# SSIG Mail Security Check

Public email-security DNS/HTTPS scanner. SPF, DKIM, DMARC, MTA-STS,
TLS-RPT, DANE, DNSSEC, reverse DNS, CAA, blacklist, IPv6, BIMI/VMC.

## Public API

- Docs:      https://mailcheck.ssig-it.com/api
- OpenAPI:   https://mailcheck.ssig-it.com/api/v1/openapi.json
- Endpoint:  GET https://mailcheck.ssig-it.com/api/v1/check/{domain}
- Rate:      30 requests per IP per 1 hour (cache hits count)
- Auth:      none
- CORS:      Access-Control-Allow-Origin: *

Example:
    curl https://mailcheck.ssig-it.com/api/v1/check/example.com

Rate-limit headers on every response:
    X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
    Retry-After (on 429)

Error shape:
    { "error": "invalid_domain" | "rate_limited" | "check_failed",
      "message": "<human-readable>" }

## Scope

Assessment is based exclusively on publicly visible DNS and HTTPS signals.
Not a BSI TR-03182 / TR-03108 compliance proof. DKIM is heuristic —
common selector probe, not a compliance claim. BIMI VMC validation covers
reachability and PEM/DER recognition, not chain, revocation or BIMI-root.

Operated by SSIG-IT GmbH · https://mailcheck.ssig-it.com