443._tcp.{domain} (port 443) to confirm the web certificate is pinned in DNS. Distinct from check_dane which covers SMTP at port 25. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_svcb_https - Validate HTTPS/SVCB records (RFC 9460) for modern transport capability advertisement. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_lookalikes - Detect active typosquat and lookalike/homoglyph domains that impersonate your brand and could be used in phishing. Identifies character-substitution and visual-confusion domains registered by attackers. Distinct from check_shadow_domains (TLD variants with auth gaps) and discover_brand_domains (legitimate brand portfolio). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_subdomailing - Detect SubdoMailing risk: analyzes the SPF include chain for dangling or hijackable subdomains that could let an attacker send email as the domain. Use when you want to know if an SPF include chain can be hijacked through a dangling domain, or to detect subdomain mailing risk hidden in SPF includes. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- scan_domain - Run a full DNS and email security audit for a single domain. Aggregates every scan-included check in parallel (SPF, DKIM, DMARC, DNSSEC, TLS/SSL, MTA-STS, CAA, BIMI, subdomain takeover, and more) and returns an overall security score, NIST-aligned letter grade (6-band A+/A/B/C/D/F), maturity stage, and prioritized findings. Use for a comprehensive single-domain audit, to get a domain's overall security grade, or to assess email security maturity. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- batch_scan - Bulk-scan up to 10 domains in parallel. Runs a full security audit on each domain in the list and returns score, NIST-aligned letter grade (6-band A+/A/B/C/D/F), and finding counts per domain. Use when you want to audit multiple domains at once or do a bulk scan of several domains simultaneously — distinct from compare_domains which does a side-by-side analysis of 2–5 domains. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- compare_domains - Side-by-side security comparison of 2–5 domains. Shows relative scores, category gaps, and unique weaknesses for each domain. Use when comparing your security posture against a competitor, or doing a head-to-head comparison between multiple domains. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- compare_baseline - Compare a domain's current security configuration against a fixed policy baseline to determine compliance. Use to check whether a domain meets a policy requirement — not for tracking improvement/regression over time (use analyze_drift) and not for comparing multiple domains (use compare_domains). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_shadow_domains - Find alternate TLD variants of a domain (e.g. example.net, example.co) that have weak or missing email authentication and could be used to spoof email. Use when asked about TLD variants with email auth gaps — distinct from check_lookalikes which detects typosquat/homoglyph impersonation domains. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_txt_hygiene - Audit TXT records for stale entries and SaaS exposure. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_mx_reputation - Check whether the mail server (MX) IP addresses are listed on spam blocklists (Spamhaus, Barracuda, SORBS, and other RBLs). Also verifies reverse DNS for MX hosts. Use when you want to know if your mail server IP is blacklisted, or if your MX is on any blocklist — distinct from check_rbl which checks a specific IP directly. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_srv - Map a domain's DNS-visible service footprint by probing ~16 common SRV record prefixes (email, calendar, messaging, web, directory) in parallel. Returns discovered services and flags insecure service advertisements — e.g. plaintext IMAP/POP3 without an encrypted variant. Use when asked to map DNS-visible services or flag insecure service advertisements. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_zone_hygiene - Audit DNS zone hygiene: identifies sensitive or forgotten subdomains exposed in DNS, stale SOA records, and zone propagation issues. Use to find any sensitive subdomains that should not be publicly visible, or to audit overall DNS zone cleanliness. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate - Generate a DNS/email security remediation artifact. Artifact types: spf_record (build a new SPF record), dmarc_record (create a DMARC policy), dkim_config (DKIM key setup), mta_sts_policy (generate an MTA-STS policy file), fix_plan (prioritized remediation plan for all findings), or rollout_plan (phased DMARC enforcement timeline). Use when asked to generate or create a record or policy. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- get_domain_rank - Rank a domain against its country or global cohort using the GSI benchmark corpus. Accepts a domain score (from scan_domain) and optional country/sector; returns a percentile: "scores better than X% of peers". Owner-gate exempt — public cohort data only. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- get_benchmark - Get industry benchmark data: shows what percentile a domain's security score ranks at within its sector or country cohort, the mean score, and the most common DNS security failures across the industry. Use when asked how a score compares to the industry average, what percentile a score is in, or what the most common security failures are in an industry or sector. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- get_provider_insights - Get security benchmarks and common configuration issues for a specific email or DNS service-provider cohort (e.g. Google Workspace customers, Microsoft 365 customers). Use when asked how an email service provider compares to competitors on security posture, or to see typical misconfigurations for a named vendor's customers. