An SPF, DKIM and DMARC API
CanItSend is a JSON API for email authentication over live DNS: GET /v1/spf/check returns a parsed SPF record with a correct RFC 7208 lookup count, /v1/spf/flatten resolves includes to IP ranges, /v1/dmarc/parse and /v1/dkim/check cover the rest, and /v1/audit does all of it in one call. There is a free tier, public pricing, and the key arrives by email in about thirty seconds.
The endpoints
| Endpoint | Does |
|---|---|
GET /v1/spf/check | Parse SPF, count lookups correctly, flag PermError. |
GET /v1/spf/flatten | Resolve includes to ip4/ip6 ranges. |
GET /v1/dmarc/parse | Parse the DMARC record; flag tags removed by RFC 9989. |
GET /v1/dkim/check | Fetch a selector's key; report algorithm and modulus size. |
GET /v1/audit | All of the above, plus a grade and the records to fix it. |
POST /v1/audit/bulk | A whole client roster in one request. |
POST /v1/monitor | Watch a domain; get alerted when its posture changes. |
curl 'https://api.canitsend.com/v1/spf/check?domain=example.com' \
-H 'Authorization: Bearer snd_live_...'
{
"present": true,
"lookupCount": 7,
"lookupLimitExceeded": false,
"policy": "~all",
"valid": true,
"raw": "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
}
What makes the number right
The lookupCount above is the whole product, and it is the thing most tools get
wrong. The mx mechanism costs one lookup regardless of how many MX
hosts come back; the per-host A/AAAA resolution is bounded by a separate limit under
RFC 7208 §4.6.4 and does not touch the main budget. Tools that count one-per-host report a domain
with five MX hosts as spending six lookups instead of one, and tell people to go flatten a record
that was never in trouble. We have a test that pins this exact case.
The rest of it is the unglamorous part: include recursion, the two-void-lookup cap,
redirect being ignored when an all is present, and the difference between
"invalid" and "valid but insecure" — a record ending +all is perfectly legal SPF and
authorises the entire internet. We report it as valid, and grade it accordingly.
Clients
npm install @canitsend/client pip install canitsend-client
Try it now
This runs against the live API — no key needed from this page.
Full API reference · Pricing — public, self-serve, free tier, no call with anyone.
Frequently asked
Is there an API for checking SPF records?
Yes. CanItSend exposes GET /v1/spf/check?domain=example.com, which resolves the record over live DNS and returns the parsed mechanisms with a lookup count computed per RFC 7208. There is a free tier of 100 audits per month; a key is emailed instantly with no sales call.
How do I check SPF from the command line?
curl 'https://api.canitsend.com/v1/spf/check?domain=example.com' -H 'Authorization: Bearer snd_live_...'. The response includes lookupCount, lookupLimitExceeded, the policy, and the parsed mechanisms.
Can I check SPF, DKIM and DMARC in one request?
Yes — GET /v1/audit?domain=example.com returns all three plus a grade and the specific DNS records needed to fix whatever is broken. /v1/audit/bulk accepts a list of domains for auditing a client roster in one call.
Related
- Looking for an MXToolbox alternative? — MXToolbox is a good diagnostic site.
- The SPF 10-lookup limit, explained — SPF allows 10 DNS lookups.
- What an email validation API can honestly verify — Syntax, MX, disposable domains, role accounts and typos are all checkable.
- Setting up email authentication, in the right order — A working sequence for SPF, DKIM and DMARC that doesn't reject your own mail on the way.
Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.