@Mail Domain Check

HTTP reference

Mail Domain Check Public API

Send one domain for eight normalized configuration summaries, or one outbound IP for a focused PTR and forward-DNS result. No account or API key is required.

OpenAPI 3.1.2

POST /api/scan

Send application/json from a server-side HTTP client, the published CLI, or the same-origin browser application.

curl --fail-with-body -sS \
  'https://mail-domain-check-zac2.coral-ibis-2405.chatgpt.site/api/scan?utm_source=api-docs' \
  -H 'Content-Type: application/json' \
  --data '{"domain":"example.com"}'
domain
Required bare domain. Do not include a URL scheme, path, email address, or IP.
dkimSelector
Optional real selector from a mail provider or message header. The service does not guess selectors.
sendingIp
Optional actual public IPv4 or IPv6 outbound address for PTR and A/AAAA forward confirmation.

POST /api/ptr-check

Send only the actual public SMTP outbound address when the domain is unknown or the immediate issue is Gmail 5.7.25 or 4.7.23.

curl --fail-with-body -sS \
  'https://mail-domain-check-zac2.coral-ibis-2405.chatgpt.site/api/ptr-check?utm_source=api-docs' \
  -H 'Content-Type: application/json' \
  --data '{"sendingIp":"8.8.8.8"}'

The result contains PtrDiagnostics: IP version, PTR answer count, forward record type, bounded query counts, forward address count, and forwardConfirmed. PTR hostnames, raw DNS answers, and repair actions are omitted.

Summary response

A successful response includes the normalized domain, scan time, duration, score, grade, status counts, bilingual overall summary, eight bilingual check summaries, and a disclaimer.

{
  "domain": "example.com",
  "score": 100,
  "grade": "A",
  "counts": { "pass": 5, "warn": 0, "fail": 0, "info": 3 },
  "checks": [
    {
      "id": "spf",
      "status": "pass",
      "severity": "info",
      "diagnostics": {
        "spfRecordCount": 1,
        "dnsLookupCount": 4,
        "dnsLookupLimit": 10,
        "lookupComplete": true
      }
    },
    {
      "id": "dmarc",
      "status": "pass",
      "severity": "info",
      "diagnostics": {
        "directRecordCount": 0,
        "policyFound": true,
        "policyDomain": "example.com",
        "inherited": true,
        "policyTag": "sp",
        "policy": "reject",
        "treeWalkQueries": 3,
        "conflictingRecords": false
      }
    },
    {
      "id": "dkim",
      "status": "pass",
      "severity": "info",
      "diagnostics": {
        "recordCount": 1,
        "keyType": "rsa",
        "publicKeyPresent": true,
        "revoked": false,
        "testMode": false,
        "strictIdentity": false,
        "emailServiceAllowed": true,
        "sha256Allowed": true
      }
    }
  ]
}

This abbreviated example shows selected fields. Live responses always contain all eight check summaries and may change as public DNS or HTTPS policy changes.

The SPF summary includes record count, potential DNS-causing term count, the fixed limit of 10, and whether the include or redirect chain expanded completely. A null count means there was no unique policy to expand; an incomplete count is an observed lower bound.

The DMARC summary follows the current RFC 9989 bounded DNS Tree Walk. It identifies the direct-record count, selected policy domain, inherited p/sp/np behavior, alignment modes, aggregate-reporting presence, test mode, historic pct, and discarded record conflicts without returning raw TXT or report destinations.

The MTA-STS summary identifies the STSv1 announcement count and validity, fixed-path HTTPS fetch state, policy validity, mode, maxAge, and MX pattern count. The companion TLS-RPT summary exposes only record state and aggregate mailto or HTTPS destination counts. Raw records, policy contents, MX patterns, and report destinations remain excluded.

When a real dkimSelector is supplied, the DKIM summary includes the exact-host TXT answer count, normalized key type, publication or revocation state, testing and strict-identity flags, email service permission, and SHA-256 permission.

When a real sendingIp is supplied, the PTR summary includes safe counts and forward-confirmation state. The focused /api/ptr-check endpoint returns the same boundary without requiring a domain.

The free response intentionally excludes complete DNS/HTTPS evidence and remediation actions, including raw SPF, DMARC, MTA-STS, and TLS-RPT records, policy contents, MX patterns, report destinations, expanded include targets, raw DKIM records, and public-key material. Those fields are generated server-side again and delivered only through the automated complete-report flow.

Status and rate limits

200
Scan completed. X-RateLimit-Remaining reports the remaining source-address allowance.
400
Invalid JSON, domain, selector, or sending IP.
413 / 415
Body exceeds 8 KiB or Content-Type is not application/json.
429
More than 30 scans in a 60-second source-address window. Respect Retry-After.
500
A DNS, HTTPS, storage, or runtime dependency is temporarily unavailable.

The endpoint is for interactive diagnostics, not bulk enumeration, continuous monitoring, or unsolicited collection. No availability SLA is offered.

Privacy and browser boundary

Free analytics retain irreversible domain and visitor hashes plus aggregate result and source metrics, not raw domains or sending IPs. An optional sending IP is used for the current DNS check and retained with report data only after checkout.

Cross-origin browser calls are not supported. This prevents arbitrary third-party pages from silently using a visitor's browser as an API client. Use the same-origin scanner, the CLI, or a server-side HTTP client.

Machine-readable contract

Continue in the browser scanner

Results describe public configuration at scan time. They do not guarantee inbox placement and do not replace a complete security or compliance audit.