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- assess_spoofability - Compute a composite email spoofability risk score (0–100, higher = more spoofable) by combining SPF trust surface, DMARC enforcement, and DKIM coverage. Returns a risk level (minimal→critical), per-control sub-scores, and plain-language summary of how easy it would be to spoof email from the domain. Use when asked how easy it is to spoof email from a domain, or for a composite email spoofing risk score. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_resolver_consistency - Check DNS consistency across 4 public resolvers. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- explain_finding - Explain a finding with impact and remediation. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- map_supply_chain - Map DNS-visible third-party service dependencies for a domain. Correlates SPF, NS, TXT verifications, SRV services, and CAA records to reveal which third-party vendors can send email as the domain, control DNS, or access integrated services. Use when asked to map third-party or supply-chain dependencies — not for listing who can send email (use check_spf for that). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- analyze_drift - Measure whether a domain's DNS security posture improved or regressed by comparing the current state against a prior scan snapshot. Returns a drift classification (improving/stable/regressing/mixed), score delta, and lists of improvements and regressions. Use to answer "did our security score improve or regress since last time?" — distinct from compare_baseline which checks compliance against a fixed policy (not improvement over time). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- validate_fix - Re-check a specific security control after applying a fix, to confirm the finding is now resolved. Use only when a fix has already been applied and you want to verify or confirm the remediation was successful — not for initial inspection of a record. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- resolve_spf_chain - Trace the full SPF include chain for a domain. Recursively resolves all includes, shows lookup count and tree depth, and flags circular includes or chains that exceed the 10-lookup limit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_subdomains - Find subdomains of a domain using Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- map_compliance - Map scan findings to compliance frameworks: NIST 800-177, PCI DSS 4.0, SOC 2, CIS Controls. Shows pass/fail/partial status per control. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- prioritize_csc_leads - Rank a brand’s portfolio (or an explicit domain set) into prioritized CSC sales leads by product-gap value × severity. Multi-domain, paid. Reuses map_csc_products per domain, then ranks. Distinct from map_csc_products (per-domain product mapping) and batch_scan (raw scores). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- simulate_attack_paths - Analyze current DNS posture and enumerate specific attack paths an adversary could exploit, with severity, feasibility, steps, and mitigations. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dbl - Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_rbl - Check MX server IP reputation against 7 DNS-based Real-time Blocklists (SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Resolves MX hosts to IPs first. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- cymru_asn - Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-risk hosting ASNs. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- rdap_lookup - Fetch domain registration data via RDAP (modern WHOIS replacement). Returns the domain registrar (the company the domain was registered with), registrant contact, creation/expiration dates, EPP status codes, and domain age. Use when asked who registered the domain, who the registrar is, or when the registration expires — distinct from check_ns which identifies the DNS nameserver provider. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_realtime_threat_feed - Check a domain against BlackVeil real-time threat intelligence (curated intel-gateway feed). Distinct from DNSBL checks. Operator-deploy only; degrades to info when unprovisioned. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_nsec_walkability - Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dnssec_chain - Walk the full DNSSEC chain of trust from the DNS root down to the target domain, tracing DS/DNSKEY records and algorithm usage at each zone level. Use when asked to trace the chain of trust from the DNS root, or to see the full DNSSEC delegation path step by step. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_agent_discovery - Assess the security posture of IETF BANDAID agent-discovery records (draft-mozleywilliams-dnsop-dnsaid). Detects SVCB agent records under _agents/_index._{protocol}._agents, reports whether the discovery zone is DNSSEC-anchored (unsigned = spoofable agent endpoints), evaluates DANE/TLSA binding trust (RFC 6698 §10.1), and checks capability-document integrity (cap / cap-sha256). Read-only; uses Private-Use SVCB param code points pending IANA assignment. