An SPF, DKIM and DMARC API

CanItSend is a JSON API for email authentication over live DNS: GET /v1/spf/check returns a parsed SPF record with a correct RFC 7208 lookup count, /v1/spf/flatten resolves includes to IP ranges, /v1/dmarc/parse and /v1/dkim/check cover the rest, and /v1/audit does all of it in one call. There is a free tier, public pricing, and the key arrives by email in about thirty seconds.

Updated July 14, 2026 · API & tooling

The endpoints

EndpointDoes
GET /v1/spf/checkParse SPF, count lookups correctly, flag PermError.
GET /v1/spf/flattenResolve includes to ip4/ip6 ranges.
GET /v1/dmarc/parseParse the DMARC record; flag tags removed by RFC 9989.
GET /v1/dkim/checkFetch a selector's key; report algorithm and modulus size.
GET /v1/auditAll of the above, plus a grade and the records to fix it.
POST /v1/audit/bulkA whole client roster in one request.
POST /v1/monitorWatch a domain; get alerted when its posture changes.
curl 'https://api.canitsend.com/v1/spf/check?domain=example.com' \
  -H 'Authorization: Bearer snd_live_...'

{
  "present": true,
  "lookupCount": 7,
  "lookupLimitExceeded": false,
  "policy": "~all",
  "valid": true,
  "raw": "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
}

What makes the number right

The lookupCount above is the whole product, and it is the thing most tools get wrong. The mx mechanism costs one lookup regardless of how many MX hosts come back; the per-host A/AAAA resolution is bounded by a separate limit under RFC 7208 §4.6.4 and does not touch the main budget. Tools that count one-per-host report a domain with five MX hosts as spending six lookups instead of one, and tell people to go flatten a record that was never in trouble. We have a test that pins this exact case.

The rest of it is the unglamorous part: include recursion, the two-void-lookup cap, redirect being ignored when an all is present, and the difference between "invalid" and "valid but insecure" — a record ending +all is perfectly legal SPF and authorises the entire internet. We report it as valid, and grade it accordingly.

Clients

npm install @canitsend/client
pip install canitsend-client

Try it now

This runs against the live API — no key needed from this page.

Full API reference · Pricing — public, self-serve, free tier, no call with anyone.

Frequently asked

Is there an API for checking SPF records?

Yes. CanItSend exposes GET /v1/spf/check?domain=example.com, which resolves the record over live DNS and returns the parsed mechanisms with a lookup count computed per RFC 7208. There is a free tier of 100 audits per month; a key is emailed instantly with no sales call.

How do I check SPF from the command line?

curl 'https://api.canitsend.com/v1/spf/check?domain=example.com' -H 'Authorization: Bearer snd_live_...'. The response includes lookupCount, lookupLimitExceeded, the policy, and the parsed mechanisms.

Can I check SPF, DKIM and DMARC in one request?

Yes — GET /v1/audit?domain=example.com returns all three plus a grade and the specific DNS records needed to fix whatever is broken. /v1/audit/bulk accepts a list of domains for auditing a client roster in one call.

Related

Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.