Email Auth Grader

Audit a domain's email authentication: SPF, DKIM, DMARC, MTA-STS, and BIMI. Returns a letter grade, score, and actionable recommendations.

POST /api/email-auth
Security
<200ms avg latency
API Key auth
5 protocols checked

What is the Domain Email Auth Grader?

The Domain Email Auth Grader performs a comprehensive security audit of your domain's email authentication infrastructure. It analyzes DNS TXT records to validate SPF, DKIM, DMARC, BIMI, and MTA-STS configurations against RFC specifications.

Each check is assigned a score, and an overall letter grade (A-F) is calculated based on the security posture of your email authentication setup. The API also provides actionable remediation recommendations to help you improve your domain's email deliverability and security.

Key Features

  • SPF Validation — Verifies Sender Policy Framework record syntax and policy strength
  • DKIM Detection — Checks for DKIM selector presence and configuration
  • DMARC Analysis — Validates DMARC policy and reporting configuration
  • BIMI Support — Optional check for Brand Indicators for Message Identification
  • MTA-STS Verification — Optional check for Mail Transfer Agent Strict Transport Security

Code Examples

curl -X POST https://api.atomicapis.dev/api/email-auth \
  -H "X-RapidAPI-Proxy-Secret: YOUR_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "example.com",
    "dkimSelectors": ["google", "default"]
  }'

Request Parameters

Name | Type | Required | Description
domain | string | Required | The domain to audit (e.g., "example.com")
dkimSelectors | string[] | Optional | DKIM selectors to check (e.g., ["google", "default"])

Response Format

Example Response (200 OK)
{
  "domain": "example.com",
  "grade": "B",
  "score": 75,
  "spf": {
    "record": "v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ~all",
    "valid": true,
    "allMechanism": "~all",
    "includes": ["_spf.google.com"],
    "issues": [],
    "dnsLookupCount": 3
  },
  "dmarc": {
    "record": "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]",
    "valid": true,
    "policy": "quarantine",
    "subdomainPolicy": null,
    "percentage": 100,
    "aggregateReportUri": "mailto:[email protected]",
    "forensicReportUri": null,
    "issues": ["DMARC policy is 'quarantine'. Consider upgrading to 'reject' for maximum protection."]
  },
  "dkim": {
    "detected": true,
    "selectorsFound": ["google", "default"]
  },
  "mtaSts": {
    "detected": true,
    "record": "v=STSv1; id=20240115"
  },
  "bimi": {
    "detected": false,
    "record": null
  },
  "recommendations": [
    "Add BIMI record to display brand logo in supported email clients",
    "Consider upgrading DMARC policy to 'reject' for stronger protection"
  ]
}

Response Fields

Field | Type | Description
domain | string | The audited domain
grade | string | Overall letter grade (A, B, C, D, or F)
score | number | Numerical score from 0-100
spf | object | SPF record analysis (record, valid, allMechanism, includes, issues, dnsLookupCount)
dmarc | object | DMARC policy analysis (record, valid, policy, subdomainPolicy, percentage, aggregateReportUri, forensicReportUri, issues)
dkim | object | DKIM detection results (detected, selectorsFound)
mtaSts | object | MTA-STS detection results (detected, record)
bimi | object | BIMI detection results (detected, record)
recommendations | array | List of actionable remediation recommendations

Use Cases

Security Auditing

Regularly audit your domain's email authentication setup to identify security gaps. Use the letter grade and recommendations to prioritize improvements and maintain a strong security posture against email spoofing and phishing attacks.

POST /api/email-auth { "domain": "yourdomain.com" }
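A recurring audit usually ends in a pass/fail decision. The following is an added example, not code from this API's provider, that turns one response into a list of blocking findings. The `gate` function, its thresholds, and the assumption that `allMechanism` is always a qualifier plus `all` are illustrative. The sample is constructed from the example response above.

```python
import json

# Constructed sample, abridged from the example response on this page.
SAMPLE = json.loads("""
{"domain": "example.com", "grade": "B", "score": 75,
 "spf": {"valid": true, "allMechanism": "~all", "dnsLookupCount": 3},
 "dmarc": {"valid": true, "policy": "quarantine", "percentage": 100},
 "dkim": {"detected": true, "selectorsFound": ["google", "default"]}}
""")

GRADES = ("A", "B", "C", "D", "F")  # best to worst, per the documented values

def gate(report, min_grade="B", dmarc_ok=("quarantine", "reject")):
    """Return blocking findings for one response; an empty list means pass."""
    findings = []
    grade = report.get("grade")
    if grade not in GRADES or GRADES.index(grade) > GRADES.index(min_grade):
        findings.append(f"grade {grade} is below required {min_grade}")
    spf = report.get("spf") or {}
    if not spf.get("valid"):
        findings.append("SPF record missing or invalid")
    else:
        # Assumption: allMechanism is the qualifier plus 'all', as in the sample.
        if spf.get("allMechanism") not in ("-all", "~all"):
            findings.append("SPF does not end in -all or ~all")
        if (spf.get("dnsLookupCount") or 0) > 10:
            findings.append("SPF exceeds the 10-lookup limit of RFC 7208")
    dmarc = report.get("dmarc") or {}
    if not dmarc.get("valid"):
        findings.append("DMARC record missing or invalid")
    elif dmarc.get("policy") not in dmarc_ok:
        findings.append(f"DMARC policy is {dmarc.get('policy')}, not enforcing")
    elif dmarc.get("percentage") is not None and dmarc["percentage"] < 100:
        findings.append(f"DMARC enforced on only {dmarc['percentage']}% of mail")
    if not (report.get("dkim") or {}).get("selectorsFound"):
        findings.append("no DKIM key found for the selectors checked")
    return findings

if __name__ == "__main__":
    for finding in gate(SAMPLE, min_grade="A"):
        print("FAIL:", finding)
```
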

Deliverability Optimization

Improve email deliverability by ensuring proper SPF, DKIM, and DMARC configurations. Major email providers like Gmail and Outlook use these authentication mechanisms to filter spam and verify sender legitimacy.

Grade A = Maximum deliverability score

Compliance Checking

Meet industry compliance requirements (SOC 2, ISO 27001, GDPR) by demonstrating proper email authentication controls. Generate audit reports showing your domain's security configuration against RFC standards.

Export results for compliance documentation

Build Constraints

DNS TXT Lookups Only

All checks are performed via DNS TXT record lookups. No external paid data sources are used.

RFC Spec Compliance

Records are parsed and validated against official RFC specifications for each authentication protocol.
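What parsing a DMARC TXT record against RFC 7489 involves, shown as an added example that is not the service's implementation. The function name and issue wording are assumptions; the returned keys mirror the `dmarc` object in the example response, and the sample record is constructed.

```python
# Added example, not the service's code: a minimal DMARC tag-list parser (RFC 7489).
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a _dmarc TXT value into keys named like the API's `dmarc` object."""
    issues, tags, order = [], {}, []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            issues.append(f"Malformed tag: {part!r}")
        elif name in tags:
            issues.append(f"Duplicate tag: {name}")
        else:
            tags[name] = value
            order.append(name)
    # The version tag must come first and is case-sensitive.
    valid = order[:1] == ["v"] and tags["v"] == "DMARC1"
    if not valid:
        issues.append("Record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        valid, policy = False, None
        issues.append("Missing or invalid p= policy")
    sp = tags.get("sp", "").lower() or None
    if sp is not None and sp not in POLICIES:
        issues.append(f"Invalid sp= value: {sp}")
        sp = None
    pct = 100  # default when the tag is absent
    if "pct" in tags:
        if tags["pct"].isdecimal() and int(tags["pct"]) <= 100:
            pct = int(tags["pct"])
        else:
            issues.append("pct must be an integer from 0 to 100")
    if policy == "none":
        issues.append("p=none only monitors; failing mail is still delivered")
    elif policy and pct < 100:
        issues.append(f"Policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("No rua= address; aggregate reports are not collected")
    return {"record": txt, "valid": valid, "policy": policy,
            "subdomainPolicy": sp, "percentage": pct,
            "aggregateReportUri": tags.get("rua"),
            "forensicReportUri": tags.get("ruf"), "issues": issues}

# Constructed sample record (the report address is a placeholder).
SAMPLE = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com"
```
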

Sub-200ms Response

Stateless operation with sub-200ms response times for all DNS queries and analysis.

Stateless Architecture

No database persistence. Each request is processed independently with no stored state.

Error Codes

Code | Status | Description
400 | Bad Request | Invalid domain format or missing required parameters
401 | Unauthorized | Missing or invalid API key
429 | Rate Limited | Too many requests. Please slow down.
500 | Server Error | Internal server error. Please try again later.

MCP Integration (MCP Ready)

What is MCP?

Model Context Protocol (MCP) allows AI assistants like Claude to call this API as a native tool during conversation. Instead of writing HTTP requests, the AI invokes the tool directly — no API keys or boilerplate needed on the client side.

Tool Details

Tool Class: EmailAuthGraderTools
Method: GradeEmailAuth()

Description

Audits SPF, DKIM, DMARC, MTA-STS, and BIMI records