DNS 1 Endpoints 8 Key Features

DNS Security Analyzer

Is your domain properly secured? Our DNS Security API analyzes SPF, DKIM, DMARC, DNSSEC, and CAA records to give you a comprehensive security score with actionable recommendations.

Category DNS
Endpoints 1
Key Features 8
Frequently Asked Questions 4

Used by people at amazing companies

VercelLLM PulseOLXCasa ModernaPipeCal.comBeehiivSnykTogglRemoteSprigDeel

Trust signals before you integrate

Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.

99.99% Uptime

Production-ready endpoints are designed for 99.99% uptime and documented status handling.

OpenAPI API artifacts

OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.

API keys Protected access

Authenticated endpoints use API keys with clear credit costs before you call them.

10,000 Free allowance

Start with 10,000 monthly credits and upgrade only when usage grows.

What this API helps you ship

Use this page as a production brief: endpoints, examples, response shape, and the workflow pieces needed to plug DomScan into your own product.

Product workflows

Embed domain checks, DNS intelligence, risk signals, or enrichment into onboarding, search, and internal tools.

Analyst automation

Replace repeated manual lookups with scheduled jobs, alerting, and reproducible investigation steps.

Clean JSON data

Use predictable fields, documented status codes, and credit costs instead of scraping provider pages.

AI and ops tooling

Feed agents, dashboards, SOAR playbooks, and CRMs through OpenAPI, SDK, Postman, or MCP.

Integration workflow

A simple path from first request to repeatable production usage.

1
Authenticate once

Send your API key with the documented header and keep requests consistent across services.

2
Query with examples

Start from the curl and HTTP samples, then map the parameters into your application code.

3
Operate and monitor

Use status codes, credit costs, and response fields to build retries, logs, and alerts.

Developer kit

Jump from this page into machine-readable docs, request collections, SDKs, or agent tooling.

Parameters and response map

Scan the inputs, output fields, and status codes before wiring the endpoint into your client.

Request parameters

Parameter

domain
Response fields

Example Response

domainsecurity_scoresecurity_gradespfspf.existsspf.recordspf.validspf.policyspf.includesspf.dns_lookup_countspf.dns_lookup_limit_exceededspf.include_tree
Status coverage

HTTP Status Codes

200400402429500502503504

Endpoints

GET /v1/dns/security
Credits: 2Authentication: optional
domain

Trust signals before you integrate

Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.

Uptime API artifacts

OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.

API keys Protected access

Authenticated endpoints use API keys with clear credit costs before you call them.

Free allowance Sign Up for Free

Start with 10,000 monthly credits and upgrade only when usage grows.

Active Example Request

Start from the curl and HTTP samples, then map the parameters into your application code.

Key Features

SPF Analysis

Validate SPF records and check for common misconfigurations.

DKIM Detection

Check for DKIM records across common selectors.

DMARC Validation

Analyze DMARC policy, percentage, and reporting addresses.

DNSSEC Check

Verify DNSSEC is enabled and properly configured.

CAA Records

Check Certificate Authority Authorization configuration.

Security Score

Get a 0-100 score with letter grade (A+ to F).

Actionable Recommendations

Clear guidance on how to improve your security posture.

MTA-STS Detection

Check for Mail Transfer Agent Strict Transport Security.

Example Request

GET /v1/dns/security bash
Open
curl -H "X-API-Key: $DOMSCAN_API_KEY" "https://domscan.net/v1/dns/security?domain=google.com"

