How to Check Your Website's Health Programmatically (SSL, DNS, Email Auth, Headers)

You’ve built something great. Your website is live, customers are finding you, and everything seems to be working. But behind the scenes, things can quietly break. That SSL certificate expires on a Saturday night. Your email deliverability drops because SPF isn’t configured right. A missing security header triggers a warning in someone’s audit tool.

These aren’t hypotheticals — they’re the kind of issues that show up when you’re not looking. And the cost adds up: lost trust, emails landing in spam, security vulnerabilities you didn’t know existed.

The good news? You don’t have to manually check these things. You can automate the entire health check in a single API call.

What a Complete Site Health Check Actually Covers

A proper domain health check isn’t just “is the site up?” It means verifying five key areas that directly impact your users, your security, and your business. Think of it like a check-up at the doctor — you don’t just ask “am I breathing?” You want the full picture: heart rate, blood work, vision, everything.

Here’s what actually matters when you’re serious about site health:

SSL/TLS — Is your certificate valid, not expired, and using modern protocols? A broken SSL immediately triggers browser warnings that send visitors running.

DNS — Are your records resolving correctly? Wrong A records mean people can’t find you. Missing MX records break incoming email.

Email Authentication — This is the one most people forget. SPF, DKIM, and DMARC determine whether your outgoing emails actually reach inboxes or get flagged as spam. One missing record and your carefully crafted emails vanish into the void.

Security Headers — Things like Content-Security-Policy, HSTS, and X-Frame-Options. They don’t affect how your site looks, but they protect your visitors from XSS, clickjacking, and MIME-sniffing attacks.

Performance — Response time, TTFB, whether HTTP/2 is supported, if compression is working. These affect both user experience and SEO.

Checking these manually across multiple tools is painful. But there’s a better way.

One Call, Full Picture: The SiteProbe API

SiteProbe API is a unified API that runs all five checks in a single request. You send a domain, you get back a comprehensive health report with grades and actionable recommendations.

Top view of a neat office desk with a Tuesday planner, smartphone, and gadgets, perfect for scheduling and organization. Photo by cottonbro studio on Pexels

Here’s how simple it is:

curl -X POST https://siteprobe-api.fly.dev/check \
  -H "Content-Type: application/json" \
  -d '{"domain": "google.com"}'

No API key needed for the free tier — up to 10 checks per hour. Add an API key for higher limits and authentication.

What the Response Looks Like

Here’s the real output for google.com (condensed for readability):

{
  "domain": "google.com",
  "overall_grade": "B",
  "overall_score": 3,
  "checks": {
    "ssl": {
      "grade": "A",
      "score": 4,
      "details": {
        "subject": "*.google.com",
        "issuer": "Google Trust Services",
        "valid_from": "2026-02-23T18:19:44.000Z",
        "valid_to": "2026-05-18T18:19:43.000Z",
        "days_until_expiry": 55,
        "protocol": "TLSv1.3",
        "is_valid": true
      },
      "issues": [],
      "recommendations": []
    },
    "dns": {
      "grade": "A",
      "score": 4,
      "details": {
        "records": {
          "A": ["142.250.195.174"],
          "MX": [{"exchange": "smtp.google.com", "priority": 10}],
          "NS": ["ns3.google.com", "ns2.google.com", ...],
          "TXT": [...]
        }
      },
      "issues": [],
      "recommendations": []
    },
    "email_auth": {
      "grade": "C",
      "score": 2.3,
      "details": {
        "spf": {
          "record": "v=spf1 include:_spf.google.com ~all",
          "issues": ["SPF uses soft fail (~all) instead of hard fail (-all)"]
        },
        "dmarc": {
          "record": "v=DMARC1; p=reject; ...",
          "policy": "reject"
        },
        "dkim": {
          "grade": "F",
          "issues": ["No DKIM records found for common selectors"]
        }
      }
    },
    "security_headers": {
      "grade": "C",
      "score": 2,
      "details": {
        "headers_present": ["X-Frame-Options"],
        "headers_missing": [
          "Content-Security-Policy",
          "X-Content-Type-Options",
          "Strict-Transport-Security",
          "Referrer-Policy",
          "Permissions-Policy"
        ]
      }
    },
    "performance": {
      "grade": "B",
      "score": 3,
      "details": {
        "timings": {
          "dns_ms": 3,
          "tcp_ms": 4,
          "tls_ms": 104,
          "ttfb_ms": 310,
          "total_ms": 725
        },
        "http2_supported": true,
        "compression": "gzip"
      }
    }
  },
  "summary": "7 issues found. SPF uses soft fail (~all) instead of hard fail (-all). No DKIM records found..."
}

Every response includes an overall grade (A-F), a numeric score, detailed results for each category, specific issues found, and plain-English recommendations for fixing them.

