Production-ready endpoints are designed for 99.99% uptime and documented status handling.
Used by people at amazing companies
Trust signals before you integrate
Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.
OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.
Authenticated endpoints use API keys with clear credit costs before you call them.
Start with 10,000 monthly credits and upgrade only when usage grows.
What this API helps you ship
Use this page as a production brief: endpoints, examples, response shape, and the workflow pieces needed to plug DomScan into your own product.
Embed domain checks, DNS intelligence, risk signals, or enrichment into onboarding, search, and internal tools.
Replace repeated manual lookups with scheduled jobs, alerting, and reproducible investigation steps.
Use predictable fields, documented status codes, and credit costs instead of scraping provider pages.
Feed agents, dashboards, SOAR playbooks, and CRMs through OpenAPI, SDK, Postman, or MCP.
Integration workflow
A simple path from first request to repeatable production usage.
Send your API key with the documented header and keep requests consistent across services.
Start from the curl and HTTP samples, then map the parameters into your application code.
Use status codes, credit costs, and response fields to build retries, logs, and alerts.
Developer kit
Jump from this page into machine-readable docs, request collections, SDKs, or agent tooling.
Generate clients or inspect every request and response shape.
Postman collectionImport ready-made requests for manual testing and team handoff.
SDKs and CLIUse maintained packages and command-line workflows instead of writing boilerplate.
MCP integrationExpose domain intelligence to AI agents and internal assistant workflows.
Parameters and response map
Scan the inputs, output fields, and status codes before wiring the endpoint into your client.
Parameter
Example Response
HTTP Status Codes
Endpoints
/v1/email-auth
Trust signals before you integrate
Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.
OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.
Authenticated endpoints use API keys with clear credit costs before you call them.
Start with 10,000 monthly credits and upgrade only when usage grows.
Start from the curl and HTTP samples, then map the parameters into your application code.
Key Features
Parse and validate Sender Policy Framework records.
Check DMARC policy configuration and reporting.
Validate DomainKeys Identified Mail signatures.
Get an overall A-F grade for email security posture.
Receive specific fixes for misconfigurations.
Check common DKIM selectors automatically.
Understand what each policy means in plain English.
Evaluate vulnerability to email spoofing attacks.
Example Request
curl -H "X-API-Key: $DOMSCAN_API_KEY" "https://domscan.net/v1/email-auth?domain=google.com"
Example Response
{
"domain": "google.com",
"spf": {
"record": "v=spf1 include:_spf.google.com ~all",
"lookup_estimate": 1,
"includes": [
"_spf.google.com"
],
"redirect": null,
"macros_present": false,
"macro_references": [],
"lookup_walk_count": 1,
"lookup_limit_exceeded": false,
"walk": [
{
"domain": "google.com",
"depth": 0,
"record": "v=spf1 include:_spf.google.com ~all",
"mechanisms": [
"include:_spf.google.com",
"~all"
],
"includes": [
"_spf.google.com"
],
"redirect": null,
"direct_lookup_count": 1,
"total_lookup_count": 1,
"macros_present": false,
"macro_references": [],
"multiple_records": 1
}
],
"walk_errors": [],
"lookup_tree": {
"root_domain": "google.com",
"node_count": 1,
"max_depth": 0,
"cycles_detected": [],
"nodes": [
{
"domain": "google.com",
"depth": 0,
"status": "present",
"direct_lookup_count": 1,
"total_lookup_count": 1,
"includes": [
"_spf.google.com"
],
"redirect": null,
"mechanisms": [
"include:_spf.google.com",
"~all"
],
"errors": []
}
],
"edges": [
{
"from": "google.com",
"to": "_spf.google.com",
"type": "include"
}
]
}
},
"dkim": [
{
"selector": "google",
"record": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
"key_type": "rsa",
"key_size": 2048
}
],
"dkim_audit": {
"selectors_checked": [
"google",
"default",
"selector1",
"selector2"
],
"selectors_found": [
{
"selector": "google",
"dns_name": "google._domainkey.google.com",
"record": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
"record_type": "TXT",
"cname_targets": [],
"provider_hint": "Google Workspace",
"key_type": "rsa",
"key_size": 2048,
"valid": true,
"revoked": false,
"weak": false,
"hash_algorithms": [
"sha256"
],
"service_type": "email",
"flags": [
"s"
],
"issues": []
}
],
"total_found": 1,
"providers_detected": [
"Google Workspace"
],
"valid_selector_count": 1,
"weak_selector_count": 0,
"revoked_selector_count": 0
},
"bimi": {
"exists": true,
"record": "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem",
"valid": true,
"logo_url": "https://example.com/logo.svg",
"authority_url": "https://example.com/vmc.pem",
"logo_fetch_ok": true,
"logo_http_status": 200,
"logo_content_type": "image/svg+xml",
"logo_bytes": 2048,
"logo_svg_detected": true,
"vmc_present": true,
"vmc_fetched": true,
"vmc_http_status": 200,
"vmc_content_type": "application/x-pem-file",
"vmc_certificate_valid": true,
"vmc_subject": "/CN=Example Inc VMC",
"vmc_issuer": "/CN=Example Issuer",
