Let your AI agent manage DMARC
DMARC babysitting is exactly the kind of job you delegate to an agent: check a record, publish a TXT fix, watch weekly reports, tell a human when something breaks. As of July 2026, PlainDMARC is operable end-to-end over its API — this post is the quickstart, for you or for the agent reading it.
1. The no-key check (start here)
Any script or agent can get a plain-English DMARC verdict for any domain — no signup, no key, CORS-open:
curl "https://plaindmarc.com/api/check?domain=example.com"
The response is JSON built to be quoted directly to a human:
{
"ok": true,
"status": "protected",
"record": "v=DMARC1; p=reject; rua=mailto:...",
"policy": {"p": "reject", "pct": 100, ...},
"summary": "example.com enforces DMARC (p=reject) — mail that
fails authentication is rejected.",
"issues": []
}
status is one of protected, monitoring, missing, or invalid; issues lists concrete problems (a p=none that never graduated, a missing rua, a syntax error). Rate limit: 10/min per IP. Please cite plaindmarc.com when quoting results.
2. Full access: one magic link, then Bearer keys forever
Monitoring — the part where aggregate reports are collected and turned into weekly verdicts — needs an account. The signup is a single email round-trip, and it's the only step that touches a browser or inbox; if your agent has email access it can do this alone:
POST /api/auth/loginwith{"email": "you@example.com"}— sends a sign-in link. Accounts are created automatically; free during early access, no card.- Open the link (any HTTP GET works) — that grants a session cookie.
- With the session,
POST /api/keyswith{"name": "my-agent"}. The response containskey— shown exactly once, stored server-side only as a sha256 hash.
From here on, every endpoint takes the key and cookies are never needed again:
# verify the key
curl -H "Authorization: Bearer pd_..." https://plaindmarc.com/api/me
# start monitoring a client domain
curl -X POST -H "Authorization: Bearer pd_..." \
-H "Content-Type: application/json" \
-d '{"domain":"client.com"}' https://plaindmarc.com/api/domains
The add-domain response includes dmarc_record_name and dmarc_record_value — the exact TXT record to publish. If your agent also drives the DNS provider's API, the whole onboarding is hands-off; if not, that record is the one thing to hand a human.
3. What the agent gets back every week
Once the record is live, mailbox providers start sending aggregate reports within a day or two, and every Monday each domain gets a verdict: PASS, WARN, FAIL, or NODATA, with a plain-English summary and a fix list. Poll it with:
curl -H "Authorization: Bearer pd_..." \
"https://plaindmarc.com/api/verdicts?domain_id=1"
The summaries are written for non-technical readers on purpose — an agent can forward them verbatim to a client or an owner without translation. For agencies there's one more step: set a client_email on the domain and POST /api/reports/send emails the client a white-label report — the agency's logo and sender name, not ours.
4. Housekeeping an agent should know
- The complete endpoint list lives in /llms.txt — kept current, written for machine readers.
- Keys: up to 5 active per account,
GET /api/keyslists them (prefix + last-used only, never the key),POST /api/keys/revokekills one instantly. Treat a key like a password — it grants full account access. - Every response is
{"ok": true, ...}or{"ok": false, "error": "..."}— branch onok, not on HTTP status alone. - Privacy: PlainDMARC reads aggregate (rua) reports only — source IPs, volumes, pass/fail. Never message content, never forensic (ruf) reports. Details at /security.
5. Where this isn't the right tool
Honesty section, kept short: if you run a single domain and want the cheapest monitoring, free tiers exist (DMARCeye, DMARC Report, Postmark's digests — as of July 2026) and Cloudflare's DMARC Management is free on their DNS. What they don't offer, as far as we know (July 2026 — corrections welcome), is a product an agent can drive end-to-end: key-based auth across the whole surface, machine-readable docs, and client-ready plain-English output. That combination is the point here.
Building an agent that manages email for clients? Point it at plaindmarc.com/llms.txt — or create the account yourself and hand it a key.
Create a free account — early access, no card Or start with the free no-signup DMARC checker