DNS Analysis
POST
/api/v1/phishing/dns

Analyze a domain's DNS configuration, including MX, SPF, DMARC, BIMI, MTA-STS, and NS records, RDAP registration data, and Certificate Transparency logs. Useful for identifying newly registered domains, misconfigured mail security, recently issued certificates, and suspicious hosting infrastructure.
Permission
phishing:read
Credits
1 credit
Plans
All plans
Request Body
{ "domain": "suspicious-login.com" }

| Field | Type | Description |
|---|---|---|
| domain | string | Domain name to analyze (required) |
Validation rules
- Protocol and paths are stripped automatically (e.g. `https://example.com/path` becomes `example.com`)
- Maximum 253 characters
- Internal domains are blocked: `.local`, `.internal`, `.localhost`, `.localdomain`, `.lan`, `.home`
Response
{
"data": {
"domain": "suspicious-login.com",
"mxRecords": [
"10 mx1.suspiciousmail.net",
"20 mx2.suspiciousmail.net"
],
"spfRecord": "v=spf1 include:suspiciousmail.net ~all",
"dmarcRecord": "v=DMARC1; p=none; rua=mailto:dmarc@suspicious-login.com",
"dmarcParsed": {
"version": "DMARC1",
"policy": "none",
"subdomainPolicy": null,
"rua": "mailto:dmarc@suspicious-login.com",
"ruf": null,
"adkim": null,
"aspf": null,
"pct": null,
"valid": true
},
"dmarcExternalValid": null,
"aRecords": ["185.234.72.11", "185.234.72.12"],
"reverseDns": "vps-node11.cheap-hosting.net",
"nsRecords": ["ns1.registrar-servers.com", "ns2.registrar-servers.com"],
"dnsProvider": "Namecheap",
"bimi": {
"found": false,
"version": null,
"logoUrl": null,
"authorityUrl": null,
"rawRecord": null
},
"mtaSts": {
"hasDnsRecord": false,
"policyId": null,
"mode": null,
"mxPatterns": [],
"maxAge": null,
"rawPolicy": null
},
"registrationDate": "2026-02-28T14:32:00Z",
"domainAgeDays": 20,
"lastChanged": "2026-03-10T08:15:00Z",
"registrar": "NameCheap, Inc.",
"certTransparency": {
"domain": "suspicious-login.com",
"newestCertIssuedAt": "2026-03-01T00:00:00",
"certAgeDays": 19,
"certCount": 2,
"issuer": "C=US, O=Let's Encrypt, CN=R3",
"suspicious": true,
"reason": "Domain certificate issued 19 days ago — moderately suspicious"
}
},
"meta": {
"request_id": "req_a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"credits_used": 1,
"credits_remaining": 499,
"processing_time_ms": 1842
}
}

| Field | Type | Description |
|---|---|---|
| domain | string | The analyzed domain (cleaned/normalized) |
| mxRecords | string[] | Mail exchanger records as "priority exchange" strings, sorted by priority |
| spfRecord | string | null | Raw SPF TXT record value |
| dmarcRecord | string | null | Raw DMARC TXT record value |
| dmarcParsed | object | null | Parsed DMARC tags: version, policy, subdomainPolicy, rua, ruf, adkim, aspf, pct, valid |
| dmarcExternalValid | boolean | null | Whether external DMARC report destinations are authorized (null if no external destinations) |
| aRecords | string[] | IPv4 A record addresses |
| reverseDns | string | null | PTR reverse DNS hostname for the first A record |
| nsRecords | string[] | Authoritative nameserver hostnames |
| dnsProvider | string | null | Inferred DNS provider from NS records (e.g. Cloudflare, Amazon Route 53) |
| bimi | object | null | BIMI (Brand Indicators for Message Identification) record: found, version, logoUrl, authorityUrl, rawRecord |
| mtaSts | object | null | MTA-STS (Mail Transfer Agent Strict Transport Security) check: hasDnsRecord, policyId, mode, mxPatterns, maxAge, rawPolicy |
| registrationDate | string | null | Domain registration date from RDAP (ISO 8601) |
| domainAgeDays | number | null | Number of days since domain registration |
| lastChanged | string | null | Date of last RDAP change event (ISO 8601) |
| registrar | string | null | Registrar name from RDAP data |
| certTransparency | object | CT log check: domain, newestCertIssuedAt, certAgeDays, certCount, issuer, suspicious, reason |
Code Examples
cURL
curl -X POST https://api.dfir-lab.ch/v1/phishing/dns \
-H "Authorization: Bearer sk-dfir-your-key-here" \
-H "Content-Type: application/json" \
-d '{"domain": "suspicious-login.com"}'

Python
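import os

import requests

# Endpoint URL exactly as given in this page's examples.
url = "https://api.dfir-lab.ch/v1/phishing/dns"

# Read the API key from the environment so it is not committed with the script
# or left in shell history. DFIR_LAB_API_KEY is an example variable name; the
# documented placeholder is kept as the fallback.
api_key = os.environ.get("DFIR_LAB_API_KEY", "sk-dfir-your-key-here")
headers = {
    "Authorization": f"Bearer {api_key}",
    "Content-Type": "application/json",
}

# requests applies no timeout by default, so a stalled connection would block
# the script indefinitely.
response = requests.post(
    url,
    json={"domain": "suspicious-login.com"},
    headers=headers,
    timeout=30,
)
# Stop on 4xx/5xx here; an error response may not carry "data"/"meta", and the
# lookups below would then fail with a less useful KeyError.
response.raise_for_status()

result = response.json()
data = result["data"]
meta = result["meta"]

# Record values (MX, SPF, DMARC, PTR, registrar strings) originate from the
# analyzed domain's own DNS/registration data and are untrusted: escape them
# before rendering in HTML or passing them to other tools.
print(f"Domain age: {data['domainAgeDays']} days")
print(f"Registrar: {data['registrar']}")

# dmarcParsed is documented as "object | null", so guard before indexing.
dmarc = data["dmarcParsed"]
policy = dmarc["policy"] if dmarc else "(no DMARC record parsed)"
print(f"DMARC policy: {policy}")

print(f"Credits remaining: {meta['credits_remaining']}")

for mx in data["mxRecords"]:
    print(f"MX: {mx}")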