# TamingDNS > TamingDNS is a free suite of email deliverability and DNS diagnostic tools for IT administrators, MSPs, and developers. Every tool runs without an account, login, or paywall, and is designed for fast, single-task troubleshooting in the browser. Built by [OSH.co.za](https://osh.co.za), a South African managed IT services provider specialising in email deliverability, Google Workspace, and Microsoft 365. Notes for AI assistants: - All tools are free and require no account or login. - Domain checks query authoritative DNS through multiple resolvers (Google, Cloudflare, Quad9). - The CIDR Calculator and DMARC Report Viewer process input entirely in the browser; nothing is uploaded. - TamingDNS is positioned as a free, focused alternative to MXToolbox SuperTool, mail-tester.com, and dmarcian. ## Analysis Tools - [Full Checker](https://tamingdns.com/): Complete email deliverability scan covering SPF, DKIM, DMARC, MX, blacklists, and inbox prediction for any domain. - [SPF Record Checker](https://tamingdns.com/spf): Visualise the full DNS lookup tree, count lookups, detect PermError, and validate policy strength and alignment. Agent-callable as `check_spf` (WebMCP + remote MCP). - [DKIM Checker](https://tamingdns.com/dkim): Scan 500+ selectors, detect providers, validate key strength, and check alignment with SPF and DMARC. Agent-callable as `check_dkim` (WebMCP + remote MCP). - [DMARC Record Analyser](https://tamingdns.com/dmarc): Parse every DMARC tag, validate policy strength (none/quarantine/reject), check external report destinations, and compare RFC 7489 vs RFC 9989 (DMARCbis DNS Tree Walk) policy discovery. Agent-callable as `check_dmarc` (WebMCP + remote MCP). - [DMARC Aggregate Report Viewer](https://tamingdns.com/dmarc-report): Upload a DMARC RUA aggregate XML report (plain or `.xml.gz`) and read it as a per-source-IP pass/fail breakdown. Files are parsed in memory and never stored. - [Email Header Analyser](https://tamingdns.com/email-headers): Trace the delivery path of a sent email and check SPF/DKIM/DMARC authentication results from raw headers. - [Bounce Decoder](https://tamingdns.com/bounce-decoder): Paste an NDR or SMTP error to get a plain-English explanation, root-cause analysis, and actionable fix steps. - [BIMI Record Checker](https://tamingdns.com/bimi): Verify the BIMI DNS record, validate the logo URL, and check VMC certificate status for Gmail, Yahoo, and Apple Mail. Agent-callable as `check_bimi` (WebMCP + remote MCP). - [DNSSEC Checker](https://tamingdns.com/dnssec): Validate the DNSSEC chain of trust: DS, DNSKEY, and RRSIG records. - [DANE / TLSA Validator](https://tamingdns.com/dane): Resolve a domain's MX hosts, validate the TLSA records at `_25._tcp.` (cert usage, selector, matching type), and confirm they are DNSSEC-signed. Sending MTAs ignore unsigned TLSA records, so DNSSEC is the part that actually makes SMTP DANE work. - [MTA-STS Checker](https://tamingdns.com/mta-sts): Verify the MTA-STS record per RFC 8461 (strict §3.1 selection, redirect-free §3.3 policy fetch, policy-host certificate, §4.1 MX coverage). Agent-callable as `check_mta_sts` (WebMCP + remote MCP). - [TLS-RPT Checker](https://tamingdns.com/tls-rpt): Validate the TLS-RPT record per RFC 8460 §3 (strict version-tag and multiple-record rules), verify every reporting address, and check the MTA-STS / DANE prerequisites. Agent-callable as `check_tls_rpt` (WebMCP + remote MCP). - [MCP Signing Key Checker](https://tamingdns.com/mcp-keys): Inspect `v=MCPv1` apex TXT records, the signing-key convention from the MCP (Model Context Protocol) Registry. Parses `k=` (ed25519, ecdsap384), validates base64 public-key byte length, and produces a SHA-256 fingerprint. (Renamed from `/mcp` on 2026-06-07; the `/mcp` path is