DNS Checks

Trigger and retrieve DNS security checks for your domains.

Run DNS Checks

Triggers a complete DNS security check for a domain. This endpoint is rate limited to 5 checks per minute per domain.

POST /api/v1/domains/{id}/checks

Path Parameters

Parameter	Type	Description
`id`	uuid	Domain ID

Response

Returns the results of all DNS checks:

json

{
  "data": {
    "checkedAt": "2024-01-15T10:30:00Z",
    "results": {
      "mx": {
        "records": [
          {"priority": 10, "exchange": "mail.example.com"}
        ],
        "hosts": [...],
        "tlsSupported": true,
        "daneSupported": false,
        "emailReceptionCapability": "active"
      },
      "spf": {
        "record": "v=spf1 include:_spf.google.com ~all",
        "valid": true,
        "allPolicy": "~all",
        "totalLookupCount": 3,
        "detectedProviders": ["Google Workspace"]
      },
      "dkim": [
        {
          "selector": "google",
          "valid": true,
          "keyType": "rsa",
          "keySize": 2048
        }
      ],
      "dmarc": {
        "record": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "valid": true,
        "policy": "reject",
        "rua": ["mailto:dmarc@example.com"]
      },
      "mtaSts": {
        "valid": true,
        "policyMode": "enforce"
      },
      "tlsRpt": {
        "valid": true,
        "rua": ["mailto:tls-reports@example.com"]
      },
      "bimi": {
        "valid": false,
        "errors": ["No BIMI record found"]
      },
      "dnssec": {
        "enabled": true,
        "valid": true
      }
    }
  }
}

Example

bash

curl -X POST \
  -H "Authorization: Bearer ms_your_token" \
  https://app.mailshield.app/api/v1/domains/550e8400-e29b-41d4-a716-446655440000/checks

Rate Limiting

This endpoint has a stricter rate limit of 5 requests per minute per domain because DNS checks are resource-intensive.

When rate limited, you'll receive a 429 response with a Retry-After header.

TIP

Instead of repeatedly triggering checks, use the Get Domain endpoint to retrieve the latest stored check results.

Check Results

Each DNS check returns detailed information about the configuration.

MX Check

json

{
  "records": [
    {"priority": 10, "exchange": "mail1.example.com"},
    {"priority": 20, "exchange": "mail2.example.com"}
  ],
  "hosts": [
    {
      "hostname": "mail1.example.com",
      "priority": 10,
      "ip": "203.0.113.1",
      "tlsSupported": true,
      "starttlsSupported": true,
      "certificateExpiry": "2025-01-01T00:00:00Z"
    }
  ],
  "tlsSupported": true,
  "daneSupported": false,
  "emailReceptionCapability": "active"
}

Email Reception Capability:

active - Domain actively receives email
null-mx - Null MX record (RFC 7505)
no-mail - No MX records
unreachable - MX hosts not reachable
relay-denied - Mail servers reject mail

SPF Check

json

{
  "record": "v=spf1 include:_spf.google.com ~all",
  "version": "spf1",
  "valid": true,
  "allPolicy": "~all",
  "mechanisms": [...],
  "includeTree": [...],
  "totalLookupCount": 3,
  "flattenedIps": ["172.217.0.0/16", ...],
  "detectedProviders": ["Google Workspace"],
  "errors": [],
  "warnings": ["Consider using -all instead of ~all"]
}

DKIM Check

json

{
  "selector": "google",
  "record": "v=DKIM1; k=rsa; p=MIIBIjAN...",
  "version": "DKIM1",
  "keyType": "rsa",
  "keySize": 2048,
  "publicKey": "MIIBIjAN...",
  "valid": true,
  "errors": [],
  "warnings": []
}

DMARC Check

json

{
  "record": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
  "version": "DMARC1",
  "policy": "reject",
  "subdomainPolicy": null,
  "percentage": 100,
  "aspf": "r",
  "adkim": "r",
  "rua": ["mailto:dmarc@example.com"],
  "ruf": [],
  "valid": true,
  "errors": [],
  "warnings": []
}

MTA-STS Check

json

{
  "dnsRecord": "v=STSv1; id=20240115",
  "dnsVersion": "STSv1",
  "dnsId": "20240115",
  "policyFetched": true,
  "policyVersion": "STSv1",
  "policyMode": "enforce",
  "policyMx": ["mail.example.com"],
  "policyMaxAge": 604800,
  "valid": true,
  "errors": []
}

TLS-RPT Check

json

{
  "record": "v=TLSRPTv1; rua=mailto:tls-reports@example.com",
  "version": "TLSRPTv1",
  "rua": ["mailto:tls-reports@example.com"],
  "valid": true,
  "errors": []
}

BIMI Check

json

{
  "selector": "default",
  "record": "v=BIMI1; l=https://example.com/logo.svg",
  "version": "BIMI1",
  "location": "https://example.com/logo.svg",
  "authority": null,
  "logoFetched": true,
  "logoValid": true,
  "logoContentType": "image/svg+xml",
  "valid": true,
  "errors": []
}

DNSSEC Check

json

{
  "enabled": true,
  "valid": true,
  "chainValid": true,
  "dsRecords": [
    {
      "keyTag": 12345,
      "algorithm": 13,
      "digestType": 2,
      "digest": "ABC123..."
    }
  ],
  "errors": []
}

DNS Checks ​

Run DNS Checks ​

Path Parameters ​

Response ​

Example ​

Rate Limiting ​

Check Results ​

MX Check ​

SPF Check ​

DKIM Check ​

DMARC Check ​

MTA-STS Check ​

TLS-RPT Check ​

BIMI Check ​

DNSSEC Check ​

DNS Checks

Run DNS Checks

Path Parameters

Response

Example

Rate Limiting

Check Results

MX Check

SPF Check

DKIM Check

DMARC Check

MTA-STS Check

TLS-RPT Check

BIMI Check

DNSSEC Check