DEV Community: Łukasz Gogolin The latest articles on DEV Community by Łukasz Gogolin (@lgogolin). https://dev.to/lgogolin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3921331%2F862a3972-8ff8-4601-83f7-f5d3ce9fde5c.png DEV Community: Łukasz Gogolin https://dev.to/lgogolin en One API Call to Audit Any Domain's Email Security Łukasz Gogolin Sat, 09 May 2026 09:45:46 +0000 https://dev.to/lgogolin/one-api-call-to-audit-any-domains-email-security-2b6k https://dev.to/lgogolin/one-api-call-to-audit-any-domains-email-security-2b6k <p>You know the drill. A customer complains their transactional emails land in spam. Or a B2B trial signup uses a throwaway address. Or someone asks "do we have DMARC set up correctly?" and you open ten browser tabs to find out.</p> <p>I built <a href="https://api.market/fivetag-systems/mailsec" rel="noopener noreferrer">MailSec</a> to replace that entire workflow with one API call.</p> <h2> The problem </h2> <p>Email infrastructure is deceptively complex:</p> <ul> <li> <strong>SPF</strong> has a hard 10-lookup limit that silently breaks when you add one too many <code>include:</code> </li> <li> <strong>DMARC</strong> with <code>p=none</code> does literally nothing — but most teams ship it and assume they're protected</li> <li> <strong>DKIM</strong> selectors vary by provider (<code>google</code>, <code>selector1</code>, <code>k1</code>, <code>s1</code>) and you need to guess which one to check</li> <li> <strong>Spamhaus</strong> listings can tank your deliverability for days before anyone notices</li> <li> <strong>DNSSEC</strong> is either there or it isn't, and most tools make you check separately</li> </ul> <p>The information is all in DNS, but it's scattered across different record types, different query tools, and different mental models. You end up juggling <code>dig</code>, MXToolbox, Spamhaus lookup, and a DMARC analyzer — just to answer "is this domain's email OK?"</p> <h2> One request, full picture </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://prod.api.market/api/v1/fivetag-systems/mailsec/v1/audit/cloudflare.com <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"x-api-market-key: YOUR_KEY"</span> </code></pre> </div> <p>Response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"domain"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloudflare.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"spf"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"present"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"valid"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"record"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lookupCount"</span><span class="p">:</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dmarc"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"present"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"valid"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"record"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v=DMARC1; p=reject; pct=100; rua=mailto:...@dmarc-reports.cloudflare.net,mailto:rua@cloudflare.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"reject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subdomainPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"reject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pct"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="p">,</span><span class="w"> </span><span class="nl">"rua"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"mailto:...@dmarc-reports.cloudflare.net"</span><span class="p">,</span><span class="w"> </span><span class="s2">"mailto:rua@cloudflare.com"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dkim"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"present"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"k1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valid"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dnssec"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"valid"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mx"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"present"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"redundant"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"records"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mxa-canary.global.inbound.cf-emailsecurity.net."</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mxb-canary.global.inbound.cf-emailsecurity.net."</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mxa.global.inbound.cf-emailsecurity.net."</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mxb.global.inbound.cf-emailsecurity.net."</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"score"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="p">,</span><span class="w"> </span><span class="nl">"grade"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A"</span><span class="p">,</span><span class="w"> </span><span class="nl">"blacklists"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dblListed"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"zenListed"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"verdict"</span><span class="p">:</span><span class="w"> </span><span class="s2">"READY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mtaSts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"present"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"issues"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"mta-sts: no DNS record found"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"tlsRpt"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"present"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"issues"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"tlsrpt: no record found"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Cloudflare scores 100/A. SPF with 7 lookups (under the limit of 10), DMARC at <code>reject</code> with full reporting, DKIM present, DNSSEC valid, redundant MX, clean blacklists. Verdict: <strong>READY</strong>.