---
title: "Domain Reputation API for Real-Time Threat Assessment"
slug: "/products/domain-reputation-api"
description: "Send a domain and get a risk verdict, 0–100 trust score, and evidence from five live checks plus WhoisFreaks threat intelligence in seconds."
---

# Domain Reputation API for Real-Time Threat Assessment

Send one domain and get back a risk verdict, a 0 to 100 trust score, and the evidence behind every call. The API runs five live lookups plus WhoisFreaks threat intelligence in a single request, usually in four to five seconds.

[Contact Sales](https://whoisfreaks.com/contact)

[Get Started](https://billing.whoisfreaks.com/)

[More Details](https://whoisfreaks.com/tools/domain-reputation/lookup/amazon.com)

```
curl --location 'https://api.whoisfreaks.com/v1/domain/security?domainName=amazon.com&apiKey=API_KEY'
```

```
[
  {
    "input": {
      "domain": "amazon.com"
    },
    "assessed_at": "2026-07-08T08:12:29Z",
    "version": "1.0.0",
    "processing_time_ms": 742,
    "risk_category": {
      "verdict": "suspicious",
      "confidence": 0.94,
      "primary_threat": "phishing",
      "severity": "high",
      "threat_types": [
        "phishing",
        "spam"
      ],
      "sources": [
        {
          "source": "Spamhaus",
          "indicator": "example.com",
          "threat_type": "phishing",
          "confidence": 0.97,
          "first_seen": "2026-07-01T10:22:00Z",
          "last_seen": "2026-07-08T05:00:00Z"
        },
        {
          "source": "AbuseIPDB",
          "indicator": "93.184.216.34",
          "threat_type": "spam",
          "confidence": 0.83,
          "first_seen": "2026-06-30T13:11:00Z",
          "last_seen": "2026-07-07T20:11:00Z"
        }
      ],
      "pivot_matches": [
        {
          "pivot": "ns1.exampledns.com",
          "pivot_type": "ns",
          "total_related_threats": 34,
          "confidence": 0.92
        },
        {
          "pivot": "support@example.com",
          "pivot_type": "email",
          "total_related_threats": 5,
          "confidence": 0.72
        }
      ]
    },
    "dga_score": {
      "score": 0.81,
      "is_dga": true,
      "model": "deterministic_features_v1",
      "features": {
        "domain_length": 17,
        "vowel_consonant_ratio": 0.18,
        "ngram_perplexity": 3.91,
        "shannon_entropy": 4.72,
        "digit_letter_ratio": 0.23,
        "consonant_streak_max": 6,
        "tld_in_known_dga_set": false
      },
      "interpretation": "likely_dga"
    },
    "trust_signals": {
      "trust_score": 12,
      "trust_band": "low",
      "signals": {
        "positive": [
          {
            "code": "valid_ssl",
            "weight": 8,
            "polarity": "positive",
            "category": "ssl_certificate",
            "evidence": "TLS certificate issued by DigiCert",
            "confidence": 1
          }
        ],
        "negative": [
          {
            "code": "dmarc_missing",
            "weight": 5,
            "polarity": "negative",
            "category": "email_security",
            "evidence": "No DMARC record",
            "confidence": 1
          },
          {
            "code": "javascript_obfuscated",
            "weight": 20,
            "polarity": "negative",
            "category": "content_analysis",
            "evidence": "Highly obfuscated inline JavaScript detected",
            "confidence": 0.99
          }
        ],
        "neutral": [
          {
            "code": "content_unavailable",
            "weight": 0,
            "polarity": "neutral",
            "category": "content_analysis",
            "evidence": "Website did not respond",
            "confidence": 1
          }
        ]
      },
      "indicators": {
        "is_newly_registered": true,
        "uses_free_extension": false,
        "uses_free_ssl": true,
        "has_privacy_whois": true,
        "ssl_age_days": 18,
        "has_dmarc": false,
        "has_spf": true,
        "redirects_externally": true,
        "javascript_obfuscated": true,
        "domain_age_days": 24,
        "registrar": "Namecheap"
      }
    },
    "intelligence": {
      "ioc_type": "domain",
      "ioc_value": "example.com",
      "related_iocs": [
        {
          "type": "ipv4",
          "value": "93.184.216.34",
          "confidence": 0.91
        },
        {
          "type": "email",
          "value": "admin@example.com",
          "confidence": 0.84
        }
      ],
      "feed_tags": [
        "verdict:suspicious",
        "severity:high",
        "campaign:phishing"
      ],
      "stix_pattern": "[domain-name:value='example.com']",
      "recommended_action": "block",
      "first_seen": "2026-07-01T10:22:00Z",
      "last_seen": "2026-07-08T05:00:00Z"
    },
    "evidence_summary": {
      "why_flagged": [
        "Detected in multiple phishing feeds",
        "Newly registered domain",
        "Obfuscated JavaScript detected",
        "External redirect observed",
        "No DMARC record"
      ]
    },
    "errors": [
      ""
    ]
  }
]
```

