# Email Auth # DMARC Reports ## Get DMARC Report Status `client.EmailAuth.DMARCReports.Get(ctx, query) (*DMARCReportGetResponse, error)` **get** `/zones/{zone_id}/email/auth/dmarc-reports` Retrieves the current DMARC report configuration and status for a zone. Returns the RUA prefix, enabled status, approved sources, and DNS records. ### Parameters - `query DMARCReportGetParams` - `ZoneID param.Field[string]` Identifier. ### Returns - `type DMARCReportGetResponse struct{…}` Response for GET/PATCH /dmarc-reports - `ApprovedSources []DMARCReportGetResponseApprovedSource` List of approved sending sources (omitted when empty) - `Created Time` Deprecated, use created_at - `CreatedAt Time` Creation timestamp - `Domain string` The source domain - `IPs []string` Resolved IP addresses from SPF - `Modified Time` Deprecated, use modified_at - `ModifiedAt Time` Last modification timestamp - `Name string` Source name (typically same as domain) - `Slug string` URL-friendly identifier - `Tag string` Source UUID - `Created Time` Deprecated, use created_at - `CreatedAt Time` Creation timestamp - `Enabled bool` Whether DMARC reports are enabled - `Modified Time` Deprecated, use modified_at - `ModifiedAt Time` Last modification timestamp - `Records DMARCReportGetResponseRecords` Live DNS records for the zone, grouped by type - `BimiRecords []DMARCReportGetResponseRecordsBimiRecord` BIMI TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `CNAMEDKIMRecords []DMARCReportGetResponseRecordsCnamedkimRecord` CNAME records for DKIM - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `CNAMEDMARCRecords []DMARCReportGetResponseRecordsCnamedmarcRecord` CNAME records at _dmarc (problematic) - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `CNAMESPFRecords []DMARCReportGetResponseRecordsCnamespfRecord` CNAME records for SPF - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `DKIMRecords []DMARCReportGetResponseRecordsDKIMRecord` DKIM TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `DMARCRecords []DMARCReportGetResponseRecordsDMARCRecord` DMARC TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `SPFRecords []DMARCReportGetResponseRecordsSPFRecord` SPF TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `RuaPrefix string` Prefix for DMARC RUA addresses (32-char hex string) - `SkipWizard bool` Whether to skip the setup wizard - `Status DMARCReportGetResponseStatus` DMARC configuration status - `const DMARCReportGetResponseStatusMissingDMARCReport DMARCReportGetResponseStatus = "missing-dmarc-report"` - `const DMARCReportGetResponseStatusMultipleDMARCReports DMARCReportGetResponseStatus = "multiple-dmarc-reports"` - `const DMARCReportGetResponseStatusMissingDMARCRua DMARCReportGetResponseStatus = "missing-dmarc-rua"` - `const DMARCReportGetResponseStatusCNAMEOnDMARCRecord DMARCReportGetResponseStatus = "cname-on-dmarc-record"` - `Tag string` Use `zone_id` instead - `ZoneID string` Zone identifier ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_auth" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) dmarcReport, err := client.EmailAuth.DMARCReports.Get(context.TODO(), email_auth.DMARCReportGetParams{ ZoneID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", dmarcReport.ZoneID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "approved_sources": [ { "created": "2024-01-15T10:30:00.12345Z", "created_at": "2024-01-15T10:30:00.12345Z", "domain": "sendgrid.net", "ips": [ "192.168.1.1", "10.0.0.1" ], "modified": "2024-01-15T11:45:00.12345Z", "modified_at": "2024-01-15T11:45:00.12345Z", "name": "SendGrid", "slug": "sendgrid-net", "tag": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "created": "2024-01-15T10:30:00.12345Z", "created_at": "2024-01-15T10:30:00.12345Z", "enabled": true, "modified": "2024-01-15T11:45:00.12345Z", "modified_at": "2024-01-15T11:45:00.12345Z", "records": { "bimi_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "cname_dkim_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "cname_dmarc_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "cname_spf_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "dkim_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "dmarc_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "spf_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ] }, "rua_prefix": "9233c80fc89f43e3a7b749605f651868", "skip_wizard": false, "status": "missing-dmarc-report", "tag": "023e105f4ecef8ad9ca31a8372d0c353", "zone_id": "023e105f4ecef8ad9ca31a8372d0c353" } } ``` ## Configure