Domain age, registrar, IANA ID, abuse contact, expiry date, lock status (clientTransferProhibited, etc.), DNSSEC posture, WHOIS privacy state. Pulled live from the authoritative registry.
Domain Trust Score — is any domain safe, legitimate, and well-configured? Free, in one scan.
Domain Trust Score aggregates WHOIS/RDAP, DNS records, SSL/TLS posture, blacklist status across 10 reputation databases, SPF and DMARC parsing, port scan, IP/ASN intelligence, geolocation, traffic analytics, and an AI-driven risk review — in one API call. Returns a composite Trust Score, reputation score, phishing risk, and prioritised recommendations. Fourteen data sources, median response under 3 seconds.
What gets checked
A single scan runs six categories of checks in parallel, then layers AI analysis on top. Each category is independently scored, and each can be drilled into via its dedicated standalone tool.
A, AAAA, CNAME, MX, NS, and TXT records resolved against authoritative nameservers. TXT parsing extracts dozens of domain-verification tokens (Google, MS, Atlassian, OpenAI, Anthropic, etc.) — a strong signal of which SaaS platforms the domain is connected to.
Full SPF record parse — mechanisms, includes, qualifier (-all, ~all, ?all). Full DMARC parse — policy (p=reject/quarantine/none), percentage, aggregate and forensic report URIs, failure-reporting flags.
Certificate subject and issuer, validity window, serial number, SHA-1 and SHA-256 fingerprints. Protocol support across TLS 1.3, 1.2, 1.1, and 1.0 — flags deprecated versions still enabled.
Resolved IP, ISP, ASN, network range, country, region, timezone. VPN/proxy/Tor/hosting-provider detection. Port scan across the common server-side ports (80, 443, 22, 25, 53, etc.) with service identification.
Blacklist check across Spamhaus, Barracuda, SpamCop, abuseat.org, SORBS, and 5 more. Traffic analytics — estimated monthly visits, top countries, top organic keywords, traffic-source breakdown, category rank.
Why one signal is never enough
A scammer can register a domain, issue a free Let's Encrypt cert, publish SPF/DMARC, and put up a believable landing page in under an hour. Individual signals are easy to defeat. The signal lives in the combination — that's exactly what a Trust Score aggregates:
- Domain age is gameable but slow. Anything under 90 days old warrants scrutiny regardless of how polished the site looks. Most phishing and malware infrastructure has a registration date in the last quarter.
- SSL is no longer a trust signal on its own. Let's Encrypt issues certificates in seconds, for free. The presence of HTTPS tells you nothing about legitimacy — only that someone bothered to run certbot.
- Working SPF/DMARC isn't proof of anything. It just means the sender configured email authentication. Phishers do this routinely — DMARC alignment improves their inbox placement rate.
- Real organic traffic is hard to fake. So is a clean blacklist history across ten independent providers. So is a long registration with a Tier-1 registrar (MarkMonitor, Network Solutions, GoDaddy Corporate Services). The combined signal is what separates legitimate from synthetic — and that's what the Trust Score composites into one number.
Fourteen parallel calls, two analysis layers
A single request fans out to fourteen upstream sources — RDAP, recursive DNS, SSL handshake, port scanner, ten blacklist DNS queries, GeoIP, ASN, and traffic analytics — concurrently. Total response time is bounded by the slowest single call, not the sum. The collected data then runs through two analysers: a deterministic rules engine and an AI reviewer.
- Stage 1 — Fan-out (parallel) All fourteen upstream calls dispatched concurrently. SSL handshake, port scan, and traffic API are typically the longest legs.
- Stage 2 — Normalise Each source's response mapped to a canonical schema. Missing fields surface as null, not as errors — a partial scan is still useful.
- Stage 3 — Local rules engine Deterministic checks: domain age buckets, expiry runway, WHOIS privacy state, DNSSEC presence, deprecated TLS, blacklist hits. Produces the LocalAnalysis block — uniform, strict, repeatable.
- Stage 4 — AI review Full structured record passed to the AI analyser. Produces the composite Trust Score, reputation, and phishing risk scores plus prioritised security recommendations and any suspicious patterns detected.
