Email authentication, crafted right.

Authwright is the MCP server that sets up DMARC, SPF, DKIM, MTA-STS, and BIMI across any registrar — called directly from Claude, Cursor, or ChatGPT. Built for the MSPs and agencies who got handed email deliverability and a deadline.

Join the pilotCheck a domain for free →

GODADDY · NAMECHEAP · CLOUDFLARE · PORKBUN · ROUTE 53

One call, every registrar. No dashboard gymnastics. No TXT-record roulette.

November 2025

Gmail stopped asking nicely.

As of November 2025, Gmail and Yahoo reject non-compliant bulk email outright. Not spam-folder. Rejected at the SMTP edge. If your clients send outbound mail from a domain without valid DMARC, aligned SPF, and a proper DKIM signature, it doesn't land. It bounces.

Forty percent of IT leaders surveyed called DMARC deployment “too complex to own internally.” EasyDMARC alone reports 83,000 businesses and 175,000 domains on the meter. The market moved. The question is whether your agency is the one who fixes it for your book — or the one whose clients go elsewhere when their invoices stop arriving.

A missed DMARC record is now a missed invoice, a missed lead, and a missed appointment. Every day.

Email EasyPass

One call. The whole stack. Any domain.

Email EasyPassis Authwright's flagship product — TSA PreCheck for your mail. Under the hood it's the email_auth_wizard MCP tool. Your LLM calls it with a domain. It handles the rest:

  1. 01Reads

    The current state — existing SPF, DKIM selectors, DMARC policy, MX, MTA-STS status, BIMI record.

  2. 02Diagnoses

    The gaps against the current Gmail and Yahoo requirements — SPF ten-lookup limit, DKIM key length, alignment mode, policy enforcement.

  3. 03Writes

    Corrected records directly to the registrar — GoDaddy, Namecheap, Cloudflare, Porkbun, Route 53.

  4. 04Hosts

    The MTA-STS policy file at mta-sts.{your-client-domain}. We run the infrastructure, you get the credit.

  5. 05Waits

    For global DNS propagation and verifies end-to-end.

  6. 06Ingests

    DMARC aggregate reports on an ongoing basis and summarizes them in plain language.

You don't leave your editor. Your tech doesn't leave their terminal. The client doesn't have to learn what a TXT record is.

MCP, not SaaS

If your team lives in Claude, Cursor, or ChatGPT, this is the tool your stack was missing.

Every other DMARC vendor shipped a web dashboard in 2019 and never looked up. Authwright is built as a Model Context Protocol server — which means it's callable directly from the AI environments your operators already use.

A tech in Cursor can resolve a deliverability ticket without opening a browser tab. A founder in Claude can onboard a new client domain in a single prompt.

This is not a wrapper around someone else's API. It's a first-class MCP server designed for the way technical teams actually work in 2026.

Claude Code
> Set up DMARC on acme.com with a reject policy.

Calling email_auth_wizard…
  ✓ diagnose — score 32/100
  ✓ propose — 4 changes (SPF, DKIM, DMARC, MTA-STS)
  ✓ apply   — GoDaddy adapter, snapshot saved
  ✓ host    — mta-sts.acme.com live
  ✓ propagation — 8/8 resolvers
  ✓ re-diagnose — score 94/100

Email EasyPass complete in 47s.

What makes it different

Four things nobody else bundles.

  • LLM-callable, not click-callable.

    Native MCP server. Works in Claude Desktop, Claude Code, Cursor, Windsurf, and any MCP-compatible client. No dashboard tax.

  • We host your MTA-STS policy.

    MTA-STS requires a policy file served over HTTPS at a specific subdomain. Every other vendor tells you to set it up yourself. We host it, we rotate the certificate, we version the policy. Bundled.

  • SPF flattening for the 10-lookup limit.

    SPF caps at ten DNS lookups. Most growing domains blow through that silently. Authwright flattens, monitors, and re-flattens as upstream providers change their records. You don't get paged at 2 a.m.

  • Every registrar, one EasyPass.

    GoDaddy, Namecheap, Cloudflare, Porkbun, Route 53 — same call signature, same result. If you manage a portfolio of domains across vendors, you already know why this matters.

Beyond email auth

DMARC is where it starts. The MCP is your entire domain management solution.

Once Authwright is in your MCP session, the LLM has 42 tools across DNS, SSL, domain registration, bulk operations, and health diagnostics — every major registrar, one call signature.

  • Bulk DNS at portfolio scale

    Push records across fifty client domains in one call. Diff before write. Rollback snapshot every time.

    bulk_update_dns · dns_changeset_preview · replace_dns_records

  • SSL certificate lifecycle

    List, request, reissue, renew, revoke. Expiry sweeps flag anything due in 45 days — before it pages somebody.

    check_certificate_expiry · renew_certificate · reissue_certificate

  • Defensive registration at scale

    Suggestions, bulk availability, purchase with privacy — lock down the lookalike neighborhood in one conversation.

    get_domain_suggestions · bulk_check_availability · purchase_domain

  • DNSSEC without the dashboard slog

    Enable, verify, disable DNSSEC across any supported registrar — same call signature, different backend.

    enable_dnssec · get_dnssec · disable_dnssec

See the full 42-tool surface

Pilot program

Three steps. Two weeks. No procurement call.