</p> <p>Now try a domain that doesn't have its act together and you'll see the score drop, issues appear, and the verdict shift to <code>CAUTION</code> or <code>BLOCKED</code>.</p> <h2> What's behind the score </h2> <p>The audit scores five components out of 100:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Check</th> <th>Max points</th> <th>What it measures</th> </tr> </thead> <tbody> <tr> <td>SPF</td> <td>20</td> <td>Valid record, <code>all</code> mechanism present, lookup count under 10</td> </tr> <tr> <td>DMARC</td> <td>30</td> <td>Present, enforced (<code>quarantine</code>/<code>reject</code>), reporting configured</td> </tr> <tr> <td>DKIM</td> <td>20</td> <td>Key found at a known selector</td> </tr> <tr> <td>DNSSEC</td> <td>20</td> <td>DS record present, chain of trust valid</td> </tr> <tr> <td>MX</td> <td>10</td> <td>MX records exist, redundant hosts</td> </tr> </tbody> </table></div> <p>Grades: A (90+), B (70+), C (50+), D (30+), F (&lt;30).</p> <p>DMARC is weighted heaviest because it's the single biggest factor in whether spoofed mail gets through. A domain with <code>p=none</code> is essentially unprotected — MailSec won't call that "ready."</p> <p>MTA-STS, TLS-RPT, and BIMI are included in the audit response for visibility but are <strong>informational only</strong> — they don't affect the score. Adoption is still too low to penalize domains without them.</p> <h2> Beyond the full audit </h2> <p>You don't always need everything. Each check has its own endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Just SPF</span> GET /v1/spf/<span class="o">{</span>domain<span class="o">}</span> <span class="c"># Just DMARC policy</span> GET /v1/dmarc/<span class="o">{</span>domain<span class="o">}</span> <span class="c"># DKIM — auto-probes common selectors, or pass ?selector=google</span> GET /v1/dkim/<span class="o">{</span>domain<span class="o">}</span> <span class="c"># MTA-STS — DNS record + HTTPS policy file (RFC 8461)</span> GET /v1/mta-sts/<span class="o">{</span>domain<span class="o">}</span> <span class="c"># TLS-RPT — reporting URIs for TLS failures (RFC 8460)</span> GET /v1/tlsrpt/<span class="o">{</span>domain<span class="o">}</span> <span class="c"># Is this a throwaway email domain?</span> GET /v1/email/disposable/<span class="o">{</span>domain<span class="o">}</span> <span class="c"># Full email validation: syntax + DNS + disposable check</span> GET /v1/email/validate?email<span class="o">=</span>user@example.com <span class="c"># Deliverability verdict without DNSSEC (focused on inbox placement)</span> GET /v1/deliverability/<span class="o">{</span>domain<span class="o">}</span> </code></pre> </div> <h2> Real use cases </h2> <h3> 1. Validate B2B signups </h3> <p>Before provisioning a trial, check if the domain is real, has working email, and isn't disposable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl .../v1/email/validate?email<span class="o">=</span>cto@acme-corp.com </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cto@acme-corp.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"syntaxValid"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"domainExists"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"mxPresent"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"disposable"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"deliverable"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Block <code>mailinator.com</code>, <code>guerrillamail.com</code>, and 100k+ other throwaway domains automatically. The disposable check does suffix-walking, so <code>anything.mailinator.com</code> is caught too.</p> <h3> 2. Pre-flight transactional sends </h3> <p>About to send a welcome email, invoice, or password reset? Check the recipient's domain first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl .../v1/deliverability/their-domain.com </code></pre> </div> <p>If <code>verdict</code> is <code>BLOCKED</code>, that domain is in Spamhaus — your email probably won't arrive. If <code>CAUTION</code>, their SPF/DMARC is misconfigured and replies/bounces may behave unexpectedly. Only send with confidence when <code>verdict</code> is <code>READY</code>.</p> <h3> 3. Customer onboarding — "Check my domain" button </h3> <p>Building a SaaS that sends email on behalf of customers? Give them a one-click domain health check in your onboarding flow. Hit <code>/v1/audit/{domain}</code> and render the results:</p> <blockquote> <p>"Your DMARC policy is set to <code>none</code> — this means spoofed emails from your domain won't be blocked. Change it to <code>quarantine</code> or <code>reject</code> to protect your brand."</p> </blockquote> <h3> 4. Monitor your own domains </h3> <p>Run a daily cron against <code>/v1/audit/bulk</code> with your company's domains. Alert when:</p> <ul> <li>Score drops below a threshold</li> <li>DMARC policy changes from <code>reject</code> to <code>none</code> </li> <li>A new Spamhaus listing appears</li> <li>SPF lookup count crosses 8 (getting close to the limit of 10)</li> </ul> <h3> 5. Audit third-party vendors </h3> <p>Before integrating with a partner who'll send email on your behalf, check their domain. A vendor with <code>p=none</code> DMARC and no DKIM is a phishing risk to your customers.</p> <h2> Performance </h2> <ul> <li>Live DNS lookups on every request (no stale scrapes)</li> <li>In-process cache respects each record's TTL — repeat queries are &lt;50ms</li> <li>Full audit fans out all checks in parallel — cold lookups typically 200-800ms</li> <li>Bulk endpoint audits up to 10 domains in a single request</li> </ul> <h2> Get started </h2> <p>MailSec is available on <a href="https://api.market/fivetag-systems/mailsec" rel="noopener noreferrer">api.market</a>. Sign up, grab your API key, and start auditing domains in minutes.</p> <p>Try it now — pick any domain you're curious about and see what comes back. You might be surprised by your own.</p> webdev security api devops