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dnskey_strength - Audit the cryptographic strength of DNSKEY signing algorithms used for DNSSEC. Reports which algorithm is used for DNSSEC signing keys (RSA/SHA-1, RSA/SHA-256, ECDSA P-256, Ed25519, etc.), flags deprecated algorithms (RSA/SHA-1, DSA), independent of whether the DNSSEC chain validates. Use when asked what algorithm is used for DNSSEC signing keys, or if deprecated DNSKEY algorithms are in use. Part of the scan_domain audit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_fast_flux - Detect fast-flux DNS behavior: performs multiple rounds of A/AAAA queries and checks whether IP addresses are rotating rapidly on each DNS query (a sign of botnet or malicious infrastructure). Compares IP answer sets and TTLs across rounds to identify rapidly rotating infrastructure used to hide malicious activity. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_subdomain_takeover - Sweep subdomains for dangling CNAMEs pointing to deprovisioned cloud services that could be claimed by an attacker (subdomain takeover vulnerabilities). Detects 16 provider families (AWS S3/CloudFront, Azure Front Door/CDN/Blob/App Service, GCP Cloud Storage, Heroku, GitHub Pages, Vercel, Firebase, Shopify, etc.). Use when asked if subdomains are pointing to deprovisioned cloud services. Pair with discover_subdomains for full inventory. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_authoritative_dns_infra - Check authoritative DNS infrastructure posture for a hostname. Uses BV_INFRA_PROBE when available for raw DNS, routing, RPKI, and vantage-point evidence. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_root_server_set - Check the DNS root server set against official root hints, root glue, delegation, serial, and DNSKEY cross-root evidence. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_brand_domains - Discover all domains that belong to a brand's portfolio by aggregating certificate, DNS, redirect, and mail-policy signals. Use when asked what domains are part of a brand portfolio, or to find all domains related to a brand. Pass the EXACT seed domain verbatim — do NOT normalize or substitute a canonical domain. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_brand_domains_start - Start an async brand-domain discovery for the EXACT seed domain provided (the async sibling of discover_brand_domains, which can run ~24s and time out interactive clients). Same args as discover_brand_domains. Returns { auditId, queuedAt, etaSeconds } immediately; poll with discover_brand_domains_status and fetch ranked candidates with discover_brand_domains_findings once complete. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_brand_domains_status - Poll the status of an async brand-domain discovery started with discover_brand_domains_start. Returns status (queued | running | completed | failed) and progress. Owner-scoped — operationIds owned by other principals surface as notFound. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_brand_domains_findings - Fetch the ranked candidate domains (the discovery CheckResult) for an async run started with discover_brand_domains_start. Returns notReady while the discovery is still in-flight; the discovery result once complete. Owner-scoped. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_single - Run a full brand audit on a single target with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Discovers brand-related domains, looks up registrar + registrant for each candidate, and classifies each into consolidated, real registrar-sprawl shadowIt, authorized vendor dependency, indeterminate, or impersonation relationships. Gated tier-wide by monthly BRAND_AUDIT_QUOTAS (free/agent=0, developer=50, partner=200, enterprise=500, owner=unlimited). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_batch_start - Enqueue an async brand audit across up to 50 target domains with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Returns { auditId, queuedAt, targetCount, etaSeconds } immediately; poll with brand_audit_status and fetch results with brand_audit_get_report once complete. Each target consumes 1 unit of the monthly BRAND_AUDIT_QUOTAS budget. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_status - Poll the status of an enqueued brand audit. Returns audit-level status (queued | running | completed | failed), progress 'N/M', and per-target statuses. Owner-scoped — auditIds owned by other principals surface as notFound. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_get_report - Fetch the result JSON for a completed brand audit. With `target` set, returns the per-target CheckResult; without, returns the audit-level aggregate. Returns notReady when polling an in-flight audit. When a rendered PDF sidecar exists and the R2 binding is configured, metadata includes a signed PDF URL; completed targets without a PDF URL include pdfPending so callers can poll again. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- list_brand_audit_watches - Returns the caller's recurring brand-audit watches: watchId, domain, interval, webhook presence, last-run time, and active state. Owner-scoped. Read-only. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- register_brand_audit_watch - Creates a recurring brand-audit watch for a domain on a daily/weekly/monthly cadence. Each run enqueues a fresh brand_audit_batch_start and (when a webhook is configured) POSTs a diff webhook on classification drift. Returns the new watchId. Owner-scoped; per-principal cap of 20 active watches. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- delete_brand_audit_watch - Permanently removes a recurring brand-audit watch by watchId. Owner-scoped — a watchId owned by another principal surfaces as notFound. Returns confirmation of deletion. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- scan_buckets_start - Start an async cloud-bucket discovery scan for a target domain. Operator-deploy only; degrades to info when unprovisioned. Returns a scanId immediately — poll progress with scan_buckets_status and retrieve results with scan_buckets_findings. