Skip to content

Domains

DMARC monitoring, DNS health auditing, and one-click DNS fixes.

When your email lands in someone's spam folder, it's usually because your domain's DNS records aren't set up correctly. Email providers like Gmail, Outlook, and Yahoo check your domain's authentication records (SPF, DKIM, and DMARC) every time you send a message, and if something is misconfigured, your email gets downgraded or rejected entirely. Worse, anyone can send email that looks like it came from your domain unless your DMARC policy tells receiving servers to block unauthorized senders.

The challenge is that these problems are invisible until they cause damage. Your sending provider won't tell you that your SPF record has too many DNS lookups, or that a third-party service is sending unauthenticated email as your domain, or that your DMARC policy is set to "none" and isn't actually protecting you. Bounce House fills this gap: it continuously parses the DMARC reports that major email providers send back about your domain's email, audits your DNS configuration, scores your overall email health, and tells you exactly what to fix. Connect a DNS provider like Cloudflare or Route 53, and those fixes can be applied with a single API call.

Add a domain

curl -X POST https://api.bouncehouse.cloud/api/accounts/me/domains \
  -H "Authorization: Bearer bh_your_key" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'

Returns: {id, domain_name, verified, created_at}

Set up DMARC reporting

Add a TXT record to start receiving DMARC aggregate reports:

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:{signed-id}@{shard}-bo.ing-bo.ing"

The signed address is generated when you add the domain. Reports from Gmail, Outlook, Yahoo, and other providers flow in automatically via Cloudflare Email Routing, with no SMTP server to manage.

DMARC analysis

Once reports start arriving, Bounce House parses them and gives you a breakdown of every IP address sending email as your domain: how many messages it sent, whether SPF and DKIM passed, whether they were properly aligned with your domain, and how the receiving server handled them.

This surfaces problems that are otherwise invisible: a marketing tool sending as your domain without DKIM signing, an old server still using an IP that's no longer in your SPF record, or a forwarding service that breaks alignment. Each sending source is classified so you can see at a glance which senders are authorized and which aren't.

# List aggregate reports
curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dmarc \
  -H "Authorization: Bearer bh_your_key"

# Get detailed per-source records from a specific report
curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dmarc/{report_id} \
  -H "Authorization: Bearer bh_your_key"

Each record includes source_ip, count, spf_result, dkim_result, disposition, spf_aligned, dkim_aligned, and header_from.

Sending sources

See every IP that has sent email as your domain, aggregated across all reports:

curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/sources \
  -H "Authorization: Bearer bh_your_key"

Each source shows total_messages, spf_pass, dkim_pass, and a classification (aligned or unaligned). This is the fastest way to identify unauthorized senders.

Policy guidance

DMARC policies control what happens when authentication fails: p=none just monitors, p=quarantine sends failures to spam, and p=reject blocks them entirely. Moving from none to reject protects your domain from spoofing, but doing it too early (before all your legitimate senders are properly authenticated) will cause your own email to be blocked.

Bounce House tracks your alignment rate over time and tells you when it's safe to tighten your policy:

curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dmarc/policy-guidance \
  -H "Authorization: Bearer bh_your_key"

Returns your current_policy, recommended_policy, alignment_rate, whether you're ready_to_enforce, and specific guidance on what to do next.

DNS records

Fetch current SPF, DKIM, DMARC, and MX records:

curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dns \
  -H "Authorization: Bearer bh_your_key"

Health score

Get a 0-100 health score with findings and recommendations:

curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/health \
  -H "Authorization: Bearer bh_your_key"

Returns {score, findings, recommendations}. The score reflects SPF validity (lookup limits, sender coverage), DKIM key publication and alignment, DMARC policy enforcement, and MX configuration.

Track score changes over time:

curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/health/history \
  -H "Authorization: Bearer bh_your_key"

DNS recommendations

Get specific DNS changes to improve your configuration:

curl https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dns/recommendations \
  -H "Authorization: Bearer bh_your_key"

Each recommendation includes record_type, record_name, record_value, action, and status.

One-click DNS fixes

Connect a DNS provider (Cloudflare or Route 53) to apply recommendations directly:

# Connect DNS provider
curl -X POST https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dns/provider \
  -H "Authorization: Bearer bh_your_key" \
  -H "Content-Type: application/json" \
  -d '{"provider": "cloudflare", "zone_id": "...", "api_token": "..."}'

# Approve a recommendation
curl -X POST https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dns/recommendations/{id}/approve \
  -H "Authorization: Bearer bh_your_key"

# Apply it (creates/updates the DNS record)
curl -X POST https://api.bouncehouse.cloud/api/accounts/me/domains/example.com/dns/recommendations/{id}/apply \
  -H "Authorization: Bearer bh_your_key"

Provider credentials are encrypted at rest.

Forward operational email

Route abuse, postmaster, and custom-tagged email to Bounce House using your email provider's forwarding rules:

abuse@example.com      → example-com_abuse_{hmac}@{account-name}.{shard}-bo.ing-bo.ing
postmaster@example.com → example-com_postmaster_{hmac}@{account-name}.{shard}-bo.ing-bo.ing
security@example.com   → example-com_security_{hmac}@{account-name}.{shard}-bo.ing-bo.ing

Built-in tags (abuse, postmaster) get standard handlers. Custom tags get processing rules you define via tag routes.

Generate a signed address for any tag:

curl -X POST https://api.bouncehouse.cloud/api/accounts/me/addresses \
  -H "Authorization: Bearer bh_your_key" \
  -H "Content-Type: application/json" \
  -d '{"tag": "security"}'

Was this page helpful?