  1. 1Day 0

    You apply.

    Tell us your agency, your registrar mix, and how many client domains you want to cover in the pilot. We reply within one business day.

  2. 2Day 1–3

    We install.

    We send the MCP server config, a scoped API key, and a 30-minute onboarding walkthrough. Your team is running Email EasyPass on a live domain before the call ends.

  3. 3Day 4–14

    You run the book.

    Authorize Email EasyPass on as many client domains as your tier covers. We sit on Slack with you. At day 14, you either convert to a paid tier or walk. No contract, no hooks.

Pricing

Priced for the way agencies actually work.

Per-agency pricing, not per-seat. Every tier includes MTA-STS hosting, SPF flattening, DMARC report ingestion, and multi-registrar support.

TierPriceDomainsWho it's for
Free$01 domainSolo operators, personal projects, kicking the tires
Pro$29 / month5 domainsIndependent consultants and small shops
Team$99 / month25 domainsGrowing MSPs and boutique agencies
AgencyMost popular$299 / month100 domainsMid-size MSPs managing a real book
Agency Plus$799 / month500 domainsEstablished agencies with a portfolio
EnterpriseCustom500+ domains, SSO, audit log export, dedicated SlackLarge MSPs, holding companies, security-first buyers

All tiers include: DMARC / SPF / DKIM / MTA-STS / BIMI automation, hosted MTA-STS policy, SPF flattening, DMARC aggregate report ingestion, multi-registrar support, Claude/Cursor/ChatGPT MCP compatibility. No setup fees. Cancel anytime during the pilot.

Talk to the founder →

Not ready for a pilot? Audit a domain in 30 seconds.

Drop any domain into our free checker. We'll show you the current DMARC posture, SPF lookup count, DKIM selector status, MTA-STS presence, and a grade against the current Gmail and Yahoo requirements. No login. No email gate. No upsell pop-up.

Run a free check →

FAQ

Questions MSPs actually ask.

Q1.We already use EasyDMARC / Dmarcian / Valimail. Why switch?
You probably don't need to switch wholesale on day one. Authwright's starting point is the MCP interface and the bundled MTA-STS hosting. If your team works in Claude or Cursor and you're tired of paying extra for MTA-STS hosting or configuring it by hand, Authwright replaces the painful parts without forcing a full migration. Several pilot customers run us alongside their existing reporting tool for 60 days and then consolidate.
Q2.Is this just a wrapper around an existing DMARC vendor?
No. Authwright talks directly to registrar APIs and operates its own MTA-STS hosting infrastructure. Report ingestion is our own parsing pipeline. There is no upstream SaaS we're reselling.
Q3.What does “MCP server” actually mean for my workflow?
It means your engineers call Authwright from inside Claude Desktop, Claude Code, Cursor, Windsurf, or any other MCP-compatible client. Instead of logging into a dashboard and clicking through a wizard, they type “set up DMARC on acme.com with a reject policy” and the model calls our email_auth_wizard tool. You can also script it headlessly.
Q4.What if my client is on a registrar you don’t support yet?
At launch we cover GoDaddy, Namecheap, Cloudflare, Porkbun, and Route 53, which map to the overwhelming majority of agency books. If your registrar isn't covered, tell us in the pilot application — we ship new registrar adapters in weeks, not quarters, and pilot customers get priority input on the roadmap.
Q5.How does the MTA-STS hosting work? Is it secure?
We serve the policy file over HTTPS at mta-sts.{your-client-domain} via a CNAME we set up during an Email EasyPass run. Certificates are issued via Let's Encrypt and rotated automatically. Policies are versioned and you can roll back in a single call. The hosted file contains no secrets — it's a public policy document by design.
Q6.Can I white-label this for my clients?
White-label is on the roadmap for the Agency Plus and Enterprise tiers. Pilot customers help shape what that looks like. If you need it now, say so in your application.
Q7.What about BIMI and VMCs?
Authwright will generate and publish your BIMI record and help you stage the logo file. We don't issue the Verified Mark Certificate — that's a separate purchase from a certificate authority like DigiCert or Entrust — but we handle every piece on either side of it.
Q8.How do you handle registrar API credentials?
Credentials are encrypted at rest in Azure Key Vault, scoped per-domain where the registrar API supports it, and never logged. We recommend creating a dedicated API user on each registrar for Authwright. Full detail lives in the security doc we send during onboarding.
Q9.What happens to DMARC aggregate reports?
Your DMARC record gets a rua= pointing to an Authwright-hosted address. We parse incoming XML, deduplicate, aggregate by source, and surface the results to your LLM as structured data. You can ask Claude “show me the top five failing sources for acme.com this week” and get a real answer.
Q10.Who’s behind this?
Authwright is built by Milton Hubbard. Background: infrastructure, MCP ecosystem, domain/DNS tooling. The product grew out of a production GoDaddy MCP server already in use. Founder email is founder@authwright.com and it reaches a human.

Apply to the pilot

Tell us about your book.

We're onboarding a limited cohort of MSPs and agencies this quarter. We'll reply within one business day.