Tech Stack Recon

Reverse-engineer a company's sales, marketing, and outbound infrastructure from public signals. No login, no API access to their tools needed — everything is derived from DNS records, website source code, technology profiling, blacklist databases, and public complaints.

What It Detects

How It Works

The skill runs 5 layers of detection, each revealing different signals:

Layer 1: DNS Records (Free, instant)

MX     → Primary email provider (Google Workspace, Microsoft 365, etc.)
SPF    → Every service authorized to send email on their behalf
DKIM   → Cryptographic proof of which tools actually send email
DMARC  → Email authentication policy (how strict they are)
TXT    → Misc verifications (Smartlead tracking domains, tool verifications)
CNAME  → Subdomains pointing to third-party services

This is the highest-signal layer. SPF and DKIM don't lie — if SendGrid is in their SPF, they use SendGrid.

Layer 2: Website Source Inspection (Free, instant)

Fetches the target website and searches HTML for:

• Tracking pixels (Apollo, REB2B, HubSpot, Facebook, LinkedIn)
• Script tags loading third-party tools
• Meta tags and framework signatures
• Hidden form handlers and API endpoints

Layer 3: Apify Technology Profiler (Pay-per-use, ~$0.005/domain)

Runs

justa/technology-profiling-engine

Layer 4: Blacklist Checks (Free, instant)

Queries 6 major DNS-based blacklists:

• Spamhaus (zen.spamhaus.org)
• Barracuda (b.barracudacentral.org)
• SpamCop (bl.spamcop.net)
• SORBS (dnsbl.sorbs.net)
• SURBL (multi.surbl.org)
• URIBL (black.uribl.com)

Layer 5: Public Complaint Search (Free)

Web searches for spam complaints on Trustpilot, Reddit, SpamCop forums, and general web. Also searches for the company + tool names to find public mentions of their stack.

Cost

Typical costs:

Skip the Apify profiler with

--no-apify

Setup

1. Required

# dig (DNS lookups) — included on macOS/Linux
which dig

# curl (website source fetch) — included on macOS/Linux
which curl

# Python 3 with requests + dotenv
pip3 install requests python-dotenv

2. Optional (for Apify Technology Profiler)

# Get your token at https://console.apify.com/account/integrations
# Add to .env:
APIFY_API_TOKEN=apify_api_YOUR_TOKEN_HERE

Usage

Single Company

python3 scripts/recon.py --domains pump.co

Batch of Companies

python3 scripts/recon.py --domains "dili.ai,pump.co,runautomat.com"

Free-Only Mode (No Apify)

python3 scripts/recon.py --domains pump.co --no-apify

Output to File

python3 scripts/recon.py --domains "dili.ai,pump.co" --output /path/to/report.md

JSON Output

python3 scripts/recon.py --domains pump.co --json

What the Script Does

For each domain:

1. DNS Scan — Queries MX, SPF, DKIM (18 common selectors), DMARC, TXT records, and 30+ common subdomains (email, tracking, click, bounce, send, smtp, mail, etc.)
2. Website Source Scan — Fetches the homepage HTML and greps for 40+ known tool signatures (script URLs, pixel IDs, tracking domains)
3. Apify Technology Profile (optional) — Runs deep 8-tier technology detection for 7,000+ technologies with confidence scores
4. Blacklist Check — Queries 6 DNS-based blacklists for the domain
5. Outbound Domain Detection — Checks if common variations of the domain exist (get[name].com, try[name].com, [name]reach.com, etc.) and analyzes their DNS for cold outbound patterns
6. Report Generation — Produces a structured markdown report with confirmed tools, evidence, email auth assessment, blacklist status, and an overall assessment

Agent Integration

When using this skill as an agent, follow this flow:

1. User provides one or more company domains
2. Run

   recon.py

   for all domains (confirm Apify cost if > 5 domains)
3. Present the report — group findings by:
   • Confirmed tools (with evidence)
   • Email authentication (SPF/DKIM/DMARC assessment)
   • Deliverability (blacklist status + spam complaints)
   • Notable signals (outbound domains, missing DMARC, SPF gaps)
4. If batch, include a comparative summary table at the end

Agent Without the Script

The agent can perform all checks manually using built-in tools:

