seoautomationsecurityapiemail-deliverability

How to Check Your Domain's Health with an API (SSL, DMARC, Security Headers)

Smart Automation · · 7 min read
Developer checking website health dashboard on laptop

Ever tried manually checking a domain’s health? You open one tool for SSL, another for DNS, yet another for email authentication — and that’s before you even get to security headers. It’s tedious, and honestly, most of us don’t do it until something breaks.

Here’s the thing: your domain’s health affects more than just your website. Email deliverability depends on SPF, DKIM, and DMARC. Security headers protect your visitors from XSS and clickjacking. And if your SSL certificate expires? Your site literally stops working.

The good news is you can check all of this with a single API call. Let me show you how.

The Problem with Manual Domain Checks

Picture this: you’re launching a new project or vetting a potential acquisition. You need to know if a domain is actually healthy — not just “up,” but properly configured.

Traditionally, you’d need to check:

That’s five different tools, five different logins, and five different interfaces to figure out. And if you’re checking multiple domains regularly — for portfolio monitoring, client audits, or automated alerts — it becomes unsustainable.

This is exactly why I started using an API-based approach. One request, comprehensive results.

Meet SiteProbe API

SiteProbe is a unified domain health check API that bundles all five of those checks into a single endpoint. You send a domain, you get back a complete health report with grades and actionable recommendations.

Top view of a neat office desk with a Tuesday planner, smartphone, and gadgets, perfect for scheduling and organization. Photo by cottonbro studio on Pexels

It covers:

The free tier gives you 10 checks per hour without an API key — more than enough to test it out and check your own domains.

How It Works: A Real Example

Here’s the actual request. I’m using curl here, but you can call it from any language — Python, JavaScript, PHP, whatever.

curl -X POST https://siteprobe-api.fly.dev/check \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'

And here’s the real response I got when I ran this:

{
  "domain": "example.com",
  "checked_at": "2026-03-24T01:54:21.513Z",
  "overall_grade": "C",
  "overall_score": 1.6,
  "checks": {
    "ssl": {
      "grade": "F",
      "score": 0,
      "details": {
        "subject": "example.com",
        "issuer": "SSL Corporation",
        "valid_from": "2026-02-13T18:53:48.000Z",
        "valid_to": "2026-05-14T18:57:50.000Z",
        "days_until_expiry": 51,
        "protocol": "TLSv1.3",
        "is_valid": false
      },
      "issues": ["SSL certificate is invalid or expired"],
      "recommendations": ["Renew your SSL certificate immediately"]
    },
    "dns": {
      "grade": "A",
      "score": 4,
      "details": { ... }
    },
    "email_auth": {
      "grade": "A",
      "score": 4,
      "details": {
        "spf": { "grade": "A", "record": "v=spf1 -all" },
        "dmarc": { "grade": "A", "record": "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s" },
        "dkim": { "grade": "A", "selectors_found": ["default", "google", "selector1", "selector2", "k1"] }
      }
    },
    "security_headers": {
      "grade": "E",
      "score": 0,
      "details": { "error": "unable to get local issuer certificate" }
    },
    "performance": {
      "grade": "E",
      "score": 0,
      "details": { "error": "unable to get local issuer certificate" }
    }
  },
  "summary": "3 issues found. SSL certificate is invalid or expired..."
}

Notice the overall grade is a C, with failing SSL and security headers checks. That’s useful — you get an instant picture of what’s broken and what needs attention.

Now let’s look at a healthier domain — Google — to see what good looks like:

{
  "domain": "google.com",
  "overall_grade": "B",
  "overall_score": 3,
  "checks": {
    "ssl": { "grade": "A", "score": 4 },
    "dns": { "grade": "A", "score": 4 },
    "email_auth": {
      "grade": "C",
      "score": 2.3,
      "issues": [
        "SPF uses soft fail (~all) instead of hard fail (-all)",
        "No DKIM records found for common selectors"
      ]
    },
    "security_headers": {
      "grade": "C",
      "score": 2,
      "issues": [
        "Missing security header: Content-Security-Policy",
        "Missing security header: X-Content-Type-Options",
        "Missing security header: Strict-Transport-Security",
        "Missing security header: Referrer-Policy",
        "Missing security header: Permissions-Policy"
      ]
    },
    "performance": { "grade": "B", "score": 3 }
  }
}

Even Google — with all their resources — gets a B. The email authentication and security headers sections flag real issues. That’s the value: it doesn’t just check if things are up, it checks if they’re properly configured.