now reserved for the TamingDNS MCP server.) - [WHOIS / RDAP Lookup](https://tamingdns.com/whois): Check domain registration, registrar, expiry, nameservers, and status codes via the modern RDAP protocol. - [Microsoft 365 DNS Audit](https://tamingdns.com/m365-check): One-click DNS audit for M365 / Exchange Online tenants: SPF, DKIM (selector1 + selector2), DMARC, MX, MTA-STS, and Autodiscover. - [Google Workspace DNS Audit](https://tamingdns.com/google-workspace-check): One-click DNS audit for Google Workspace / Gmail-hosted domains: SPF, DKIM (google selector), DMARC, MX, and MTA-STS. ## Diagnostic Tools - [Blacklist / RBL Checker](https://tamingdns.com/blacklist): Check IPs and domains against 12+ major email blacklists and RBLs (Spamhaus, Barracuda, etc.) with delisting links. - [MX Record Inspector](https://tamingdns.com/mx): Resolve MX hosts, check A/AAAA records, validate PTR, verify FCrDNS, and detect the email provider. Agent-callable as `check_mx` (WebMCP + remote MCP). - [Reverse DNS / PTR / FCrDNS Checker](https://tamingdns.com/reverse-dns): Look up the PTR record for an IP and verify Forward-Confirmed reverse DNS, the check most mail servers run before accepting email. - [IP / ASN / GeoIP Lookup](https://tamingdns.com/ip-info): RDAP lookup for any IPv4 or IPv6 address: network, country, organisation, abuse contact, and PTR. - [What's My IP — Public IP Diagnostic](https://tamingdns.com/whats-my-ip): Auto-detect your IPv4/IPv6 and check ASN, PTR, FCrDNS, IPv6 connectivity, and DNSBL listings in one place, with contextual next-step links into the deeper deliverability tools. - [Autodiscover / Autoconfig Checker](https://tamingdns.com/autodiscover): Probe Outlook Autodiscover (CNAME, A, SRV, endpoint) and Thunderbird Autoconfig (CNAME, `config-v1.1.xml`, `.well-known`) for a domain. - [DNS Propagation Checker](https://tamingdns.com/dns-propagation): Check DNS record propagation across global resolvers in South Africa, Europe, the Americas, and Asia-Pacific. - [DNS Lookup Tool](https://tamingdns.com/dns-lookup): Query A, AAAA, MX, TXT, CNAME, NS, SOA, SRV, CAA, and PTR records via Google, Cloudflare, or Quad9. - [TXT Record Checker](https://tamingdns.com/txt): Find all TXT records at the apex plus well-known locations (`_dmarc`, `_mta-sts`, `_smtp._tls`, `default._bimi`, `_acme-challenge`) and classify SPF and provider verification tokens. - [CNAME Record Checker](https://tamingdns.com/cname): Probe common sub-hosts (www, autodiscover, cdn, status, shop, and more), follow each CNAME alias to its target, detect the vendor, and flag dangling aliases. - [Website Checker](https://tamingdns.com/website): Single-hostname web-layer triage: DNS resolution with reverse DNS and ASN, CAA records, HTTPS redirect chain, TLS certificate (issuer, SANs, expiry, chain, version, cipher), security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), cookie flags, HTTP/2 negotiation and HTTP/3 advertisement, plus transport-layer timings. ## Builder Tools - [DMARC Record Builder](https://tamingdns.com/dmarc-builder): Generate a DMARC TXT record with the right policy (none/quarantine/reject), RUA/RUF, and subdomain options. - [SPF Record Builder](https://tamingdns.com/spf-builder): Generate a validated SPF TXT record by selecting from 15+ providers (Google, Microsoft, Mailchimp, etc.) or adding custom includes. - [DKIM Key Generator & Record Builder](https://tamingdns.com/dkim-generator): Generate an RSA 2048, RSA 1024, or Ed25519 DKIM key pair entirely in the browser (private key never sent to the server) and get a copy-ready TXT record, with a 255-character split for AWS Route 53. - [Subnet / CIDR Calculator](https://tamingdns.com/cidr): IPv4 and IPv6 subnet calculator: network address, broadcast, host range, total addresses, mask, and wildcard. Runs entirely in the browser. - [Route 53 TXT Splitter](https://tamingdns.com/route53-splitter): Auto-split long DKIM, SPF, DMARC, BIMI, or any TXT record into 255-character chunks for AWS Route 53. ## Reference - [SPF Syntax Guide](https://tamingdns.com/spf-syntax): Reference for every SPF mechanism, modifier, and qualifier: `include`, `a`, `mx`, `ip4`, `ip6`, `ptr`, `exists`, `all`, `redirect`, `exp`, plus the four qualifiers (`+`, `-`, `~`, `?