Introduction
DMARC is one of the highest-signal DNS records for evaluating a domain's email security posture. A single record can tell you whether the domain is only monitoring authentication failures, quarantining suspicious mail, or asking receivers to reject messages that fail policy.
For a one-off check, a DNS command is enough. For vendor reviews, signup trust scoring, continuous monitoring, or customer-domain onboarding, you need a repeatable API workflow. The WhoisJSON DNS Lookup API returns DMARC alongside MX, TXT, BIMI, MTA-STS, TLS-RPT and other DNS records through the documented /nslookup endpoint. This article is the DMARC-specific deep dive; for every DNS record type, see the broader DNS Lookup API guide.
What Is a DMARC Lookup API?
A DMARC lookup API accepts a domain name, checks the domain's DMARC DNS record, and returns the result as structured JSON. The application using the API can then decide whether the policy is missing, weak, or aligned with the expected security baseline.
GET /api/v1/nslookup?domain=example.com. The endpoint returns all available DNS record types in one response; filter the JSON client-side for DMARC, TXT, MX, BIMI, MTASTS and TLSRPT.

This matters because DMARC rarely stands alone. A domain with DMARC but no MX record may not be used for inbound mail. A domain with MX and SPF TXT records but no DMARC is often less mature. A domain with DMARC plus MTA-STS and TLS-RPT usually has a stronger mail-security posture.
DMARC Lookup API vs DNS Lookup API
The DMARC lookup intent is narrower than a generic DNS lookup. That distinction keeps the content useful and avoids duplicating a general DNS article.
| Page | Search intent | Main output |
|---|---|---|
| DNS Lookup API guide | Query A, AAAA, MX, TXT, NS, CAA, SOA, DMARC, BIMI, MTA-STS and TLS-RPT records. | Full DNS inventory in JSON. |
| DMARC Lookup API guide | Check email authentication policy and interpret the DMARC posture of a domain. | DMARC policy plus supporting email-security signals. |
The API call is the same documented /nslookup endpoint. The workflow is different: parse the DMARC policy, assess enforcement level, then use related records as context.
Query DMARC Records in JSON
Authenticate with the Authorization: TOKEN=YOUR_API_KEY header and pass the root domain as the domain query parameter.
```bash
curl "https://whoisjson.com/api/v1/nslookup?domain=example.com" \
  -H "Authorization: TOKEN=YOUR_API_KEY"
```

The response shape depends on what the domain publishes. When DMARC exists, read the DMARC array.
```json
{
  "MX": [
    { "exchange": "mail.example.com", "priority": 10 }
  ],
  "TXT": [
    "v=spf1 include:_spf.example.net -all"
  ],
  "DMARC": [
    "v=DMARC1; p=reject; rua=mailto:[email protected]"
  ],
  "BIMI": [
    "v=BIMI1; l=https://example.com/bimi.svg"
  ],
  "MTASTS": [
    "v=STSv1; id=20260526000000Z"
  ],
  "TLSRPT": [
    "v=TLSRPTv1; rua=mailto:[email protected]"
  ]
}
```

The OpenAPI file documents these fields as part of the Nslookup schema. The API does not require you to construct _dmarc.example.com yourself; query the root domain and read the DMARC key.
How to Interpret DMARC Policy
DMARC policy is usually expressed through the p tag. Start there, then inspect reporting and alignment tags when present.
| Finding | Meaning | Typical risk |
|---|---|---|
| No DMARC record | The domain has no published DMARC policy. | Medium for active business or vendor domains. |
| p=none | Monitoring mode. Receivers report failures but are not asked to quarantine or reject. | Low to medium; acceptable during rollout, weak as a final state. |
| p=quarantine | Receivers are asked to treat failing messages as suspicious. | Stronger enforcement. |
| p=reject | Receivers are asked to reject messages that fail DMARC evaluation. | Strongest common enforcement policy. |
| rua= | Aggregate report destination. | Useful for operations and compliance evidence. |
| sp= | Subdomain policy. Overrides the root policy for subdomains when present. | Important for brands, SaaS platforms, and domains with many customer-facing subdomains. |
| pct= | Percentage of failing mail to which the policy should apply. | Useful during staged rollout; risky if pct stays low on mature production domains. |
Python Example: Check DMARC Policy
This example calls the documented DNS endpoint and extracts a simple policy verdict from the DMARC array.
```python
import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://whoisjson.com/api/v1"
HEADERS = {"Authorization": f"TOKEN={API_KEY}"}


def parse_dmarc_policy(record: str) -> str | None:
    """Return the lowercased value of the p tag, or None if there is none."""
    parts = [part.strip() for part in record.split(";")]
    for part in parts:
        if part.lower().startswith("p="):
            return part.split("=", 1)[1].strip().lower()
    return None


def check_dmarc(domain: str) -> dict:
    """Query /nslookup for the root domain and derive a simple DMARC verdict."""
    response = requests.get(
        f"{BASE_URL}/nslookup",
        headers=HEADERS,
        params={"domain": domain},
        timeout=10,
    )
    response.raise_for_status()
    data = response.json()

    dmarc_records = data.get("DMARC") or []
    mx_records = data.get("MX") or []
    txt_records = data.get("TXT") or []
    # SPF is published as a TXT record that starts with v=spf1.
    spf_records = [
        value for value in txt_records
        if value.lower().startswith("v=spf1")
    ]

    if not dmarc_records:
        return {
            "domain": domain,
            "hasDmarc": False,
            "policy": None,
            # A domain that receives mail but has no DMARC is the riskier case.
            "risk": "medium" if mx_records else "low",
            "status": "missing",
            "reasons": ["no DMARC record"],
        }

    policy = parse_dmarc_policy(dmarc_records[0])
    # A record with a missing or unrecognized p tag is not an enforced policy,
    # so the fallback verdict must not be low risk.
    risk = "medium"
    status = "unknown"
    if policy == "none":
        risk = "medium"
        status = "monitoring"
    elif policy in ("quarantine", "reject"):
        risk = "low"
        status = "enforced"

    return {
        "domain": domain,
        "hasDmarc": True,
        "policy": policy,
        "hasMx": len(mx_records) > 0,
        "hasSpf": len(spf_records) > 0,
        "risk": risk,
        "status": status,
        "record": dmarc_records[0],
    }


print(check_dmarc("example.com"))
```
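The example above reads only the p tag. The following added example (not WhoisJSON code) applies the rest of the interpretation table, sp, pct and rua, to a DMARC array, and goes one step further by treating several published DMARC records as invalid, since receivers apply no policy in that case. The function names, the "partial" and "invalid" status labels and the sample record are assumptions made for this illustration.

```python
import re

# Enforcement strength of each policy value, weakest first.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_tags(record):
    """Split 'tag=value; ...' into a dict, tolerating spaces around '='."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess_dmarc(records):
    """Assess the DMARC array of one /nslookup response (hypothetical helper)."""
    # Only values that begin with the version tag count as DMARC records.
    valid = [r for r in records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not valid:
        return {"status": "missing", "findings": ["no DMARC record"]}
    if len(valid) > 1:
        # Receivers apply no policy when a domain publishes several records.
        return {"status": "invalid", "findings": ["multiple DMARC records"]}
    tags = parse_tags(valid[0])
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return {"status": "invalid", "findings": ["missing or unknown p tag"]}
    sub_policy = tags.get("sp", policy).lower()  # sp falls back to p
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    weak_sub = STRENGTH.get(sub_policy, 0) < STRENGTH[policy]
    findings = []
    if policy != "none" and pct < 100:
        findings.append(f"policy applies to {pct}% of failing mail")
    if weak_sub:
        findings.append(f"subdomains weaker than root (sp={sub_policy})")
    if not tags.get("rua"):
        findings.append("no aggregate report destination (rua)")
    if policy == "none":
        status = "monitoring"
    else:
        status = "partial" if pct < 100 or weak_sub else "enforced"
    return {"status": status, "policy": policy, "sub_policy": sub_policy,
            "pct": pct, "findings": findings}

# Constructed sample: the DMARC array of an imagined response.
SAMPLE = ["v=DMARC1; p=reject; sp=none; pct=25; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print(assess_dmarc(SAMPLE))
```

Pass it `data.get("DMARC") or []` from the /nslookup response; a p=reject record that still reports "partial" is the staged-rollout leftover the table warns about.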
Node.js Example: Audit Email Security Signals
In production you usually want more than one boolean. This Node.js example returns DMARC enforcement plus the supporting email-security fields documented for /nslookup.
```javascript
const API_KEY = 'YOUR_API_KEY';
const BASE_URL = 'https://whoisjson.com/api/v1';

// Extract the lowercased value of the p tag, or null when it is absent.
function getPolicy(record) {
  return String(record || '')
    .split(';')
    .map((part) => part.trim())
    .find((part) => part.toLowerCase().startsWith('p='))
    ?.split('=')[1]
    ?.trim()
    ?.toLowerCase() || null;
}

// Query /nslookup once and summarize the email-security records it returns.
async function auditEmailDns(domain) {
  const url = new URL(`${BASE_URL}/nslookup`);
  url.searchParams.set('domain', domain);

  const response = await fetch(url, {
    headers: { Authorization: `TOKEN=${API_KEY}` }
  });
  if (!response.ok) {
    throw new Error(`DNS lookup failed: ${response.status}`);
  }

  const data = await response.json();
  const dmarc = data.DMARC || [];
  const txt = data.TXT || [];
  const policy = getPolicy(dmarc[0]);

  return {
    domain,
    dmarcRecord: dmarc[0] || null,
    dmarcPolicy: policy,
    enforced: policy === 'quarantine' || policy === 'reject',
    hasMx: Boolean((data.MX || []).length),
    hasSpf: txt.some((value) => String(value).toLowerCase().startsWith('v=spf1')),
    hasBimi: Boolean((data.BIMI || []).length),
    hasMtaSts: Boolean((data.MTASTS || []).length),
    hasTlsRpt: Boolean((data.TLSRPT || []).length)
  };
}

auditEmailDns('example.com')
  .then(console.log)
  .catch(console.error);
```
Common DMARC API Use Cases
DMARC checks become more valuable when they are tied to a business workflow instead of treated as a standalone DNS lookup.
Vendor risk review
Check whether vendors that send or receive mail on business-critical domains publish DMARC, whether the policy is enforced, and whether reporting is configured before approval or renewal.
Customer domain onboarding
Verify MX, SPF TXT, and DMARC before activating email-heavy product features for a customer-owned domain, then surface clear setup guidance when policy is missing or still in monitoring mode.
Domain monitoring and downgrade detection
Store the previous DMARC record and alert when policy is downgraded from reject to quarantine or none, when pct is lowered unexpectedly, or when the record disappears.
For high-volume checks, reuse the retry and backoff patterns from the rate limits and retries guide, and keep the broader DNS inventory logic in the DNS Lookup API guide.
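The downgrade detection described above, as an added example that is not WhoisJSON code: it compares the stored DMARC record with the one just fetched and reports a weaker policy, a lowered pct, or a record that vanished. The function names, alert wording and the history pairs are constructed for illustration.

```python
import re

# Enforcement strength of each policy value, weakest first.
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def snapshot(record):
    """Reduce one DMARC record to (policy, pct); (None, 0) if absent or unusable."""
    found = re.findall(r"(\w+)\s*=\s*([^;]*)", record or "")
    tags = {name.lower(): value.strip() for name, value in found}
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in RANK:
        return None, 0
    # pct defaults to 100 when the tag is absent or not a number.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return policy, pct

def detect_downgrade(previous, current):
    """Compare the stored record with the one just fetched; return alerts."""
    old_policy, old_pct = snapshot(previous)
    new_policy, new_pct = snapshot(current)
    if old_policy is None:
        return []  # no usable policy was stored, so nothing can be downgraded
    if new_policy is None:
        return ["DMARC record disappeared or is no longer valid"]
    alerts = []
    if RANK[new_policy] < RANK[old_policy]:
        alerts.append(f"policy downgraded: {old_policy} -> {new_policy}")
    if new_pct < old_pct:
        alerts.append(f"pct lowered: {old_pct} -> {new_pct}")
    return alerts

# Constructed history for one monitored domain: (stored, freshly fetched).
HISTORY = [
    ("v=DMARC1; p=reject; pct=100", "v=DMARC1; p=reject; pct=100"),
    ("v=DMARC1; p=reject", "v=DMARC1; p=quarantine; pct=50"),
    ("v=DMARC1; p=quarantine", None),
    ("v=DMARC1; p=none", "v=DMARC1; p=reject"),
]

if __name__ == "__main__":
    for before, after in HISTORY:
        print(after, "=>", detect_downgrade(before, after))
```

Feed `current` from the first element of the DMARC array (or None when the array is empty) and persist it only after the comparison has run.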
Where DMARC Fits in Domain Intelligence
DMARC is a mail-security signal, not a full domain reputation system. It becomes stronger when combined with other WhoisJSON endpoints and fields.
WHOIS and RDAP
Use domain age, expiry, registrar and EPP status to understand whether the domain is established or newly created.
DNS lookup
Use MX, TXT, DMARC, BIMI, MTA-STS and TLS-RPT to evaluate mail-security posture.
Vendor audit
Add DMARC to vendor domain security reviews alongside SSL, subdomains and WHOIS ownership.
Signup risk
Use missing or weak DMARC as one secondary signal in email domain reputation scoring.
FAQ
What is a DMARC lookup API?
A DMARC lookup API checks the DMARC DNS record for a domain and returns structured JSON that can be used in audits, onboarding checks, monitoring and security workflows.
Which endpoint returns DMARC records?
Query /api/v1/nslookup with the root domain. The response can include a DMARC array when the domain publishes a DMARC record.
Does WhoisJSON expose DKIM selector discovery?
No. The documented DNS endpoint returns TXT records for the queried domain and specific email security records such as DMARC, BIMI, MTA-STS and TLS-RPT. It does not expose a dedicated DKIM selector discovery endpoint.
Is p=none bad?
Not always. p=none is useful during DMARC rollout because it collects reports without asking receivers to enforce quarantine or rejection. For mature production domains, p=quarantine or p=reject is usually a stronger final posture.
Can I check SPF with the same API call?
Yes. SPF is published as a TXT record, so read the TXT array and look for values that start with v=spf1.
Conclusion
A DMARC lookup API turns email authentication policy into a repeatable, machine-readable control. Instead of manually checking DNS records, you can query one endpoint, read the DMARC policy, and add MX, SPF TXT, BIMI, MTA-STS and TLS-RPT context.
Keep the scope clear: DMARC is not a complete fraud verdict, but it is a useful signal for vendor audits, customer-domain onboarding, compliance evidence and email domain reputation workflows.