email-security-mcp

marlinkcyber/email-security-mcp

3.2

If you are the rightful owner of email-security-mcp and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.

The Email Security Scanner MCP Server is a comprehensive solution for email security scanning, leveraging FastMCP 2.10+ to provide both passive and active security assessments.

Tools
4
Resources
0
Prompts
0

Email Security Scanner MCP Server

A fully functional MCP (Model Context Protocol) server that provides comprehensive email security scanning capabilities using FastMCP 2.10+. This implementation includes SPF, DMARC, DNSSEC validation, and SMTP connectivity testing for defensive security assessment.

Features

  • Passive Scanning: DNS-only checks for SPF, DMARC, MX records, and DNSSEC status
  • Active Scanning: Full email security assessment including SMTP connectivity, STARTTLS testing, and DNSSEC chain validation
  • DNSSEC Validation: Comprehensive DNSSEC checking similar to dnssec-debugger.verisignlabs.com
  • Multiple Domain Scanning: Batch scanning of multiple domains with configurable scan types
  • FastMCP Integration: Modern MCP server implementation with proper tool definitions
  • Algorithm Analysis: DNSSEC algorithm assessment with security recommendations

Installation

Option 1: Using uv (Recommended)

  1. Install uv if you haven't already:
curl -LsSf https://astral.sh/uv/install.sh | sh
  1. Install dependencies:
uv sync
  1. Run the MCP server:
uv run python server.py

Option 2: Using pip

  1. Install dependencies:
pip install -r requirements.txt
  1. Run the MCP server:
python server.py

Option 3: Using MCP development tools (for testing)

mcp dev server.py

This will start the MCP Inspector web interface for interactive testing of tools.

MCP Client Integration

Claude Desktop Integration

To use this MCP server with Claude Desktop, add the following configuration to your claude_desktop_config.json file:

Basic Configuration (using uv)

{
  "mcpServers": {
    "email-security-scanner": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/your/email-security-scanner-mcp",
        "run",
        "python",
        "server.py"
      ],
      "env": {
        "UV_SYSTEM_PYTHON": "1"
      }
    }
  }
}

Alternative Configuration (using direct Python)

{
  "mcpServers": {
    "email-security-scanner": {
      "command": "python",
      "args": [
        "/path/to/your/email-security-scanner-mcp/server.py"
      ],
      "cwd": "/path/to/your/email-security-scanner-mcp"
    }
  }
}

Note: Replace /path/to/your/email-security-scanner-mcp with the actual path to your project directory.

oterm Integration

oterm is a text-based terminal client for interacting with Large Language Models. To use this MCP server with oterm:

  1. Create or update your oterm configuration file (usually ~/.config/oterm/config.json):
{
  "mcpServers": {
    "email-security-scanner": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/your/email-security-scanner-mcp",
        "run",
        "python",
        "server.py"
      ],
      "env": {
        "UV_SYSTEM_PYTHON": "1"
      }
    }
  }
}
  1. Start oterm and the MCP server will be automatically loaded.

See oterm_config.json for a working example configuration.

Quick Setup

For a complete step-by-step setup guide with Claude Desktop, see .

See claude_desktop_config_examples.json for more configuration options.

MCP Tools

passive_scan

Performs passive email security scanning by checking DNS records only.

Parameters:

  • domain (str): Domain name to scan
  • dns_timeout (float, optional): DNS lookup timeout in seconds (default: 5.0)
  • dns_hostnames (List[str], optional): Custom DNS hostnames to use

Returns:

  • Domain existence status
  • MX records with priorities
  • SPF record and validation results
  • DMARC record and validation results
  • DNSSEC status (DS records, DNSKEY records, RRSIG presence)
  • DNSSEC key information and warnings

active_scan

Performs comprehensive email security scanning including SMTP connectivity tests.

Parameters:

  • domain (str): Domain name to scan
  • dns_timeout (float, optional): DNS lookup timeout in seconds (default: 5.0)
  • smtp_timeout (float, optional): SMTP connection timeout in seconds (default: 3.0)
  • smtp_ports (List[int], optional): SMTP ports to test (default: [25, 465, 587])
  • dns_hostnames (List[str], optional): Custom DNS hostnames to use

Returns:

  • All passive scan results plus:
  • SMTP connection test results
  • STARTTLS support and functionality testing
  • DNSSEC chain of trust validation
  • DNSSEC algorithm analysis and recommendations
  • Detailed error reporting for connection and validation issues

scan_multiple_domains

Batch scanning of multiple domains with specified scan type. Optimized for MCP timeout prevention - limits domains and uses faster scanning.

Parameters:

  • domains (List[str]): List of domain names to scan (max 10 domains, recommended: 5)
  • scan_type (str, optional): "passive" or "active" (default: "active")
  • dns_timeout (float, optional): DNS lookup timeout in seconds (default: 3.0, reduced for speed)
  • smtp_timeout (float, optional): SMTP connection timeout in seconds (default: 2.0, reduced for speed)
  • smtp_ports (List[int], optional): SMTP ports to test (default: [25] for speed)

Returns:

  • Results for each domain (optimized summary format)
  • Summary statistics (total, successful, failed scans)
  • Performance optimization notes

quick_domain_check

Ultra-fast domain checking for large batches to avoid MCP timeouts. Recommended for checking many domains quickly.

Parameters:

  • domains (List[str]): List of domain names to check (up to 20 domains)
  • check_types (List[str], optional): Types of checks: ["live", "mx", "spf", "dmarc", "dnssec"] (default: ["live", "mx", "spf", "dmarc"])

Returns:

  • Quick check results for each domain
  • Summary statistics and performance notes

Example Usage

Testing the Server

Run the included test scripts to verify functionality:

Basic functionality:

python test_server.py

DNSSEC functionality:

python test_dnssec.py

Complete integration test:

python test_with_dnssec.py

Interactive testing with MCP Inspector:

mcp dev server.py

Then open the provided URL in your browser to test MCP tools interactively.

