Grade a domain's email-authentication and DNS-security posture from live DNS in one call: SPF, DMARC (policy + alignment), DKIM (for the supplied or common selectors), MTA-STS, TLS-RPT, DNSSEC, CAA, and BIMI. Pass domain (and optional dkimSelector). Returns an overall letter grade, a summary (spf/dmarcPolicy/dkim/mtaSts/dnssec/caa/bimi + spoofingProtected), and a per-mechanism block with the raw record, parsed tags, and specific issues (e.g. 'DMARC p=none — monitor only', 'SPF ~all soft-fail', 'no MTA-STS'). Sourced from live public DNS via DNS-over-HTTPS — an LLM cannot know a domain's current records. For deliverability/anti-spoofing audits, vendor security review, and phishing-resistance checks. DKIM is selector-based (selectors aren't enumerable), so 'not found' only means none of the checked selectors resolved.