42 tools · one MCP server

Authwright isn't just DMARC. It's your entire domain management solution.

Email authentication is where most teams start. The rest of the surface area handles the day-to-day grind of managing domains at portfolio scale — DNS edits, SSL renewals, bulk operations, health audits, defensive registrations — all callable from the same MCP session your team already has open.

  • 8 Email auth
  • 10 DNS
  • 9 Domains
  • 7 SSL / TLS
  • 6 Bulk
  • 2 Health

Tool surface

Six categories. One MCP session.

Email EasyPass is the headline, but Authwright exposes the full domain-management surface — so the same LLM that fixes your DMARC can also renew the SSL cert, add a CNAME, and audit the portfolio.

  • 8 tools

    Email authentication

    Email EasyPass — the flagship. DMARC/SPF/DKIM/MTA-STS/BIMI set up and enforced across any registrar in one call.

    email_auth_wizard, flatten_spf, setup_mta_sts_hosting, +5 more

    Example prompt

    Get example.com to DMARC enforcement with MTA-STS hosted and SPF flattened.

  • 10 tools

    DNS records

    Read, preview, and write any record type on GoDaddy, Namecheap, Cloudflare, Porkbun, or Route 53 — with diffs before the write.

    dns_changeset_preview, replace_dns_records, enable_dnssec, +7 more

    Example prompt

    Show me the diff, then add an A record for api pointing at 203.0.113.10, TTL 300.

  • 9 tools

    Domain portfolio

    Inventory, availability, purchase, renewal, contacts, privacy — the lifecycle without the registrar dashboard.

    list_domains, purchase_domain, update_domain_contacts, +6 more

    Example prompt

    Register acme-support.com, acme-help.com, and acme-billing.com with privacy on and point them at our web app.

  • 7 tools

    SSL / TLS lifecycle

    Provision, renew, reissue, revoke — and proactively surface certs that are about to expire across the whole portfolio.

    check_certificate_expiry, renew_certificate, reissue_certificate, +4 more

    Example prompt

    List any cert expiring in the next 45 days across our domains and queue renewals.

  • 6 tools

    Bulk operations

    Portfolio-scale moves without N round-trips. Availability sweeps, DNS pushes, renewals, privacy flips, analysis, export.

    portfolio_analysis, bulk_update_dns, export_portfolio, +3 more

    Example prompt

    Run portfolio analysis, then flip WHOIS privacy on for anything still public.

  • 2 tools

    Health + diagnostics

    A scored 0-100 report per domain — expiry, DNSSEC, SSL, MX, SPF, DKIM, DMARC, MTA-STS, BIMI, blacklist, nameserver drift — with async DNSBL checks.

    domain_health_check, diagnose_email

    Example prompt

    Full health check on every domain in our portfolio — rank by risk score and flag anything under 70.

Example workflows

The high-leverage moves, in plain English.

These are the workflows pilot customers ask about first. Each is a real sequence the LLM composes from the 42-tool surface — no custom code, no dashboard hopping, no registrar-specific gotchas.

  1. Bulk DMARC rollout across 50 client domains

    You just inherited 50 domains from a new client. Gmail has been rejecting non-compliant mail since November 2025. Deliverability is already bleeding.

    50 domains at p=reject with MTA-STS hosted and SPF flattened. One afternoon.

    1. portfolio_analysis: inventory current email-auth posture
    2. email_auth_diagnose: score each domain 0-100
    3. email_auth_wizard: batch upgrade everything under 80
    4. wait_for_propagation: verify across 8 global resolvers

  2. SSL expiry sweep + renewal pipeline

    Somebody forgot to renew a cert last quarter. Downtime, angry client, post-mortem. You want that to never happen again.

    A single scheduled prompt that keeps the whole portfolio green. No more 2 a.m. pages.

    1. list_certificates: across the portfolio
    2. check_certificate_expiry: flag anything under 45 days
    3. renew_certificate: auto-queue renewals
    4. domain_health_check: verify post-renewal

  3. Defensive domain registration (brand protection)

    A client's brand is taking off. Typo-squatters and lookalikes are about to get expensive. You need to buy the neighborhood.

    A defensive registration sweep that used to take four hours now takes one conversation.

    1. get_domain_suggestions: generate the defensive set
    2. bulk_check_availability: filter for what's still open
    3. purchase_domain: register with privacy + auto-renew
    4. setup_email_records: park them with a no-mail SPF

  4. Post-acquisition DNS migration

    Your client just acquired another agency. Twelve domains need to move from Namecheap to Cloudflare without breaking production mail.

    Zero-downtime migration with a rollback point. Client didn't know it happened.

    1. list_dns_records: snapshot the source zone
    2. dns_changeset_preview: diff before write
    3. replace_dns_records: apply with rollback snapshot
    4. email_auth_wizard: re-verify DKIM after DNS switch

  5. Quarterly compliance audit export

    Board meeting Thursday. You need a one-page view of the entire domain portfolio — expiry, DNSSEC, SSL, email auth, health score.

    CSV in your hand, narrative in your deck, without logging into five different registrars.

    1. export_portfolio: dump the full inventory
    2. domain_health_check: score every domain
    3. list_dmarc_reports: attach the last 30 days of aggregate reports

Works where you work

No new dashboard. No new tab. No new UI.

Authwright is a Model Context Protocol server, not a SaaS dashboard. Whatever MCP-compatible client your team already lives in, the 42 tools show up there. The LLM calls them. You never leave your editor.

  • Claude Desktop

    First-class

    Anthropic's native MCP client

  • Claude Code

    First-class

    The terminal-native coding agent

  • Cursor

    Supported

    AI-first editor with MCP support

  • Windsurf

    Supported

    Codeium's agentic IDE

  • Continue

    Supported

    Open-source coding assistant

  • Any MCP client

    Standards-based

    Roll your own — Authwright speaks streamable HTTP MCP

Transport

Streamable HTTP MCP behind OAuth 2.1 + PKCE via Microsoft Entra ID. Multi-tenant, audit-logged, per-tenant rate-limited. Registrar credentials live in Azure Key Vault, zeroed from memory on every tool exit — not in a .env file on somebody's laptop.

Apply to the pilot

Tell us about your book.

We're onboarding a limited cohort of MSPs and agencies this quarter. We'll reply within one business day.