Email Security API (SPF, DMARC, DKIM) — Free Tier, JSON

Try it

See it work with any domain.

Type any domain to see the live Email security (SPF/DMARC/DKIM) response from the API. Free, no signup — rate-limited to 5 lookups/day per browser.

GET /domain/{d}/email-security

Try: mailchimp.comsendgrid.comgoogle.comgithub.com 0 / 5 today

// Click "Run lookup" to see the live API response for this endpoint

Why this Email Security API

DKIM auto-discovery is the killer feature.

Every other "DKIM API" requires you to know the selector in advance. There's no DNS mechanism to discover selectors — you have to guess. We probe 29 of the most common selectors automatically so you get DKIM data without needing to know what to query.

DKIM auto-discovery across 29 selectors

Google Workspace (google, default), Microsoft 365 (selector1, selector2), Mailchimp (k1, k2, k3), SendGrid (s1, s2, em-sgs), Postmark (pm), Mandrill, Mailgun, generic catchalls, and 15+ more. No selector input required.

SPF + DMARC presence + records

Returns whether each record is present and the raw record content. Useful for catching missing records (deliverability risk) and inspecting policies (DMARC p=, SPF includes, etc.).

Single API call

All three checks (SPF, DMARC, DKIM probing) in one HTTP request. Without this API you'd need 31+ separate DNS queries: 1 SPF + 1 DMARC + 29 DKIM probes.

1-hour cache

Cached responses return in <100ms. SPF/DMARC/DKIM TTLs are typically much longer than 1 hour, so cached data is fresh for almost all use cases.

JSON output

Each section returned as a structured object with present (boolean) and records (array of strings). DKIM also returns found (list of matching selectors) so you know which providers a domain uses.

Bundled with full domain intel

Get just email security via /domain/{d}/email-security, or grab email + DNS + WHOIS + SSL + subdomains in a single /lookup/{d} call. Same API key, same pricing.

Response shape

SPF, DMARC, DKIM — all three sections, structured.

Below: a real response for cloudflare.com. The dkim.found array tells you which providers the domain uses, while dkim.records contains the actual public keys.

GET/domain/cloudflare.com/email-security

{
  "domain": "cloudflare.com",
  "spf": {
    "present": true,
    "records": [
      "v=spf1 ip4:199.15.212.0/22 include:_spf.google.com ~all"
    ]
  },
  "dmarc": {
    "present": true,
    "records": [
      "v=DMARC1; p=reject; rua=mailto:dmarc-rua@cloudflare.com"
    ]
  },
  "dkim": {
    "found": ["google", "selector1"],   // 2 of 29 selectors matched
    "records": [
      {
        "selector": "google",
        "records": ["v=DKIM1; k=rsa; p=MIGfMA0G..."]
      },
      {
        "selector": "selector1",
        "records": ["v=DKIM1; k=rsa; p=MIIBIjANBgk..."]
      }
    ],
    "note": "DKIM auto-probed across 29 common selectors. Custom selectors not in this list won't be found."
  }
}

Code examples

One call. All three checks.

Authenticate with your RapidAPI key, then call GET /domain/{domain}/email-security. The Python example below shows the canonical "audit our sending domain" pattern.

curl "https://domain-intelligence-api.p.rapidapi.com/domain/cloudflare.com/email-security" \
  -H "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com" \
  -H "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY"

import requests

domain = "cloudflare.com"
url = f"https://domain-intelligence-api.p.rapidapi.com/domain/{domain}/email-security"
headers = {
    "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
}
r = requests.get(url, headers=headers, timeout=15)
data = r.json()

if not data["spf"]["present"]:
    print(f"WARN: {domain} missing SPF")
if not data["dmarc"]["present"]:
    print(f"WARN: {domain} missing DMARC")
if not data["dkim"]["found"]:
    print(f"WARN: {domain} no DKIM found across 29 selectors")
else:
    print(f"OK: {domain} uses DKIM selectors {data['dkim']['found']}")

// Node 18+ has built-in fetch — no import needed
const domain = "cloudflare.com";
const res = await fetch(
  `https://domain-intelligence-api.p.rapidapi.com/domain/${domain}/email-security`,
  { headers: {
      "X-RapidAPI-Host": "domain-intelligence-api.p.rapidapi.com",
      "X-RapidAPI-Key": "YOUR_RAPIDAPI_KEY",
  }}
);
const data = await res.json();
console.log("SPF:", data.spf.present, "DMARC:", data.dmarc.present);
console.log("DKIM selectors found:", data.dkim.found);

<?php
$domain = "cloudflare.com";
$ch = curl_init("https://domain-intelligence-api.p.rapidapi.com/domain/$domain/email-security");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "X-RapidAPI-Host: domain-intelligence-api.p.rapidapi.com",
    "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY",
]);
$data = json_decode(curl_exec($ch), true);
curl_close($ch);
echo "SPF: " . ($data["spf"]["present"] ? "yes" : "no");

Use cases

Common things people build with this Email Security API.

