SSIG-IT E-Mail Security / v1

Public API

Lean keyless JSON API for AI agents, scripts and integrations. No signup, no key, just a fair per-IP rate limit.

Quick start

curl https://mailcheck.ssig-it.com/api/v1/check/example.com

That's it. No headers, no token, no auth flow.

Endpoint

GET https://mailcheck.ssig-it.com/api/v1/check/{domain}
Runs every check (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE, DNSSEC, reverse DNS, CAA, blacklist, IPv6, BIMI/VMC) and returns the full JSON response including details, fixes and evidence.

Rate limit

30 requests per IP per hour
Cache hits count toward the limit. This bucket is separate from the web form.
  • X-RateLimit-Limit: total quota within the window
  • X-RateLimit-Remaining: requests remaining
  • X-RateLimit-Reset: epoch seconds when the window is guaranteed reset
  • Retry-After: on 429 only; seconds to wait before retrying

Response shape

{
  "checkId":      "a1b2c3d4-...",
  "domain":       "example.com",
  "timestamp":    "2026-04-24T12:00:00.000Z",
  "hygieneScore": 85,
  "grade":        "B",
  "ampel":        "green",
  "publicDnsAssessment": { ... },
  "categories":   { authentication, encryption, dns_security, reputation },
  "checks":       [ { id, status, score, reason, evidence, ... } ],
  "meta":         { durationMs, checksRun, checksSkipped, limitations }
}

Full schema with every field in /api/v1/openapi.json.

Error codes

HTTP  error           Meaning
400   invalid_domain  Invalid domain, IP literal, or reserved TLD.
429   rate_limited    Limit reached; honour Retry-After.
500   check_failed    Unexpected internal error during the check.

More examples

JavaScript

const res = await fetch('https://mailcheck.ssig-it.com/api/v1/check/example.com');
const data = await res.json();
console.log(data.hygieneScore, data.grade, data.ampel);

Python

import httpx

r = httpx.get('https://mailcheck.ssig-it.com/api/v1/check/example.com')
data = r.json()  # parse the response body once
print(data['hygieneScore'], data['grade'])
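
Added example, not part of the SSIG-IT documentation: a Python client that honours the headers listed under "Rate limit" and the 429 / Retry-After rule from "Error codes". The function names, the retry count and the fallback to X-RateLimit-Reset when Retry-After is missing are assumptions of this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://mailcheck.ssig-it.com/api/v1/check/"  # endpoint documented on this page


def seconds_to_wait(status, headers, now=None):
    """Seconds to pause before the next request, derived from the documented headers."""
    now = time.time() if now is None else now
    until_reset = max(0.0, float(headers.get("X-RateLimit-Reset", now)) - now)
    if status == 429:
        # Retry-After is sent on 429; falling back to the reset epoch is our assumption.
        if "Retry-After" in headers:
            return max(0.0, float(headers["Retry-After"]))
        return until_reset
    if int(headers.get("X-RateLimit-Remaining", 1)) <= 0:
        return until_reset  # quota used up: the next call would be a 429
    return 0.0


def check_domain(domain, attempts=3, opener=urllib.request.urlopen, sleep=time.sleep):
    """Return (report, pause); `pause` is how long to wait before checking another domain."""
    url = API + urllib.parse.quote(domain, safe="")  # keep the input inside one path segment
    for _ in range(attempts):
        try:
            with opener(url, timeout=30) as resp:
                status, headers, body = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as err:
            status, headers, body = err.code, err.headers, err.read()
        if status == 200:
            return json.loads(body), seconds_to_wait(status, headers)
        if status != 429:
            # 400 invalid_domain and 500 check_failed are not retried here (our choice).
            raise RuntimeError(f"HTTP {status}: {body[:200]!r}")
        sleep(seconds_to_wait(status, headers))
    raise RuntimeError("still rate limited after retries")


if __name__ == "__main__":
    report, pause = check_domain("example.com")
    print(report["hygieneScore"], report["grade"], report["ampel"], "pause:", pause)
```

When scanning a list of domains, sleep for the returned pause between calls; cache hits consume quota too, so repeated lookups of the same domain still count.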

CORS

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
The API takes no credentials, so the wildcard origin (*) leaves access from browsers unrestricted.

Limitations

  • Assessment is based exclusively on publicly visible DNS and HTTPS signals. Not a TR-03182 compliance proof.
  • DKIM is heuristic: a pool of common selectors is probed. A reliable DKIM assessment requires active mailflow inspection.
  • BIMI: the VMC is only checked by PEM/DER signature and reachability. No chain validation, no revocation, no BIMI root validation.