Audit a Domain Before You Trust It

Before you integrate a vendor, accept user-generated links, or onboard a new supplier, it's worth running a quick domain audit. A low health score, expired certificate, or blacklisted IP are signals that something is wrong — or that the domain shouldn't be trusted at all.

This page shows how to build a complete domain audit using the DNS Toolkit: a health score, SSL certificate check, DNSSEC validation, security header analysis, and IP reputation — in a single workflow.

For full parameter and response schema details, see the API reference →


The audit workflow

The recommended sequence is:

  1. Health score — fast overall grade. If it's A or B, the domain is reasonably well-configured.
  2. Certificate — check the SSL cert is valid and not expiring soon.
  3. DNSSEC — confirm the domain has a valid chain of trust.
  4. Security headers — inspect HTTP-level security hardening.
  5. Blacklist — check the domain's IP against ~30 DNS-based blocklists.

Here's the full audit in one Python script:

# pip install toolkitapi
from toolkitapi import DNS

domain = "example.com"

with DNS(api_key="YOUR_KEY") as dns:
    # 1. Overall health
    health = dns.health(domain)
    print(f"Health: {health.score}/100 (Grade {health.grade})")
    failed = [c for c in health.checks if c.status == "fail"]
    for check in failed:
        print(f"  ✗ {check.check}: {check.detail}")

    # 2. SSL certificate
    cert = dns.certificate(domain)
    print(f"Cert: {cert.subject} — expires {cert.expires_in_days}d")
    if cert.expires_in_days < 30:
        print("  ⚠ Certificate expiring soon!")

    # 3. DNSSEC
    dnssec = dns.dnssec(domain)
    status = "✓ signed" if dnssec.signed else "✗ not signed"
    print(f"DNSSEC: {status}")

    # 4. Security headers
    headers = dns.security_headers(domain)
    print(f"Headers: {headers.score}/100 (Grade {headers.grade})")

    # 5. Blacklist
    bl = dns.blacklist(domain)
    listed = [r for r in bl.results if r.listed]
    if listed:
        print(f"Blacklisted on {len(listed)} list(s):")
        for r in listed:
            print(f"  - {r.blacklist}")
    else:
        print(f"Blacklist: clean across {len(bl.results)} lists")
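
One way to fold the five results into a single onboarding decision, as an added example that is not part of the DNS Toolkit SDK or this page's original code. It takes JSON-shaped dicts with the field names shown on this page; `evaluate_audit`, its parameters and the allow/review/block policy are assumptions.

```python
# Added example: fold the five audit results into one trust decision.
# Field names follow the responses shown on this page; the policy
# (what blocks, what needs review) is an assumption to tune locally.

def evaluate_audit(audit, min_cert_days=30, require_dnssec=False):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    block, review = [], []
    # A check that did not run must never count as a pass.
    for name in ("health", "certificate", "dnssec", "security_headers", "blacklist"):
        if audit.get(name) is None:
            review.append(f"{name}: no result")

    bl = audit.get("blacklist") or {"results": []}
    listed = sorted(r["blacklist"] for r in bl["results"] if r["listed"])
    if listed:
        block.append("listed on " + ", ".join(listed))

    cert = audit.get("certificate")
    if cert and not cert["valid"]:
        block.append("certificate is not valid")
    elif cert and cert["expires_in_days"] < min_cert_days:
        review.append(f"certificate expires in {cert['expires_in_days']} days")

    for name in ("health", "security_headers"):
        grade = (audit.get(name) or {}).get("grade")
        if name == "health" and grade == "F":
            block.append("health grade F")
        elif grade is not None and grade not in ("A", "B"):
            review.append(f"{name} grade {grade}")

    dnssec = audit.get("dnssec")
    if dnssec and not dnssec["signed"]:
        (block if require_dnssec else review).append("zone is not DNSSEC-signed")

    if block:
        return "block", block + review
    return ("review", review) if review else ("allow", [])

# Constructed sample results (not real API output).
GOOD = {"health": {"grade": "A"}, "certificate": {"valid": True, "expires_in_days": 74},
        "dnssec": {"signed": True}, "security_headers": {"grade": "B"},
        "blacklist": {"results": [{"blacklist": "bl.example", "listed": False}]}}
AGING = dict(GOOD, certificate={"valid": True, "expires_in_days": 12}, dnssec={"signed": False})
LISTED = dict(GOOD, blacklist={"results": [{"blacklist": "bl.example", "listed": True}]})
PARTIAL = dict(GOOD, blacklist=None)  # the blacklist call failed or was skipped

if __name__ == "__main__":
    for label, a in [("good", GOOD), ("aging", AGING), ("listed", LISTED), ("partial", PARTIAL)]:
        print(label, evaluate_audit(a))
```

A check with no result lands in `review` rather than `allow`, so an API error or timeout cannot silently pass a domain.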

Step 1 — DNS health score

The health endpoint runs ~15 checks covering NS redundancy, SOA config, MX presence, SPF, DMARC, CAA, and more. It returns a score from 0–100 and a letter grade A–F.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.health("example.com")
    print(f"Score: {result.score}/100  Grade: {result.grade}")
    for check in result.checks:
        icon = "✓" if check.status == "pass" else ("⚠" if check.status == "warn" else "✗")
        print(f"  {icon} {check.check}: {check.detail}")

curl "https://dns.toolkitapi.io/v1/health?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"

const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/health?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`Score: ${data.score}  Grade: ${data.grade}`);

Interpreting the grade:

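| Grade | Score  | What it means                           |
|-------|--------|-----------------------------------------|
| A     | 90–100 | Well configured — no significant issues |
| B     | 75–89  | Minor gaps — review warnings            |
| C     | 60–74  | Notable issues — take action            |
| D     | 40–59  | Significant problems                    |
| F     | 0–39   | Severely misconfigured or broken        |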

Step 2 — SSL certificate

Checks the live TLS certificate: validity, expiry date, issuer, and whether it matches the domain.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    cert = dns.certificate("example.com")
    print(f"Valid: {cert.valid}")
    print(f"Issuer: {cert.issuer}")
    print(f"Expires in: {cert.expires_in_days} days")
    print(f"Subject: {cert.subject}")

curl "https://dns.toolkitapi.io/v1/certificate?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"

const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/certificate?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`Expires in ${data.expires_in_days} days`);

Step 3 — DNSSEC

Checks whether the domain has DNSSEC enabled and whether the chain of trust is valid.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.dnssec("example.com")
    print(f"Signed: {result.signed}")
    if result.signed:
        print(f"Algorithm: {result.algorithm}")
        print(f"Key tag: {result.key_tag}")

curl "https://dns.toolkitapi.io/v1/dnssec?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"

const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/dnssec?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`DNSSEC signed: ${data.signed}`);

Step 4 — Security headers

Analyses the HTTP response headers for security best practices: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Returns a 0–100 score and A–F grade.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.security_headers("example.com")
    print(f"Score: {result.score}/100  Grade: {result.grade}")
    for header in result.headers:
        present = "✓" if header.present else "✗"
        print(f"  {present} {header.name}")

curl "https://dns.toolkitapi.io/v1/security-headers?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"

const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/security-headers?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`Headers grade: ${data.grade}`);
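
A header can be present and still ineffective, so this added example (not Toolkit code and not from the original page) checks values for the six headers listed in this step over a constructed response. `check_headers`, the 180-day HSTS minimum and the verdict strings are assumptions, not the API's scoring.

```python
# Added example: value-level checks for the six headers this step lists.
# Rules and the HSTS threshold are assumptions, not the Toolkit's scoring.
import re

MIN_HSTS_MAX_AGE = 15552000  # 180 days in seconds (assumed minimum)

def check_headers(raw):
    """Map each header to 'ok', 'missing' or 'weak: <reason>'."""
    h = {k.lower(): v.strip() for k, v in raw.items()}  # names are case-insensitive
    out = {}

    hsts = h.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is None:
        out["Strict-Transport-Security"] = "missing"
    elif m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        out["Strict-Transport-Security"] = "weak: max-age absent or under 180 days"
    else:
        out["Strict-Transport-Security"] = "ok"

    # CSP quality needs a real policy parser; only presence is checked here.
    csp = h.get("content-security-policy", "")
    out["Content-Security-Policy"] = "ok" if csp else "missing"

    xfo = h.get("x-frame-options")
    if "frame-ancestors" in csp.lower() or (xfo or "").upper() in ("DENY", "SAMEORIGIN"):
        out["X-Frame-Options"] = "ok"  # CSP frame-ancestors also restricts framing
    else:
        out["X-Frame-Options"] = "missing" if xfo is None else "weak: unrecognised value"
    xcto = h.get("x-content-type-options")
    if xcto is None:
        out["X-Content-Type-Options"] = "missing"
    else:
        out["X-Content-Type-Options"] = "ok" if xcto.lower() == "nosniff" else "weak: not nosniff"
    for name in ("Referrer-Policy", "Permissions-Policy"):
        out[name] = "ok" if h.get(name.lower()) else "missing"
    return out

# Constructed response headers (not captured from a real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "no-sniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print(check_headers(SAMPLE))
```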

Step 5 — Blacklist check

Checks the domain's IP against ~30 DNS-based reputation blocklists. Returns a per-list verdict and the resolved IP.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.blacklist("example.com")
    listed = [r for r in result.results if r.listed]
    if listed:
        print(f"Listed on {len(listed)} blocklist(s)")
        for entry in listed:
            print(f"  - {entry.blacklist}")
    else:
        print(f"Clean across {len(result.results)} lists")

curl "https://dns.toolkitapi.io/v1/blacklist?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"

const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/blacklist?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
const listed = data.results.filter(r => r.listed);
console.log(`Listed on ${listed.length} blocklist(s)`);

When to use each check

| You want to know...                             | Use                      |
|-------------------------------------------------|--------------------------|
| Is this domain generally well-configured?       | GET /v1/health           |
| Is the SSL cert valid and not expiring?         | GET /v1/certificate      |
| Has DNS been tampered with (spoofing risk)?     | GET /v1/dnssec           |
| Is the site hardened against clickjacking, XSS? | GET /v1/security-headers |
| Is the IP sending spam or hosting malware?      | GET /v1/blacklist        |
| Which CAs are allowed to issue certs?           | GET /v1/caa              |