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- scan_buckets_status - Poll the status of a cloud-bucket discovery scan by scanId. Operator-deploy only; degrades to info when unprovisioned. Returns scan status (running | completed | failed) and progress metadata. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- scan_buckets_findings - Retrieve findings from a completed cloud-bucket discovery scan. Operator-deploy only; degrades to info when unprovisioned. Optionally scoped to a specific scanId, target, and provider list; omit scanId to retrieve the most recent findings. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigate_domain_start - Start an async OSINT investigation for a domain. Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status and retrieve results with osint_investigation_report. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigate_infrastructure_start - Start an async deep-infrastructure OSINT investigation for a query (domain, IP, or org). Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigate_supply_chain_start - Start an async supply-chain OSINT investigation for a query. Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigate_username_start - Start an async OSINT investigation for a username (cross-platform presence, breach correlation). Owner/enterprise tier only — people-centric OSINT is restricted to prevent misuse. Returns an investigationId immediately — poll with osint_investigation_status and retrieve results with osint_investigation_report. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigate_email_start - Start an async OSINT investigation for an email address (breach exposure, account correlation). Owner/enterprise tier only — people-centric OSINT is restricted to prevent misuse. Returns an investigationId immediately — poll with osint_investigation_status and retrieve results with osint_investigation_report. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigation_status - Poll the status of an OSINT investigation by investigationId. Operator-deploy only; degrades to info when unprovisioned. Returns current status (running | completed | failed) and progress metadata. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- osint_investigation_report - Retrieve the final report of a completed OSINT investigation by investigationId. Operator-deploy only; degrades to info when unprovisioned or not yet complete. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- query_signins - Query Microsoft Entra sign-in logs for a tenant. Optionally filter by user principal name, failure status, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when absent. A `representative: true` field in the response marks sample (non-live) data until live Graph reads land. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- query_ual - Query the Microsoft 365 Unified Audit Log for a tenant. Optionally filter by operation type, user, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when absent. A `representative: true` field in the response marks sample (non-live) data until live Graph reads land. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- get_ca_policies - Retrieve Conditional Access policies for a Microsoft Entra tenant. Requires m365Proxy service binding; returns { unprovisioned: true } when absent. A `representative: true` field in the response marks sample (non-live) data until live Graph reads land. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- assess_coverage - Assess Conditional Access coverage gaps for a Microsoft Entra tenant — identifies users and apps not protected by any enforced policy. Requires m365Proxy service binding; returns { unprovisioned: true } when absent. A `representative: true` field in the response marks sample (non-live) data until live Graph reads land. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp

## Resources
- dns-security://guides/security-checks - Overview of all DNS/email security checks performed by Blackveil DNS, including SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-STS, NS, CAA, MX, and Subdomain Takeover. MIME type: text/markdown
- dns-security://guides/scoring - How DNS/email security scores and grades are calculated, including category weights and severity penalties. MIME type: text/markdown
- dns-security://guides/record-types - List of DNS record types queried by this server and their purpose in security analysis. MIME type: text/markdown
- dns-security://guides/agent-workflows - Recommended tool usage patterns and decision trees for common DNS security tasks. MIME type: text/markdown
- dns-security://guides/intelligence - How benchmark and provider cohort features work, privacy guarantees, and data freshness. MIME type: text/markdown
- dns-security://guides/remediation - Step-by-step DNS record fix patterns for each check category, using generate_* tools. MIME type: text/markdown

## Prompts
- full-security-audit - DNS & email security audit with remediation. Arguments: domain
- email-auth-check - Email auth posture: SPF, DMARC, DKIM, MTA-STS. Arguments: domain
- policy-compliance-check - Check domain against security policy baseline. Arguments: domain, minimum_grade
- remediation-workflow - Scan, plan fixes, generate DNS records. Arguments: domain
- email-hardening-guide - Email hardening plan with DNS record generation. Arguments: domain
- provider-benchmark - Benchmark domain against email provider cohort. Arguments: domain
- attack-surface-assessment - Spoofability, lookalikes, shadow domain analysis. Arguments: domain

## Metadata
- Owner: com.blackveilsecurity
- Version: 3.16.1
- Runtime: Streamable HTTP
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: Jun 8, 2026
- Source: https://registry.modelcontextprotocol.io
