Getting Started
MailSec API provides comprehensive email security and deliverability auditing via REST. A single request returns up to 13 different checks with a numeric score, letter grade, and plain-language verdict.
Base URL
https://api.market/v1/mailsec
Authentication
All requests require an API key, sent in the X-RapidAPI-Key header via the RapidAPI proxy:
```bash
curl -H "X-RapidAPI-Key: YOUR_API_KEY" \
  https://api.market/v1/mailsec/audit/example.com
```
Domain Audit Endpoints
Full Audit
Run all checks on a domain and get a security score (0-100), letter grade (A-F), and detailed results.
GET /v1/audit/{domain}
Response:
```json
{
  "domain": "example.com",
  "score": 85,
  "grade": "B",
  "spf": {
    "valid": true,
    "record": "v=spf1 include:_spf.google.com ~all",
    "lookup_count": 4
  },
  "dkim": {
    "found": true,
    "selector": "google"
  },
  "dmarc": {
    "valid": true,
    "policy": "reject",
    "subdomain_policy": "quarantine",
    "rua": "mailto:dmarc@example.com"
  },
  "dnssec": {
    "valid": true
  },
  "mx": {
    "records": [
      {"priority": 10, "host": "aspmx.l.google.com"}
    ],
    "provider": "Google Workspace",
    "redundant": true
  }
}
```
Scoring Breakdown
| Component | Max Points | Details |
|---|---|---|
| SPF | 20 | Valid record with proper mechanisms |
| DMARC | 30 | reject: 30, quarantine: 15, none: 6 |
| DKIM | 20 | At least one valid selector found |
| DNSSEC | 20 | Valid chain of trust |
| MX | 10 | Valid records with redundancy |
Grades: A = 90+, B = 70+, C = 50+, D = 30+, F = <30
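Added example (not part of the MailSec documentation or its code): a Python triage function that turns one full-audit response into severity-tagged findings, using only the fields shown in the sample response above. The `findings` helper, its severity labels and the "near the limit" threshold are assumptions of this example; the embedded input is the page's own sample response.

```python
import json

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest
SPF_LOOKUP_LIMIT = 10  # RFC 7208 limit quoted in the endpoint table

# The documentation's sample response, embedded so the script runs offline.
SAMPLE = json.loads("""
{"domain": "example.com", "score": 85, "grade": "B",
 "spf": {"valid": true, "record": "v=spf1 include:_spf.google.com ~all", "lookup_count": 4},
 "dkim": {"found": true, "selector": "google"},
 "dmarc": {"valid": true, "policy": "reject", "subdomain_policy": "quarantine",
           "rua": "mailto:dmarc@example.com"},
 "dnssec": {"valid": true},
 "mx": {"records": [{"priority": 10, "host": "aspmx.l.google.com"}], "redundant": true}}
""")


def findings(audit):
    """Return (severity, message) pairs; severities are this example's own scale."""
    out = []

    def flag(cond, sev, msg):
        if cond:
            out.append((sev, msg))

    spf, dmarc, mx = (audit.get(k, {}) for k in ("spf", "dmarc", "mx"))
    terms = spf.get("record", "").lower().split()
    p = dmarc.get("policy", "none")
    sp = dmarc.get("subdomain_policy", p)  # sp defaults to p when absent
    flag(not spf.get("valid"), "high", "SPF missing or invalid")
    flag("+all" in terms or "all" in terms, "high", "SPF 'all' passes every sender")
    flag("~all" in terms or "?all" in terms, "low", "SPF 'all' is softfail/neutral, not -all")
    flag(spf.get("lookup_count", 0) >= SPF_LOOKUP_LIMIT - 1, "medium", "SPF near 10-lookup limit")
    flag(not dmarc.get("valid"), "high", "DMARC missing or invalid")
    flag(dmarc.get("valid") and p == "none", "medium", "DMARC p=none is monitoring only")
    flag(DMARC_RANK.get(sp, 0) < DMARC_RANK.get(p, 0), "medium", f"DMARC sp={sp} weaker than p={p}")
    flag(dmarc.get("valid") and not dmarc.get("rua"), "low", "DMARC has no rua report address")
    flag(not audit.get("dkim", {}).get("found"), "medium", "no DKIM selector found by probing")
    flag(not audit.get("dnssec", {}).get("valid"), "low", "DNSSEC chain not valid")
    flag(not mx.get("records"), "high", "no MX records")
    flag(mx.get("records") and not mx.get("redundant"), "low", "single MX, no redundancy")
    return out


if __name__ == "__main__":
    for severity, message in findings(SAMPLE):
        print(f"{SAMPLE['domain']}: [{severity}] {message}")
```

On the sample response, the softfail `~all` and the `quarantine` subdomain policy under a `reject` main policy are the two gaps the summary score alone does not show.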
Bulk Audit
Audit up to 10 domains in a single request.
```
POST /v1/audit/bulk
Content-Type: application/json

{
  "domains": ["example.com", "example.org"]
}
```
Deliverability Check
Pre-flight deliverability verdict: READY, CAUTION, or BLOCKED.
GET /v1/deliverability/{domain}
Verdict rules:
- BLOCKED – domain or MX IP listed in Spamhaus
- CAUTION – SPF invalid, DMARC missing or p=none, or no MX records
- READY – SPF valid, DMARC at quarantine/reject, MX present, not blacklisted
Individual Check Endpoints
Each check is also available as a standalone endpoint.
| Endpoint | Description |
|---|---|
| GET /v1/spf/{domain} | SPF record, mechanisms, lookup count (RFC 7208 limit: 10) |
| GET /v1/dmarc/{domain} | DMARC policy, alignment modes, reporting URIs |
| GET /v1/dkim/{domain} | DKIM selector probing (auto-probes 10+ common selectors) |
| GET /v1/dnssec/{domain} | DNSSEC chain of trust verification |
| GET /v1/mx/{domain} | MX records, provider detection, redundancy status |
| GET /v1/bimi/{domain} | BIMI SVG logo URL and Verified Mark Certificate |
| GET /v1/mta-sts/{domain} | MTA-STS DNS record + HTTPS policy file |
| GET /v1/tlsrpt/{domain} | TLS-RPT reporting URIs (mailto: or https:) |
DKIM Custom Selector
By default, MailSec auto-probes common selectors (google, selector1, s1, mail, k1, etc.). To check a specific selector:
GET /v1/dkim/{domain}?selector=myselector
Email Validation Endpoints
Disposable Domain Check
Check if a domain belongs to a disposable/throwaway email provider. Matches against 100k+ known providers with suffix matching.
GET /v1/email/disposable/{domain}
Email Validation
Full email validation: syntax, IDN normalization, domain existence, MX presence, and disposable check.
GET /v1/email/validate?email=user@example.com
Blacklist Checking
The full audit and deliverability endpoints include Spamhaus blacklist checks:
- Spamhaus DBL – domain reputation (spam, phishing, malware)
- Spamhaus ZEN – MX IP reputation (SBL, XBL, PBL)
A blacklist hit triggers a BLOCKED deliverability verdict.
Rate Limits
| Plan | Calls/month | Rate limit | Overage |
|---|---|---|---|
| Free Trial | 1,000 | 2 req/s | Hard limit |
| Pro | 50,000 | 10 req/s | $0.0005/call |
| Bulk | 250,000 | 50 req/s | $0.0003/call |
The Free Trial includes all endpoints for 7 days. Pro includes all individual endpoints but not the bulk audit. Bulk includes everything.
Performance
- Cold request: 200-800ms (live DNS lookups)
- Cached request: <50ms (TTL-aware in-process cache)
- Bulk endpoint: up to 10 domains audited in parallel
OpenAPI Specification
The full API specification is available as an OpenAPI 3.0 document.