- Stage 5 — Merge & return Both analyses returned alongside the raw data. Disagreement between LocalAnalysis and AiAnalysis is exposed deliberately — it's diagnostic, not a bug.
How to read the four scores
Domain Trust Score returns four scores from two complementary engines. LocalAnalysis is deterministic and strict. AiAnalysis is contextual. Disagreement between them is informative.
- Trust Score (0–100) Overall configuration and trustworthiness posture. Reflects DNS hygiene, SSL/TLS posture, email auth completeness, registrar quality, and lock status. A high score means the domain is well-managed; it does not certify the operator's intent.
- Reputation Score (0–100) Inferred from blacklist standing, age, traffic patterns, and registrar tier. Independent of the configuration score — a brand-new but well-configured domain will score low here until it accrues history.
- Phishing Risk (0–100, lower is better) An estimate of how likely the domain is to be used for phishing, based on the combination of all signals. Note: the LocalAnalysis variant is strict (unsigned DNSSEC alone is enough to push it to 'High'). The AiAnalysis variant is contextual.
- Trust Grade — Low / Medium / High risk Composite categorisation from the AI engine. Use this as the headline; use the four numeric scores to understand why.
- Maturity labels — New · Young · Established · Mature · Veteran LocalAnalysis bucketises domain age. Veteran is 10+ years (microsoft.com, in the sample, is 12,800 days old). Sub-90-day domains land in 'New' and are flagged regardless of other signals.
- Expiry labels — Critical · Warning · Healthy Critical: under 30 days to expiry. Warning: under 90 days. Healthy: 90+ days remaining. Useful for portfolio monitoring.
- Privacy labels — Public · Private · Privacy service WHOIS contacts are typically redacted under GDPR for individuals (Private). Some registrants use explicit privacy proxies (Privacy service). Public is rare since 2018.
// microsoft.com — LocalAnalysis vs AiAnalysis disagree
{
"LocalAnalysis": {
"overall": {
"trustScore": 90,
"reputationScore": 90,
"phishingRisk": "High" // ← strict rules: DNSSEC unsigned ⇒ High
}
},
"AiAnalysis": {
"trust_score": "92",
"reputation_score": "99",
"phishing_risk": "5", // ← context-aware: microsoft.com is not phishing
"trust_grade": "Low risk"
}
}
// Takeaway: disagreement means the domain has a structural weakness
// (unsigned DNSSEC, deprecated TLS) but isn't actually being abused.
// Both engines agreeing on 'high risk' is the real warning.What the AI layer adds
Beyond scoring, the AI layer produces two structured output classes: prioritised security recommendations (what to fix and why) and suspicious-pattern alerts (what looks abnormal across the combined signal set). Both are returned as JSON, not free-form prose.
Actionable items ranked by impact. Each carries a title, the underlying value (e.g., 'dnssec=unsigned'), and a plain-language analysis of the risk and the fix.
Catches combinations that the rules engine misses — e.g., a new domain with valid SPF but no MX record (suspicious), or a high-traffic site with an unsigned DNSSEC and a self-signed cert (likely misconfiguration).
Combines blacklist data, traffic patterns, registration history, and DNS configuration into a single malware verdict (Clean / Suspicious / Confirmed) and a phishing risk score (0–100).
Weighs domain age, traffic legitimacy (organic vs paid mix, geographic distribution), registrar tier, and historical blacklist standing. Catches reputation laundering — domains with strong technicals but no real audience.
{
"title": "Disable Deprecated TLS/SSL Protocols",
"value": "TLS 1.0, TLS 1.1, & SSL 3.0 are enabled",
"analysis": "Older protocols like TLS 1.0, TLS 1.1, and SSL 3.0 have known critical vulnerabilities (e.g., POODLE, BEAST) and are deprecated. To ensure secure communication and protect user data, the server should be configured to support only modern, secure protocols like TLS 1.2 and TLS 1.3."
}Run any sub-check on its own
Every category in the Trust Score has a dedicated standalone tool with deeper analysis, more options, and exportable reports. Pick the one you need:
Deep registration data, full EPP status code interpretation, DNSSEC algorithm details, abuse contact, registrar metadata.