"vmc_not_before": "2026-01-01T00:00:00Z",
"vmc_not_after": "2027-01-01T00:00:00Z",
"vmc_days_to_expiry": 258,
"vmc_fingerprint_sha256": "AA:BB:CC:DD",
"vmc_san_domains": [
"google.com"
],
"errors": []
},
"dmarc": {
"record": "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com",
"tags": {
"v": "DMARC1",
"p": "reject",
"rua": "mailto:mailauth-reports@google.com"
}
},
"mta_sts": {
"exists": true,
"record": "v=STSv1; id=2024010101Z",
"valid": true,
"policy_id": "2024010101Z",
"policy_fetch_ok": true,
"policy_http_status": 200,
"mode": "enforce",
"max_age": 86400,
"mx_hosts": [
"*.google.com"
],
"mx_records": [
"aspmx.l.google.com"
],
"policy_matches_mx": true,
"uncovered_mx": [],
"errors": []
},
"tls_rpt": {
"exists": true,
"record": "v=TLSRPTv1; rua=mailto:sts-reports@google.com",
"valid": true,
"rua": [
"mailto:sts-reports@google.com"
],
"errors": []
},
"client_access": {
"provider_hint": {
"id": "google_workspace",
"name": "Google Workspace"
},
"mx_records": [
"aspmx.l.google.com"
],
"services": [
{
"service": "imap",
"host": "imap.gmail.com",
"port": 993,
"source": "provider_default",
"priority": null,
"weight": null,
"tls_mode": "implicit",
"reachable": true,
"tls_negotiated": true,
"starttls_offered": null,
"protocol": "TLSv1.3",
"cipher": "TLS_AES_256_GCM_SHA384",
"certificate": {
"subject": "/CN=imap.gmail.com",
"issuer": "/CN=WR2",
"not_before": "2026-01-01T00:00:00Z",
"not_after": "2026-07-01T00:00:00Z",
"days_to_expiry": 70,
"expired": false,
"san_domains": [
"imap.gmail.com"
],
"public_key_type": "EC",
"public_key_bits": 256,
"fingerprint_sha256": "CC:DD:EE:FF",
"hostname_match": true,
"chain_valid": true,
"chain_error": null
},
"chain_depth": 2,
"error": null
}
],
"reachable_service_count": 1,
"secure_service_count": 1
},
"autodiscover": {
"provider_hint": {
"id": "google_workspace",
"name": "Google Workspace"
},
"mx_records": [
"aspmx.l.google.com"
],
"srv": {
"autodiscover": [],
"submission": [],
"submissions": [],
"imap": [],
"imaps": [],
"pop3": [],
"pop3s": []
},
"thunderbird_autoconfig": {
"subdomain": {
"url": "https://autoconfig.google.com/mail/config-v1.1.xml?emailaddress=postmaster%40google.com",
"status_code": 404,
"content_type": "text/html",
"final_url": "https://autoconfig.google.com/mail/config-v1.1.xml?emailaddress=postmaster%40google.com",
"redirect_count": 0,
"incoming": [],
"outgoing": [],
"error": null
},
"well_known": {
"url": "https://google.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=postmaster%40google.com",
"status_code": 200,
"content_type": "application/xml",
"final_url": "https://google.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=postmaster%40google.com",
"redirect_count": 0,
"incoming": [
{
"type": "imap",
"hostname": "imap.gmail.com",
"port": 993,
"socket_type": "SSL"
}
],
"outgoing": [
{
"type": "smtp",
"hostname": "smtp.gmail.com",
"port": 587,
"socket_type": "STARTTLS"
}
],
"error": null
}
},
"outlook_autodiscover": {
"url": "https://autodiscover.google.com/autodiscover/autodiscover.xml",
"status_code": 401,
"content_type": "text/html",
"final_url": "https://autodiscover.google.com/autodiscover/autodiscover.xml",
"redirect_count": 0,
"auth_required": true,
"error": null
},
"recommended": [
{
"service": "imap",
"host": "imap.gmail.com",
"port": 993,
"tls_mode": "implicit",
"source": "provider_default"
}
]
},
"edge_summary": {
"relay_configured": true,
"evidence_sources": [
"spf_walk",
"mail_policies",
"bimi_audit",
"dkim_audit",
"mail_client_access",
"mail_autodiscover"
],
"spf_lookup_count": 1,
"spf_lookup_limit_exceeded": false,
"dkim_valid_selector_count": 1,
"dkim_weak_selector_count": 0,
"dkim_revoked_selector_count": 0,
"providers_detected": [
"Google Workspace"
],
"mta_sts_enforced": true,
"tls_rpt_configured": true,
"bimi_logo_verified": true,
"vmc_certificate_valid": true,
"client_access_reachable_services": 1,
"client_access_secure_services": 1,
"autodiscover_recommendation_count": 1
},
"provider_selector_recommendations": [
{
"provider": "Google Workspace",
"selectors": [
"google",
"20230601",
"20210112"
],
"source": "detected",
"checked_selectors": [
"google"
],
"found_selectors": [
"google"
],
"missing_selectors": [
"20230601",
"20210112"
]
}
],
"grade": "A",
"notes": []
}
Frequently Asked Questions
Sender Policy Framework (SPF) is a DNS record that specifies which mail servers are authorized to send email for your domain.
Domain-based Message Authentication, Reporting & Conformance (DMARC) tells receiving servers how to handle emails that fail SPF or DKIM checks.
DomainKeys Identified Mail (DKIM) adds a digital signature to outgoing emails, allowing receivers to verify the message was not altered.
SPF, DKIM, and DMARC work together. SPF authorizes servers, DKIM signs messages, and DMARC sets policy. All three provide comprehensive protection.
Related Tools & Resources
HTTP Status Codes
We document the HTTP status codes you should handle so you can distinguish successful responses, auth issues, credits, rate limits, missing data, and upstream failures.
Request successful
Invalid parameters
Not enough credits to run this request.
Rate limit exceeded
Internal error
Upstream RDAP error
Upstream service unavailable or temporarily rate limited.
Upstream lookup timed out.
Check Email Authentication