Security
Email auth spoofability grade (SPF/DMARC/DKIM) A-F API
Email-authentication posture grader for a domain. It looks up SPF (TXT at the root), DMARC (TXT at _dmarc.<domain>), and probes common DKIM selectors over DNS-over-HTTPS, then parses them into structured facts (SPF final qualifier -all/~all/?all/+all and DNS-lookup count; DMARC p=/sp=/pct=/rua/alignment; DKIM selector presence) and collapses them into a letter grade A-F, a 0-100 score, a spoofability verdict (can an attacker forge mail From: this domain?), a deliverability read, machine-readable issue codes, and a prioritised list of concrete remediation fixes with the exact record to publish. Unlike a raw record dump, this returns the decision an agent can branch on. It answers questions such as 'Can someone spoof email from this domain?', 'Is this domain's email authentication set up correctly?', 'What SPF/DMARC/DKIM fixes does this domain need?', and 'Will mail from this domain land in the inbox?'.
https://x402.hexl.dev/v1/security/email-auth

{
  "domain": "github.com"
}

{
  "domain": "github.com",
  "grade": "B",
  "score": 75,
  "spoofability": "moderate",
  "spoofVerdict": "Spoofing is partially mitigated (DMARC quarantine), but the posture is not airtight — forged mail is quarantined rather than rejected.",
  "deliverability": "Strong. SPF, DKIM and DMARC are all present — legitimate mail authenticates and is unlikely to be junked on auth grounds.",
  "summary": "Grade B (75/100). Spoofing risk: moderate.",
  "spf": {
    "present": true,
    "qualifier": "~all",
    "lookupCount": 8,
    "record": "v=spf1 ip4:192.30.252.0/22 include:spf.protection.outlook.com include:_netblocks.google.com ~all"
  },
  "dmarc": {
    "present": true,
    "policy": "quarantine",
    "subdomainPolicy": "reject",
    "pct": 100,
    "hasAggregateReporting": true,
    "alignment": {
      "spf": null,
      "dkim": null
    },
    "record": "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@github.com; ruf=mailto:dmarc@github.com; fo=1"
  },
  "dkim": {
    "present": true,
    "selectorsFound": [
      "google",
      "selector1",
      "k1"
    ]
  },
  "issues": [
    "SPF_SOFTFAIL",
    "DMARC_QUARANTINE"
  ],
  "remediation": [
    {
      "priority": "medium",
      "issue": "DMARC policy is quarantine — spoofed mail goes to spam rather than being rejected outright.",
      "fix": "After confirming clean DMARC reports, upgrade p=quarantine to p=reject."
    },
    {
      "priority": "medium",
      "issue": "SPF ends in ~all (softfail) — forged mail is tagged, not rejected.",
      "fix": "Once you're confident every legitimate sender is listed, tighten ~all to -all.",
      "example": "v=spf1 ip4:192.30.252.0/22 include:spf.protection.outlook.com -all"
    }
  ],
  "disclaimer": "Best-effort assessment of public DNS email-authentication records. DKIM probing checks a fixed set of common selectors and may miss a custom selector (a 'DKIM not found' result is not proof DKIM is unconfigured). This is a security/deliverability heuristic, not a guarantee that mail cannot be spoofed or will be delivered."
}

{
  "type": "object",
  "required": [
    "domain"
  ],
  "properties": {
    "domain": {
      "type": "string",
      "description": "Domain name to assess, e.g. \"github.com\" (bare domain; scheme/path/email local-part are stripped)."
    }
  },
  "examples": [
    {
      "domain": "github.com"
    },
    {
      "domain": "neverssl.com"
    }
  ]
}

{
  "type": "object",
  "additionalProperties": true
}
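The parsing step the description mentions (SPF final qualifier, DMARC tags, issue codes) can be reproduced offline from the two records in the sample response. The sketch below is an added example, not the service's own code: function names and every issue code other than SPF_SOFTFAIL and DMARC_QUARANTINE are hypothetical. It does no DNS, so it computes no lookup count, follows no redirect=, and assigns no score or grade.

```python
import re

# SPF_SOFTFAIL and DMARC_QUARANTINE are issue codes from the sample response;
# every other code name below is hypothetical, invented for this example.
SPF_CODES = {"~all": "SPF_SOFTFAIL", "?all": "SPF_NEUTRAL",
             "+all": "SPF_PASS_ALL", None: "SPF_MISSING_OR_NO_ALL"}
DMARC_CODES = {"quarantine": "DMARC_QUARANTINE", "none": "DMARC_NONE"}
# Records copied from the sample response for github.com.
SAMPLE_SPF = ("v=spf1 ip4:192.30.252.0/22 include:spf.protection.outlook.com "
              "include:_netblocks.google.com ~all")
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; sp=reject; pct=100; "
                "rua=mailto:dmarc@github.com; ruf=mailto:dmarc@github.com; fo=1")

def spf_all_qualifier(record):
    """Return '-all', '~all', '?all' or '+all'; None if not SPF or no all term."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:  # first "all" wins; a bare "all" means "+all" (RFC 7208)
            return (m.group(1) or "+") + "all"
    return None  # redirect= is not followed here (that would need DNS)

def parse_dmarc(record):
    """Return a tag dict for a record that starts with v=DMARC1, else None."""
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record or ""):
        return None
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(spf_record, dmarc_record):
    """Collapse both records into facts plus issue codes (no score or grade)."""
    qualifier = spf_all_qualifier(spf_record)
    issues = [] if qualifier == "-all" else [SPF_CODES[qualifier]]
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return {"spf": {"qualifier": qualifier}, "dmarc": None,
                "issues": issues + ["DMARC_MISSING"]}
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(DMARC_CODES.get(policy, "DMARC_INVALID_POLICY"))
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    dmarc = {"policy": policy, "subdomainPolicy": tags.get("sp", policy).lower(),
             "pct": int(pct) if pct.isdigit() else None,
             "hasAggregateReporting": "rua" in tags,
             # None mirrors the null in the sample: tag absent, relaxed default
             "alignment": {"spf": tags.get("aspf"), "dkim": tags.get("adkim")}}
    return {"spf": {"qualifier": qualifier}, "dmarc": dmarc, "issues": issues}
```

Calling `assess(SAMPLE_SPF, SAMPLE_DMARC)` yields the same qualifier, policy fields and issue list as the sample response above.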