DMARC Reports `client.EmailAuth.DMARCReports.Edit(ctx, params) (*DMARCReportEditResponse, error)` **patch** `/zones/{zone_id}/email/auth/dmarc-reports` Updates the DMARC report configuration for a zone. At least one of `enabled` or `skip_wizard` must be provided. When enabling, the handler will ensure the DMARC RUA record exists in DNS. ### Parameters - `params DMARCReportEditParams` - `ZoneID param.Field[string]` Path param: Identifier. - `Enabled param.Field[bool]` Body param: Enable or disable DMARC reports for this zone - `SkipWizard param.Field[bool]` Body param: Skip the DMARC setup wizard ### Returns - `type DMARCReportEditResponse struct{…}` Response for GET/PATCH /dmarc-reports - `ApprovedSources []DMARCReportEditResponseApprovedSource` List of approved sending sources (omitted when empty) - `Created Time` Deprecated, use created_at - `CreatedAt Time` Creation timestamp - `Domain string` The source domain - `IPs []string` Resolved IP addresses from SPF - `Modified Time` Deprecated, use modified_at - `ModifiedAt Time` Last modification timestamp - `Name string` Source name (typically same as domain) - `Slug string` URL-friendly identifier - `Tag string` Source UUID - `Created Time` Deprecated, use created_at - `CreatedAt Time` Creation timestamp - `Enabled bool` Whether DMARC reports are enabled - `Modified Time` Deprecated, use modified_at - `ModifiedAt Time` Last modification timestamp - `Records DMARCReportEditResponseRecords` Live DNS records for the zone, grouped by type - `BimiRecords []DMARCReportEditResponseRecordsBimiRecord` BIMI TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `CNAMEDKIMRecords []DMARCReportEditResponseRecordsCnamedkimRecord` CNAME records for DKIM - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `CNAMEDMARCRecords []DMARCReportEditResponseRecordsCnamedmarcRecord` CNAME records at _dmarc (problematic) - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `CNAMESPFRecords []DMARCReportEditResponseRecordsCnamespfRecord` CNAME records for SPF - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `DKIMRecords []DMARCReportEditResponseRecordsDKIMRecord` DKIM TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `DMARCRecords []DMARCReportEditResponseRecordsDMARCRecord` DMARC TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `SPFRecords []DMARCReportEditResponseRecordsSPFRecord` SPF TXT records - `ID string` DNS record ID - `Content string` Record content - `Name string` DNS record name - `TTL int64` Time to live in seconds - `Type string` Record type - `RuaPrefix string` Prefix for DMARC RUA addresses (32-char hex string) - `SkipWizard bool` Whether to skip the setup wizard - `Status DMARCReportEditResponseStatus` DMARC configuration status - `const DMARCReportEditResponseStatusMissingDMARCReport DMARCReportEditResponseStatus = "missing-dmarc-report"` - `const DMARCReportEditResponseStatusMultipleDMARCReports DMARCReportEditResponseStatus = "multiple-dmarc-reports"` - `const DMARCReportEditResponseStatusMissingDMARCRua DMARCReportEditResponseStatus = "missing-dmarc-rua"` - `const DMARCReportEditResponseStatusCNAMEOnDMARCRecord DMARCReportEditResponseStatus = "cname-on-dmarc-record"` - `Tag string` Use `zone_id` instead - `ZoneID string` Zone identifier ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_auth" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) response, err := client.EmailAuth.DMARCReports.Edit(context.TODO(), email_auth.DMARCReportEditParams{ ZoneID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", response.ZoneID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "approved_sources": [ { "created": "2024-01-15T10:30:00.12345Z", "created_at": "2024-01-15T10:30:00.12345Z", "domain": "sendgrid.net", "ips": [ "192.168.1.1", "10.0.0.1" ], "modified": "2024-01-15T11:45:00.12345Z", "modified_at": "2024-01-15T11:45:00.12345Z", "name": "SendGrid", "slug": "sendgrid-net", "tag": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "created": "2024-01-15T10:30:00.12345Z", "created_at": "2024-01-15T10:30:00.12345Z", "enabled": true, "modified": "2024-01-15T11:45:00.12345Z", "modified_at": "2024-01-15T11:45:00.12345Z", "records": { "bimi_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "cname_dkim_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "cname_dmarc_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "cname_spf_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "dkim_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "dmarc_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ], "spf_records": [ { "id": "e5bb46707a802688812d5d1c9f7977d4", "content": "\"v=DMARC1; p=none; rua=mailto:rua@dmarc-reports.cloudflare.net\"", "name": "_dmarc.example.com", "ttl": 300, "type": "TXT" } ] }, "rua_prefix": "9233c80fc89f43e3a7b749605f651868", "skip_wizard": false, "status": "missing-dmarc-report", "tag": "023e105f4ecef8ad9ca31a8372d0c353", "zone_id": "023e105f4ecef8ad9ca31a8372d0c353" } } ``` # SPF # Inspect ## Inspect SPF Record `client.EmailAuth.SPF.Inspect.Get(ctx, params) (*SPFInspectGetResponse, error)` **get** `/zones/{zone_id}/email/auth/spf/inspect` Inspects a specific SPF TXT record and returns a parsed tree structure in the spflimit-worker format. The record ID must be provided via the `id` query parameter. Returns a recursive tree showing: - Parsed components with their qualifiers and types - Nested includes recursively resolved within components - Per-component and total lookup counts - Detailed error information with context ### Parameters - `params SPFInspectGetParams` - `ZoneID param.Field[string]` Path param: Identifier. - `ID param.Field[string]` Query param: DNS record ID (rec_tag) to inspect ### Returns - `type SPFInspectGetResponse struct{…}` Recursive SPF inspection tree - `Components []unknown` Parsed SPF components (mechanisms) - `Domain string` Domain being inspected - `Record string` Raw SPF record content - `TotalLookups int64` Total number of DNS lookups performed across all includes - `Errors []SPFInspectGetResponseError` All errors encountered during inspection, collected from the entire tree. This includes errors from nested includes at any depth, providing a quick overview of all issues without needing to traverse the nested structure. Each error includes a `domain` field to identify where it occurred. Empty array if no errors (omitted from JSON when empty). - `Code string` Error code. Known values: - `lookup_failed` — DNS TXT lookup failed - `spf_not_found` — no SPF record found - `invalid_spf` — record does not start with `v=spf1` - `invalid_domain` — PSL validation failed - `loop_detected` — include/redirect cycle detected - `invalid_mechanism` — unrecognised or malformed mechanism - `resource_limit_exceeded` — internal resource protection limits exceeded (recursion depth or query budget) - `max_lookups` — RFC 7208 10-lookup limit exceeded - `Domain string` Domain where the error occurred - `Message string` Human-readable error message - `Details string` Additional error-specific details (optional). - For `invalid_domain` errors: the invalid domain string - For `invalid_mechanism` errors: the invalid mechanism text (e.g., "invalidmech123") - For `loop_detected` errors: the domain that caused the loop - For other error types: not present ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_auth" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) inspect, err := client.EmailAuth.SPF.Inspect.Get(context.TODO(), email_auth.SPFInspectGetParams{ ZoneID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), ID: cloudflare.F("id"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", inspect.Components) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "components": [ {} ], "domain": "example.com", "record": "v=spf1 ip4:203.0.113.1 include:spf.example.com -all", "total_lookups": 2, "errors": [ { "code": "max_lookups", "domain": "example.com", "message": "RFC 7208 10-lookup limit exceeded", "details": "invalid" } ] } } ```