Email Spoofability Score
pro /v1/security/spoofability
Computes a 0–100 email spoofability score by combining SPF, DMARC, and DKIM analysis with interaction multipliers that model real-world attacker risk. Unlike a weighted average, this endpoint applies compounding penalties when weak authentication policies interact — for example, DMARC p=none combined with SPF ~all more than doubles the spoofability risk of either alone.
What It Does
Runs SPF, DMARC, and DKIM analysis in parallel, then computes per-protocol protection sub-scores (SPF 30%, DMARC 45%, DKIM 25% base weights). Applies conditional interaction multipliers: DMARC p=none with permissive SPF (~all/+all) adds +30% spoofability; missing DKIM with permissive DMARC adds +20%; SPF with >10 lookups (PermError) disables SPF contribution entirely. Returns a classification (locked_down / moderate / vulnerable / open) with the contributing factors broken out, so remediation work can target the highest-impact gap.
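A minimal model of the scoring described above, as an added example and not the service's own implementation. It uses the page's base weights and interaction multipliers; the sub-score tables, the multiplicative combination, the cap at 100, and the reading of "permissive DMARC" as p=none or no record are assumptions, and the sample records are constructed.

```python
import re

# Base weights are from the page. The sub-score tables, the multiplicative
# combination and the reading of "permissive DMARC" are assumptions.
WEIGHTS = {"spf": 30, "dmarc": 45, "dkim": 25}               # percent
SPF_SCORE = {"-": 100, "~": 50, "?": 25, "+": 0}             # assumed, by "all" qualifier
DMARC_SCORE = {"reject": 100, "quarantine": 70, "none": 20}  # assumed, by p= tag

def spf_all_qualifier(record):
    """Qualifier of the 'all' mechanism ('+' when omitted), or None if absent."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", (record or "").lower())
    return (m.group(1) or "+") if m else None

def dmarc_policy(record):
    """Value of the p= tag, or None when there is no record or no p= tag."""
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (t.partition("=") for t in (record or "").split(";"))}
    return tags.get("p") or None

def score(spf, dmarc, dkim_present, spf_lookups=0):
    q, p = spf_all_qualifier(spf), dmarc_policy(dmarc)
    sub = {
        # More than 10 DNS lookups is an SPF PermError: no SPF protection at all.
        "spf": 0 if spf_lookups > 10 else SPF_SCORE.get(q, 0),
        "dmarc": DMARC_SCORE.get(p, 0),
        "dkim": 100 if dkim_present else 0,
    }
    # Flat weighted average, expressed as spoofability (100 = no protection).
    flat = 100 - sum(WEIGHTS[k] * sub[k] for k in sub) / 100
    active = []
    if p == "none" and q in ("~", "+"):
        active.append(("dmarc_none+permissive_spf", 1.30))      # +30% per the page
    if not dkim_present and p in (None, "none"):
        active.append(("missing_dkim+permissive_dmarc", 1.20))  # +20% per the page
    factor = 1.0
    for _, m in active:
        factor *= m
    return {"flat_average": flat, "spoofability": min(100.0, round(flat * factor, 1)),
            "sub_scores": sub, "interactions": [name for name, _ in active]}

# Constructed sample records (not real domains' DNS data).
SOFT = score("v=spf1 include:_spf.example.net ~all",
             "v=DMARC1; p=none; rua=mailto:dmarc@example.com", dkim_present=True)
LOCKED = score("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject", dkim_present=True)

if __name__ == "__main__":
    print(SOFT)    # flat average vs. score with the interaction applied
    print(LOCKED)
```

Comparing `flat_average` with `spoofability` for the same domain shows how much of the score comes from the interaction rather than from any single weak record.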
Why It's Useful
A flat average hides the non-linear way email authentication actually fails. Real-world bypass relies on specific interactions — e.g., Gmail's ARC-aware evaluation treats a missing DKIM differently from a failing one. This endpoint surfaces those interaction risks in a single number that's comparable across your portfolio while still letting you drill down into the contributing factors for remediation.
Use Cases
Portfolio-Wide Deliverability Risk
Score all owned domains monthly and prioritize the lowest-scoring ones for hardening ahead of Google/Yahoo bulk-sender enforcement.
Single number that's comparable across domains and trackable over time.
M&A Email Risk Assessment
Evaluate acquired brands' spoofability to plan authentication uplift during integration.
Factor email-auth debt into acquisition risk models with a quantified score.
Executive Risk Reporting
Report portfolio email-spoofability trend to the board without surfacing raw SPF/DMARC/DKIM details.
Single, stable, defensible metric for executive risk dashboards.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to score. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| spoofability | number | Spoofability score 0–100 (higher = more spoofable) |
| classification | string | locked_down / moderate / vulnerable / open |
| sub_scores | object | Per-protocol protection scores (spf, dmarc, dkim) 0–100 |
| interactions | array | Active interaction multipliers with descriptions and impact |
| top_gap | object | Single highest-impact gap to address for the biggest score improvement |
| findings | array | Per-protocol findings with severity |
| recommendations | array | Prioritized remediation steps |
| dns_errors | array | Non-empty when any of SPF / DMARC / DKIM analysis hit a DNS infrastructure error (e.g., SERVFAIL, timeout). The score may be incomplete. |
| score_degraded | boolean | True when the score is based on partial data — retry before acting on it. |
Code Examples
```shell
# -G sends the -d data as a URL query string (GET), matching the examples below
curl -G "https://api.edgedns.dev/v1/security/spoofability" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// Top-level await: run as an ES module
const response = await fetch(
  'https://api.edgedns.dev/v1/security/spoofability?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/security/spoofability',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=10,  # do not hang indefinitely on a stalled connection
)
response.raise_for_status()  # surface HTTP errors instead of parsing an error body
data = response.json()
print(data)
```