Example Response

200 OK json
{
  "domain": "google.com",
  "security_score": 97,
  "security_grade": "A+",
  "spf": {
    "exists": true,
    "record": "v=spf1 include:_spf.google.com ~all",
    "valid": true,
    "policy": "softfail",
    "includes": [
      "_spf.google.com"
    ],
    "dns_lookup_count": 1,
    "dns_lookup_limit_exceeded": false,
    "include_tree": [
      {
        "domain": "_spf.google.com",
        "lookups": 1
      }
    ],
    "lookup_walk_count": 1,
    "macros_present": false,
    "macro_references": [],
    "walk": [
      {
        "domain": "google.com",
        "depth": 0,
        "record": "v=spf1 include:_spf.google.com ~all",
        "mechanisms": [
          "include:_spf.google.com",
          "~all"
        ],
        "includes": [
          "_spf.google.com"
        ],
        "redirect": null,
        "direct_lookup_count": 1,
        "total_lookup_count": 1,
        "macros_present": false,
        "macro_references": [],
        "multiple_records": 1
      }
    ],
    "walk_errors": [],
    "issues": []
  },
  "dkim": {
    "exists": true,
    "selectors_checked": [
      "google",
      "selector1",
      "selector2"
    ],
    "selectors_found": [
      "google"
    ],
    "valid": true
  },
  "dmarc": {
    "exists": true,
    "record": "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com",
    "valid": true,
    "policy": "reject",
    "subdomain_policy": "reject",
    "percentage": 100,
    "rua": [
      "mailto:mailauth-reports@google.com"
    ],
    "ruf": [],
    "issues": []
  },
  "bimi": {
    "exists": true,
    "record": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
    "logo_url": "https://example.com/logo.svg",
    "authority_url": "https://example.com/vmc.pem",
    "valid": true,
    "logo_fetch_ok": true,
    "logo_http_status": 200,
    "logo_content_type": "image/svg+xml",
    "logo_bytes": 2048,
    "logo_svg_detected": true,
    "vmc_present": true,
    "vmc_fetched": true,
    "vmc_http_status": 200,
    "vmc_content_type": "application/x-pem-file",
    "vmc_certificate_valid": true,
    "vmc_subject": "/CN=Example Inc VMC",
    "vmc_issuer": "/CN=Example Issuer",
    "vmc_not_before": "2026-01-01T00:00:00Z",
    "vmc_not_after": "2027-01-01T00:00:00Z",
    "vmc_days_to_expiry": 258,
    "vmc_fingerprint_sha256": "AA:BB:CC:DD",
    "vmc_san_domains": [
      "google.com"
    ],
    "errors": []
  },
  "dnssec": {
    "enabled": true,
    "valid": true,
    "algorithm": "ECDSAP256SHA256",
    "key_tag": 12345,
    "validation_status": "secure",
    "validated_by_proxy": true,
    "validation_reason": "chain validated via delv",
    "ds_records": [
      "12345 13 2 1a2b3c4d5e6f"
    ],
    "dnskey_records": [
      "256 3 13 AbCdEfGhIjKlMnOp"
    ],
    "rrsig_present": true,
    "resolver": "127.0.0.1",
    "mismatch_detail": {
      "checked": true,
      "mismatch_detected": false,
      "reason": "chain validated via delv",
      "ds_record_count": 1,
      "dnskey_record_count": 1,
      "rrsig_present": true,
      "validation_status": "secure",
      "resolver": "127.0.0.1"
    }
  },
  "caa": {
    "exists": true,
    "records": [
      {
        "flags": 0,
        "tag": "issue",
        "value": "pki.goog"
      }
    ],
    "issuers": [
      "pki.goog"
    ],
    "issue_wild": [],
    "iodef": "mailto:security@google.com"
  },
  "issuance_readiness": {
    "caa": {
      "exists": true,
      "records": [
        {
          "flags": 0,
          "tag": "issue",
          "value": "pki.goog"
        },
        {
          "flags": 0,
          "tag": "iodef",
          "value": "mailto:security@google.com"
        }
      ],
      "issue_issuers": [
        "pki.goog"
      ],
      "issuewild_issuers": [],
      "iodef": "mailto:security@google.com",
      "letsencrypt_allowed": false,
      "google_trust_services_allowed": true
    },
    "http01": {
      "challenge_path": "/.well-known/acme-challenge/domscan-probe-1713474000",
      "reachable": true,
      "ready": true,
      "status_code": 404,
      "final_url": "http://google.com/.well-known/acme-challenge/domscan-probe-1713474000",
      "redirects": 0,
      "error": null
    },
    "checked_at": "2026-04-18T21:00:00Z"
  },
  "authoritative_consistency": {
    "record_type": "SOA",
    "all_authoritative": true,
    "answer_sets_match": true,
    "inconsistent_nameservers": [],
    "consistent_serial": true,
    "serials": [
      {
        "host": "ns1.google.com",
        "udp_soa_serial": "2026041801",
        "tcp_soa_serial": "2026041801"
      }
    ],
    "reference_answers": [
      "google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 2026041801 900 900 1800 60"
    ]
  },
  "delegation_health": {
    "nameservers": [
      {
        "host": "ns1.google.com",
        "addresses": [
          "216.239.32.10"
        ],
        "in_bailiwick": false,
        "glue_required": false,
        "udp": {
          "authoritative": true,
          "status": "NOERROR",
          "query_ms": 14,
          "answer_count": 1,
          "answers": [
            "google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 2026041801 900 900 1800 60"
          ],
          "soa_serial": "2026041801",
          "truncated": false,
          "error": null
        },
        "tcp": {
          "authoritative": true,
          "status": "NOERROR",
          "query_ms": 18,
          "answer_count": 1,
          "answers": [
            "google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 2026041801 900 900 1800 60"
          ],
          "soa_serial": "2026041801",
          "truncated": false,
          "error": null
        },
        "lame": false,
        "issues": []
      }
    ],
    "in_bailiwick_nameservers": [],
    "glue_required_count": 0,
    "all_in_bailiwick_resolve": true,
    "missing_addresses": [],
    "lame_nameservers": []
  },
  "dns_transport": {
    "udp_working": true,
    "tcp_working": true,
    "tcp_supported_nameservers": [
      "ns1.google.com"
    ],
    "tcp_failed_nameservers": [],
    "truncation_tested": true,
    "truncation_nameserver": "ns1.google.com",
    "truncation_record_type": "DNSKEY",
    "truncation_observed": false,
    "tcp_fallback_ready": null
  },
  "nameserver_drift": {
    "checked": true,
    "drift_detected": false,
    "public_nameservers": [
      "ns1.google.com"
    ],
    "authoritative_nameservers": [
      "ns1.google.com"
    ],
    "missing_from_authority": [],
    "extra_at_authority": [],
    "inconsistent_nameservers": [],
    "serial_mismatch_detected": false
  },
  "mta_sts": {
    "exists": true,
    "record": "v=STSv1; id=2024010101Z",
    "valid": true,
    "policy_id": "2024010101Z",
    "policy_fetch_ok": true,
    "policy_http_status": 200,
    "mode": "enforce",
    "max_age": 86400,
    "mx_hosts": [
      "*.google.com"
    ],
    "mx_records": [
      "aspmx.l.google.com",
      "alt1.aspmx.l.google.com"
    ],
    "policy_matches_mx": true,
    "uncovered_mx": [],
    "errors": []
  },
  "tls_rpt": {
    "exists": true,
    "record": "v=TLSRPTv1; rua=mailto:sts-reports@google.com",
    "valid": true,
    "rua": [
      "mailto:sts-reports@google.com"
    ],
    "errors": []
  },
  "resolver_latency": {
    "record_type": "MX",
    "resolvers": [
      {
        "resolver": "1.1.1.1",
        "label": "Cloudflare",
        "query_ms": 22,
        "status": "NOERROR",
        "answer_count": 5,
        "answers": [
          "aspmx.l.google.com"
        ],
        "server": "1.1.1.1#53",
        "error": null
      },
      {
        "resolver": "8.8.8.8",
        "label": "Google Public DNS",
        "query_ms": 3,
        "status": "NOERROR",
        "answer_count": 5,
        "answers": [
          "aspmx.l.google.com"
        ],
        "server": "8.8.8.8#53",
        "error": null
      }
    ],
    "min_ms": 3,
    "max_ms": 22,
    "avg_ms": 12.5
  },
  "zone_transfer": {
    "exposed": false,
    "nameservers": [
      {
        "host": "ns1.google.com",
        "exposed": false,
        "query_ms": 18,
        "records_returned": 0,
        "soa_seen": false,
        "reason": "transfer failed",
        "sample_records": []
      }
    ]
  },
  "blacklist": {
    "domain": "google.com",
    "listed": false,
    "threat_level": "none",
    "check_type": "domain",
    "checked_at": "2026-04-18T21:00:00Z"
  },
  "edge_summary": {
    "relay_configured": true,
    "evidence_sources": [
      "dnssec_validate",
      "axfr_check",
      "dns_authority_health",
      "dns_latency",
      "issuance_readiness",
      "mail_policies",
      "bimi_audit",
      "spf_walk"
    ],
    "secure_dns_chain": true,
    "zone_transfer_exposed": false,
    "authoritative_consistency_ok": true,
    "nameserver_drift_detected": false,
    "lame_nameserver_count": 0,
    "tcp_fallback_ready": null,
    "avg_resolver_latency_ms": 12.5,
    "fastest_resolver": "Google Public DNS",
    "slowest_resolver": "Cloudflare",
    "issuance_http01_ready": true,
    "caa_restricts_issuers": true,
    "bimi_vmc_valid": true,
    "mta_sts_enforced": true,
    "tls_rpt_configured": true,
    "spf_lookup_limit_exceeded": false
  },
  "recommendations": [],
  "checked_at": "2026-04-18T21:00:00Z",
  "check_duration_ms": 312
}