Breaking Down Each Check

SSL/TLS

Your SSL certificate is the foundation of trust. Without it, browsers show terrifying warning screens that send visitors running. The API checks:

Is the certificate currently valid?
When does it expire? (Critical for automation — you can alert before it actually expires)
Is it using TLS 1.2 or 1.3? (No ancient protocols allowed)
Is the certificate chain trusted?
What issuer signed it?

The expiry check alone is worth its weight in gold. Certificates typically last a year, and in the chaos of running a business, it’s easy to lose track. An automated alert 30 days before expiry gives you breathing room to renew. Many teams have learned this the hard way — nothing kills customer trust faster than a browser warning screen on your own checkout page.

The protocol check matters too. TLS 1.0 and 1.1 are deprecated. If your server still supports them, you’re exposing users to known vulnerabilities. Modern browsers already block connections using these old versions. The API flags this so you can update your server config.

DNS

DNS is the phonebook of the internet. Every time someone types your domain, DNS translates it into an IP address. The API pulls your DNS records and checks they’re configured correctly:

A records — Maps your domain to an IPv4 address
AAAA records — Maps your domain to an IPv6 address (important for the growing portion of users on IPv6)
MX records — Where incoming email gets delivered
NS records — Which nameservers are authoritative for your domain
TXT records — Everything from SPF and DMARC to domain verification strings for Google, Microsoft, and other services

A misconfigured DNS record won’t crash your site visibly, but it’ll cause subtle failures: email not arriving, certain users in certain regions can’t reach you, or third-party integrations silently failing. Ever wonder why your Google verification isn’t working? It’s almost always a DNS issue.

DNS changes also propagate slowly — sometimes taking hours or even days to reach all corners of the internet. The API shows you what’s currently published so you can diagnose “it works for me but not for them” problems quickly.

Email Authentication (SPF, DKIM, DMARC)

This is where things get interesting for anyone sending email.

SPF (Sender Policy Framework) — Lists which servers are allowed to send email for your domain. The API checks if it’s published and whether it uses ~all (soft fail) or -all (hard fail). Hard fail is better because it tells receiving servers to reject unauthorized mail outright.

DKIM (DomainKeys Identified Mail) — A cryptographic signature that proves the email actually came from you. The API looks for DKIM records on common selectors. If it finds none, that’s an issue.

DMARC — The policy that tells receivers what to do when SPF or DKIM fails. A p=reject policy is the gold standard — it means “drop emails that fail authentication.”

The google.com example shows exactly this: SPF is there but uses soft fail, DMARC is strong, and DKIM is missing. That’s a C grade. Most sites score worse.

Security Headers

Modern browsers support headers that tell them how to behave. Missing headers don’t break your site, but they leave visitors exposed.

The API checks for:

Content-Security-Policy (blocks XSS by limiting what scripts can run)
X-Content-Type-Options (prevents MIME sniffing)
Strict-Transport-Security (forces HTTPS — critical for security)
Referrer-Policy (controls what info leaks to third parties)
Permissions-Policy (restricts browser features like camera, mic, geolocation)

Google.com — one of the most sophisticated web properties on the planet — is missing most of these. That’s not unusual. It’s why you check.

Performance

Speed is a feature. The API measures the complete request lifecycle:

DNS resolution — How fast your domain resolves to an IP
TCP connection — Time to establish a connection to the server
TLS handshake — Time to negotiate the encrypted connection (includes certificate validation)
Time to First Byte (TTFB) — How fast the server starts sending content
Total request time — The full round-trip from request start to content complete
HTTP/2 support — Whether the server supports modern multiplexing
Compression — Whether gzip or Brotli is enabled
Redirect chain — How many hops before reaching the final page

A TTFB over 500ms feels sluggish to users. Even worse, slow TTFB hurts your SEO — Google factors page speed into rankings. The redirect chain check catches situations where you’re sending users through unnecessary hops, like HTTP → HTTPS → www → non-www → final page.

For e-commerce, every 100ms of latency can meaningfully impact conversion rates. Performance isn’t just a “nice to have” — it’s directly tied to revenue.

Why This Matters for Real Projects

Here’s where this becomes genuinely useful, not just interesting.

