veridomo
Security engineering.
Audit email authentication, monitor SSL certificates, track WHOIS changes, and verify domain ownership across your organization. Structured JSON. No shell scripts.
Email authentication audit
Check SPF, DKIM, and DMARC across your organization's domains. Catch misconfigurations before they become incidents.
# Audit a single domain via MCP
curl -s -X POST https://veridomo.xyz/mcp \
-H "Authorization: Bearer $VERIDOMO_KEY" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"email_auth_audit","arguments":{"domain":"mycompany.com"}}}'
Example output
PASS SPF: record present, ~all enforcement
FAIL DKIM: no selectors found (google._domainkey, dkim._domainkey, default._domainkey)
PASS DMARC: policy=reject, rua=dmarc@mycompany.com
Bulk audit across your org
#!/bin/bash
# Audit every domain in your inventory
DOMAINS="mycompany.com app.mysaas.com internal.corp partner-site.io"
for d in $DOMAINS; do
  echo "=== $d ==="
  curl -s -X POST https://veridomo.xyz/mcp \
    -H "Authorization: Bearer $VERIDOMO_KEY" \
    -d "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"email_auth_audit\",\"arguments\":{\"domain\":\"$d\"}}}" \
    | jq '.result.content[0].text | fromjson | {spf: .spf.present, dkim: (.dkim | length), dmarc: .dmarc.present}'
done
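What PASS, WARN and FAIL lines like the sample output above mean at the record level, as an added example that is not Veridomo's code or API: it grades raw SPF and DMARC TXT strings locally. The grading thresholds (`~all` and `-all` pass, `?all` and `p=none` warn) and the sample records are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Veridomo code. Thresholds are assumptions chosen to
# agree with the sample audit output; sample records are constructed.

# Print the "all" term of an SPF record (e.g. ~all), or "none" if absent.
spf_all() (
  set -f  # keep "?all" from being glob-expanded during word splitting
  for term in $1; do
    case "$term" in
      all|+all|-all|'~all'|'?all') printf '%s\n' "$term"; exit 0 ;;
    esac
  done
  printf 'none\n'
)

grade_spf() {
  case "$1" in
    'v=spf1'|'v=spf1 '*) ;;
    *) printf 'FAIL SPF: no v=spf1 record\n'; return 1 ;;
  esac
  q=$(spf_all "$1")
  case "$q" in
    -all|'~all') printf 'PASS SPF: record present, %s enforcement\n' "$q" ;;
    '?all') printf 'WARN SPF: ?all is neutral, nothing is enforced\n' ;;
    *) printf 'FAIL SPF: default is "%s", unlisted senders are not rejected\n' "$q"; return 1 ;;
  esac
}

# Print the value of one tag (v, p, rua, ...) from a DMARC record.
dmarc_tag() (
  set -f; IFS=';'
  for kv in $1; do
    kv=$(printf '%s' "$kv" | tr -d ' \t')
    case "$kv" in "$2="*) printf '%s\n' "${kv#*=}"; exit 0 ;; esac
  done
)

grade_dmarc() {
  [ "$(dmarc_tag "$1" v)" = DMARC1 ] || { printf 'FAIL DMARC: no v=DMARC1 record\n'; return 1; }
  p=$(dmarc_tag "$1" p)
  case "$p" in
    reject|quarantine) printf 'PASS DMARC: policy=%s, rua=%s\n' "$p" "$(dmarc_tag "$1" rua)" ;;
    none) printf 'WARN DMARC: policy=none, receivers take no action on failures\n' ;;
    *) printf 'FAIL DMARC: missing or invalid p= tag\n'; return 1 ;;
  esac
}

grade_spf 'v=spf1 include:_spf.example.net ~all'
grade_spf 'v=spf1 +all' || true
grade_dmarc 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
```

The grader looks only at the record it is given; it does not follow `include:` or `redirect=`, so a record that ends in `redirect=` is reported as having no default.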
SSL certificate monitoring
Monitor expiry dates across your certificate inventory. Alert before they expire. No openssl required.
# Check a single cert — returns full chain with expiry warnings
curl -s -X POST https://veridomo.xyz/mcp \
-H "Authorization: Bearer $VERIDOMO_KEY" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"ssl_check","arguments":{"host":"mycompany.com"}}}'
Example output
Subject: mycompany.com
Issuer: Let's Encrypt R3
WARN Expires in 14 days (within 30-day warning)
SANs: mycompany.com, www.mycompany.com, api.mycompany.com
Fingerprint: a1:b2:c3:...
Weekly cert inventory
# cron: 0 6 * * 1 — run every Monday morning
# One hostname per line in /etc/ssl-inventory.txt; blank lines are skipped
while IFS= read -r host; do
  [ -n "$host" ] || continue
  # Build the request body with jq so the hostname is JSON-escaped
  BODY=$(jq -n --arg host "$host" '{jsonrpc:"2.0",id:1,method:"tools/call",params:{name:"ssl_check",arguments:{host:$host}}}')
  curl -s -X POST https://veridomo.xyz/mcp \
    -H "Authorization: Bearer $VERIDOMO_KEY" \
    -d "$BODY" \
    | jq '{(.result.certificates[0].subject_cn): .result.certificates[0].days_remaining}'
done < /etc/ssl-inventory.txt
WHOIS change tracking
Monitor domain registration changes. Detect transfers, expirations, or unauthorized modifications.
# Check WHOIS — structured JSON, no raw text parsing
curl -s -X POST https://veridomo.xyz/mcp \
-H "Authorization: Bearer $VERIDOMO_KEY" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"whois_lookup","arguments":{"domain":"mycompany.com"}}}'
WHOIS change detection script
#!/bin/bash
# Detect registrar or nameserver changes
WHOIS_CACHE=/var/cache/whois
mkdir -p "$WHOIS_CACHE"
for domain in mycompany.com app.mysaas.com; do
  RESULT=$(curl -s -X POST https://veridomo.xyz/mcp \
    -H "Authorization: Bearer $VERIDOMO_KEY" \
    -d "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"whois_lookup\",\"arguments\":{\"domain\":\"$domain\"}}}")
  # Keep the cached baseline if the request returned nothing
  [ -n "$RESULT" ] || { echo "WARN: empty response for $domain" >&2; continue; }
  echo "$RESULT" > "$WHOIS_CACHE/$domain.new"
  # The whole response is compared, so any changed field raises the alert
  if [ -f "$WHOIS_CACHE/$domain" ]; then
    diff "$WHOIS_CACHE/$domain" "$WHOIS_CACHE/$domain.new" || \
      echo "ALERT: WHOIS change detected for $domain"
  fi
  mv "$WHOIS_CACHE/$domain.new" "$WHOIS_CACHE/$domain"
done
Incident response
When a security incident involves a domain, verify ownership before taking remediation actions.
Verify before you remediate
Suspicious domain registered? Verify ownership via DNS TXT challenge before submitting a takedown. Prove the domain is yours before the registrar asks.
Audit trail
Every verification returns a timestamped result. Log it to your SIEM. Use it as evidence that you confirmed ownership before acting.
Bulk investigation
Got a list of suspect domains? Run WHOIS lookups and SSL checks against all of them in one script. Structured output feeds directly into your investigation pipeline.
No external dependencies
Veridomo runs in your VPC. No third-party DNS services. No data leaves your network. The resolver queries authoritative nameservers directly.