Frequently Asked Questions

What is SPF, DKIM, and DMARC?

SPF specifies which servers can send email for your domain. DKIM adds a digital signature to emails. DMARC tells receiving servers what to do with emails that fail SPF/DKIM checks. Together they prevent email spoofing.

Why is DNS security important?

Proper DNS security prevents email spoofing (phishing attacks pretending to be you), improves email deliverability, and protects your brand reputation.

What is a good security score?

A score of 85+ (grade A or A+) indicates excellent security. 70-84 (B) is good. Below 70 indicates significant room for improvement.

How do I improve my DNS security score?

Common improvements include: adding SPF records with -all, setting up DKIM signing, implementing DMARC with quarantine/reject policy, enabling DNSSEC, and adding CAA records.

Related Tools & Resources

HTTP Status Codes

We document the HTTP status codes you should handle so you can distinguish successful responses, auth issues, credits, rate limits, missing data, and upstream failures.

OK 200

Request successful

Bad Request 400

Invalid parameters

Payment Required 402

Not enough credits to run this request.

Too Many Requests 429

Rate limit exceeded

Server Error 500

Internal error

Bad Gateway 502

Upstream RDAP error

Service Unavailable 503

Upstream service unavailable or temporarily rate limited.

Gateway Timeout 504

Upstream lookup timed out.

Analyze DNS Security for Free