Full DNS dump with per-record TTL, propagation across global resolvers, change detection over time.
Full certificate chain validation, OCSP status, expiry runway, cipher suite enumeration, protocol matrix.
Resolves all include chains, counts DNS lookups (the 10-lookup limit catches most teams off guard), flags overly permissive qualifiers.
Parses the policy, validates report URI reachability, simulates alignment against the published SPF and DKIM.
Per-database query and result with response times. Useful for incident response and post-recovery delisting verification.
Open/closed/filtered status with service identification. Covers HTTP/S, SSH, SMTP, DNS, FTP, and the usual database ports.
Reverse IP, ASN/ISP, geolocation, VPN/proxy/Tor/hosting flags. Useful for log triage and abuse investigation.
Separate scoring for whether AI crawlers can reach, parse, and cite your domain. Complements the Trust Score.
Use this programmatically
The full Trust Score report is available as JSON in a single API call. The free tier is rate-limited per IP — adequate for spot checks. For continuous monitoring, bulk lookups, or CI gates, request an API key.
curl https://api.domainscan.in/v1/domain/trust?domain=microsoft.comconst res = await fetch(
'https://api.domainscan.in/v1/domain/trust?domain=microsoft.com'
);
const report = await res.json();
const {
trust_score,
reputation_score,
phishing_risk,
trust_grade
} = report.AiAnalysis;
console.log(trust_grade, trust_score, phishing_risk);
// "Low risk" "92" "5"{
"domain": { "input": "...", "tld": "...", "sld": "...", "subdomain": null },
"domainRecord": { /* full WHOIS/RDAP — see /domain/lookup */ },
"DNSRecords": [{ "type": "A | AAAA | MX | NS | CNAME | TXT", "result": [...], "time": "number" }],
"sslData": {
"subject": { "C": "...", "O": "...", "CN": "..." },
"issuer": { "C": "...", "O": "...", "CN": "..." },
"valid_from": "ISO 8601",
"valid_to": "ISO 8601",
"protocol": { "TLS 1.3": { "status": "Enabled | Disabled" }, /* ... */ }
},
"spfData": { "spf": "v=spf1 ...", "parsed": { /* mechanisms, qualifier */ } },
"dmarc": { "dmarc": "v=DMARC1 ...", "parsed": { /* policy, pct, rua, ruf */ } },
"blackListData": {
"checkedDatabases": ["zen.spamhaus.org", "b.barracudacentral.org", /* 8 more */],
"results": [{ "database": "...", "blacklisted": "boolean", "time": "number" }]
},
"ispData": { "isp": "...", "asn": { "number": "...", "organization": "..." } },
"locationData": { "country": {}, "city": "...", "security": { "isVPN": "boolean", "isProxy": "boolean", "isTorExitNode": "boolean" } },
"portScan": { "results": [{ "port": "number", "status": "open | timeout", "service": {} }] },
"analytics": { "visits": "number", "trafficSources": {}, "topCountryShares": [], "topKeywords": [] },
"LocalAnalysis": {
"domain": { "maturity": {}, "expiry": {}, "privacy": {} },
"overall": { "trustScore": "0–100", "reputationScore": "0–100", "phishingRisk": "Low | Medium | High" }
},
"AiAnalysis": {
"trust_score": "0–100",
"reputation_score": "0–100",
"phishing_risk": "0–100",
"trust_grade": "Low | Medium | High risk",
"malware_detection": "Clean | Suspicious | Confirmed",
"security_recommendations": [{ "title": "...", "value": "...", "analysis": "..." }],
"suspicious_patterns_detected": { "security_alerts": [], "pattern_alerts": [], "suspicious_patterns": [] }
}
}How teams use Domain Trust Score
Six patterns we see most often:
Before onboarding a new supplier, payment processor, or SaaS vendor: run a Trust Score. Old domain + locked + DNSSEC + clean blacklist across all 10 databases + real traffic = legitimate operator.
Your SOC receives a suspicious URL. One scan returns enough signal to decide whether to block, escalate, or close as benign — without leaving your incident queue.
Fintech, payments, and marketplaces use the API as part of merchant onboarding. The Trust Score and reputation scores feed directly into the underwriting decision.
