# Email Security API > Inspect any domain's email-authentication posture — its protection against spoofing and phishing — via live DNS. Pass a domain and the service looks up and validates SPF (the v=spf1 record, its all-qualifier and the 10-lookup limit), DMARC (the _dmarc policy p=none/quarantine/reject, plus sp, pct and rua/ruf reporting addresses), DKIM (probing the common selectors at selector._domainkey, or pass your own), BIMI and the MX servers — then returns an A+-to-F grade with a prioritised list of issues and concrete advice. A second endpoint parses the DMARC record tag by tag with a plain-English interpretation of the policy. Built for email-deliverability and anti-spoofing audits, vendor and third-party risk assessment, security onboarding and continuous monitoring. An email-authentication analyzer — distinct from mailbox/address validation (email), raw DNS record lookup (dns) and the HTTP security-header grader (secheaders). Pure live DNS, no upstream key, no cache. ## Authentication All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys. ```bash curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/emailsec-api/..." ``` ## Pricing - **Free** (Free) — 2,380 calls/Mo, 2 req/s - **Starter** ($7/Mo) — 47,500 calls/Mo, 8 req/s - **Pro** ($22/Mo) — 242,000 calls/Mo, 20 req/s - **Mega** ($57/Mo) — 885,000 calls/Mo, 50 req/s ## Endpoints ### Email Security #### `GET /v1/check` — Email-auth posture + grade **Parameters:** - `domain` (query, required, string) — Domain to inspect Example: `cloudflare.com` - `selector` (query, optional, string) — DKIM selector(s) to check **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/emailsec-api/v1/check?domain=cloudflare.com" ``` **Response:** ```json { "data": { "mx": [ { "exchange": "mxb-canary.global.inbound.cf-emailsecurity.net", "priority": 5 }, { "exchange": "mxa-canary.global.inbound.cf-emailsecurity.net", "priority": 5 }, { "exchange": "mxa.global.inbound.cf-emailsecurity.net", "priority": 10 }, { "exchange": "mxb.global.inbound.cf-emailsecurity.net", "priority": 10 } ], "spf": { "found": true, "valid": true, "issues": [], "policy": "fail (-all)", "record": "v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all", "lookups": 6, "all_qualifier": "-" }, "bimi": { "found": true, "record": "v=BIMI1; l=https://www.cloudflare.com/cloudflare_1171114652.svg; a=https://www.cloudflare.com/cloudflare_1171114652.pem" }, "dkim": { "found": true, "records": [ { "length": 226, "selector": "k1", "record_present": true }, { "length": 234, …(truncated, see openapi.json for full schema) ``` #### `GET /v1/dmarc` — Parse a DMARC record **Parameters:** - `domain` (query, required, string) — Domain to inspect Example: `github.com` **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/emailsec-api/v1/dmarc?domain=github.com" ``` **Response:** ```json { "data": { "pct": "100", "rua": "mailto:dmarc@github.com", "ruf": "mailto:dmarc@github.com", "aspf": null, "adkim": null, "found": true, "valid": true, "domain": "github.com", "issues": [], "policy": "quarantine", "record": "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@github.com; ruf=mailto:dmarc@github.com; fo=1", "queried": "_dmarc.github.com", "interpretation": { "p": "send failing mail to spam" }, "subdomain_policy": "reject" }, "meta": { "timestamp": "2026-06-01T23:40:50.426Z", "request_id": "74a0febd-efb0-4140-b054-c2979c5a0a53" }, "status": "ok", "message": "DMARC record parsed", "success": true } ``` ### Meta #### `GET /v1/meta` — Checks, selectors & grade scale **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/emailsec-api/v1/meta" ``` **Response:** ```json { "data": { "note": "Inspect a domain's email-authentication posture — its protection against spoofing and phishing — via live DNS. /v1/check?domain=google.com looks up and validates SPF (v=spf1, the 'all' qualifier and the 10-lookup limit), DMARC (the _dmarc policy p=none/quarantine/reject, sp, pct, rua/ruf), DKIM (probing common selectors at selector._domainkey, or pass ?selector=), BIMI and MX, then returns an A+-to-F grade with a prioritised list of issues and advice. /v1/dmarc parses the DMARC record tag by tag with a plain-English interpretation of the policy. Pure DNS lookups, always live. Ideal for email-deliverability and anti-spoofing audits, vendor and third-party risk assessment, and onboarding checks. An email-authentication analyzer — distinct from mailbox/address validation (email), raw DNS record lookup (dns) and the HTTP security-header grader (secheaders). No key, no cache.", "checks": [ "SPF (v=spf1)", "DMARC (_dmarc, v=DMARC1)", "DKIM (selector._domainkey)", "BIMI (default._bimi)", "MX" ], "grades": [ "A+", "A", "B", "C", "D", "F" ], "endpoints": [ "/v1/check", "/v1/dmarc", "/v1/meta" ], "dkim_selectors_probed": [ "default", "google", "selector1", "selector2", …(truncated, see openapi.json for full schema) ``` --- Marketplace page: https://www.oanor.com/api/emailsec-api OpenAPI spec: https://www.oanor.com/api/emailsec-api/openapi.json