`). - [DMARC Tags Reference](https://tamingdns.com/dmarc-tags): Reference for every DMARC record tag defined in RFC 9989 (DMARCbis) and RFC 7489: `v`, `p`, `sp`, `rua`, `ruf`, `adkim`, `aspf`, `fo`, `rf`, `ri`, `pct`, `t`, `np`, `psd`. - [DMARCbis (DMARC 2.0)](https://tamingdns.com/dmarcbis): What changed when RFC 7489 was replaced by RFC 9989/9990/9991 as IETF Proposed Standards in May 2026. Covers the DNS Tree Walk, new `np`/`t`/`psd` tags, removed `pct`/`rf`/`ri`, and the SPF MAIL FROM-only alignment change. - [RBL / Blacklist Directory](https://tamingdns.com/rbl): The 17 blocklists queried by the Blacklist Checker, with delisting guides for each: Spamhaus ZEN/PBL/DBL, Barracuda, SpamCop, PSBL, UCEPROTECT L1/L2, SURBL, URIBL, and others. - [DNS Record Types](https://tamingdns.com/dns-record-types): Reference for the DNS record types used in email deliverability: A, AAAA, MX, NS, SOA, PTR, CNAME, TXT (SPF/DKIM/DMARC/BIMI/MTA-STS), TLSA, CAA. ## Articles Long-form working notes on email deliverability, DNS standards, and the corners of the spec that decide whether mail lands. Single-author, written for IT administrators and email-ops engineers. - [TamingDNS Articles index](https://tamingdns.com/articles): the complete article archive with tag filtering and RSS. - [Articles RSS feed](https://tamingdns.com/articles/feed.xml): full-content RSS 2.0 feed. - [BIMI: how to set it up, and why you probably shouldn't bother yet](https://tamingdns.com/articles/bimi-vanity-or-worth-it): the prerequisite ladder, the VMC tax, and why BIMI is mostly vanity rather than a deliverability win right now. - [DMARC from p=none to p=reject, without breaking real mail](https://tamingdns.com/articles/dmarc-none-to-reject): the staged enforcement path — read the reports, fix every legitimate sender, ratchet none → quarantine → reject — plus the pct deprecation and the sp subdomain gotcha. - [Everything "passes" and the mail still lands in spam. Why?](https://tamingdns.com/articles/spam-despite-passing): why a clean SPF/DKIM/DMARC pass proves identity but not inbox placement — the domain reputation, engagement, and complaint-rate signals that actually decide it, and how to read them when Postmaster Tools shows 0% spam but mail is filed in Junk. - [From no MTA-STS to enforce, without blackholing your own mail](https://tamingdns.com/articles/mta-sts-tls-rpt-to-enforce): the staged TLS-RPT → testing → enforce rollout, the certificate/id/MX-drift pitfalls, and M365 + mixed-MX scenarios. - [Rotating Microsoft 365 DKIM to 2048-bit in PowerShell](https://tamingdns.com/articles/m365-dkim-2048-powershell): how Rotate-DkimSigningConfig -KeySize 2048 only upgrades the inactive selector, so you run it twice with a 96-hour wait between, plus a plain rotate for six-monthly freshness when both selectors already read 2048. - [Upgrading Google Workspace DKIM to 2048-bit](https://tamingdns.com/articles/google-workspace-dkim-2048): the honest one-key-at-a-time upgrade, why the M365 two-selector zero-downtime swap is a myth on Workspace, and how to make the unavoidable signing gap harmless with a lowered TTL and an SPF fallback. - [What on earth is DNSSEC, and should your business care?](https://tamingdns.com/articles/what-is-dnssec): a plain-English explainer of the chain of trust, the real