Buying a domain, brand, or company? Pull a Trust Score report. A target with deprecated TLS, no DMARC, and three blacklist hits represents a real remediation cost.
Scheduled Trust Score scans across your owned domains. Watch for expiry creep, SSL drift, accidental blacklist hits after an email campaign, and DMARC policy regression.
Hit the API from your deployment pipeline. Fail the build if a config change introduces deprecated TLS, removes DMARC enforcement, or trips a blacklist.
Common questions
- How is this different from a WHOIS lookup? WHOIS returns one slice — registration data. Domain Trust Score combines fourteen slices (WHOIS, DNS, SSL, blacklist, ports, IP intelligence, traffic, email auth, plus an AI layer) into a single verdict. If you only need registration details, /domain/lookup is faster and cheaper. For a legitimacy/trust decision, you need the combined signal.
- What does the Trust Score actually measure? Configuration quality and reputation posture, not intent. A score of 92 means the domain is well-managed — current TLS, valid SPF/DMARC, sensible DNS, recent renewal, registrar locks. It does not certify the operator's behaviour. Pair the Trust Score with the reputation score (which weighs history and traffic) and phishing risk (which weighs combined signal) for a complete picture.
- Why does my legitimate domain show phishing risk "High" in LocalAnalysis? The local rules engine is deliberately strict. A single missing signal (unsigned DNSSEC, deprecated TLS, redacted WHOIS without an abuse contact) can push the rule-based phishing risk to High. Check the AiAnalysis phishing_risk score and trust_grade — those are context-aware. Disagreement between the two engines is informative, not a contradiction: it usually means the domain is structurally improvable but not actually being abused.
- How fresh is the data? WHOIS/RDAP, DNS, SSL, port scan, and blacklist queries are issued in real time on every request — no caching. Traffic analytics and category rank are refreshed monthly from the upstream provider. The `lastRDAPUpdate` timestamp in the response tells you when the registry last touched its own record.
- Can I bulk-check domains via API? Yes. The single-domain endpoint is rate-limited per IP. For batch use (portfolio monitoring, KYB pipelines, threat-intel enrichment), request an API key with a higher quota. A dedicated bulk endpoint accepts up to 100 domains per request.
- What does the AI layer catch that the rules don't? Combinations. The rules engine evaluates each signal independently. The AI engine looks at the full vector — domain age + traffic shape + registrar tier + cert issuer + DNS configuration — and catches patterns like reputation laundering (technically clean domain with no real audience), recently-aged domains (registered years ago but never used until last week), and infrastructure recycling (new domain on an IP previously associated with abuse).
- Is my domain data stored or shared? Anonymous scans are cached for 24 hours to reduce upstream load. They aren't tied to your IP or identity. Signed-in users get persistent scan history under their account. We never share scan data with third parties or sell aggregate datasets.
- How do I monitor a domain's Trust Score over time? Three options. (1) Re-run the scan manually whenever you want a fresh report. (2) Sign in and enable scheduled scans — daily, weekly, or monthly — with email alerts on score regression. (3) Use the API from your own monitoring stack and store the time series in your tool of choice.
- Was this tool previously called Domain Health? Yes. Domain Trust Score is the same tool with a name that better reflects what the score actually means. The `/domain/health` URL now permanently redirects here, and existing API responses are backward-compatible.
Related domain and security tools
Every category folded into the Trust Score also has a dedicated tool. Drill deeper wherever the composite flags an issue:
Registrar, age, expiry, DNSSEC, lock status — the identity slice of the Trust Score.
A, AAAA, MX, TXT, CNAME, NS, SOA, CAA records with plain-English explanations.
Chain validation, expiry countdown, protocol matrix — the SSL slice of the Trust Score.
Email-auth posture — the deliverability slice of the Trust Score.
~130 DNSBLs including Spamhaus and Barracuda — the reputation slice of the Trust Score.
Which TCP ports are open — the surface-exposure slice of the Trust Score.
HSTS, CSP, X-Frame-Options — hardening posture beyond the Trust Score defaults.
Is your site visible to ChatGPT, Claude, and Perplexity? Complements the Trust Score.