Testing timeout fixes:

python test_timeout_fix.py

Sample Output

=== Complete Email Security Scan with DNSSEC ===
Scanning cloudflare.com...
Domain live: āœ“

--- Email Security ---
MX records: 4
SPF record: āœ“ (Policy: fail, Valid: āœ“)
DMARC record: āœ“ (Policy: reject, Valid: āœ“)

--- DNSSEC Security ---
DNSSEC enabled: āœ“
DS records: 1
DNSKEY records: 2
RRSIG records: āœ“
Chain validation: āœ“
Validation path: 2 steps
Modern algorithms: āœ“

--- SMTP Connectivity ---
Connection to mail server: āœ“
STARTTLS support: āœ—

--- Security Summary ---
Security score: 6/6
āœ“ Domain reachable
āœ“ Mail servers configured  
āœ“ Valid SPF record
āœ“ Valid DMARC record
āœ“ DNSSEC enabled
āœ“ DNSSEC chain valid

Email Security Checks

SPF (Sender Policy Framework)

  • Validates SPF record syntax
  • Extracts SPF mechanisms (include, a, mx, ip4, ip6, etc.)
  • Determines SPF policy (fail, softfail, pass, neutral)
  • Reports syntax errors and validation issues

DMARC (Domain-based Message Authentication, Reporting & Conformance)

  • Validates DMARC record syntax
  • Extracts DMARC policy (none, quarantine, reject)
  • Identifies subdomain policy settings
  • Reports policy percentage and validation errors

SMTP Testing (Active Scans Only)

  • Tests connectivity to mail servers on multiple ports
  • Verifies STARTTLS support and functionality
  • Provides detailed error reporting for connection failures
  • Tests all MX records with priority ordering

DNSSEC (Domain Name System Security Extensions)

Passive Checks
  • DS Records: Checks for Delegation Signer records in parent zone
  • DNSKEY Records: Validates DNS Key records in the domain
  • RRSIG Records: Detects presence of Resource Record Signatures
  • Key Analysis: Identifies Key Signing Keys (KSK) and Zone Signing Keys (ZSK)
Active Validation
  • Chain of Trust: Validates DNSSEC chain from domain to root
  • Signature Verification: Attempts to verify DNSSEC signatures
  • Algorithm Analysis: Identifies cryptographic algorithms in use
  • Security Assessment: Detects deprecated algorithms and provides recommendations
Supported Algorithms
  • RSA/SHA-256 (Algorithm 8) - Recommended
  • ECDSA P-256 (Algorithm 13) - Recommended
  • ECDSA P-384 (Algorithm 14) - Recommended
  • Ed25519 (Algorithm 15) - Modern, recommended
  • Legacy algorithms (RSA/MD5, DSA/SHA1) - Flagged as deprecated
DNSSEC Validation Process
  1. Check for DS records in parent zone
  2. Retrieve DNSKEY records from target domain
  3. Validate DS-to-DNSKEY relationship
  4. Walk the chain of trust to root zone
  5. Verify signatures on critical records
  6. Analyze cryptographic algorithms used
  7. Generate security recommendations

Architecture

The server is built using:

  • FastMCP 2.10+: Modern MCP server framework
  • dnspython: Reliable DNS resolution
  • smtplib: SMTP connectivity testing
  • email-validator: Email format validation

Security Note

This implementation is designed for defensive security purposes only. It helps organizations:

  • Assess their email infrastructure security
  • Identify SPF and DMARC configuration issues
  • Verify SMTP server connectivity and encryption support
  • Monitor email security compliance

Dependencies

  • fastmcp>=2.10.0
  • dnspython>=2.4.0
  • requests>=2.28.0
  • typing-extensions>=4.0.0
  • email-validator>=2.0.0
  • cryptography>=3.4.0

Troubleshooting

DNS Resolution Issues

If you encounter DNS resolution problems, try:

  1. Checking your network connectivity
  2. Using alternative DNS servers
  3. Increasing DNS timeout values

SMTP Connection Issues

SMTP tests may fail due to:

  • Firewall restrictions on outbound ports 25, 465, 587
  • Mail servers blocking connections from your IP
  • Network timeouts (adjust smtp_timeout parameter)

DNSSEC Validation Issues

DNSSEC validation may encounter problems due to:

  • Incomplete DNSSEC chain (missing DS records in parent zone)
  • Clock skew causing signature validation failures
  • Firewall blocking large DNS responses (increase UDP buffer size)
  • Using DNS servers that don't support DNSSEC validation
  • Network issues preventing access to authoritative name servers

Common DNSSEC Error Solutions:

  • Ensure your DNS resolver supports EDNS0 and larger UDP packets
  • Check that DS records exist in the parent zone
  • Verify DNSKEY records are present and properly signed
  • Use dig +dnssec command-line tool to debug DNSSEC issues manually

MCP Timeout Issues

The server includes optimizations to prevent MCP request timeouts:

For Multiple Domain Scanning:

  • Use quick_domain_check for fast batch checking (up to 20 domains)
  • Use scan_multiple_domains for detailed scanning (max 10 domains recommended)
  • Both tools automatically limit domain counts and reduce timeouts

If Still Experiencing Timeouts:

  • Reduce the number of domains per request (try 3-5 domains)
  • Use passive scans instead of active scans for faster execution
  • Check network connectivity and DNS server performance
  • Consider scanning domains individually for detailed analysis

License

This project implements email security scanning functionality for defensive security purposes.