Tech Stack Recon
Reverse-engineer a company's sales, marketing, and outbound infrastructure from public signals. No login, no API access to their tools needed — everything is derived from DNS records, website source code, technology profiling, blacklist databases, and public complaints.
What It Detects
| Category | Tools Detected |
|---|---|
| CRM | HubSpot, Salesforce (via SPF, website pixels, DNS) |
| Cold Email Tools | Smartlead, Instantly, Outreach, Salesloft, Lemlist (via SPF, DKIM, TXT records, website source) |
| People Databases | Apollo, ZoomInfo, Clearbit, 6sense (via website tracker scripts) |
| Email Delivery | SendGrid, Amazon SES, Postmark, Mailgun, Mandrill (via SPF includes, DKIM selectors) |
| Email Marketing | Mailchimp, Brevo, ActiveCampaign, Klaviyo (via DKIM selectors) |
| Ad Retargeting | LinkedIn Insight Tag, Facebook Pixel, AdRoll, Reddit Ads, Twitter Ads (via Apify profiler + source) |
| Website Builder | Webflow, Framer, Next.js, WordPress (via Apify profiler + source) |
| Chat / Support | Intercom, Drift, Crisp, Zendesk (via website source) |
| Analytics | Google Analytics, Segment, Mixpanel, Amplitude, PostHog, Heap (via website source) |
| Outbound Domains | Separate cold sending domains (via SPF-only Google Workspace + redirect to primary) |
How It Works
The skill runs 5 layers of detection, each revealing different signals:
Layer 1: DNS Records (Free, instant)
MX → Primary email provider (Google Workspace, Microsoft 365, etc.)
SPF → Every service authorized to send email on their behalf
DKIM → Cryptographic proof of which tools actually send email
DMARC → Email authentication policy (how strict they are)
TXT → Misc verifications (Smartlead tracking domains, tool verifications)
CNAME → Subdomains pointing to third-party services
This is the highest-signal layer. SPF and DKIM don't lie — if SendGrid is in their SPF, they use SendGrid.
Layer 2: Website Source Inspection (Free, instant)
Fetches the target website and searches HTML for:
- Tracking pixels (Apollo, REB2B, HubSpot, Facebook, LinkedIn)
- Script tags loading third-party tools
- Meta tags and framework signatures
- Hidden form handlers and API endpoints
Layer 3: Apify Technology Profiler (Pay-per-use, ~$0.005/domain)
Runs the justa/technology-profiling-engine actor for deep detection of 7,000+ technologies using 8-tier inspection with confidence scores. Catches tools that don't appear in source code (loaded dynamically, via GTM, etc.).
Layer 4: Blacklist Checks (Free, instant)
Queries 6 major DNS-based blacklists:
- Spamhaus (zen.spamhaus.org)
- Barracuda (b.barracudacentral.org)
- SpamCop (bl.spamcop.net)
- SORBS (dnsbl.sorbs.net)
- SURBL (multi.surbl.org)
- URIBL (black.uribl.com)
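An added example (not taken from recon.py) of the two steps a DNSBL check needs for the six zones above: building the lookup name and classifying the answer. The split into IP-indexed and domain-indexed zones, and the refusal codes, are assumptions based on each list's public usage documentation; the sample subjects are constructed.

```python
import ipaddress

# Zones from the list above. The ip/domain split is an assumption from each
# list's public documentation: IP-indexed zones expect a reversed IPv4 address.
ZONES = {
    "zen.spamhaus.org": "ip", "b.barracudacentral.org": "ip",
    "bl.spamcop.net": "ip", "dnsbl.sorbs.net": "ip",
    "multi.surbl.org": "domain", "black.uribl.com": "domain",
}


def query_name(subject, zone):
    """Return the DNS name to look up, or None if subject does not fit the zone."""
    try:
        ip = ipaddress.IPv4Address(subject)
    except ValueError:
        ip = None
    if ZONES[zone] == "ip":
        if ip is None:
            return None  # a hostname under an IP zone never matches anything
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    if ip is not None:
        return None
    return subject.rstrip(".").lower() + "." + zone


def interpret(zone, answers):
    """Classify A-record answers; an empty list stands for NXDOMAIN."""
    if not answers:
        return "not listed"
    for answer in answers:
        if answer.startswith("127.255.255."):  # assumed Spamhaus error range
            return "error: query refused or malformed"
        if answer == "127.0.0.1" and ZONES[zone] == "domain":  # assumed refusal code
            return "error: query refused"
    if all(answer.startswith("127.") for answer in answers):
        return "listed"
    return "error: unexpected answer"  # e.g. a resolver rewriting NXDOMAIN


if __name__ == "__main__":
    for zone in ZONES:  # constructed subjects from documentation ranges
        print(zone, query_name("192.0.2.10", zone), query_name("example.com", zone))
```

Treat any "error" result as unknown rather than as listed or clean, since lookups sent through shared public resolvers are commonly refused.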
Layer 5: Public Complaint Search (Free)
Runs web searches for spam complaints on Trustpilot, Reddit, SpamCop forums, and the general web. Also searches for the company name together with tool names to find public mentions of their stack.
Cost
| Component | Cost |
|---|---|
| DNS queries | Free |
| Website source fetch | Free |
| Blacklist checks | Free |
| Web searches | Free |
| Apify Technology Profiler | ~$0.005 per domain |
Typical costs:
| Scenario | Domains | Est. Cost |
|---|---|---|
| Single company | 1 | ~$0.005 |
| Small batch | 5 | ~$0.025 |
| Large batch | 20 | ~$0.10 |
Skip the Apify profiler with --no-apify for free-only analysis (DNS + source + blacklists).
Setup
1. Required
# dig (DNS lookups) — included on macOS/Linux
which dig
# curl (website source fetch) — included on macOS/Linux
which curl
# Python 3 with requests + dotenv
pip3 install requests python-dotenv
2. Optional (for Apify Technology Profiler)
# Get your token at https://console.apify.com/account/integrations
# Add to .env:
APIFY_API_TOKEN=apify_api_YOUR_TOKEN_HERE
Usage
Single Company
python3 scripts/recon.py --domains pump.co
Batch of Companies
python3 scripts/recon.py --domains "dili.ai,pump.co,runautomat.com"
Free-Only Mode (No Apify)
python3 scripts/recon.py --domains pump.co --no-apify
Output to File
python3 scripts/recon.py --domains "dili.ai,pump.co" --output /path/to/report.md
JSON Output
python3 scripts/recon.py --domains pump.co --json
What the Script Does
For each domain:
- DNS Scan — Queries MX, SPF, DKIM (18 common selectors), DMARC, TXT records, and 30+ common subdomains (email, tracking, click, bounce, send, smtp, mail, etc.)
- Website Source Scan — Fetches the homepage HTML and greps for 40+ known tool signatures (script URLs, pixel IDs, tracking domains)
- Apify Technology Profile (optional) — Runs deep 8-tier technology detection for 7,000+ technologies with confidence scores
- Blacklist Check — Queries 6 DNS-based blacklists for the domain
- Outbound Domain Detection — Checks if common variations of the domain exist (get[name].com, try[name].com, [name]reach.com, etc.) and analyzes their DNS for cold outbound patterns
- Report Generation — Produces a structured markdown report with confirmed tools, evidence, email auth assessment, blacklist status, and an overall assessment
Agent Integration
When using this skill as an agent, follow this flow:
- User provides one or more company domains
- Run recon.py for all domains (confirm Apify cost if > 5 domains)
- Present the report, with findings grouped by:
- Confirmed tools (with evidence)
- Email authentication (SPF/DKIM/DMARC assessment)
- Deliverability (blacklist status + spam complaints)
- Notable signals (outbound domains, missing DMARC, SPF gaps)
- If batch, include a comparative summary table at the end
Agent Without the Script
The agent can perform all checks manually using built-in tools:
DNS checks — Use Bash tool:
dig +short MX example.com
dig +short TXT example.com
dig +short TXT _dmarc.example.com
dig +short TXT selector._domainkey.example.com
dig +short CNAME subdomain.example.com
Website source scan — Use Bash tool:
curl -sL https://www.example.com | grep -oi 'pattern1\|pattern2\|pattern3' | sort -u
Blacklist checks — Use Bash tool:
dig +short example.com.zen.spamhaus.org A
Apify profiler — Use Bash tool with Python:
# See scripts/recon.py for the full implementation
Spam complaints — Use WebSearch tool:
"example.com" spam OR unsolicited OR "cold email" OR blacklist
DNS Record Cheat Sheet
SPF Includes → Tool Identification
| SPF Include | Tool |
|---|---|
| _spf.google.com | Google Workspace |
| spf.protection.outlook.com | Microsoft 365 |
| sendgrid.net | SendGrid |
| amazonses.com | Amazon SES |
| *.hubspotemail.net | HubSpot |
| *.rsgsv.net or servers.mcsv.net | Mailchimp/Mandrill |
| spf.mandrillapp.com | Mandrill (Mailchimp transactional) |
| mail.zendesk.com | Zendesk |
| *.freshdesk.com | Freshdesk |
| spf.mailjet.com | Mailjet |
| spf.brevo.com | Brevo (Sendinblue) |
| _spf.salesforce.com | Salesforce |
| mktomail.com | Marketo |
| postmarkapp.com | Postmark |
| mailgun.org | Mailgun |
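An added example (not part of recon.py) that applies the SPF table above to raw `dig +short TXT` output when auditing a domain's own record: it rejoins chunked strings, rejects duplicate SPF records, and separates recognised senders from includes nobody has accounted for. The sample records and the `spf.vendor.example` include are constructed, and the lookup table is a subset of the cheat sheet.

```python
# Subset of the SPF cheat sheet; "*." prefixes dropped, suffix match covers them.
SPF_TOOLS = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
    "sendgrid.net": "SendGrid",
    "amazonses.com": "Amazon SES",
    "hubspotemail.net": "HubSpot",
    "servers.mcsv.net": "Mailchimp/Mandrill",
    "mailgun.org": "Mailgun",
}

SAMPLE_TXT = [  # constructed `dig +short TXT` output, not a real domain's records
    '"google-site-verification=constructed-token"',
    '"v=spf1 include:_spf.google.com include:sendgrid.net " '
    '"include:1234.spf01.hubspotemail.net include:spf.vendor.example ~all"',
]


def spf_record(txt_records):
    """Return the single v=spf1 record; dig prints long records as "a" "b" chunks."""
    joined = [r.replace('" "', "").strip('"') for r in txt_records]
    spf = [r for r in joined if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        raise ValueError("multiple v=spf1 records (receivers return permerror)")
    return spf[0] if spf else None


def audit_spf(txt_records):
    """Map include:/redirect= targets to tools; collect unknowns and the all qualifier."""
    result = {"tools": [], "unknown": [], "all": None}
    record = spf_record(txt_records)
    for term in (record or "").lower().split()[1:]:
        bare = term.lstrip("+-~?")
        if bare == "all":
            result["all"] = term[0] if term[0] in "-~?" else "+"
        elif bare.startswith("include:") or term.startswith("redirect="):
            sep = ":" if bare.startswith("include:") else "="
            target = bare.split(sep, 1)[1].rstrip(".")
            tool = next((name for pat, name in SPF_TOOLS.items()
                         if target == pat or target.endswith("." + pat)), None)
            result["tools" if tool else "unknown"].append(tool or target)
    return result


if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT))
```

Entries left in `unknown`, and an `all` qualifier weaker than `-`, are the items to review first in an SPF record you own.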
DKIM Selectors → Tool Identification
| Selector Pattern | Tool |
|---|---|
| google._domainkey | Google Workspace |
| selector1._domainkey / selector2._domainkey | Microsoft 365 |
| s1._domainkey / s2._domainkey → *.sendgrid.net | SendGrid |
| k1._domainkey → *.mcsv.net or dkim.mcsv.net | Mailchimp |
| k2._domainkey / k3._domainkey → dkim2.mcsv.net / dkim3.mcsv.net | Mailchimp |
| mandrill._domainkey | Mandrill |
| pm._domainkey | Postmark |
| smtp._domainkey | Generic SMTP |
| em._domainkey | Various (check CNAME target) |
TXT Records → Tool Identification
| TXT Pattern | Tool | |--