
Free tool · Vendor & risk

Vendor consolidation report

Every third party authorized to send mail as your domain, with a per-vendor blast-radius rating. Spot the duplicates, scope your renewal review, and shrink the spoof surface. No signup.

What this tool checks

Most teams accumulate mail vendors the way they accumulate JavaScript dependencies: a transactional sender for the help desk, another for invoicing, a marketing platform for newsletters, a CRM that also sends, a second CRM after a re-platform, and a workspace migration that left old include: entries behind in SPF. Each one is still authorized. Each one is a separate compromise path.

We read your public DNS - SPF includes, DKIM well-known selectors, MX records, DMARC report receivers, and NS records - identify each third party we recognize, and rate the blast radius if that vendor is breached tomorrow. The output is a single page an MSP can hand to a customer or an IT team can drop into a vendor review.

Detection is signal-based: we don't need access to your billing, we don't need agents on your mail servers, and we don't need read-credentials. Everything we surface is already public to anyone who can resolve your domain - so an attacker can see the same picture. The difference is they're using it to plan a phishing run.

How to read the results

The four blast-radius tiers, worst to least bad:

  • Route: Your DNS provider. Compromise = total redirection of mail + web. Whoever owns your nameservers can change anything.
  • Send: SPF-authorized senders and DKIM signers. Compromise = phishing as your domain to anyone while passing SPF (and sometimes DKIM).
  • Read: MX provider and mail gateways. Compromise = reading inbound mail, including password-reset codes.
  • Observe: DMARC aggregate-report receivers. They see your sending volumes, IP space, and failure samples. No message content, but enough to fingerprint behavior.

What we flag automatically: two or more transactional senders, two or more marketing platforms, multiple workspace mail providers (usually a migration you forgot to finish), 5+ vendors with send rights, external DMARC report receivers, and SPF records over the 450-byte safe-single-TXT limit.
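
A sketch of the SPF part of this check, as an added example rather than the tool's own code: it pulls the include: mechanisms out of one SPF record, maps them to vendors through an assumed, illustrative lookup table, and applies the duplicate-category, 5+ sender and 450-byte flags listed above. The sample record, the flag names and the choice to count unrecognized includes as senders are constructed for the example; nested includes are not resolved, so it runs offline.

```python
import re

# Assumed include-target -> (vendor, category) table; illustrative, not the tool's list.
VENDORS = {
    "sendgrid.net": ("SendGrid", "transactional"),
    "mailgun.org": ("Mailgun", "transactional"),
    "servers.mcsv.net": ("Mailchimp", "marketing"),
    "_spf.google.com": ("Google Workspace", "workspace"),
    "spf.protection.outlook.com": ("Microsoft 365", "workspace"),
}

def spf_includes(record):
    """Return the include: targets of one SPF TXT record, lower-cased, in order."""
    if not record.lower().startswith("v=spf1"):
        return []
    found = re.findall(r"(?:^|\s)[+?~-]?include:(\S+)", record, re.I)
    return [t.lower().rstrip(".") for t in found]

def review(record):
    """Classify top-level includes and return the review flags they raise."""
    by_cat, unrecognized = {}, []
    for target in spf_includes(record):
        if target in VENDORS:
            name, cat = VENDORS[target]
            by_cat.setdefault(cat, []).append(name)
        else:
            unrecognized.append(target)  # still a sender, just not identified
    flags = [f"multiple-{cat}" for cat in ("transactional", "marketing", "workspace")
             if len(by_cat.get(cat, [])) >= 2]
    # Assumption: every include, recognized or not, counts as one vendor with send rights.
    if sum(len(v) for v in by_cat.values()) + len(unrecognized) >= 5:
        flags.append("five-plus-send-vendors")
    if len(record.encode()) > 450:
        flags.append("spf-over-450-bytes")
    return {"send": by_cat, "unrecognized": unrecognized, "flags": flags}

# Constructed sample record (not taken from any real domain).
SAMPLE = ("v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
          "include:sendgrid.net include:mailgun.org include:servers.mcsv.net "
          "include:mail.example-crm.test ~all")

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, value)
```

Each flag is a review item in the sense used on this page: the two workspace providers in the sample are the "migration you forgot to finish" pattern, and the unrecognized include is where the picture is incomplete.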

Frequently asked questions

Why does it matter that I have 8 vendors with send rights?

Each one is an independent compromise path. Your weakest vendor sets the floor on how easily an attacker can send phishing as your domain. Cutting from 8 to 3 cuts your spoof-surface by 5/8ths without any new tooling, and usually cuts a bill or two.

Can you see vendors that send via DKIM only, not SPF?

Partially. We probe a list of well-known DKIM selectors (selector1, google, k1, klaviyo, etc.). Vendors that mint custom per-customer selectors won't appear - that's a known limitation of any public-DNS scan. We surface what we can identify and tell you when the picture's incomplete.

Why does the report mention DMARC report receivers as a vendor?

They see your telemetry: sending volumes, IP space, failure samples. That's not message content, but it's enough to fingerprint your sending behavior. If you use an external DMARC aggregator, the contract should cover data handling. The Observe tier reflects this lower-but-real exposure.

Does this tool change anything in my DNS?

No. The tool is read-only. We resolve public DNS records and classify them. Removing a vendor is a manual step in your DNS panel, and we link to per-vendor de-authorization guides in our docs.

How is this different from the SPF flattener?

Different framing. The flattener answers 'how do I stay under the 10-lookup limit?'. The vendor-consolidation report answers 'who's authorized to phish as me, and which ones do I no longer need?' Both read the same SPF tree; the latter overlays vendor classification + blast-radius scoring.

Will the report flag a vendor I'm sure is legitimate?

Yes - 'flag' here means 'review item', not 'remove'. If your team genuinely uses both SendGrid and Mailgun, that's a conscious choice. The report just makes sure that choice was conscious rather than inherited.
