
Email Security Posture (Composite): a beginner's guide

Single-call composite that fans out across SPF, DKIM, DMARC, and DMARCbis tree-walk

EdgeDNS Team · 9 min read

Why your domain needs a bouncer at the inbox door

Email is older than the web, and it was built in a more trusting era. Anyone can send a message claiming to be from your domain unless you tell the world's mail servers to expect otherwise. That's what email security is — three little rulebooks you publish in your DNS (Domain Name System) called SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance). If you set them up correctly, your real emails reach the inbox and impostor emails get blocked. If you don't, you risk landing in the spam folder — or worse, letting scammers send phishing emails wearing your brand.

The Email Security Posture (Composite) endpoint, in plain language

In one sentence: Single-call composite that fans out across [SPF (Sender Policy Framework)](/guides/spf-record-setup-guide), [DKIM (DomainKeys Identified Mail)](/guides/security-dkim), [DMARC (Domain-based Message Authentication, Reporting and Conformance)](/guides/how-to-check-dmarc-record), and DMARCbis tree-walk

Composite endpoint that fans out to analyzeSPF / analyzeDMARC / analyzeDKIM and the DMARCbis DNS (Domain Name System) Tree Walk in parallel, then returns a unified envelope with an overall score, aggregate DNSSEC (Domain Name System Security Extensions) status, a ranked recommendation list (critical → info), and full per-component analyzer payloads. Replaces six sequential API (Application Programming Interface) calls with one — built for security-review screenshots, dashboards, and posture monitoring.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

  • It calls analyzeSPF, analyzeDMARC, analyzeDKIM, and dnsTreeWalkOrgDomain in parallel via Promise.allSettled, so a single failing component does not take the whole composite down.

  • It computes a weighted overall score (DMARC (Domain-based Message Authentication, Reporting and Conformance) 0.45 / SPF (Sender Policy Framework) 0.30 / DKIM (DomainKeys Identified Mail) 0.25).

  • It aggregates the DNSSEC (Domain Name System Security Extensions) AD bit (Authenticated Data bit) across all three analyzers.

  • It runs cross-cutting rules to build ranked_recommendations (critical → info).

  • It returns each component's full analyzer payload under `components.{SPF,DKIM,DMARC}` for deep-link drill-downs.

  • It surfaces both the PSL organisational domain (the official internet standard) and the DMARCbis DNS (Domain Name System) Tree Walk result so callers can preview the upcoming standard.

  • It caches complete results for 1 hour; degraded results (any component rejected) are never cached.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Email Security Posture (Composite) tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

A complete email-security review previously required six sequential API (Application Programming Interface) calls — fine for SDK consumers but disastrous for security-review workflows. The composite endpoint collapses that into a single screenshot-able artefact with a prioritised to-do list. Ideal for dashboards, vendor risk reviews, and pre-launch checklists.

Picture this in real life. Imagine a security engineer. Here's the situation they're walking into: Prepare a domain's email-security posture for a quarterly security review meeting. Need critical → info ranked recommendations on one page, with deep links to the individual endpoints for follow-up. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Email Security Posture (Composite) tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Email Security Posture (Composite) tool is built for you:

  • Will the emails I send actually reach the inbox, or are they going to spam?

  • Can someone else send phishing emails pretending to be my domain?

  • Have I set up the three rulebooks (SPF, DKIM, DMARC) that mailbox providers now require?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Small-business owners worried about deliverability, marketing managers onboarding a new email service, IT admins prepping for a security audit, and brand teams protecting against phishing. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and your real emails risk landing in the spam folder while scammers find it easier to impersonate your brand. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the free plan. The technical details: `GET /v1/security/email-posture`.

When would I actually use this?

If you're still on the fence about whether the Email Security Posture (Composite) tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a security engineer, a procurement / TPRM analyst, and an MSP / brand-protection team — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Security review in a single screenshot

Imagine you're a security engineer. Prepare a domain's email-security posture for a quarterly security review meeting. Need critical → info ranked recommendations on one page, with deep links to the individual endpoints for follow-up.

Why it matters: One API (Application Programming Interface) call replaces six. The ranked_recommendations array is directly screenshot-able for review documents.

Story 2: Vendor email-security due diligence

Imagine you're in procurement or TPRM (third-party risk management). Vet a SaaS vendor's email posture before signing — check authentication, transport security readiness via DMARCbis preview, and DNSSEC (Domain Name System Security Extensions) validation in one request.

Why it matters: Score + ranked recommendations support a quick vendor risk decision without manual record inspection.

Story 3: Monitoring dashboard for portfolio domains

Imagine you're an MSP or a brand-protection team. Run a daily cron across customer domains to track email-security posture over time. Need a single endpoint per domain that exposes both the score and the underlying analyzer state for change detection.

Why it matters: One request per domain instead of six, with full component payloads for diffing across runs.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Email Security Posture (Composite) tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • When setting up email on a brand-new domain.

  • After signing up for a new email-sending service (Mailchimp, SendGrid, HubSpot, etc.).

  • When a customer reports that your emails are landing in their spam folder.

  • Before a security audit, a SOC 2 review, or a major marketing campaign.

If you can see yourself in even one of those bullets, the Email Security Posture (Composite) tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Email Security Posture (Composite) tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Email Security Posture (Composite) tool to check cloudflare.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/security/email-posture?domain=cloudflare.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to assess. Subdomains are supported — the DMARCbis tree walk traverses ancestors looking for the organisational policy. | cloudflare.com |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| organizational_domain_psl | string | Organisational domain per the official internet standard (current PSL-based resolution) |
| organizational_domain_tree_walk | object | DMARCbis DNS (Domain Name System) Tree Walk result — surfaced alongside the PSL result for forward-compat preview. Fields: queried_domain, organizational_domain, walked_steps, walked_names, dmarc_record, dnssec_validated, error. |
| overall_score | number | Weighted composite score 0–100 (DMARC (Domain-based Message Authentication, Reporting and Conformance) 0.45 / SPF (Sender Policy Framework) 0.30 / DKIM (DomainKeys Identified Mail) 0.25) |
| overall_grade | string | Letter grade A+ / A / B / C / D / F |
| dnssec_validated | boolean | Aggregate DNSSEC (Domain Name System Security Extensions) posture — true only when every successful analyzer's underlying lookup carried the AD bit (Authenticated Data bit) |
| ranked_recommendations | array | Severity-sorted action list. Each entry: severity (critical/high/medium/low/info), title (one line), detail (two sentences with the fix), endpoint_ref (which individual endpoint to drill into for context). Critical-first ordering means the top item is the screenshot-able headline. |
| components | object | Per-component analyzer payloads. `{ SPF: ComponentSummary, DKIM: ComponentSummary, DMARC: ComponentSummary }` where `ComponentSummary = { ok: boolean, error: string|null, data: <full analyzer result>|null }`. Clients can deep-link into the matching endpoint for details. |
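To make the fan-out, weighting, DNSSEC aggregation, ranking and never-cache-degraded rules from "What is actually happening when you call it" concrete, and to show how they produce the envelope fields in the table above, here is an added example that is not EdgeDNS's own code. The per-analyzer result shape (`score`, `dnssec_ad`, `issues`), the grade cut-offs, and the rule that a rejected component scores 0 are assumptions; the page states only the weights and the letter set.

```javascript
// Added example, not EdgeDNS's own code: builds the composite envelope from the
// settled analyzer promises using the weights and rules the page describes.
const WEIGHTS = { DMARC: 0.45, SPF: 0.30, DKIM: 0.25 };
const ORDER = ['SPF', 'DKIM', 'DMARC'];            // position in the allSettled array
const SEVERITY = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };

// Assumed grade cut-offs; the page only lists the letters A+ / A / B / C / D / F.
function gradeFor(score) {
  if (score >= 95) return 'A+';
  if (score >= 85) return 'A';
  if (score >= 70) return 'B';
  if (score >= 55) return 'C';
  if (score >= 40) return 'D';
  return 'F';
}

// Assumed per-analyzer result shape: { score: 0-100, dnssec_ad: bool, issues: [...] }.
function composeFromSettled(settled) {
  const components = {};
  ORDER.forEach((name, i) => {
    const r = settled[i];
    components[name] = r.status === 'fulfilled'
      ? { ok: true, error: null, data: r.value }
      : { ok: false, error: String(r.reason), data: null };   // degraded component
  });
  const okNames = ORDER.filter((n) => components[n].ok);
  // Weighted score; a rejected component contributes 0 (assumption, not stated by the page).
  const raw = ORDER.reduce(
    (acc, n) => acc + WEIGHTS[n] * (components[n].ok ? components[n].data.score : 0), 0);
  const overall_score = Math.round(raw);
  // Aggregate DNSSEC: true only when every successful analyzer's lookup carried the AD bit.
  const dnssec_validated =
    okNames.length > 0 && okNames.every((n) => components[n].data.dnssec_ad === true);
  // Flatten each component's findings, tag the endpoint to drill into, sort critical -> info.
  const ranked_recommendations = okNames
    .flatMap((n) => components[n].data.issues.map((i) => ({ ...i, endpoint_ref: n })))
    .sort((a, b) => SEVERITY[a.severity] - SEVERITY[b.severity]);
  const degraded = okNames.length < ORDER.length;     // any rejected component => never cache
  return { overall_score, overall_grade: gradeFor(overall_score), dnssec_validated,
           ranked_recommendations, components, cacheable: !degraded };
}

// Fan out to the three analyzers in parallel; one rejection does not reject the whole call.
async function emailPosture(domain, analyzers) {
  const settled = await Promise.allSettled(
    [analyzers.spf(domain), analyzers.dkim(domain), analyzers.dmarc(domain)]);
  return { domain, ...composeFromSettled(settled) };
}
```

`emailPosture` takes an object of three hypothetical analyzer functions so the same composition logic can be exercised with real lookups or with stubs.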

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.

SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.

DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.

DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.

AD bit (Authenticated Data bit) — A flag that recursive resolvers set in their reply when they successfully validated DNSSEC. Useful as a signal but not the same as verifying the cryptography yourself — it tells you what the resolver said, not what the math shows.