DNS checks — Use

Bash

dig +short MX example.com
dig +short TXT example.com
dig +short TXT _dmarc.example.com
dig +short TXT selector._domainkey.example.com
dig +short CNAME subdomain.example.com

Website source scan — Use

Bash

curl -sL https://www.example.com | grep -oi 'pattern1\|pattern2\|pattern3' | sort -u

Blacklist checks — Use

Bash

dig +short example.com.zen.spamhaus.org A

Apify profiler — Use

Bash

# See scripts/recon.py for the full implementation

Spam complaints — Use

WebSearch

"example.com" spam OR unsolicited OR "cold email" OR blacklist

DNS Record Cheat Sheet

SPF Includes → Tool Identification

_spf.google.com

spf.protection.outlook.com

sendgrid.net

amazonses.com

*.hubspotemail.net

*.rsgsv.net

servers.mcsv.net

spf.mandrillapp.com

mail.zendesk.com

*.freshdesk.com

spf.mailjet.com

spf.brevo.com

_spf.salesforce.com

mktomail.com

postmarkapp.com

mailgun.org

DKIM Selectors → Tool Identification

google._domainkey

selector1._domainkey

selector2._domainkey

s1._domainkey

s2._domainkey

*.sendgrid.net

k1._domainkey

*.mcsv.net

dkim.mcsv.net

k2._domainkey

k3._domainkey

dkim2.mcsv.net

dkim3.mcsv.net

mandrill._domainkey

pm._domainkey

smtp._domainkey

em._domainkey

TXT Records → Tool Identification

open.sleadtrack.com

hubspot-developer-verification=*

anthropic-domain-verification-*

MS=*

google-site-verification=*

slack-domain-verification=*

atlassian-domain-verification=*

docusign=*

facebook-domain-verification=*

_github-pages-challenge-*

stripe-verification=*

Website Source Patterns → Tool Identification

assets.apollo.io/micro/website-tracker

hs-script

js.hs-scripts.com

px.ads.linkedin.com

connect.facebook.net

fbq(

snap.licdn.com

cdn.segment.com

cdn.mxpnl.com

mixpanel

cdn.amplitude.com

app.posthog.com

posthog

widget.intercom.io

js.driftt.com

client.crisp.chat

static.zdassets.com

s3-us-west-2.amazonaws.com

reb2b

clearbit.com/tag.js

reveal

6sc.co

6sense

tag.demandbase.com

d.adroll.com

googletagmanager.com

gtag('config', 'G-*')

Cold Outbound Domain Patterns

A separate domain is being used for cold email if it has:

• Google Workspace MX (or similar) but no product/marketing email tools in SPF
• SPF that only includes

  _spf.google.com

  (sending from raw mailboxes)
• A 301/302 redirect to the company's primary domain
• No website content of its own
• Domain name follows patterns like:

  [brand]reach.com

  ,

  get[brand].com

  ,

  try[brand].com

  ,

  meet[brand].com

  ,

  [brand]hq.com

DMARC Assessment Guide

p=reject

p=quarantine

p=none

Troubleshooting

"No tools detected"

• The company may be very early-stage with minimal tooling
• Some tools (like Apollo used only for prospecting, not sending) leave no DNS trace
• LinkedIn Sales Navigator, Clay enrichment, and similar tools don't leave public signals
• Try the Apify profiler if you only ran free-only mode

"SPF has Google only but they use Smartlead/Instantly"

• This is normal. Smartlead and Instantly typically connect to Google Workspace mailboxes via SMTP and send through Google — so SPF passes via Google's include. The cold email tool itself doesn't need its own SPF entry.
• Look for Smartlead's

  open.sleadtrack.com

  in TXT records or website source as confirmation.

"Apify profiler timed out"

• Some sites take longer to load. The profiler has a 3-minute timeout.
• Retry once. If it fails again, rely on DNS + source code analysis.

"artisan.ai resolves but redirects to Afternic"

• The domain is parked/for sale. Check common alternatives:

  .co

  ,

  .com

  ,

  .io

  .
• Wildcard DNS (all subdomains resolve to the same IP) is a sign of a parked domain.

Links

• Apify Technology Profiling Engine
• Apify API Token
• MXToolbox — manual verification
• Spamhaus Domain Lookup