🔐

Email Auth Validator

Validate email authentication — SPF, DKIM, and DMARC from raw headers.

POST 1 credit /v1/email/auth
curl -X POST "https://email.toolkitapi.io/v1/email/auth" \
  -H "Content-Type: text/plain" \
  -d 'From: [email protected]
Return-Path: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; d=toolkitapi.io; s=google; ...'
import httpx

resp = httpx.post(
    "https://email.toolkitapi.io/v1/email/auth",
    json=From: [email protected]
Return-Path: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; d=toolkitapi.io; s=google; ...,
)
print(resp.json())
const resp = await fetch("https://email.toolkitapi.io/v1/email/auth", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify(From: [email protected]
Return-Path: <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; d=toolkitapi.io; s=google; ...),
});
const data = await resp.json();
console.log(data);
# See curl example
Response 200 OK
{
  "from_domain": "toolkitapi.io",
  "envelope_from": "[email protected]",
  "sending_ip": "198.51.100.42",
  "dkim_selector": "google",
  "dkim_domain": "toolkitapi.io",
  "spf_aligned": true,
  "dkim_aligned": true,
  "dmarc_aligned": true,
  "overall_result": "pass",
  "checks": [
    {"mechanism": "SPF", "result": "pass", "domain": "toolkitapi.io", "detail": "IP 198.51.100.42 is authorized by SPF record"},
    {"mechanism": "DKIM", "result": "pass", "domain": "toolkitapi.io", "detail": "Valid DKIM signature for selector 'google'"},
    {"mechanism": "DMARC", "result": "pass", "domain": "toolkitapi.io", "detail": "SPF and DKIM aligned with DMARC policy"}
  ],
  "query_time_ms": 112.5
}

Try It Live

Live Demo

Description

Validate email authentication — SPF, DKIM, and DMARC from raw headers.

How to Use

1

1. Copy the raw email headers from the suspicious or problematic email. 2. Send them as the POST body (plain text). 3. Optionally provide the `sending_ip` query parameter if it can't be auto-detected from Received headers. 4. Check `overall_result` — "pass", "fail", or "partial".

About This Tool

Email Auth Validator checks an email's authenticity by validating SPF, DKIM, and DMARC from raw email headers. Paste the full header block and the API parses From, Return-Path, and DKIM-Signature headers, then validates SPF (IP vs SPF record), DKIM (public key exists), and DMARC (policy and domain alignment).

Why Use This Tool

Frequently Asked Questions

What headers do I need to include?
At minimum: `From`, `Return-Path`, and `DKIM-Signature`. Including `Received` headers helps auto-detect the sending IP.
What does "partial" mean?
Some mechanisms passed while others failed — e.g., SPF passes but DKIM fails.

Start using Email Auth Validator now

Get your free API key and make your first request in under a minute.