IntoDNS.ai API
Automate DNS security checks and email deliverability analysis.
What you get
- SPF, DKIM, DMARC validation
- DNSSEC, MTA-STS, BIMI readiness
- Blacklist detection
- Email deliverability scoring
- Raw email debugging
Free & Open API
No authentication required
All endpoints are freely accessible without API keys or registration. Fair usage rate limits apply to ensure availability for everyone.
Example request:
curl -X POST https://intodns.ai/api/scan -H "Content-Type: application/json" -d '{"domain":"example.com"}'
Endpoints
Scanning
/api/scan
Runs a full DNS and email authentication scan for a domain with scoring and recommendations
Input
{
"domain": "example.com"
}
Output
{
"domain": "example.com",
"timestamp": "2026-01-28T17:59:35.078Z",
"score": 139,
"maxScore": 146,
"percentage": 95,
"grade": "A",
"gradeInfo": {
"grade": "A",
"label": "Very Good",
"description": "Strong security posture"
},
"categories": {
"dns": { "score": 55, "maxScore": 55, "percentage": 100, "status": "pass" },
"email": { "score": 44, "maxScore": 46, "percentage": 96, "status": "pass" },
"security": { "score": 40, "maxScore": 45, "percentage": 89, "status": "pass" }
},
"issues": [...],
"recommendations": [...]
}
Also available as: GET /api/scan/quick?domain=example.com
/api/debug-email
Analyzes a raw email message (MIME source) to diagnose deliverability issues
Input
{
"raw_email": "Full MIME source of the email"
}
Output
{
"spf": { "status": "unknown", "details": "...", "aligned": false },
"dkim": { "status": "none", "aligned": false },
"dmarc": { "status": "fail", "alignment": { "spf": false, "dkim": false } },
"spamScore": {
"score": 4,
"threshold": 5,
"rules": [
{ "name": "DMARC_FAIL", "score": 2, "description": "DMARC check failed" }
]
},
"headerAnalysis": { "issues": [...], "warnings": [] },
"suggestions": [
{ "issue": "No DKIM signature", "fix": "Configure DKIM signing", "priority": "high" }
]
}
DNS
/api/dns/lookup?domain=example.com
Looks up DNS records for a domain. Returns all types by default, or filter with type=A or types=A,MX,TXT
Output
{
"domain": "example.com",
"records": {
"A": [{ "type": "A", "name": "example.com.", "ttl": 3600, "data": "93.184.216.34" }],
"AAAA": [{ "type": "AAAA", "ttl": 3600, "data": "2606:2800:..." }],
"MX": [{ "type": "MX", "ttl": 3600, "data": "10 mail.example.com." }],
"NS": [...], "TXT": [...], "SOA": [...], "CAA": [...]
},
"responseTime": 1065,
"resolver": "Cloudflare DoH"
}
/api/dns/dnssec?domain=example.com
Validates DNSSEC configuration and trust chain
Output
{
"domain": "example.com",
"signed": true,
"valid": true,
"chain": [
{
"domain": "example.com.",
"algorithm": 13,
"flags": { "value": 257, "zoneKey": true, "secureEntryPoint": true },
"algorithmName": "ECDSA Curve P-256 with SHA-256"
}
],
"errors": []
}
/api/dns/propagation?domain=example.com
Checks DNS propagation across global resolvers (Google, Cloudflare, Quad9, etc.)
Output
{
"domain": "example.com",
"recordType": "A",
"results": [
{
"resolver": { "ip": "8.8.8.8", "name": "Google", "country": "US" },
"records": [{ "type": "A", "data": "93.184.216.34" }],
"responseTime": 29,
"success": true
}
]
}
/api/dns/tlsa?domain=example.com
Checks DANE/TLSA records for mail server certificate verification
Output
{
"domain": "example.com",
"port": 25,
"protocol": "tcp",
"tlsaDomain": "_25._tcp.example.com",
"exists": true,
"records": [
{
"usage": 3,
"usageDescription": "DANE-EE: Domain-issued certificate",
"selectorDescription": "SubjectPublicKeyInfo",
"matchingTypeDescription": "SHA-256 hash"
}
]
}
Email Security
/api/email/spf?domain=example.com
Parses and validates the SPF record, including lookup count and mechanisms
Output
{
"exists": true,
"record": "v=spf1 include:_spf.google.com -all",
"valid": true,
"policy": "fail",
"lookups": 3,
"issues": [],
"includes": ["_spf.google.com"],
"mechanisms": ["include:_spf.google.com", "-all"]
}
/api/email/dkim?domain=example.com
Discovers DKIM selectors and validates DKIM records
Output
{
"selectorsChecked": ["default", "google", "selector1", ...],
"selectorsFound": [
{
"selector": "selector1",
"record": "v=DKIM1; k=rsa; p=MIGf...",
"valid": true,
"keyType": "rsa",
"keyLength": 2048
}
],
"hasDkim": true,
"issues": []
}
/api/email/dmarc?domain=example.com
Parses and validates the DMARC record with policy details
Output
{
"exists": true,
"valid": true,
"record": "v=DMARC1; p=reject; pct=100; ruf=mailto:[email protected]",
"policy": "reject",
"subdomainPolicy": "reject",
"percentage": 100,
"reportingEnabled": true,
"rua": [],
"ruf": ["mailto:[email protected]"],
"issues": []
}
/api/email/bimi?domain=example.com
Checks BIMI (Brand Indicators for Message Identification) record
Output
{
"exists": false,
"record": null,
"valid": false,
"logoUrl": null,
"authorityUrl": null,
"issues": ["No BIMI record found"]
}
/api/email/mta-sts?domain=example.com
Checks MTA-STS (Strict Transport Security) configuration
Output
{
"exists": false,
"record": null,
"policyId": null,
"policy": null,
"policyUrl": "https://mta-sts.example.com/.well-known/mta-sts.txt",
"valid": false,
"issues": ["No MTA-STS TXT record found"]
}
/api/email/blacklist?domain=example.com
Checks if mail server IPs are listed on email blacklists (Spamhaus, SpamCop, Barracuda, etc.)
Output
{
"domain": "example.com",
"mailServers": [
{
"hostname": "mx1.example.com",
"ip": "1.2.3.4",
"blacklistResult": {
"listed": false,
"blacklists": [
{ "name": "Spamhaus ZEN", "severity": "critical", "listed": false },
{ "name": "SpamCop", "severity": "high", "listed": false }
]
}
}
]
}
/api/email/check?domain=example.com
Full email security check combining SPF, DKIM, DMARC with overall score
Output
{
"domain": "example.com",
"score": 100,
"spf": { "exists": true, "valid": true, "policy": "fail", "lookups": 7 },
"dkim": { "hasDkim": true, "selectorsFound": [...] },
"dmarc": { "exists": true, "valid": true, "policy": "reject" }
}
/api/email/sender-requirements?domain=example.com
Checks compliance with Google and Yahoo bulk sender requirements
Output
{
"domain": "example.com",
"overallStatus": "compliant",
"passedCount": 6,
"failedCount": 0,
"checks": [
{
"id": "spf-auth",
"name": "SPF Authentication",
"status": "pass",
"googleRequired": true,
"yahooRequired": true
}
]
}
Reports & Badges
/api/badge/{domain}
Returns an SVG badge showing the domain's security grade
Returns image/svg+xml content. Embed in markdown or HTML:
/api/pdf/{domain}
Generates a PDF report of the scan results
Returns application/pdf content.
curl "https://intodns.ai/api/pdf/example.com" -o report.pdf
/api/hall-of-fame
Returns the list of domains with top security scores
Output
{
"entries": [
{ "domain": "example.com", "score": 95, "grade": "A", "addedAt": 1769345378042 }
],
"total": 1
}
/api/health
Health check endpoint for monitoring
Output
{
"status": "healthy",
"services": { "redis": { "status": "up" }, "api": { "status": "up" } },
"uptime": 109512
}
Use Cases
Common automation scenarios
- CI/CD check before mail deploy - Validate DNS configuration before deploying email infrastructure changes
- Transactional email audit - Test real outbound emails to debug deliverability issues
- Ongoing blacklist monitoring - Schedule automated checks to detect reputation problems early
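The CI/CD scenario above, sketched as an added example (not code from IntoDNS.ai): a Python gate that reads the /api/email/spf, /api/email/dkim and /api/email/dmarc responses in the shapes documented on this page and returns blocking findings. The function names, the thresholds (10 SPF lookups per RFC 7208, 2048-bit RSA), the 60-second wait and the DMARC policy value "none" are assumptions; the sample responses are constructed.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://intodns.ai"  # host taken from the page's curl example

def fetch(path, domain, retries=3):
    """GET a documented endpoint; wait and retry when rate limited (HTTP 429)."""
    url = f"{BASE}{path}?domain={urllib.parse.quote(domain)}"
    for attempt in range(retries):
        try:
            with urllib.request.urlopen(url, timeout=15) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code != 429 or attempt == retries - 1:
                raise
            time.sleep(60)  # the page says limits reset every minute

def gate(spf, dkim, dmarc, min_rsa_bits=2048):
    """Return blocking findings for the three responses; empty list means pass."""
    findings = []
    if not (spf.get("exists") and spf.get("valid")):
        findings.append("SPF record missing or invalid")
    elif spf.get("policy") != "fail":  # "fail" is what the page shows for -all
        findings.append(f"SPF policy is {spf.get('policy')!r}, not 'fail'")
    if spf.get("lookups", 0) > 10:  # RFC 7208 limit on DNS-querying terms
        findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit 10)")
    if not dkim.get("hasDkim"):
        findings.append("no DKIM selector found")
    for sel in dkim.get("selectorsFound", []):
        bits = sel.get("keyLength", 0)
        if sel.get("keyType") == "rsa" and bits < min_rsa_bits:
            findings.append(f"DKIM {sel.get('selector')}: {bits}-bit RSA key")
    if not (dmarc.get("exists") and dmarc.get("valid")):
        findings.append("DMARC record missing or invalid")
    elif dmarc.get("policy") == "none" or dmarc.get("percentage", 100) < 100:
        findings.append("DMARC is not enforced for all mail")
    return findings

def check_domain(domain):
    """Live check: three /api/email/* requests, well under 20 per minute."""
    return gate(*(fetch(f"/api/email/{k}", domain) for k in ("spf", "dkim", "dmarc")))

# Constructed sample responses in the documented shapes (not real scan output).
WEAK_SPF = {"exists": True, "valid": True, "policy": "fail", "lookups": 12}
WEAK_DKIM = {"hasDkim": True, "selectorsFound": [
    {"selector": "selector1", "keyType": "rsa", "keyLength": 1024}]}
WEAK_DMARC = {"exists": True, "valid": True, "policy": "none", "percentage": 100}
```

In a pipeline, fail the job when check_domain(domain) returns a non-empty list; gate(WEAK_SPF, WEAK_DKIM, WEAK_DMARC) shows the findings offline.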
Rate Limits
Fair usage limits to ensure availability for everyone
| Endpoint | Limit | Window |
|---|---|---|
| /api/scan/* | 10 requests | per minute |
| /api/dns/* | 30 requests | per minute |
| /api/email/* | 20 requests | per minute |
| /api/debug-email | 10 requests | per minute |
| /api/badge/* | 60 requests | per minute (cached) |
Rate limits reset every minute. Cached responses (like badges) don't count against your limit.
Error Responses
Standard error format for all endpoints
{
"error": "Error message describing what went wrong"
}
400 - Bad Request (invalid parameters)
429 - Too Many Requests (rate limited)
500 - Internal Server Error
Machine-readable documentation
Technical documentation for AI assistants and automated tooling
Markdown format optimized for ChatGPT, Claude, and other LLM citations