DNS Analysis
POST /api/v1/phishing/dns

Analyze a domain's DNS configuration including MX, SPF, DMARC, NS records, and RDAP registration data. Useful for identifying newly registered domains, misconfigured mail security, and suspicious hosting infrastructure.
- Permission: `phishing:read`
- Credits: 1 credit
- Plans: All plans
Request Body
```json
{ "domain": "suspicious-login.com" }
```

| Field | Type | Description |
|---|---|---|
| domain | string | Domain name to analyze (required) |
Validation rules
- Protocol and paths are stripped automatically (e.g. `https://example.com/path` becomes `example.com`)
- Maximum 253 characters
- Internal domains (`.local`, `.internal`) are blocked
Response
```json
{
  "mxRecords": [
    { "priority": 10, "exchange": "mx1.suspiciousmail.net" },
    { "priority": 20, "exchange": "mx2.suspiciousmail.net" }
  ],
  "spfRecord": "v=spf1 include:suspiciousmail.net ~all",
  "dmarcRecord": "v=DMARC1; p=none; rua=mailto:dmarc@suspicious-login.com",
  "dmarcParsed": {
    "v": "DMARC1",
    "p": "none",
    "rua": "mailto:dmarc@suspicious-login.com"
  },
  "aRecords": ["185.234.72.11", "185.234.72.12"],
  "reverseDns": ["vps-node11.cheap-hosting.net"],
  "nsRecords": ["ns1.registrar-servers.com", "ns2.registrar-servers.com"],
  "dnsProvider": "registrar-servers.com",
  "registrationDate": "2026-02-28T14:32:00Z",
  "domainAgeDays": 20,
  "registrar": "NameCheap, Inc."
}
```

| Field | Type | Description |
|---|---|---|
| mxRecords | array | Mail exchanger records with priority and exchange hostname |
| spfRecord | string \| null | Raw SPF TXT record value |
| dmarcRecord | string \| null | Raw DMARC TXT record value |
| dmarcParsed | object \| null | Parsed DMARC tags (v, p, rua, ruf, sp, pct, etc.) |
| aRecords | string[] | IPv4 A record addresses |
| reverseDns | string[] | PTR reverse DNS hostnames for each A record |
| nsRecords | string[] | Authoritative nameserver hostnames |
| dnsProvider | string \| null | Inferred DNS provider from NS records |
| registrationDate | string \| null | Domain registration date from RDAP (ISO 8601) |
| domainAgeDays | number \| null | Number of days since domain registration |
| registrar | string \| null | Registrar name from RDAP data |
Code Examples
cURL

```bash
curl -X POST https://dfir-lab.ch/api/v1/phishing/dns \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{"domain": "suspicious-login.com"}'
```

Python

```python
import requests

url = "https://dfir-lab.ch/api/v1/phishing/dns"
headers = {
    "Authorization": "Bearer sk-dfir-your-key-here",
    "Content-Type": "application/json",
}

response = requests.post(
    url, json={"domain": "suspicious-login.com"}, headers=headers, timeout=30
)
response.raise_for_status()  # stop on 4xx/5xx instead of parsing an error body
data = response.json()

print(f"Domain age: {data['domainAgeDays']} days")
print(f"Registrar: {data['registrar']}")
# dmarcParsed is null when the domain publishes no DMARC record
dmarc = data["dmarcParsed"] or {}
print(f"DMARC policy: {dmarc.get('p', 'no DMARC record')}")
for mx in data["mxRecords"]:
    print(f"MX: {mx['exchange']} (priority {mx['priority']})")
```
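
Triage example (added here, not part of the official API documentation): the function below turns a response into the signals the endpoint description mentions, namely a newly registered domain and weak SPF/DMARC settings, and it handles the nullable fields. The 30-day threshold, the finding labels and the function names are assumptions chosen for illustration; the sample input reuses values from the Response section.

```python
# Added example: offline triage of a DNS analysis response (no network needed).
NEW_DOMAIN_DAYS = 30  # assumption: local threshold, not defined by the API


def spf_all_qualifier(spf):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'), or None."""
    for term in (spf or "").split()[1:]:  # skip the leading "v=spf1"
        term = term.lower()
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
    return None


def triage(resp):
    """Turn a response dict into finding labels (the labels are assumptions)."""
    findings = []
    age = resp.get("domainAgeDays")
    if age is None:  # RDAP returned no registration date
        findings.append("registration-unknown")
    elif age < NEW_DOMAIN_DAYS:
        findings.append("newly-registered")

    dmarc = resp.get("dmarcParsed")
    if dmarc is None:
        findings.append("dmarc-missing")
    elif str(dmarc.get("p", "")).lower() == "none":
        findings.append("dmarc-monitor-only")  # p=none reports but does not enforce

    if resp.get("spfRecord") is None:
        findings.append("spf-missing")
    else:
        qualifier = spf_all_qualifier(resp["spfRecord"])
        if qualifier is None:
            findings.append("spf-no-all")
        elif qualifier in ("+", "?"):
            findings.append("spf-permissive")
        elif qualifier == "~":
            findings.append("spf-softfail")

    if not resp.get("mxRecords"):
        findings.append("no-mx")
    return findings


# Sample input built from the values in the Response section of this page.
SAMPLE = {
    "mxRecords": [{"priority": 10, "exchange": "mx1.suspiciousmail.net"}],
    "spfRecord": "v=spf1 include:suspiciousmail.net ~all",
    "dmarcParsed": {"v": "DMARC1", "p": "none"},
    "domainAgeDays": 20,
}
```

Calling `triage(data)` on the parsed JSON from the request above returns a list of labels that can be logged or attached to a case.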