For Web Agencies

You’re managing dozens or hundreds of client sites. Checking each one manually is impossible. With the SiteProbe API, you can build a dashboard that shows the health of every client domain at a glance. Alert on C grades or below. Catch certificate expirations before they become emergencies. Show clients a real security score they can understand.

For CI/CD Pipelines

Automate health checks as part of your deployment process. Run the API check after each deploy and fail the pipeline if the overall score drops below a threshold. You could even block deployments if SSL is broken or critical security headers are missing. This shifts security left — you catch problems before they reach production.

For SaaS Platforms

If you’re building a platform that lets users connect their own domains (like a white-labeled SaaS or a multi-tenant product), you need to validate those domains. Run the health check on each connected domain during onboarding and periodically thereafter. Warn users when their domain health degrades. It’s a trust signal — you care about their setup working correctly.

For Solo Developers and Founders

You might only have one or two domains. Still valuable. Set up a scheduled check (daily, weekly) and get a webhook notification when something breaks. You’ll never wake up to an expired certificate again.

The Free Tier

SiteProbe has a genuinely useful free tier. You get 10 checks per hour without an API key — enough for development, testing, and occasional manual checks. No credit card, no sign-up friction, no time limit.

Once you need more, the pricing scales reasonably: $0/month for 100 checks per month with an API key (better rate limits and authenticated access), then $19/month for 1,000 checks with priority support and webhook notifications. For most use cases, the free tier handles everything.

The key insight: you don’t need to run checks constantly. Once a day is enough to catch most issues before they become emergencies. Set a schedule, not a stream.

Putting It Into Code

Here’s a quick example in Node.js to get you started:

const fetch = require('node-fetch');

async function checkDomainHealth(domain) {
  const response = await fetch('https://siteprobe-api.fly.dev/check', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ domain })
  });
  
  const result = await response.json();
  
  console.log(`${domain} overall: ${result.overall_grade} (${result.overall_score}/4)`);
  console.log(`Issues found: ${result.checks.email_auth.issues.length}`);
  
  if (result.overall_score < 3) {
    console.log('ALERT: Health score below threshold');
    // Trigger your notification here
  }
  
  return result;
}

checkDomainHealth('your-site.com');

That’s it. Five lines of code and you have continuous visibility into your domain’s health.

What to Do Next

If you manage any web properties, you owe it to yourself to check their health programmatically. Start with your own domain — run the curl command above and see what comes back. Fix the issues that matter most to your situation.

The API handles all five check categories, but you don’t have to act on everything at once. Start with SSL expiry (easy win), then email authentication (huge impact on deliverability), then security headers (important but more involved).

For agencies and platforms, this becomes part of your operational hygiene. Integrate it into your dashboards, your alerts, your deployment pipelines.域名健康检查 done right saves real time and prevents real problems.

Common Scenarios and How to Handle Them

A few practical situations where this API genuinely saves time:

You’re migrating domains — Moving to a new host or registrar? Run the health check before and after. Make sure DNS propagated correctly, SSL is working, and email isn’t broken during the transition.

You’re acquiring a site — Due diligence isn’t just about traffic and SEO. Run a health check and you might discover the site has a month-old SSL certificate, broken email, or zero security headers. These are fixable but need to be accounted for.

You’re managing a legacy codebase — Old projects often have old configs. The security headers section is particularly useful for finding forgotten gaps in legacy applications.

You’re building a client onboarding flow — If you’re setting up domains for clients, run a check during onboarding and save the baseline. Future deviations from that baseline are worth investigating.

What Not to Do

Don’t treat every issue as urgent. A “C” grade for email authentication isn’t a fire — it’s information. Prioritize by impact: SSL expiry and DNS are critical; security headers are important but often can wait. The API gives you the full picture so you can decide what matters for your situation.

Also, don’t check too aggressively. DNS propagation takes time, and hammering the API every minute won’t give you better data — it’ll just hit rate limits. Daily checks are plenty for most use cases.

Where This Fits in Your Stack

You can integrate the SiteProbe check into pretty much anything:

Monitoring tools like Datadog or Grafana (send results as custom metrics)
Alerting systems (Slack, PagerDuty, OpsGenie)
Your existing uptime monitor (add health checks alongside HTTP checks)
A simple cron job that emails you a weekly summary
Your admin dashboard for client-facing transparency

The JSON response is structured for easy parsing. Pull the overall_score, iterate through checks.*.issues, and you’ve got everything you need.

The SiteProbe API is free to try. No API key required for basic checks. Start with one domain — you’ll immediately see why this beats checking things manually.