Audit API vs DMARC Reporting: Why Your Stack Needs Both
Tools like Postmark and dmarcian tell you what happened yesterday. Veldica tells you the current DNS setup. See why you need instant audits to automate your email security.
Reports help you monitor trends. Audits help you fix issues and prevent mistakes before they happen.
Overview
Tools like Postmark and dmarcian tell you what happened yesterday. Veldica tells you the current DNS setup. See why you need instant audits to automate your email security.
What Is a DMARC Reporting API?
A DMARC reporting API usually exposes aggregate report data from RUA XML files. It tells you which IPs sent mail, whether SPF and DKIM passed, and whether alignment succeeded after mail was already sent.
That is different from a DNS audit API. A DNS audit checks the records that exist right now, before a sender generates mail flow and before the next aggregate report arrives.
Blueprint for Your Own Reporting Layer
Need a schema before you build or buy a reporting backend? The DMARC Reporting API Blueprint is a fixed-output technical plan for endpoint shape, data model, webhook events, and the boundary between RUA parsing and DNS auditing.
Which path should you use?
| Need | Best path |
|---|---|
| Learn the RUA reporting versus DNS audit boundary | This guide |
| Need one fixed output | Request the blueprint |
| Need recurring current-DNS checks | Use the Veldica API |
| Need custom implementation | Request a separate partner or custom review |
Reports only show you mail that was already sent. They won't find broken subdomains that haven't sent mail yet but are ready to be spoofed.
Reports are delayed by 24 hours. If you make a mistake in your DNS, you won't know until the next day. Our API tells you in seconds.
Use an Audit API to check your setup during updates, and use reports to monitor how things look over time.
Current workflow
Most organizations rely solely on DMARC aggregate reports (RUA) to manage their posture. This creates a risk that reports cannot see.
- Wait 24 hours for a DMARC aggregate report to be generated and delivered.
- Ingest and parse the XML reports in a tool like dmarcian or Postmark DMARC.
- Identify an alignment failure and guess which DNS record caused it.
- Manually inspect the DNS records for the domain to confirm the configuration error.
- Fix the DNS and wait another 24 hours to see if the report turns 'green'.
Where it breaks
This reactive feedback loop is too slow for DevOps and security teams.
- Reports show the past. They can't check a change before it hits your production mail flow.
- Reports often miss subdomains that aren't sending mail, even if they are at risk.
- Managed services can be difficult to use in your internal dashboards or updates.
- Reports don't always audit security settings like MTA-STS or BIMI automatically.
Replacement model
An audit API connects DNS state to report-driven monitoring.
Shows you which IPs are sending mail as your domain. The 'What Happened' layer.
Shows you the current DNS setup, risk level, and how to fix issues. The 'What is Set Up' layer.
Audit your DNS *before* you send mail to verify it is configured correctly. Use reports to confirm how your vendors are actually using it.
Turn a finding into a fix-plan immediately, without waiting for the next day's report.
Verified request
Veldica fits where reports don't: in your code and your automation.
curl -H 'content-type: application/json' \
-H 'X-RapidAPI-Key: YOUR_RAPIDAPI_KEY' \
-H 'X-RapidAPI-Host: email-domain-trust-auditor.p.rapidapi.com' \
-X POST 'https://email-domain-trust-auditor.p.rapidapi.com/v1/free/audits/domain' \
-d '{
"domain": "example.com"
}'You don't need to change your reporting tool to use Veldica. They work together.
Verified response
An Audit API response gives you concrete steps that a complex report cannot.
Instantaneous configuration finding. No mail flow required.
{
"domain": "example.com",
"score": 45,
"grade": "C",
"risk": {
"risk_level": "medium",
"enforcement_status": "none",
"assessment_confidence": "high"
},
"findings": [
{
"id": "dmarc.policy.none",
"check": "dmarc",
"status": "fail",
"severity": "critical",
"title": "DMARC Policy: None (Monitor Only)",
"fix": "Advance to p=quarantine then p=reject after reviewing aggregate reports."
}
],
"recommendations": [
"Advance DMARC policy to p=quarantine to begin enforcement."
]
}Immediate remediation template based on the audit finding.
{
"domain": "example.com",
"template_remediations": [
{
"issue_id": "dmarc.policy.none",
"priority": "p1",
"dns_name": "_dmarc.example.com",
"operation": "replace",
"proposed_value_template": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
}
]
}Output interpretation
When to use Veldica instead of checking your report dashboard:
- Onboarding: Check a customer's domain in seconds before they send a single email.
- CI/CD: Fail a build if a PR breaks your SPF limit or removes a critical policy.
- Subdomain Discovery: Audit your entire zone to find subdomains that are at risk.
- Validation: Verify that a DNS fix is live the moment you push it.
Production usage: the 360-degree security stack
How a mature security team uses both tools together.
- Use a DMARC reporting tool (Postmark, dmarcian) for long-term monitoring and deliverability trends.
- Trigger a Veldica audit whenever a new domain is added to the portfolio or a DNS change is detected.
- Use Veldica's
compareendpoint to verify the 'before and after' of a DMARC upgrade. - Generate Veldica
fix-plansto hand off implementation tasks to infrastructure teams. - Automate quarterly 'Deep Audits' of the entire portfolio, including MTA-STS and BIMI readiness.
# Audit API (Veldica) - Instant & Static
GET /v1/pro/audits/domain?domain=veldica.com
# Reporting API (Others) - Historical & Behavioral
GET /api/v1/dmarc/reports/daily?domain=veldica.comTool comparison
The core differences in a technical context.
Data source is RUA aggregate XML. Timeframe is historical. Best for sender behavior and alignment trends.
Data source is current DNS plus scoring and remediation. Timeframe is current. Best for preflight checks and fix plans.
Use RUA for passive monitoring and an audit API for active enforcement checks, domain onboarding, and remediation.
Keep Exploring
Use the Workflow Library to browse more guides, comparisons, and integration examples to continue your evaluation.
See the solutions, comparisons, and integration guides collected in one place.
Review grounded audit, compare, fix-plan, and report excerpts before you wire the API into anything.
Jump from the workflow page into the quickstart, endpoint guides, and full OpenAPI reference.
Add the static-truth layer to your stack
Complement your RUA monitoring with instantaneous, programmatic auditing. Start with the free Veldica audit or request a reporting API blueprint if you are designing your own layer.