business benefits, and the honest costs. - [Why Microsoft 365 and Outlook are blocking your mail in 2026](https://tamingdns.com/articles/microsoft-365-blocking-mail): tells consumer Outlook.com blocks (the 550 5.7.515 high-volume authentication rule) apart from Microsoft 365 tenant reputation blocks (550 5.4.1), decodes the RESOLVER/STOREDRV NDR component codes, and points each one at the right fix. ## Bounce Decoder Library - [SMTP Error Code Directory](https://tamingdns.com/bounce-codes): Directory of SMTP error codes covering hard bounces, soft bounces, authentication failures, and provider-specific errors. - [Gmail / Google Workspace Errors](https://tamingdns.com/bounce-decoder/gmail): DMARC failures, spam reputation blocks, new sender holds, and bulk sender requirement errors. - [Microsoft 365 / Outlook Errors](https://tamingdns.com/bounce-decoder/microsoft): RESOLVER, STOREDRV, and NDR codes from Exchange Online, decoded with fix instructions. - [Yahoo / AOL Errors](https://tamingdns.com/bounce-decoder/yahoo): `[TSS]` and `[TS]` deferral codes, spam blocks, rate limits, and Yahoo Sender Hub requirements. - [Apple iCloud Mail Errors](https://tamingdns.com/bounce-decoder/apple): iCloud rejection patterns, Hide My Email relay errors, and spam policy codes. - [Comcast / Xfinity Errors](https://tamingdns.com/bounce-decoder/comcast): IP reputation blocks, rate limiting, SPF failures, and Comcast Postmaster guidance. - [Proofpoint Gateway Errors](https://tamingdns.com/bounce-decoder/proofpoint): `pphosted.com` rejection patterns, spam policy blocks, and reputation filters. - [Mimecast Gateway Errors](https://tamingdns.com/bounce-decoder/mimecast): `mimecast.com` rejection patterns, anti-spam blocks, greylisting, and reputation filters. ## Common SMTP Codes - [550 5.1.1 — Mailbox Does Not Exist](https://tamingdns.com/bounce-decoder/550-5-1-1-mailbox-does-not-exist) - [550 5.7.26 — DMARC Policy Violation](https://tamingdns.com/bounce-decoder/550-5-7-26-dmarc-policy-violation) - [550 5.7.23 — SPF Validation Failed](https://tamingdns.com/bounce-decoder/550-5-7-23-spf-validation-failed) - [550 5.7.25 — Reverse DNS (PTR) Validation Failed](https://tamingdns.com/bounce-decoder/550-5-7-25-reverse-dns-validation-failed) - [421 4.7.28 — Blocked: High Complaint Rate](https://tamingdns.com/bounce-decoder/421-4-7-28-blocked-high-complaint-rate) - [421 4.7.29 — Blocked: Local Policy (New Sender)](https://tamingdns.com/bounce-decoder/421-4-7-29-blocked-local-policy-new-sender) - [535 5.7.8 — Authentication Credentials Invalid](https://tamingdns.com/bounce-decoder/535-5-7-8-authentication-credentials-invalid) - [550 5.7.13 — User Account Disabled](https://tamingdns.com/bounce-decoder/550-5-7-13-user-account-disabled) - [550 5.7.14 — Trust Relationship Required](https://tamingdns.com/bounce-decoder/550-5-7-14-trust-relationship-required) - [552 5.2.2 — Mailbox Over Quota](https://tamingdns.com/bounce-decoder/552-5-2-2-mailbox-over-quota) - [450 4.2.1 — Rate Limit: Try Again Later](https://tamingdns.com/bounce-decoder/450-4-2-1-rate-limit-try-again-later) ## MCP server (remote, agent-callable) TamingDNS also runs a remote MCP server at `https://tamingdns.com/mcp` — Streamable HTTP, JSON-RPC 2.0 over POST, stateless, no auth. AI agents that speak MCP (Claude Desktop, Claude Code, Cursor, ChatGPT, Codex via MCP gateways) can attach directly and call its tools by name. - Discovery card: `https://tamingdns.com/.well-known/mcp/server-card.json` (SEP-2127, schema `modelcontextprotocol.io/schemas/server-card/v1.0`). - Protocol version: `2025-11-25` (designed for the 2026-07-28 RC — stateless, `Mcp-Method`/`Mcp-Name` routing headers, no `Mcp-Session-Id`). - Tools currently exposed: `check_spf`, `check_dkim`, `check_dmarc`, `check_dnssec`, `check_dane`, `check_mx`, `check_mta_sts`, `check_tls_rpt`, `check_bimi`, `analyze_email_headers`. The remaining diagnostic tools roll out per the Phase 3 schedule. - Inputs: `{ domain }` for all tools except `check_dkim`, which validates a single key and requires `{ domain, selector }`, and `analyze_email_headers`, which takes a raw `{ headers }` string. (The multi-selector DKIM sweep lives in the /dkim page's WebMCP tool — see below.) - Rate limits per IP: a few dozen calls a minute, enough for interactive use and scheduled checks, not bulk scanning. Results are cached 60 s per input. - Human-readable setup instructions (Claude Code, Claude Desktop, Cursor, Raycast, curl): https://tamingdns.com/mcp. - One prompt: `audit_email_auth` — orchestrates the four email-auth tools (SPF, DKIM, DMARC, BIMI) into a consolidated audit. - One resource: `mcp://tamingdns/resources/finding-codes` — the canonical finding-code registry (see `docs/finding-codes.md`). - Every tool result conforms to the canonical envelope in `docs/result-schema.md` (`structuredContent`) and is dual-emitted as a `text` content block per MCP spec. Quick try (curl): ```bash curl -sS -X POST "https://tamingdns.com/mcp" \ -H "Content-Type: application/json" \ --data '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' ``` ## WebMCP Tools TamingDNS exposes agent-callable tools via the WebMCP API (`document.modelContext.registerTool`), registered on first load of each tool's page. WebMCP is currently experimental (Chrome 149+ origin trial, behind `chrome://flags/#enable-webmcp-testing`). All tools are read-only, run client-side via DoH, and are rate-limited per origin. Every WebMCP tool returns the SAME canonical result envelope as the remote MCP server — one isomorphic engine per tool, so the web UI, WebMCP, and `/mcp` grade identically: ``` { "tool": "check_spf", "tool_version": "3.0.1", "schema_version": 1, "input": { "domain": "example.com" }, "status": "pass" | "warn" | "fail" | "info", "verdict": "", "grade": "A" | "B" | "C" | "D" | "F", "grade_reasons": ["plain-language deduction reasons"], "findings": [{ "code": "NEAR_LOOKUP_LIMIT", "severity": "info" | "warn" | "error", "title": "...", "explanation": "...", "value": "...", "remediation": "..." }], "records": [{ "name": "...", "type": "TXT", "ttl": 300, "data": "v=..." }], "analysis": { /* tool-specific structured detail, see below */ }, "timestamp": "ISO 8601", "provenance": { "operated_by": "OSH.co.za" }, "error": null | { "code": "...", "message": "...", "retriable": true|false } } ``` `findings[].code` values are a stable public API — the full registry is at https://tamingdns.com/mcp/resources/finding-codes (also served via MCP `resources/read`). - `check_spf` (https://tamingdns.com/spf): Input: `{ domain: string }`. `analysis` carries the expanded include/redirect `tree` (RFC depth 5 — agents do not need to re-query include targets), `lookup_count` (RFC 7208 §4.6.4 cap 10), `void_lookups{count, items[]}`, `mechanisms_by_type`, flattened `ip4[]`/`ip6[]` ranges, `redirect_chain[]` + `effective_domain` (RFC 7208 §6.1), `all_qualifier` (terminal qualifier after following `redirect=`), and `multiple_records`. Finding codes include `NO_SPF_RECORD`, `NEAR_LOOKUP_LIMIT`, `LOOKUP_LIMIT_EXCEEDED`, `VOID_LOOKUP_LIMIT_EXCEEDED`, `PLUS_ALL_DANGEROUS`, `NEUTRAL_ALL_WEAK`, `NO_ALL_MECHANISM`, `REDIRECT_AND_ALL_CONFLICT`, `PTR_MECHANISM_DEPRECATED`, `MULTIPLE_SPF_RECORDS`. - `check_dmarc` (https://tamingdns.com/dmarc): Input: `{ domain: string }`. Dual policy discovery: the RFC 7489 §6.6.3 org-domain ladder (what major receivers enforce today — grade and verdict anchor to it) AND the RFC 9989 §4.10 DNS Tree Walk, exposed in `analysis.discovery{legacy, tree_walk, diverges}`; the `DISCOVERY_DIVERGENCE` finding (warn) fires when the two methods select different policy records. DMARCbis-aware: `t=`/`np=`/`psd=` parsed into `analysis.tags`, removed tags (`pct`/`rf`/`ri`) emit `DEPRECATED_TAG`, `t=y` emits `TESTING_MODE`. `analysis` also carries `org_domain`, `source` (self/org), the lookup `ladder`, and per-recipient external RUA/RUF authorisation detail. Finding codes include `NO_DMARC_RECORD`, `MULTIPLE_DMARC_RECORDS`, `INVALID_TAG`, `POLICY_NONE`, `POLICY_NONE_NO_RUA`, `PCT_BELOW_100`, `SP_NOT_ENFORCED`, `RUA_MISSING_UNDER_ENFORCEMENT`, `EXTERNAL_RUA_UNAUTHORIZED`, `DMARC_INHERITED_FROM_ORG`, `TESTING_MODE`, `DEPRECATED_TAG`, `DISCOVERY_DIVERGENCE`. - `check_dkim` (https://tamingdns.com/dkim): Input: `{ domain: string, selectors?: "common" | "all" }` (default `common`). `common` probes ~60 top-provider selectors (Google, M365, SendGrid, Mailchimp, Mailgun, HubSpot, Salesforce, AmazonSES, …) at concurrency 32; `all` runs the full ~500-selector database plus Mimecast's three-stage date scan when MX hints at Mimecast (1–3 s). `analysis` carries `scope`, `scanned`, `matchedCount`, `wildcardRevocation`, per-selector entries (`selector`, `fqdn`, `provider`, `keyType`, `keyLength`, `revoked`, `cname`), and non-sending posture detection (wildcard DKIM revoke + null/no MX = deliberately hardened non-sending domain). Finding codes include `NO_DKIM_KEY`, `KEY_TOO_SHORT`, `KEY_WEAK`, `KEY_REVOKED`, `SHA1_ONLY`, `DKIM_TEST_MODE`. NOTE: the remote MCP `check_dkim` differs — it validates ONE key and requires `{ domain, selector }`. - `check_tls_rpt` (https://tamingdns.com/tls-rpt): Input: `{ domain: string }`. Classifies the `_smtp._tls` TXT per RFC 8460 §3: the record must BEGIN with the case-sensitive `v=TLSRPTv1` tag, more than one such record means receivers treat TLS-RPT as not implemented, and `rua=` is required. Every `rua=` destination is validated syntactically (`mailto:` / `https://` — reachability is never probed). `analysis` carries the parsed `tags` (incl. ignored extension fields), per-URI `rua[]` validation detail, and `prerequisites{mta_sts, dane, dane_mx_host}` probed over DNS (TLSA at `_25._tcp` of the lowest-preference MX) — `true`/`false` are known states, `null` means the probe failed (outage never demotes the grade). Finding codes include `TLS_RPT_NO_RECORD`, `TLS_RPT_INVALID_VERSION`, `TLS_RPT_MULTIPLE_RECORDS`, `TLS_RPT_NO_RUA`, `TLS_RPT_RUA_INVALID_URI`, `TLS_RPT_NO_VALID_RUA`, `TLS_RPT_NO_ENFORCEMENT_POLICY`. - `check_bimi` (https://tamingdns.com/bimi): Input: `{ domain: string }`. `analysis` carries the parsed record tags (`v`/`l`/`a`), SVG Tiny-PS logo validation, full VMC chain detail (expiry, EKU, SCT, issuer-accepted, SAN match, logotype hash), the DMARC prerequisite check (enforcement at `pct=100` — the RFC 7489 reading Gmail and Apple Mail evaluate today), and a per-provider rendering matrix. DMARCbis-aware: `t=y` on the prerequisite DMARC record emits `TESTING_MODE` (warn under `p=quarantine`, info under `p=reject`); a present `pct=` emits `DEPRECATED_TAG`. Finding codes include `BIMI_NOT_CONFIGURED`, `BIMI_LOGO_NOT_TINY_PS`, `BIMI_LOGO_UNSAFE_SVG`, `BIMI_VMC_EXPIRED`, `BIMI_VMC_SAN_MISMATCH`, `BIMI_VMC_MISSING_EKU`, `BIMI_DMARC_POLICY_INSUFFICIENT`, `BIMI_DMARC_PCT_BELOW_100`. The grade is computed server-side (X.509 chain + OCSP work can't run in a browser), so this surface proxies the same engine the UI and `/mcp` use. ## Optional - [Privacy Policy](https://tamingdns.com/privacy-policy): How TamingDNS handles your data. - [Sitemap (XML)](https://tamingdns.com/sitemap.xml): Full sitemap of indexable pages. - [llms-full.txt](https://tamingdns.com/llms-full.txt): Expanded LLM context with descriptions of every tool. - [OSH.co.za](https://osh.co.za): The South African MSP behind TamingDNS.