Email Security Posture (Composite)
free/v1/security/email-postureComposite endpoint that fans out to analyzeSPF / analyzeDMARC / analyzeDKIM and the DMARCbis DNS Tree Walk in parallel, then returns a unified envelope with an overall score, aggregate DNSSEC status, a ranked recommendation list (critical → info), and full per-component analyzer payloads. Replaces six sequential API calls with one — built for security-review screenshots, dashboards, and posture monitoring.
What It Does
Calls analyzeSPF, analyzeDMARC, analyzeDKIM, and dnsTreeWalkOrgDomain in parallel via Promise.allSettled so a single failing component does not take the whole composite down. Computes a weighted overall score (DMARC 0.45 / SPF 0.30 / DKIM 0.25), aggregates the DNSSEC AD bit across all three analyzers, runs cross-cutting rules to build ranked_recommendations (critical → info), and returns each component's full analyzer payload under `components.{spf,dkim,dmarc}` for deep-link drill-downs. Surfaces both the PSL organisational domain (RFC 7489) and the DMARCbis DNS Tree Walk result so callers can preview the upcoming standard. Caches complete results for 1 hour; degraded results (any component rejected) are never cached.
Why It's Useful
A complete email-security review previously required six sequential API calls — fine for SDK consumers but disastrous for security-review workflows. The composite endpoint collapses that into a single screenshot-able artefact with a prioritised to-do list. Ideal for dashboards, vendor risk reviews, and pre-launch checklists.
Use Cases
Security review in a single screenshot
Prepare a domain's email-security posture for a quarterly security review meeting. Need critical → info ranked recommendations on one page, with deep links to the individual endpoints for follow-up.
One API call replaces six. The ranked_recommendations array is directly screenshot-able for review documents.
Vendor email-security due diligence
Vet a SaaS vendor's email posture before signing — check authentication, transport security readiness via DMARCbis preview, and DNSSEC validation in one request.
Score + ranked recommendations support a quick vendor risk decision without manual record inspection.
Monitoring dashboard for portfolio domains
Run a daily cron across customer domains to track email-security posture over time. Need a single endpoint per domain that exposes both the score and the underlying analyzer state for change detection.
One request per domain instead of six, with full component payloads for diffing across runs.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to assess. Subdomains are supported — the DMARCbis tree walk traverses ancestors looking for the organisational policy.Example: cloudflare.com |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The queried domain |
organizational_domain_psl | string | Organisational domain per RFC 7489 (current PSL-based resolution) |
organizational_domain_tree_walk | object | DMARCbis DNS Tree Walk result — surfaced alongside the PSL result for forward-compat preview. Fields: queried_domain, organizational_domain, walked_steps, walked_names, dmarc_record, dnssec_validated, error. |
overall_score | number | Weighted composite score 0–100 (DMARC 0.45 / SPF 0.30 / DKIM 0.25) |
overall_grade | string | Letter grade A+ / A / B / C / D / F |
dnssec_validated | boolean | Aggregate DNSSEC posture — true only when every successful analyzer's underlying lookup carried the AD bit |
ranked_recommendations | array | Severity-sorted action list. Each entry: severity (critical/high/medium/low/info), title (one line), detail (two sentences with the fix), endpoint_ref (which individual endpoint to drill into for context). Critical-first ordering means the top item is the screenshot-able headline. |
components | object | Per-component analyzer payloads. { spf: ComponentSummary, dkim: ComponentSummary, dmarc: ComponentSummary } where ComponentSummary = { ok: boolean, error: string|null, data: <full analyzer result>|null }. Clients can deep-link into the matching endpoint for details. |
Code Examples
curl "https://api.edgedns.dev/v1/security/email-posture" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "domain=cloudflare.com"const response = await fetch(
'https://api.edgedns.dev/v1/security/email-posture?domain=cloudflare.com',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/security/email-posture',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'domain': 'cloudflare.com'
}
)
data = response.json()
print(data)Read the full Email Security Posture (Composite) guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.
Try This Endpoint
Test the Email Security Posture (Composite) endpoint live in the playground.