Why Each Check Matters

Let me break down why each of these five areas deserves your attention.

SSL / TLS — Don’t Let Your Site Go Dark

Your SSL certificate is what makes the little padlock appear in the browser. But it also has an expiry date — typically 90 days to a year. Let it expire and your site shows a security warning to visitors. In extreme cases, it stops loading entirely.

This happens more often than you’d think. Teams migrate servers, forget to set up auto-renewal, and suddenly their site is down with a terrifying error message. The SiteProbe API tells you not just if the cert is valid, but exactly when it expires (days_until_expiry) and which protocol it’s using (you want TLSv1.3, not older versions).

Email Authentication — SPF, DKIM, DMARC

This is the one most people ignore until their emails start landing in spam.

SPF (Sender Policy Framework) says “this server is allowed to send email for this domain.” Without it, receiving mail servers have no way to verify you’re not a spoofed sender.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. It’s like a tamper-evident seal — if someone modifies the email in transit, the signature breaks.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties it all together. It tells receiving servers what to do when authentication fails — reject outright, quarantine, or do nothing. If you don’t have DMARC, you’re basically leaving your domain open for email spoofing.

And here’s why it matters right now: Google and Microsoft both started enforcing stricter email authentication in 2024. If you’re sending any email from your domain — newsletters, transactional emails, support messages — and you don’t have proper SPF/DKIM/DMARC setup, your emails are going to spam. Maybe not always, but consistently enough to matter.

The SiteProbe API checks all three and tells you the policy in plain English.

Security Headers — The Invisible Shield

These are HTTP headers your server sends that tell browsers how to behave. They don’t affect your page visually, but they have a huge impact on security:

These are fundamental security controls, and most sites are missing several of them. The API checks for 10+ headers and tells you exactly which ones are missing.

Performance — Speed Affects Everything

Performance impacts user experience, SEO, and conversion rates. The API checks:

A slow site kills conversions. Google uses page speed as a ranking factor. This check gives you the baseline numbers without needing to run Lighthouse manually.

Automating Your Domain Monitoring

The real power isn’t in checking one domain manually — it’s in setting up automated monitoring.

Here’s a simple example in Python:

import requests

def check_domain_health(domain):
    response = requests.post(
        "https://siteprobe-api.fly.dev/check",
        json={"domain": domain}
    )
    data = response.json()
    
    # Alert if grade is below B
    if data["overall_score"] < 3:
        print(f"⚠️ {domain} needs attention: {data['summary']}")
        for check, info in data["checks"].items():
            if info.get("issues"):
                print(f"  - {check}: {info['issues']}")
    
    return data

# Check your domains
for domain in ["yoursite.com", "anotherdomain.com"]:
    check_domain_health(domain)

You could run this as a scheduled job, integrate it into your deployment pipeline, or trigger alerts when grades drop. The JSON response is structured specifically for programmatic consumption — easy to parse, easy to act on.

When to Use This

This approach makes sense in a few real scenarios:

  1. Portfolio monitoring — if you manage multiple domains, you need a quick way to audit them all at once
  2. Client onboarding — verify a client’s existing setup before you start work
  3. Due diligence — evaluating a domain for acquisition? The API gives you an instant health report
  4. Post-incident checks — after a migration or DNS change, verify everything is working
  5. Ongoing alerts — get notified before SSL certificates expire or security headers disappear

The free tier (10 checks/hour) handles most of these use cases. If you’re building something that checks hundreds of domains, the paid plans start at $19/month for 1,000 checks.

Wrapping Up

Manual domain checking is one of those tasks that feels minor until something breaks. Your SSL expires silently. Your DMARC policy is missing and your transactional emails start bouncing. You don’t notice until users complain.

With an API-based approach, you get a complete picture in seconds — and you can automate it to run regularly. No more logging into five different tools. No more surprises.

The SiteProbe API covers everything in one request: SSL, DNS, email authentication, security headers, and performance. It’s free to try, and the response format is clean enough to build alerts around.

Go test your own domain. I’ll wait.

← Back to all articles