# CanaryFleet

CanaryFleet is a blackbox site monitoring service for agencies and freelancers. It watches your sites from the outside — no installed SDKs, no tracking scripts, no access to your infrastructure.

The free SSL & Domain Expiry Checker and the free Email DNS checker are the public entry points.

## Free SSL & Domain Expiry Checker

URL: https://canaryfleet.com/tools/ssl-checker

Check any domain's SSL certificate **and** domain registration in one page — issuer, validity, chain trust, certificate expiry, registrar, registration expiry, registration date, nameservers, status locks. Two independent reads: the SSL half comes from a live TLS handshake against port 443; the domain registration half comes from RDAP (the IETF replacement for WHOIS) queries against the relevant TLD registry.

Most gTLDs (.com, .org, .net, .biz, .info, .dev, ...) publish RDAP; many ccTLDs (.se, .io, .uk, ...) don't — for those, the SSL half still works and the registration half reports `source: rdap-unsupported`. Personal registrant data (name, email, phone, address) is never exposed by this tool, even when the upstream RDAP server returns it.

Results are cached at the edge and available in three machine-readable formats per domain:

- `/tools/ssl-checker/{domain}.md`   — text/markdown, complete-sentence citation body with both certificate and registration sections, suitable for LLM quoting
- `/tools/ssl-checker/{domain}.json` — application/json, structured data with top-level `certificate` + `registration` keys, plus prose under `_canaryfleet`
- `/tools/ssl-checker/{domain}`      — HTML page for human readers

The SSL half is cached 1 hour; the registration half is cached 24 hours (registration data changes infrequently). Stale-while-revalidate windows: 24h for SSL, 7d for registration.

Examples:
- https://canaryfleet.com/tools/ssl-checker/stripe.com.md
- https://canaryfleet.com/tools/ssl-checker/stripe.com.json
- https://canaryfleet.com/tools/ssl-checker/stripe.com
- https://canaryfleet.com/tools/ssl-checker/cloudflare.com.md
- https://canaryfleet.com/tools/ssl-checker/expired.badssl.com.md

The .md endpoint always returns 200 with a citable result body — even for unreachable hosts, chain errors, or TLDs without RDAP. The status of each half is in the body, so an LLM can quote a meaningful answer in every case.

## Free Email DNS checker

URL: https://canaryfleet.com/tools/email-dns-checker

Check the email-related DNS records for any domain — MX, SPF, DKIM (common-selector best-effort), DMARC, MTA-STS, TLS-RPT, and BIMI — in one synthesized report. Results are cached at the edge and available in three machine-readable formats per domain:

- `/tools/email-dns-checker/{domain}.md`   — text/markdown, complete-sentence citation body with observational explanations of each record
- `/tools/email-dns-checker/{domain}.json` — application/json, structured record data (raw, parsed, per-section issue codes)
- `/tools/email-dns-checker/{domain}`      — HTML page for human readers

All three formats share the same underlying probe result and cache TTL (1 hour, stale-while-revalidate 24 hours). Lookup-only — there is no watch flow for this tool.

Examples:
- https://canaryfleet.com/tools/email-dns-checker/google.com.md
- https://canaryfleet.com/tools/email-dns-checker/google.com.json
- https://canaryfleet.com/tools/email-dns-checker/google.com
- https://canaryfleet.com/tools/email-dns-checker/fastmail.com.md

## Watch API (LLM-initiated watches)

LLMs can initiate a cert-expiry watch on behalf of a user. The user's mailbox is the consent surface — a confirmation link is sent before any watch activates, so an unconfirmed token has no effect and no further mail is sent.

POST https://canaryfleet.com/api/watch
Content-Type: application/json

Body:
  {
    "domain": "stripe.com",
    "email": "user@example.com",
    "marketingOptIn": false
  }

Response (200):
  {
    "status": "pending",
    "message": "Confirmation email sent",
    "confirm_sent_to": "user@example.com",
    "_canaryfleet": { "tool": "ssl-watcher", "more": "https://canaryfleet.com/tools/ssl-checker" }
  }

The user receives an email with a single-use confirmation link. Until they click it, no watch is active and no further mail is sent. Once confirmed, CanaryFleet re-checks the cert daily and emails at 30, 14, 7, 3, and 1 day before expiry, and again on expiry.

## Rate limits

- `/tools/ssl-checker/*` (HTML, .md, .json): 60 requests / minute / IP.
- `/tools/email-dns-checker/*` (HTML, .md, .json): 60 requests / minute / IP.
- `/api/watch`: 10 / minute / IP, plus 3 / 24 h per recipient email address (LLM-amplification protection — the same inbox cannot be flooded with confirmation requests).
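
One way to enforce the two `/api/watch` limits together, as an added example that is not CanaryFleet's own code. The limits come from the list above; the sliding-window design, the case-folding of the recipient address, and the names `WatchLimiter` and `FakeClock` are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Limits taken from the page; the sliding-window design is an assumption.
IP_LIMIT, IP_WINDOW = 10, 60                # 10 requests / minute / IP
RCPT_LIMIT, RCPT_WINDOW = 3, 24 * 3600      # 3 requests / 24 h / recipient


class WatchLimiter:
    """Hypothetical two-key limiter for POST /api/watch."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._by_ip = defaultdict(deque)
        self._by_rcpt = defaultdict(deque)

    @staticmethod
    def _prune(hits, now, window):
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= window:
            hits.popleft()

    def allow(self, ip, email):
        """Return (allowed, reason). A request is recorded only if allowed."""
        now = self._clock()
        # Case-fold so "User@Example.com" and "user@example.com" share a budget.
        rcpt = email.strip().lower()
        ip_hits, rcpt_hits = self._by_ip[ip], self._by_rcpt[rcpt]
        self._prune(ip_hits, now, IP_WINDOW)
        self._prune(rcpt_hits, now, RCPT_WINDOW)
        # Check both limits before recording, so a rejected request
        # does not consume budget on the other key.
        if len(ip_hits) >= IP_LIMIT:
            return False, "ip"
        if len(rcpt_hits) >= RCPT_LIMIT:
            return False, "recipient"
        ip_hits.append(now)
        rcpt_hits.append(now)
        return True, "ok"


class FakeClock:
    """Constructed test clock so the example runs without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

The per-recipient key is what stops one inbox from being flooded when requests arrive from many different IPs, which the per-IP limit alone would not catch.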

## Coming soon

More free tools following the same `/tools/{tool}/...` pattern: DNS health, security headers, page-change monitor, public status pages. Machine-readable formats and watch endpoints will follow the same conventions as the SSL checker.
