How to Use DMARC Check APIs for Automated Domain Verification

A DMARC check API is a programmatic endpoint that accepts a domain name and returns structured data about its DMARC DNS record. Instead of running manual lookups one domain at a time through a web interface, developers and managed service providers can integrate a DMARC check API into their own dashboards, monitoring scripts, and client onboarding workflows. The API parses the raw TXT record from DNS and returns fields such as the policy level, subdomain policy, aggregate report address, forensic report address, alignment mode, and percentage tag in a machine-readable format like JSON. This eliminates human error from copy-paste interpretation and makes it possible to monitor hundreds or thousands of domains on a scheduled basis without any manual intervention whatsoever.

What Is a DMARC Check API?

At its core, a DMARC check API performs a DNS TXT lookup for the _dmarc subdomain of any given domain and returns the parsed result. When you query _dmarc.example.com, the API retrieves the raw record string such as v=DMARC1; p=reject; rua=mailto:dmarc@example.com and breaks it into individual fields. A well-designed API also validates the record syntax, flags common misconfigurations like missing rua tags or conflicting policies, and returns an overall health score. According to a 2025 report by Valimail, only 28.5% of all domains worldwide have reached DMARC enforcement at p=quarantine or p=reject, which means the vast majority of domains still need active monitoring. Automating that monitoring through an API is the only practical approach when you manage more than a handful of domains.

Why Should You Automate DMARC Checks?

Manual DMARC verification does not scale. An MSP managing 200 client domains cannot realistically log into a web tool, type each domain, read the output, and record the results in a spreadsheet every week. Automation solves three problems simultaneously. First, it provides continuous monitoring so that DNS changes, whether intentional or accidental, are detected within hours rather than weeks. Second, it creates an auditable record of each domain’s DMARC posture over time, which is essential for compliance reporting under frameworks like PCI DSS v4.0 that now mandate DMARC. Third, it enables proactive alerting so that if a client’s record disappears or downgrades from p=reject to p=none, your team is notified immediately. According to the Anti-Phishing Working Group’s 2024 trend report, phishing volume exceeded 1.3 million unique attacks in a single quarter, reinforcing why continuous automated monitoring matters.

How Does DMARC Report’s API Work?

DMARC Report’s API provides a RESTful interface for querying DMARC records and retrieving aggregate report data. After authenticating with an API key, you send a GET request with the target domain and receive a JSON response containing the full parsed DMARC record, validation status, and any detected issues. The API also exposes endpoints for pulling aggregate report summaries, sender source breakdowns, and authentication pass/fail rates over configurable time ranges. This means you can build a single integration that both checks the DNS record configuration and monitors the actual email authentication results flowing through that domain. The combination of record validation and report analysis in one API eliminates the need to stitch together multiple tools.

How Do You Query a DMARC Record with curl?

The simplest way to test DMARC Report’s API is with a curl command from your terminal. Below is a basic example that queries a domain’s DMARC record:

curl -X GET "https://api.dmarcreport.com/v1/dmarc-check?domain=example.com" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

The response returns a JSON object with fields including policy, subdomain_policy, rua, ruf, adkim, aspf, pct, and a valid boolean. You can pipe this into jq for formatted output or feed it directly into your monitoring pipeline.

Python Example

For scheduled monitoring, Python is a natural fit. Here is a minimal example using the requests library:

import requests

API_KEY = "YOUR_API_KEY"
domain = "example.com"

response = requests.get(
    f"https://api.dmarcreport.com/v1/dmarc-check?domain={domain}",
    headers={"Authorization": f"Bearer {API_KEY}"}
)

data = response.json()
print(f"Policy: {data['policy']}, Valid: {data['valid']}")

You can wrap this in a loop over your domain list and run it as a daily cron job, storing results in a database for trend analysis and alerting on any policy downgrades or record removals.

JavaScript Example

If your monitoring dashboard runs on Node.js, the integration is equally straightforward:

const response = await fetch(
  "https://api.dmarcreport.com/v1/dmarc-check?domain=example.com",
  {
    headers: {
      "Authorization": "Bearer YOUR_API_KEY",
      "Accept": "application/json"
    }
  }
);

const data = await response.json();
console.log(`Policy: ${data.policy}, Valid: ${data.valid}`);

This can be embedded in a serverless function that runs on a schedule, feeding results into Slack alerts, a client portal, or a compliance reporting dashboard.

How Do DMARC Check API Providers Compare?

Several providers offer DMARC check APIs, each with different strengths. MXToolbox provides a general-purpose DNS lookup API that covers DMARC among many other record types, but it is oriented toward ad-hoc diagnostics rather than continuous monitoring at scale. Valimail offers an enterprise-grade API focused on DMARC enforcement automation, though pricing targets large organizations. DMARCian provides API access as part of its management platform with a focus on visualization. DMARC Report’s API differentiates by combining record checking with aggregate report analysis in a single platform, making it particularly well-suited for MSPs who need both configuration validation and ongoing authentication monitoring across their entire client portfolio. The key factors to evaluate are rate limits, response format consistency, the depth of validation logic, and whether the API also exposes report data beyond just DNS record parsing.

What Are Common Mistakes When Using DMARC APIs?

The most frequent mistake is checking the DMARC record once during onboarding and then never again. DNS records can be accidentally deleted during domain migrations, overwritten by other administrators, or silently modified by hosting providers. A second common error is ignoring the pct tag in API responses. A domain with p=reject; pct=0 looks protected at first glance but is effectively doing nothing because zero percent of failing messages are subject to the reject policy. Good API integrations should flag this condition explicitly. Finally, many teams forget to monitor subdomain policies separately. The sp tag controls subdomain behavior, and if it is absent, the main domain policy applies to subdomains by default, which may or may not be the intended configuration.

Verifying Your Setup

After integrating the API, validate your results against a manual check using DMARC Report’s free checker tool. Compare the API response fields with the web tool output to confirm your parsing logic is correct. Run this validation across at least ten domains with different policy configurations to catch edge cases in your integration code.

FAQ

Can I use a DMARC check API for free?

Most providers offer a free tier with limited daily queries. DMARC Report provides a free trial that includes API access so you can test your integration before committing to a paid plan. Rate limits on free tiers typically range from 50 to 500 queries per day.

How often should I poll domains via the API?

For most organizations, a daily check is sufficient since DMARC records rarely change more than once per day. MSPs onboarding new clients may want to poll every few hours during the initial setup phase to confirm DNS propagation after record creation.

Does the API detect DMARC record syntax errors?

Yes. A well-designed DMARC check API validates the record against RFC 7489 syntax requirements and flags issues such as duplicate tags, invalid policy values, missing version identifiers, and malformed mailto URIs in the rua or ruf fields.

---

Start monitoring your domains automatically with a DMARC Report free trial and integrate the API into your existing workflow today.