Skip to content
POST AI agent ready /v1/email-security/report

Email Security Report API - SPF, DMARC & DKIM Audit

Send a domain name and receive a full email authentication audit. The endpoint checks SPF, DMARC, and DKIM records, assigns a letter grade (A through F) with a numeric score out of 100, and returns actionable recommendations for improving email security posture.

Parameters

stringrequired

Domain to audit for email security.

Code examples

curl -X POST https://api.botoi.com/v1/email-security/report \
  -H "Content-Type: application/json" \
  -d '{"domain":"example.com"}'

When to use this API

Email deliverability audits

Run this check before launching email campaigns to confirm SPF, DMARC, and DKIM are configured correctly. A missing or misconfigured record can send your emails straight to spam folders.

Compliance checks for security certifications

SOC 2 and ISO 27001 auditors ask about email authentication controls. Generate this report as evidence that SPF, DMARC, and DKIM are in place and correctly configured.

Domain security monitoring

Schedule weekly audits of your production domains. Alert your security team when the grade drops or when a previously configured record goes missing.

Frequently asked questions

How is the grade calculated?
The score is based on the presence and strength of SPF, DMARC, and DKIM records. SPF with -all scores higher than ~all. DMARC with reject scores higher than quarantine or none. Missing records reduce the score significantly.
Which DKIM selector does it check?
The endpoint checks common selectors including "google", "default", "selector1", and "selector2". If your selector is non-standard, DKIM may show as not found even if it exists.
Can this endpoint detect email spoofing?
It does not scan for active spoofing. It evaluates whether your DNS records are configured to prevent spoofing. A strong SPF, DMARC, and DKIM setup makes spoofing your domain significantly harder.
What does rua and ruf mean in the DMARC section?
rua is the address that receives aggregate DMARC reports (daily summaries). ruf is the address for forensic reports (individual failure notifications). Both are optional but recommended.
Does this work for subdomains?
Yes. DMARC inherits from the parent domain if no subdomain-specific record exists. SPF and DKIM are checked directly on the subdomain you provide.

Get your API key

Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.

Sign up free View full docs