Blog / DNS & Email Security

DNS Intelligence API: SPF, DKIM & DMARC Checks (2026)

April 11, 2026 · 10 min read

Email deliverability is a DNS problem. If your SPF record is misconfigured, your emails land in spam. If your DMARC policy is set to none, anyone can spoof your domain. If you have no DKIM record, receiving servers have no way to verify that your messages were not tampered with in transit.

The DetectZeStack GET /dns endpoint goes beyond basic DNS resolution. It resolves all record types (A, AAAA, CNAME, MX, NS, TXT, PTR), then parses and grades SPF, DMARC, and DKIM configurations, identifies email and DNS providers, and computes an overall email security grade. All from a single API call.

What the /dns Endpoint Returns

The endpoint accepts a domain query parameter and returns structured JSON with every DNS record type plus email authentication analysis:

Field Description
a / aaaa IPv4 and IPv6 address records
cname Canonical name alias (if any)
mx Mail exchange records with host and priority
ns Authoritative nameservers
txt All TXT records (SPF, verification tokens, etc.)
ptr Reverse DNS for the first A record
email_provider Identified email provider (Google Workspace, Microsoft 365, etc.)
dns_provider Identified DNS provider (Cloudflare, Route 53, etc.)
spf Parsed SPF record with mechanism, includes, grade, and issues
dmarc Parsed DMARC record with policy, subdomain policy, reporting URIs, grade, and issues
dkim DKIM probe result with selector tested, existence, grade, and issues
email_security_grade Overall email security grade (A–F)
email_security_summary Human-readable summary of the email security posture
query_ms Total DNS resolution time in milliseconds

Quick Start: Check Email Security

Get a free API key from RapidAPI (no credit card required), then run:

curl -s "https://detectzestack.p.rapidapi.com/dns?domain=stripe.com" \
  -H "x-rapidapi-key: YOUR_API_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" | python3 -m json.tool

Example response (email security fields highlighted):

{
  "domain": "stripe.com",
  "a": ["185.166.143.26", "185.166.143.18"],
  "aaaa": [],
  "cname": "",
  "mx": [
    {"host": "aspmx.l.google.com.", "priority": 1},
    {"host": "alt1.aspmx.l.google.com.", "priority": 5}
  ],
  "ns": ["ns-cloud-a1.googledomains.com.", "ns-cloud-a2.googledomains.com."],
  "txt": ["v=spf1 include:_spf.google.com include:servers.mcsv.net ~all", "..."],
  "ptr": ["185-166-143-26.example.ptr."],
  "email_provider": "Google Workspace",
  "dns_provider": "Google Cloud DNS",
  "spf": {
    "record": "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all",
    "exists": true,
    "mechanism": "~all",
    "includes": ["_spf.google.com", "servers.mcsv.net"],
    "grade": "B",
    "issues": ["Uses ~all (softfail) instead of -all (hardfail)"]
  },
  "dmarc": {
    "record": "v=DMARC1; p=reject; rua=mailto:[email protected]",
    "exists": true,
    "policy": "reject",
    "subdomain_policy": "",
    "rua": "mailto:[email protected]",
    "ruf": "",
    "grade": "A",
    "issues": []
  },
  "dkim": {
    "selector_tested": "google",
    "exists": true,
    "grade": "A",
    "issues": []
  },
  "email_security_grade": "A",
  "email_security_summary": "Strong email security posture. SPF, DMARC, and DKIM are all configured.",
  "query_ms": 142
}

One API call, complete picture: DNS records, email provider identification, and full SPF/DMARC/DKIM analysis — all from a single GET /dns request.

How the Email Security Grading Works

Each email authentication protocol is graded individually, then combined into an overall email_security_grade:

SPF Grading

DMARC Grading

DKIM Grading

The overall email_security_grade is a composite: an A requires all three protocols to be well-configured. A single F on any protocol pulls the overall grade down.

Use Case: MSP Client Email Audits

Managed Service Providers handle email configuration for dozens or hundreds of client domains. Manually checking SPF, DMARC, and DKIM for each domain is tedious. Here is a Python script that audits an entire client portfolio:

import requests
import json

API_KEY = "your-rapidapi-key"
headers = {
    "x-rapidapi-key": API_KEY,
    "x-rapidapi-host": "detectzestack.p.rapidapi.com"
}

# MSP client domains
CLIENTS = [
    "client-alpha.com", "client-beta.io", "client-gamma.org",
    "client-delta.co", "client-epsilon.net"
]

print(f"{'Domain':<25} {'Email':>5} {'SPF':>4} {'DMARC':>6} {'DKIM':>5} {'Grade':>6} {'Provider':<20}")
print("-" * 85)

for domain in CLIENTS:
    r = requests.get(
        f"https://detectzestack.p.rapidapi.com/dns?domain={domain}",
        headers=headers
    )
    data = r.json()

    spf_grade = data.get("spf", {}).get("grade", "N/A") if data.get("spf") else "N/A"
    dmarc_grade = data.get("dmarc", {}).get("grade", "N/A") if data.get("dmarc") else "N/A"
    dkim_grade = data.get("dkim", {}).get("grade", "N/A") if data.get("dkim") else "N/A"
    overall = data.get("email_security_grade", "N/A")
    provider = data.get("email_provider", "Unknown")

    print(f"{domain:<25} {provider:>5} {spf_grade:>4} {dmarc_grade:>6} {dkim_grade:>5} {overall:>6} {provider:<20}")

For 50 client domains checked monthly, that is 50 requests — well within the free tier. If you run weekly audits, that is 200 requests per month — still covered by the free tier.