Email deliverability tooling, SaaS onboarding flows, anti-phishing, and security audits are the main applications.

Outbound deliverability audit

Run weekly against your sending domains. Catch missing SPF includes, weak DMARC policies (p=none), or broken DKIM signing before deliverability drops and your campaigns go to spam.

SaaS onboarding email checks

When a customer adds a custom email-sending domain to your platform, verify SPF/DMARC/DKIM are set up correctly before allowing them to send. Cut down support tickets from broken email setups.

Anti-phishing & brand protection

Check sender domains in suspicious emails against expected configurations. Domains with weak/missing email auth are common phishing vectors; strict checks help quarantine before delivery.

DMARC enforcement tracking

Track your DMARC policy migration from p=none → p=quarantine → p=reject across your sending domains. Catch policy regressions automatically.

Email-provider fingerprinting

The DKIM selectors found reveal which providers a domain uses (google → Google Workspace, selector1 → M365, k1 → Mailchimp, etc.). Useful for sales lead enrichment and competitive analysis.

Compliance audits (SOC 2, ISO 27001)

Many compliance frameworks require evidence that email authentication is configured for all sending domains. Run the API daily across your domain inventory and pipe the results into your evidence collection system.

Pricing

Pay only for what you use.

Billed monthly via RapidAPI. Same pricing across all endpoints (email security, DNS, WHOIS, SSL, subdomains, and bundled /lookup). Cancel anytime.

BASIC

$0/mo

For evaluation, side projects, and small-domain audits.

1,000 requests / month
All endpoints included
No credit card required

Start free

Frequently asked questions.

Quick answers to common developer questions about the email security API.

Is your Email Security API free?+

Yes. Free tier includes 1,000 requests per month with no credit card required. Paid tiers start at $9.99/mo for 50,000 requests.

What does "DKIM auto-probed across 29 selectors" mean?+

DKIM keys are published under selector-specific DNS names like google._domainkey.example.com or selector1._domainkey.example.com. There's no DNS mechanism to discover which selectors a domain uses programmatically. Our API probes 29 of the most common selectors (Google Workspace, Microsoft 365, Mailchimp, SendGrid, Postmark, Mandrill, Mailgun, generic selector1/selector2, etc.) so you don't have to know the selector in advance.

What if my domain uses a custom DKIM selector?+

If the selector is not in our 29-selector list, it won't be found via auto-probing. The response's note field documents this limitation. Common custom selectors (like Amazon SES hash-based selectors) require knowing the selector in advance — in that case you'd query DNS for it directly.

Does this validate SPF/DMARC syntax?+

It returns the raw records and whether they're present. For full syntax validation, mechanism parsing, and policy interpretation, you'd implement that client-side or use a dedicated SPF/DMARC parser library. The API surfaces the raw data so you don't have to query DNS yourself.

How fresh is the data?+

Each request resolves DNS in real-time. We cache successful responses for 1 hour to reduce upstream load, but SPF/DMARC/DKIM records typically have much longer TTLs in DNS itself, so 1-hour cache is generally fresh.

What's the rate limit?+

Free tier: 1,000 requests per month. Pro: 50,000/mo. Ultra: 500,000/mo. Mega: 5M/mo. Per-second rate limits are generous on all tiers.

Does this check BIMI, MTA-STS, or DNSBL?+

Not currently. Current scope is SPF, DMARC, and DKIM. BIMI (brand indicators) and MTA-STS (MTA strict transport security) are on the roadmap. DNSBL (blocklist) checking is intentionally out of scope — it's better handled by dedicated abuse-tracking services.

Can I use this to audit email deliverability for outbound mail?+

Yes — this is one of the most common use cases. Run the endpoint against your own sending domains to verify SPF includes are correct, DMARC policy is enforced (p=reject or p=quarantine), and DKIM signing is configured. Run periodically to catch DNS drift before deliverability degrades.

Email Security API — SPF, DMARC, and DKIM in one call.