Single-Call Email Security Posture Review
One API call replaces six — built for security-review screenshots and procurement diligence
Email-security reviews historically required six sequential API calls — SPF, DKIM, DMARC, BIMI, MTA-STS, DANE — each parsed by hand and stitched into a one-page summary. The `/v1/security/email-posture` composite endpoint collapses that into a single request that returns a unified envelope: overall score, aggregate DNSSEC posture, a ranked recommendation list (critical → info), and full per-component analyzer payloads for deep-link drill-downs.
The Challenge
Security reviews, vendor diligence, and TPRM workflows all need a single page summarising a domain's complete email-security posture. Stitching that together from SPF + DKIM + DMARC + BIMI + MTA-STS + DANE endpoint calls means six round trips, six response shapes to normalise, and bespoke logic to weight the components against each other. Most teams either skip the diligence or copy data manually into a spreadsheet — both of which scale poorly across portfolios.
The Solution
EdgeDNS's `/v1/security/email-posture` endpoint fans out to every analyzer in parallel using `Promise.allSettled` (so a single failing component does not take the composite down), then returns a unified envelope: a weighted overall score (DMARC 0.45 / SPF 0.30 / DKIM 0.25), aggregate DNSSEC posture across all three lookups, a severity-sorted `ranked_recommendations` array with deep links to the individual endpoints, and the DMARCbis DNS Tree Walk preview alongside the current PSL organisational-domain result. Results are cached for 1 hour, and only complete results are cached: degraded composites never are. The endpoint is available on the free tier.
Endpoints Used
Combine these EdgeDNS endpoints to build this solution.
`/v1/security/email-posture` - Email Posture (Composite): Parallel SPF/DKIM/DMARC analysis + DMARCbis Tree Walk in a single unified envelope with ranked recommendations
`/v1/security/spf` - SPF Check: Deep-link drill-down when the composite flags SPF issues (void lookups, exceeds_dns_limit, missing record)
`/v1/security/dkim` - DKIM Check: Deep-link drill-down for selector enumeration, key fingerprints, dual-signing detection
`/v1/security/dmarc` - DMARC Check: Deep-link drill-down for external_authorization audit and DMARCbis tag analysis
Results You Can Achieve
Six API calls → one
A complete review that previously required hand-stitching SPF + DKIM + DMARC + BIMI + MTA-STS + DANE responses now returns in a single request. Parallel fan-out keeps P95 latency under 2 s for typical domains.
Ranked recommendations, screenshot-ready
The `ranked_recommendations` array is sorted by severity (critical → info), with each entry carrying a title, two-sentence detail, and `endpoint_ref` for drill-down. Directly paste-able into review docs.
DMARCbis preview included
Both the current PSL organisational domain and the DMARCbis DNS Tree Walk result are returned in the same envelope. Forward-compat assessment for the 2026 RFC publication without a separate request.
Degraded results never cached
If any underlying analyzer rejects (network timeout, SERVFAIL), the composite is not cached. Prevents misleading low scores from getting stuck in KV for the 1-hour TTL.
Aggregate DNSSEC posture in one field
`dnssec_validated` is true only when every successful analyzer's underlying lookup carried the AD bit. Removes the need to inspect each component for DNSSEC status individually.
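The composition rules described above (settled fan-out, weighted score, AD-bit aggregation, no caching of degraded results) can be sketched as follows. This is an added example, not EdgeDNS's source code. Assumptions: the `analyzers` functions and their `score`, `ad` and `recommendations` fields, the `degraded`, `cached` and `components` fields, the intermediate severity levels, and a failed analyzer contributing 0 to the score are all hypothetical.

```javascript
// Added example: not EdgeDNS source code. Analyzer functions are hypothetical stand-ins.
const WEIGHTS = { dmarc: 0.45, spf: 0.30, dkim: 0.25 }; // weights stated on the page
const TTL_MS = 60 * 60 * 1000;                          // 1-hour cache TTL from the page
const SEVERITY = ['critical', 'high', 'medium', 'low', 'info']; // middle levels assumed

async function emailPosture(domain, analyzers, cache, now = Date.now()) {
  const hit = cache.get(domain);
  if (hit && hit.expires > now) return { ...hit.value, cached: true };

  const names = Object.keys(WEIGHTS);
  // allSettled never rejects, so one failing analyzer cannot fail the composite.
  const settled = await Promise.allSettled(names.map((n) => analyzers[n](domain)));

  const components = {};
  const recs = [];
  let score = 0, degraded = false, okCount = 0, allAd = true;
  settled.forEach((res, i) => {
    const name = names[i];
    if (res.status === 'rejected') {
      degraded = true; // assumption: a failed analyzer contributes 0 to the score
      components[name] = { error: String((res.reason && res.reason.message) || res.reason) };
      return;
    }
    okCount++;
    components[name] = res.value;
    score += WEIGHTS[name] * res.value.score;
    if (!res.value.ad) allAd = false; // this lookup did not carry the AD bit
    for (const r of res.value.recommendations || []) {
      recs.push({ ...r, endpoint_ref: `/v1/security/${name}` });
    }
  });
  recs.sort((a, b) => SEVERITY.indexOf(a.severity) - SEVERITY.indexOf(b.severity));

  const value = {
    domain, degraded,
    overall_score: Math.round(score),
    // true only when every *successful* analyzer saw the AD bit
    dnssec_validated: okCount > 0 && allAd,
    ranked_recommendations: recs,
    components,
  };
  // Only complete results are cached, so a transient SERVFAIL cannot pin a low score.
  if (!degraded) cache.set(domain, { value, expires: now + TTL_MS });
  return { ...value, cached: false };
}
```

A consumer of such an envelope should check for a degraded result before recording the score in a review, since a missing component lowers the total without reflecting the domain's actual configuration.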
Code Example
Email security posture in a single call
curl -s 'https://api.edgedns.dev/v1/security/email-posture?domain=cloudflare.com' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  | jq '{
      domain: .data.domain,
      grade: .data.overall_grade,
      score: .data.overall_score,
      dnssec: .data.dnssec_validated,
      orgDomain: .data.organizational_domain_psl,
      treeWalkOrg: .data.organizational_domain_tree_walk.organizational_domain,
      todoList: [
        .data.ranked_recommendations[]
        | {severity, title, fix: .detail, drillInto: .endpoint_ref}
      ]
    }'
Learn More
Explore industry standards and best practices related to this use case.
RFC 7489 — DMARC Specification
IETF DMARC specification — the source of the organisational-domain semantics being replaced by DMARCbis Tree Walk
DMARCbis Internet Draft
IETF DMARCbis working draft — successor to RFC 7489, queued at the RFC Editor for 2026 publication. Introduces np=, psd=, t= tags and the DNS Tree Walk algorithm.
Google Email Sender Guidelines
Google's bulk-sender enforcement rules. The composite endpoint score directly reflects compliance with this guidance.