- 694,675: Seed Indicators
- 11.2M+: Extrapolated Data
- 2,888: Email Pivots
- 3,251: Org Pivots
- 75,817: Mx Pivots
- 58,960: Ns Pivots

## How we calculate a domain's reputation

WhoisFreaks scores a domain's reputation from six checks that run in parallel on a single request. Five are live lookups across DNS, WHOIS, SSL, and page content, plus a match against WhoisFreaks threat intelligence. Together they produce one verdict, backed by a 0 to 100 trust score and a full evidence trail.

### Threat intelligence database

Direct matches in threat feeds for malware, phishing, C2, botnet, and spam, plus domains that share a registrant email, name server, or host with known threats.

### Live WHOIS

Reads the creation date, registrar, expiry, and status codes, calculates domain age, flags domains under 30 days old, and detects privacy-masked registrant ownership.

### Live DNS

Queries A, AAAA, NS, MX, and TXT records to map hosting and mail infrastructure, reads the SPF qualifier, and checks the DMARC enforcement level from none to reject.

### Live SSL

Fetches the certificate chain, checks whether the end-user certificate is valid or expired, records its age and issuer, and flags certificates issued by free CAs.

### Live content check

Fetches the landing page and follows redirects up to five hops, flagging pages that jump to another domain or serve inline JavaScript with heavy obfuscation.

### DGA analysis

Scores the domain name for algorithmic generation using entropy, letter patterns, and digit ratio, then labels it human-readable, indeterminate, or likely generated.

## Malicious Domain Detection

The API flags malicious domains two ways: a direct match against known threat indicators, and a pivot match when a domain shares infrastructure or contact details with confirmed malicious domains. Every verdict includes a recommended action and the evidence behind it.

### Direct Threat Match

The API checks each domain against WhoisFreaks threat intelligence for a direct match in curated malware, phishing, C2, botnet, and spam feeds. A direct match sets the verdict to malicious, with severity scaling up when several feeds confirm the same domain.

### Pivot Discovery

When a domain shares a registrant email, name server, organization, or hosting attribute with confirmed malicious domains, the API flags a pivot match. It catches new domains before they reach public blocklists, and reports how many known threats share the pivot.

### Verdict and Confidence

Every domain returns a verdict of safe, low risk, suspicious, or malicious, with a severity level and a confidence score. Direct feed matches carry the highest confidence, while pivot associations and risky signals return suspicious for analyst triage.

### Action and Evidence

Each response includes a recommended action of block, monitor, or allow, plus an evidence list naming every signal and the matching feed entries with first-seen and last-seen dates. Systems can key off the verdict or recommended_action field directly.

## Domain Risk Scoring

Every domain gets a trust score from 0 to 100, split into three bands: low (0 to 39), medium (40 to 69), and high (70 to 100). The score starts at 50 and moves up or down as the API checks email authentication, domain age, SSL quality, WHOIS privacy, redirect behavior, and threat matches.

15MALICIOUS

LOW (0-39)MEDIUM (40-69)HIGH (70-100)

A brand-new domain with no SPF or DMARC, a free SSL certificate, and a redirect to another host will score low even when it appears in no threat feed yet.

### Phishing domain detection

This API detects phishing at the domain level rather than scanning individual URLs or email bodies. It weighs the signals phishing domains tend to share: recent registration, missing email authentication, free certificates, privacy-masked ownership, and links to other phishing infrastructure through shared attributes.

Recent RegistrationMissing SPF/DMARCFree SSLHidden WHOIS

### DGA detection built in

The IP Whois Lookup API provides detailed information about IP addresses, including registration data, contact details, routes, and network information. This API helps in identifying the ownership and allocation of IP addresses, which can be useful for network administration, cybersecurity, geolocation services, and fraud prevention.

Shannon EntropyBigram PerplexityConsonant RunVowel Ratio

## Domain Rep. in Action

See how security and platform teams use domain reputation to flag malicious domains and act on each verdict.

### SOC Teams

Vet suspicious domains from alerts and logs, then push the STIX pattern from each verdict straight into your detection rules.