Use Case: Email Deliverability Monitoring

Email deliverability specialists need to monitor SPF, DMARC, and DKIM configurations continuously. A DNS record change by IT, a new sending service that was not added to SPF includes, or a DKIM key rotation that broke the selector can all cause deliverability problems.

#!/bin/bash
# email-security-monitor.sh — weekly cron job
# 0 9 * * 1 /opt/scripts/email-security-monitor.sh

DOMAINS=("yourdomain.com" "marketing.yourdomain.com" "transactional.yourdomain.com")
API_KEY="your-rapidapi-key"
SLACK_WEBHOOK="https://hooks.slack.com/services/T.../B.../xxx"

for domain in "${DOMAINS[@]}"; do
  RESULT=$(curl -s "https://detectzestack.p.rapidapi.com/dns?domain=$domain" \
    -H "x-rapidapi-key: $API_KEY" \
    -H "x-rapidapi-host: detectzestack.p.rapidapi.com")

  GRADE=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('email_security_grade', 'F'))")
  SUMMARY=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('email_security_summary', 'Unable to check'))")

  if [[ "$GRADE" == "D" || "$GRADE" == "F" ]]; then
    curl -s -X POST "$SLACK_WEBHOOK" \
      -H "Content-Type: application/json" \
      -d "{\"text\":\"Email security alert for $domain: Grade $GRADE - $SUMMARY\"}"
  fi
done

Use Case: Vendor Email Security Assessment

Before partnering with a vendor or onboarding a supplier, check whether they have proper email authentication. A vendor without DMARC is a phishing vector — attackers can spoof their domain to target your employees.

curl -s "https://detectzestack.p.rapidapi.com/dns?domain=vendor.com" \
  -H "x-rapidapi-key: YOUR_API_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" \
  | python3 -c "
import sys, json
data = json.load(sys.stdin)
grade = data.get('email_security_grade', 'Unknown')
summary = data.get('email_security_summary', '')
spf = data.get('spf', {})
dmarc = data.get('dmarc', {})

print(f'Email Security Grade: {grade}')
print(f'Summary: {summary}')
print(f'SPF: {spf.get(\"grade\", \"N/A\")} - {spf.get(\"mechanism\", \"none\")}')
print(f'DMARC: {dmarc.get(\"grade\", \"N/A\")} - policy={dmarc.get(\"policy\", \"none\")}')

if dmarc.get('policy') == 'none' or not dmarc.get('exists'):
    print('WARNING: Vendor domain can be spoofed (no DMARC enforcement)')
"

Pricing

Plan Requests/Month Price Use Case
Free 100 $0/mo Test with your domains, monthly audits
Pro 1,000 $9/mo MSP with 20-30 client domains, weekly checks
Ultra 10,000 $29/mo Large MSP or agency, daily monitoring
Mega 50,000 $79/mo Enterprise, vendor assessments at scale

All endpoints (/dns, /certificate/check, /security, /analyze, etc.) share the same monthly quota. One API key covers your entire security monitoring workflow.

Free tier: 100 requests/month. Enough for monthly audits of up to 100 domains. Get your API key on RapidAPI — no credit card required.

DNS Intelligence Beyond Email

The /dns endpoint is not only for email authentication. The full DNS record set reveals infrastructure decisions that are invisible to browser-based detection tools:

For a deeper dive into how DNS records expose technology choices, see DNS-Based Technology Detection.

Comparison: DNS Intelligence API vs Manual dig/nslookup

Capability dig / nslookup DetectZeStack /dns
DNS record resolution Yes (one record type at a time) Yes (all types in one call)
SPF parsing and grading Manual (read TXT, interpret yourself) Automatic (grade + issues)
DMARC analysis Manual (dig _dmarc.domain TXT) Automatic (policy, reporting, grade)
DKIM probing Manual (guess selectors, dig each one) Automatic (8 common selectors probed)
Email provider identification Manual (interpret MX records) Automatic
DNS provider identification Manual (interpret NS records) Automatic
Overall email security grade Not available A–F composite grade
Structured output Text (requires parsing) JSON
Batch automation Requires scripting HTTP requests in any language

dig and nslookup are essential debugging tools. But when you need to audit 50 domains for email authentication compliance, structured JSON with automated grading saves hours of manual interpretation.

Related Reading

Audit Email Security with One API Call

SPF, DMARC, and DKIM grading for any domain. 100 requests per month free. No credit card required.

Get Your Free API Key

Get API updates and tech detection tips

Join the mailing list. No spam, unsubscribe anytime.