FREE · NO ACCOUNT REQUIRED

Find out if any domain is safe, legitimate, and well-configured — in a single scan.

Domain Health aggregates WHOIS/RDAP, DNS records, SSL/TLS posture, blacklist status across 10 reputation databases, SPF and DMARC parsing, port scan, IP/ASN intelligence, geolocation, traffic analytics, and an AI-driven risk review — in one API call. Returns a health score, reputation score, phishing risk, and prioritized recommendations. Fourteen data sources, median response under 3 seconds.

01 · OVERVIEW

What gets checked

A single scan runs six categories of checks in parallel, then layers AI analysis on top. Each category is independently scored, and each can be drilled into via its dedicated standalone tool.

Identity & Registration (WHOIS · RDAP)

Domain age, registrar, IANA ID, abuse contact, expiry date, lock status (clientTransferProhibited, etc.), DNSSEC posture, WHOIS privacy state. Pulled live from the authoritative registry.

DNS Records (6 record types)

A, AAAA, CNAME, MX, NS, and TXT records resolved against authoritative nameservers. TXT parsing extracts dozens of domain-verification tokens (Google, MS, Atlassian, OpenAI, Anthropic, etc.) — a strong signal of which SaaS platforms the domain is connected to.

Email Authentication (SPF · DMARC)

Full SPF record parse — mechanisms, includes, qualifier (-all, ~all, ?all). Full DMARC parse — policy (p=reject/quarantine/none), percentage, aggregate and forensic report URIs, failure-reporting flags.

SSL/TLS Posture (Cert · Protocols)

Certificate subject and issuer, validity window, serial number, SHA-1 and SHA-256 fingerprints. Protocol support across TLS 1.3, 1.2, 1.1, and 1.0 — flags deprecated versions still enabled.

Network & Infrastructure (IP · ASN · Ports)

Resolved IP, ISP, ASN, network range, country, region, timezone. VPN/proxy/Tor/hosting-provider detection. Port scan across the common server-side ports (80, 443, 22, 25, 53, etc.) with service identification.

Reputation & Traffic (10 DNSBLs · Analytics)

Blacklist check across Spamhaus, Barracuda, SpamCop, abuseat.org, SORBS, and 5 more. Traffic analytics — estimated monthly visits, top countries, top organic keywords, traffic-source breakdown, category rank.

02 · WHY THIS MATTERS

Why one signal is never enough

A scammer can register a domain, issue a free Let's Encrypt cert, publish SPF/DMARC, and put up a believable landing page in under an hour. Individual signals are easy to defeat. The signal lives in the combination:

  • Domain age is gameable but slow. Anything under 90 days old warrants scrutiny regardless of how polished the site looks. Most phishing and malware infrastructure has a registration date in the last quarter.
  • SSL is no longer a trust signal. Let's Encrypt issues certificates in seconds, for free. The presence of HTTPS tells you nothing about legitimacy — only that someone bothered to run certbot.
  • Working SPF/DMARC isn't proof of anything. It just means the sender configured email authentication. Phishers do this routinely — DMARC alignment improves their inbox placement rate.
  • Real organic traffic is hard to fake. So is a clean blacklist history across ten independent providers. So is a long registration with a Tier-1 registrar (MarkMonitor, Network Solutions, GoDaddy Corporate Services). The combined signal is what separates legitimate from synthetic.

03 · HOW IT WORKS

Fourteen parallel calls, two analysis layers

A single request fans out to fourteen upstream sources — RDAP, recursive DNS, SSL handshake, port scanner, ten blacklist DNS queries, GeoIP, ASN, and traffic analytics — concurrently. Total response time is bounded by the slowest single call, not the sum. The collected data then runs through two analyzers: a deterministic rules engine and an AI reviewer.

  • Stage 1 — Fan-out (parallel): All fourteen upstream calls dispatched concurrently. SSL handshake, port scan, and traffic API are typically the longest legs.
  • Stage 2 — Normalize: Each source's response mapped to a canonical schema. Missing fields surface as null, not as errors — a partial scan is still useful.
  • Stage 3 — Local rules engine: Deterministic checks: domain age buckets, expiry runway, WHOIS privacy state, DNSSEC presence, deprecated TLS, blacklist hits. Produces the LocalAnalysis block — uniform, strict, repeatable.
  • Stage 4 — AI review: Full structured record passed to the AI analyzer. Produces overall health, reputation, and phishing risk scores plus prioritized security recommendations and any suspicious patterns detected.
  • Stage 5 — Merge & return: Both analyses returned alongside the raw data. Disagreement between LocalAnalysis and AiAnalysis is exposed deliberately — it's diagnostic, not a bug.

04 · SCORING

How to read the four scores

Domain Health returns four scores from two complementary engines. LocalAnalysis is deterministic and strict. AiAnalysis is contextual. Disagreement between them is informative.

  • Health Score (0–100): Overall configuration quality. Reflects DNS hygiene, SSL/TLS posture, email auth completeness, registrar quality, and lock status. A high score means the domain is well-managed; it does not certify the operator's intent.
  • Reputation Score (0–100): Inferred from blacklist standing, age, traffic patterns, and registrar tier. Independent of the configuration score — a brand-new but well-configured domain will score low here until it accrues history.
  • Phishing Risk (0–100, lower is better): An estimate of how likely the domain is to be used for phishing, based on the combination of all signals. Note: the LocalAnalysis variant is strict (unsigned DNSSEC alone is enough to push it to 'High'). The AiAnalysis variant is contextual.
  • Risk Level — Low / Medium / High: Composite categorization from the AI engine. Use this as the headline; use the four numeric scores to understand why.
  • Maturity labels — New · Young · Established · Mature · Veteran: LocalAnalysis bucketizes domain age. Veteran is 10+ years (microsoft.com, in the sample, is 12,800 days old). Sub-90-day domains land in 'New' and are flagged regardless of other signals.
  • Expiry labels — Critical · Warning · Healthy: Critical: under 30 days to expiry. Warning: under 90 days. Healthy: 90+ days remaining. Useful for portfolio monitoring.
  • Privacy labels — Public · Private · Privacy service: WHOIS contacts are typically redacted under GDPR for individuals (Private). Some registrants use explicit privacy proxies (Privacy service). Public is rare since 2018.

Why two engines disagree (real example)
// microsoft.com — LocalAnalysis vs AiAnalysis disagree
{
  "LocalAnalysis": {
    "overall": {
      "healthScore":     90,
      "reputationScore": 90,
      "phishingRisk":    "High"   // ← strict rules: DNSSEC unsigned ⇒ High
    }
  },
  "AiAnalysis": {
    "overall_health_score": "92",
    "reputation_score":     "99",
    "phishing_risk":        "5",   // ← context-aware: microsoft.com is not phishing
    "risk_level":           "Low"
  }
}

// Takeaway: disagreement means the domain has a structural weakness
// (unsigned DNSSEC, deprecated TLS) but isn't actually being abused.
// Both engines agreeing on 'high risk' is the real warning.
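
The comparison above can be automated when triaging reports. This is an added example, not part of the Domain Health API or its documentation: triage() and its verdict strings are hypothetical, and the field names are taken from the JSON shown above.

```javascript
// Added example, not the vendor's code. Field names follow the JSON on this
// page; triage() and its verdict strings are hypothetical.
function triage(report) {
  const local = report?.LocalAnalysis?.overall;
  const ai = report?.AiAnalysis;
  // Missing data surfaces as null, so an absent block is not a clean result.
  if (!local || !ai) {
    return { verdict: 'incomplete', why: 'an analysis block is missing', aiPhishing: null };
  }
  // AiAnalysis scores are strings ("5"); parseFloat maps null and "" to NaN.
  const parsed = Number.parseFloat(ai.phishing_risk);
  const aiPhishing = Number.isFinite(parsed) ? parsed : null;

  const localHigh = local.phishingRisk === 'High';
  const aiHigh = ai.risk_level === 'High';
  if (localHigh && aiHigh) {
    return { verdict: 'escalate', why: 'both engines report high risk', aiPhishing };
  }
  if (localHigh) {
    // Strict rule tripped (for example unsigned DNSSEC) without contextual risk.
    return { verdict: 'fix-config', why: 'structural weakness, no sign of abuse', aiPhishing };
  }
  if (aiHigh) {
    // The AI layer flagged a signal combination the per-signal rules did not.
    return { verdict: 'investigate', why: 'combined-signal risk only', aiPhishing };
  }
  return { verdict: 'no-action', why: 'neither engine reports high risk', aiPhishing };
}

// Constructed sample: the microsoft.com values shown above.
const sampleScores = {
  LocalAnalysis: { overall: { healthScore: 90, reputationScore: 90, phishingRisk: 'High' } },
  AiAnalysis: { overall_health_score: '92', reputation_score: '99', phishing_risk: '5', risk_level: 'Low' },
};
console.log(triage(sampleScores));
```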

05 · AI ANALYSIS

What the AI layer adds

Beyond scoring, the AI layer produces two structured output classes: prioritized security recommendations (what to fix and why) and suspicious-pattern alerts (what looks abnormal across the combined signal set). Both are returned as JSON, not free-form prose.

Security Recommendations (Prioritized fixes)

Actionable items ranked by impact. Each carries a title, the underlying value (e.g., 'dnssec=unsigned'), and a plain-language analysis of the risk and the fix.

Suspicious Pattern Alerts (Signal anomalies)

Catches combinations that the rules engine misses — e.g., a new domain with valid SPF but no MX record (suspicious), or a high-traffic site with unsigned DNSSEC and a self-signed cert (likely misconfiguration).

Malware & Phishing Verdict (Categorical)

Combines blacklist data, traffic patterns, registration history, and DNS configuration into a single malware verdict (Clean / Suspicious / Confirmed) and a phishing risk score (0–100).

Reputation Synthesis (Context-aware)

Weighs domain age, traffic legitimacy (organic vs paid mix, geographic distribution), registrar tier, and historical blacklist standing. Catches reputation laundering — domains with strong technicals but no real audience.

Sample AI recommendation
{
  "title":    "Disable Deprecated TLS/SSL Protocols",
  "value":    "TLS 1.0, TLS 1.1, & SSL 3.0 are enabled",
  "analysis": "Older protocols like TLS 1.0, TLS 1.1, and SSL 3.0 have known critical vulnerabilities (e.g., POODLE, BEAST) and are deprecated. To ensure secure communication and protect user data, the server should be configured to support only modern, secure protocols like TLS 1.2 and TLS 1.3."
}

06 · DRILL DEEPER

Run any sub-check on its own

Every category in Domain Health has a dedicated standalone tool with deeper analysis, more options, and exportable reports. Pick the one you need:

07 · API

Use this programmatically

The full report is available as JSON in a single API call. The free tier is rate-limited per IP — adequate for spot checks. For continuous monitoring, bulk lookups, or CI gates, request an API key.

cURL
curl 'https://api.domainscan.in/v1/health?domain=microsoft.com'
JavaScript (fetch)
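const res = await fetch(
  'https://api.domainscan.in/v1/health?domain=microsoft.com'
);
// Stop on a non-2xx response instead of parsing an error body as a report.
if (!res.ok) throw new Error(`Domain Health request failed: HTTP ${res.status}`);
const report = await res.json();

// AiAnalysis scores are returned as strings; convert with Number() before comparing.
const {
  overall_health_score,
  reputation_score,
  phishing_risk,
  risk_level
} = report.AiAnalysis;

console.log(risk_level, overall_health_score, phishing_risk);
// Low 92 5 (the scores are the strings "92" and "5")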
Response schema (abridged)
{
  "domain":        { "input": "...", "tld": "...", "sld": "...", "subdomain": null },
  "domainRecord":  { /* full WHOIS/RDAP — see /domain/lookup */ },
  "DNSRecords":    [{ "type": "A | AAAA | MX | NS | CNAME | TXT", "result": [...], "time": "number" }],
  "sslData":       {
    "subject":   { "C": "...", "O": "...", "CN": "..." },
    "issuer":    { "C": "...", "O": "...", "CN": "..." },
    "valid_from": "ISO 8601",
    "valid_to":   "ISO 8601",
    "protocol":   { "TLS 1.3": { "status": "Enabled | Disabled" }, /* ... */ }
  },
  "spfData":   { "spf": "v=spf1 ...", "parsed": { /* mechanisms, qualifier */ } },
  "dmarc":     { "dmarc": "v=DMARC1 ...", "parsed": { /* policy, pct, rua, ruf */ } },
  "blackListData": {
    "checkedDatabases": ["zen.spamhaus.org", "b.barracudacentral.org", /* 8 more */],
    "results":          [{ "database": "...", "blacklisted": "boolean", "time": "number" }]
  },
  "ispData":        { "isp": "...", "asn": { "number": "...", "organization": "..." } },
  "locationData":   { "country": {}, "city": "...", "security": { "isVPN": "boolean", "isProxy": "boolean", "isTorExitNode": "boolean" } },
  "portScan":       { "results": [{ "port": "number", "status": "open | timeout", "service": {} }] },
  "analytics":      { "visits": "number", "trafficSources": {}, "topCountryShares": [], "topKeywords": [] },
  "LocalAnalysis":  {
    "domain":   { "maturity": {}, "expiry": {}, "privacy": {} },
    "overall":  { "healthScore": "0–100", "reputationScore": "0–100", "phishingRisk": "Low | Medium | High" }
  },
  "AiAnalysis": {
    "overall_health_score":     "0–100",
    "reputation_score":         "0–100",
    "phishing_risk":            "0–100",
    "risk_level":               "Low | Medium | High",
    "malware_detection":        "Clean | Suspicious | Confirmed",
    "security_recommendations": [{ "title": "...", "value": "...", "analysis": "..." }],
    "suspicious_patterns_detected": { "security_alerts": [], "pattern_alerts": [], "suspicious_patterns": [] }
  }
}

08 · USE CASES

How teams use Domain Health

Six patterns we see most often:

Vendor & partner verification (B2B)

Before onboarding a new supplier, payment processor, or SaaS vendor: run a health check. Old domain + locked + DNSSEC + clean blacklist across all 10 databases + real traffic = legitimate operator.

Phishing & fraud investigation (Security)

Your SOC receives a suspicious URL. One scan returns enough signal to decide whether to block, escalate, or close as benign — without leaving your incident queue.

KYB / customer trust scoring (Compliance)

Fintech, payments, and marketplaces use the API as part of merchant onboarding. The health and reputation scores feed directly into the underwriting decision.

M&A due diligence (Acquisition)

Buying a domain, brand, or company? Pull a health report. A target with deprecated TLS, no DMARC, and three blacklist hits represents a real remediation cost.

Domain portfolio monitoring (Operations)

Scheduled scans across your owned domains. Watch for expiry creep, SSL drift, accidental blacklist hits after an email campaign, and DMARC policy regression.

Continuous CI/CD gate (Programmatic)

Hit the API from your deployment pipeline. Fail the build if a config change introduces deprecated TLS, removes DMARC enforcement, or trips a blacklist.
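
One way to implement the CI gate described above, as an added example rather than code from Domain Health: gate() and parseDmarc() are hypothetical helpers, the field names follow the abridged response schema on this page, and the keys for TLS 1.0 and TLS 1.1 are assumed to match the "TLS 1.3" key style.

```javascript
// Added example, not the vendor's code. Field names follow the abridged
// response schema on this page; gate() and parseDmarc() are hypothetical.
// Assumption: deprecated protocols use the same key style as "TLS 1.3".
const DEPRECATED = ['TLS 1.0', 'TLS 1.1'];

// Split a raw DMARC TXT value ("v=DMARC1; p=reject; pct=100") into tags.
function parseDmarc(record) {
  if (typeof record !== 'string' || !/^\s*v=DMARC1\s*(;|$)/.test(record)) return null;
  const tags = {};
  for (const part of record.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// Returns a list of failure strings; an empty list means the gate passes.
function gate(report) {
  const failures = [];
  const protocols = report?.sslData?.protocol;
  // Missing data is null after normalization: treat it as a failure, not a pass.
  if (!protocols) failures.push('tls: no protocol data (scan incomplete)');
  for (const name of DEPRECATED) {
    if (protocols?.[name]?.status === 'Enabled') failures.push(`tls: ${name} enabled`);
  }
  const tags = parseDmarc(report?.dmarc?.dmarc);
  const policy = tags?.p?.toLowerCase();
  if (!tags) {
    failures.push('dmarc: no valid record');
  } else if (policy !== 'reject' && policy !== 'quarantine') {
    failures.push(`dmarc: p=${policy ?? 'missing'} is not enforced`);
  } else if (Number(tags.pct ?? 100) < 100) {
    failures.push(`dmarc: pct=${tags.pct} applies the policy to only part of failing mail`);
  }
  const results = report?.blackListData?.results;
  if (!Array.isArray(results)) failures.push('blacklist: no results (scan incomplete)');
  for (const r of Array.isArray(results) ? results : []) {
    if (r.blacklisted === true) failures.push(`blacklist: listed on ${r.database}`);
  }
  return failures;
}

// Constructed report fragment for illustration (not real scan output).
const sampleReport = {
  sslData: { protocol: { 'TLS 1.3': { status: 'Enabled' }, 'TLS 1.0': { status: 'Enabled' } } },
  dmarc: { dmarc: 'v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@example.com' },
  blackListData: { results: [{ database: 'zen.spamhaus.org', blacklisted: false, time: 12 }] },
};
console.log(gate(sampleReport));
```

In a pipeline, exit non-zero when the returned list is non-empty and print the entries as the build failure reason.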

09 · FAQ

Frequently asked questions

  • How is this different from a WHOIS lookup? WHOIS returns one slice — registration data. Domain Health combines fourteen slices (WHOIS, DNS, SSL, blacklist, ports, IP intelligence, traffic, email auth, plus an AI layer) into a single verdict. If you only need registration details, /domain/lookup is faster and cheaper. For a legitimacy/trust decision, you need the combined signal.
  • What does the health score actually measure? Configuration quality, not intent. A score of 92 means the domain is well-managed — current TLS, valid SPF/DMARC, sensible DNS, recent renewal, registrar locks. It does not certify the operator's behavior. Pair the health score with the reputation score (which weighs history and traffic) and phishing risk (which weighs combined signal) for a complete picture.
  • Why does my legitimate domain show phishing risk "High" in LocalAnalysis? The local rules engine is deliberately strict. A single missing signal (unsigned DNSSEC, deprecated TLS, redacted WHOIS without an abuse contact) can push the rule-based phishing risk to High. Check the AiAnalysis phishing_risk score and risk_level — those are context-aware. Disagreement between the two engines is informative, not a contradiction: it usually means the domain is structurally improvable but not actually being abused.
  • How fresh is the data? WHOIS/RDAP, DNS, SSL, port scan, and blacklist queries are issued in real time on every request — no caching. Traffic analytics and category rank are refreshed monthly from the upstream provider. The `lastRDAPUpdate` timestamp in the response tells you when the registry last touched its own record.
  • Can I bulk-check domains via API? Yes. The single-domain endpoint is rate-limited per IP. For batch use (portfolio monitoring, KYB pipelines, threat-intel enrichment), request an API key with a higher quota. A dedicated bulk endpoint accepts up to 100 domains per request.
  • What does the AI layer catch that the rules don't? Combinations. The rules engine evaluates each signal independently. The AI engine looks at the full vector — domain age + traffic shape + registrar tier + cert issuer + DNS configuration — and catches patterns like reputation laundering (technically clean domain with no real audience), recently-aged domains (registered years ago but never used until last week), and infrastructure recycling (new domain on an IP previously associated with abuse).
  • Is my domain data stored or shared? Anonymous scans are cached for 24 hours to reduce upstream load. They aren't tied to your IP or identity. Signed-in users get persistent scan history under their account. We never share scan data with third parties or sell aggregate datasets.
  • How do I monitor a domain's health over time? Three options. (1) Re-run the scan manually whenever you want a fresh report. (2) Sign in and enable scheduled scans — daily, weekly, or monthly — with email alerts on score regression. (3) Use the API from your own monitoring stack and store the time series in your tool of choice.