### Email Security

Score sender and link domains before a message reaches the inbox, so your gateway can quarantine or block risky senders early.

### Web & DNS Filtering

Add a live domain risk score to gateway and content-filter policies, and let the verdict decide what to block at the DNS layer.

### SaaS Platforms

Check domains users submit at sign-up or listing, and flag high-risk ones as an anti-fraud step before they reach your platform.

### Hosting Providers

Screen new registrations at signup and monitor existing portfolios for abuse, acting on malicious domains before they are reported.

### Threat Intel Teams

Enrich existing IOCs with live reputation data, then expand coverage through pivot associations to related malicious domains.

Add the Domain Reputation API to your stack to score any domain in real time, catch malicious infrastructure before it spreads, and drive block or monitor decisions from one call.

[Request Demo](https://whoisfreaks.com/demo)

## Email Deliverability Scoring

Every assessment now grades a domain's email setup from 0 to 100, from poor to excellent. The API reads SPF, DKIM, and DMARC in one pass, maps the mail infrastructure, and returns a fixable issue list with a recommendation for each finding.

### SPF and DMARC analysis

Reads the SPF record and its policy from -all to +all, checks the DMARC enforcement level from none to reject.

### DKIM discovery

Probes around 200 common DKIM selectors covering Google Workspace, Microsoft 365, SendGrid, and Amazon SES.

### Mail infrastructure

Lists every MX record, detects null-MX domains that cannot receive mail, and classifies the provider type.

### Issues and recommendations

Returns a coded issue list with a severity and a plain recommendation for each finding detected.

### One score, four grades

The deliverability score is computed separately from the trust score, so email hygiene never double-counts in the risk verdict.

Overall Health95/100

PoorFairGoodExcellent

The score rewards a strict SPF policy, an enforced DMARC record with reporting configured, and DKIM keys discovered on the domain. It penalizes missing or permissive authentication, domains listed in spam feeds, and domains registered less than 30 days ago. A domain with no MX records, or a null-MX record, is capped at 25 and flagged as unable to receive email.

SPF policyDKIM selectorsMX providerDMARC enforcement

Response Preview

```
1{2  "email_deliverability": {3    "score": 95,4    "grade": "excellent",5    "can_receive_email": true,6    "authentication": {7      "spf": { "present": true, "policy": "-all" },8      "dkim": { "found": true, "providers_detected": ["Google Workspace"] },9      "dmarc": { "present": true, "policy": "reject", "reporting_configured": true }10    },11    "infrastructure": {12      "mx_provider": "google_workspace",13      "mx_count": 2, "null_mx": false14    },15    "issues": []16  }17}
```

## FAQs

FAQs about the Domain Reputation API: risk signals and reputation fields

### What is a domain reputation API?

A domain reputation API is a service that takes a domain name and returns a risk assessment programmatically. The WhoisFreaks Domain Reputation API returns a verdict (safe, suspicious, or malicious), a 0 to 100 trust score, a DGA analysis, and the evidence behind the result, all in one request.

### How does the API decide if a domain is malicious?

It checks the domain against known threat indicators for a direct match, and against shared registration and hosting attributes for a pivot match to known threats. It also scores email authentication, domain age, SSL, and other signals. A direct match returns a malicious verdict with a recommended action of block.

### What is DGA detection?

DGA detection identifies domains created by a domain generation algorithm, a technique malware uses to produce large numbers of random-looking domains. The API scores each domain name using entropy, letter patterns, digit ratio, and TLD, then labels it human_readable, indeterminate, or likely_dga.

### How is the domain trust score calculated?

The score starts at 50 and moves up or down based on signals like SPF and DMARC records, domain age, SSL certificate quality, WHOIS privacy, redirect behavior, and threat matches. The final value lands between 0 and 100 and maps to a low, medium, or high trust band.

### Can I import the results into a SIEM or SOAR?

Yes. Every response includes a STIX 2.1 pattern that combines the domain and its resolved IP addresses. It imports into Splunk, IBM QRadar, Microsoft Sentinel, Elastic Security, Palo Alto XSOAR, MISP, OpenCTI, and other STIX 2.1 tools.

### How fast is the API, and what happens if one check fails?

A full assessment usually returns in four to five seconds. The lookups run independently, so if DNS, WHOIS, SSL, or the threat database is slow or unavailable, the rest still return and the response lists what failed in an errors field.

### What domains can I check?

Any registered domain name, one per request. You do not need to run separate DNS, WHOIS, or SSL queries first, since the API performs those checks itself as part of the assessment.
