POST /api/scan
Send application/json from a server-side HTTP client, the published CLI, or the same-origin browser application.
curl --fail-with-body -sS \
'https://mail-domain-check-zac2.coral-ibis-2405.chatgpt.site/api/scan?utm_source=api-docs' \
-H 'Content-Type: application/json' \
--data '{"domain":"example.com"}'
domain- Required bare domain. Do not include a URL scheme, path, email address, or IP.
dkimSelector- Optional real selector from a mail provider or message header. The service does not guess selectors.
sendingIp- Optional actual public IPv4 or IPv6 outbound address for PTR and A/AAAA forward confirmation.
POST /api/ptr-check
Send only the actual public SMTP outbound address when the domain is unknown or the immediate issue is Gmail 5.7.25 or 4.7.23.
curl --fail-with-body -sS \
'https://mail-domain-check-zac2.coral-ibis-2405.chatgpt.site/api/ptr-check?utm_source=api-docs' \
-H 'Content-Type: application/json' \
--data '{"sendingIp":"8.8.8.8"}'
The result contains PtrDiagnostics: IP version, PTR answer count, forward record type, bounded query counts, forward address count, and forwardConfirmed. PTR hostnames, raw DNS answers, and repair actions are omitted.
Summary response
A successful response includes the normalized domain, scan time, duration, score, grade, status counts, bilingual overall summary, eight bilingual check summaries, and a disclaimer.
{
"domain": "example.com",
"score": 100,
"grade": "A",
"counts": { "pass": 5, "warn": 0, "fail": 0, "info": 3 },
"checks": [
{
"id": "spf",
"status": "pass",
"severity": "info",
"diagnostics": {
"spfRecordCount": 1,
"dnsLookupCount": 4,
"dnsLookupLimit": 10,
"lookupComplete": true
}
},
{
"id": "dmarc",
"status": "pass",
"severity": "info",
"diagnostics": {
"directRecordCount": 0,
"policyFound": true,
"policyDomain": "example.com",
"inherited": true,
"policyTag": "sp",
"policy": "reject",
"treeWalkQueries": 3,
"conflictingRecords": false
}
},
{
"id": "dkim",
"status": "pass",
"severity": "info",
"diagnostics": {
"recordCount": 1,
"keyType": "rsa",
"publicKeyPresent": true,
"revoked": false,
"testMode": false,
"strictIdentity": false,
"emailServiceAllowed": true,
"sha256Allowed": true
}
}
]
}
This abbreviated example shows selected fields. Live responses always contain all eight check summaries and may change as public DNS or HTTPS policy changes.
The SPF summary includes record count, potential DNS-causing term count, the fixed limit of 10, and whether the include or redirect chain expanded completely. A null count means there was no unique policy to expand; an incomplete count is an observed lower bound.
The DMARC summary follows the current RFC 9989 bounded DNS Tree Walk. It identifies the direct-record count, selected policy domain, inherited p/sp/np behavior, alignment modes, aggregate-reporting presence, test mode, historic pct, and discarded record conflicts without returning raw TXT or report destinations.
The MTA-STS summary identifies the STSv1 announcement count and validity, fixed-path HTTPS fetch state, policy validity, mode, maxAge, and MX pattern count. The companion TLS-RPT summary exposes only record state and aggregate mailto or HTTPS destination counts. Raw records, policy contents, MX patterns, and report destinations remain excluded.
When a real dkimSelector is supplied, the DKIM summary includes the exact-host TXT answer count, normalized key type, publication or revocation state, testing and strict-identity flags, email service permission, and SHA-256 permission.
When a real sendingIp is supplied, the PTR summary includes safe counts and forward-confirmation state. The focused /api/ptr-check endpoint returns the same boundary without requiring a domain.
The free response intentionally excludes complete DNS/HTTPS evidence and remediation actions, including raw SPF, DMARC, MTA-STS, and TLS-RPT records, policy contents, MX patterns, report destinations, expanded include targets, raw DKIM records, and public-key material. Those fields are generated server-side again and delivered only through the automated complete-report flow.
Status and rate limits
200- Scan completed.
X-RateLimit-Remainingreports the remaining source-address allowance. 400- Invalid JSON, domain, selector, or sending IP.
413 / 415- Body exceeds 8 KiB or Content-Type is not
application/json. 429- More than 30 scans in a 60-second source-address window. Respect
Retry-After. 500- A DNS, HTTPS, storage, or runtime dependency is temporarily unavailable.
The endpoint is for interactive diagnostics, not bulk enumeration, continuous monitoring, or unsolicited collection. No availability SLA is offered.
Privacy and browser boundary
Free analytics retain irreversible domain and visitor hashes plus aggregate result and source metrics, not raw domains or sending IPs. An optional sending IP is used for the current DNS check and retained with report data only after checkout.
Cross-origin browser calls are not supported. This prevents arbitrary third-party pages from silently using a visitor's browser as an API client. Use the same-origin scanner, the CLI, or a server-side HTTP client.
Machine-readable contract
Continue in the browser scanner
Results describe public configuration at scan time. They do not guarantee inbox placement and do not replace a complete security or compliance audit.