Tutorial
Written By Qasim, WhoisFreaks Team Published: July 14, 2026, Last Updated: July 14, 2026
When a domain appears in your logs, inbox, or threat feed, you need to know instantly whether it is safe, suspicious, or malicious. Visiting the site manually is risky. Checking static blocklists misses new threats. Running four separate lookups for WHOIS, DNS, SSL, and threat intel is slow.
The WhoisFreaks Domain Reputation API solves this with a single call. It runs six checks simultaneously, including live threat database lookup, DNS analysis, WHOIS registration data, SSL certificate inspection, page content analysis, and DGA scoring, and returns a unified verdict, a 0 to 100 trust score, and a plain-English explanation of exactly why a domain was flagged.
This tutorial shows you how to use it, how to read the response, and how to integrate it into your workflow.
Every domain reputation check returns the following top-level objects:
| Object | What It Contains |
|---|---|
| risk_category | The verdict (safe, suspicious, malicious, etc.), confidence, severity, and threat feed matches. |
| dga_score | Whether the domain name looks algorithmically generated. |
| trust_signals | Trust score (0–100), positive and negative signals, and boolean indicators. |
| intelligence | Related IOCs, STIX 2.1 pattern, recommended action, and feed tags. |
| evidence_summary | Plain-English list of exactly why the domain was flagged. |
| errors | Any lookups that failed (empty array if all succeeded). |
Type the domain you want to check into the search field:
suspicious-site.topResults are returned in under 2 seconds. The tool runs all six checks in parallel and displays the verdict, trust score, and evidence summary immediately.
The verdict is the first thing to look at:
| Object | What It Contains |
|---|---|
| dns | DNS records including A, AAAA, MX, NS, TXT, CNAME, SOA, DNSSEC, TTL, ASN, hosting provider, and geo information. |
| whois | WHOIS registration details such as registrar, creation date, expiry date, registrant organization, status, and name servers. |
| ssl | SSL/TLS certificate information including issuer, subject, validity period, SANs, fingerprint, key size, signature algorithm, and certificate transparency logs. |
| reputation | Reputation results from multiple threat intelligence sources, blacklist status, detections, and confidence score. |
| web | Website metadata including HTTP status, title, redirects, technologies, server, security headers, favicon hash, and screenshot availability. |
| email_security | Email authentication records including SPF, DKIM, DMARC, BIMI, and MTA-STS. |
| risk_analysis | Overall risk assessment, threat indicators, suspicious behaviors, phishing likelihood, and recommended action. |
| errors | Any lookup failures or unavailable services (empty array if all checks succeeded). |
The trust score is a number from 0 to 100 calculated from a base of 50 with signals adding or subtracting points. It falls into one of three bands:
| Band | Score Range | Meaning |
|---|---|---|
low |
0 to 39 | Significant trust concerns |
medium |
40 to 69 | Moderate trust indicators |
high |
70 to 100 | Strong trust indicators |
The evidence_summary.why_flagged field gives you plain-English reasons for the verdict. For example:
If the domain is clean, this array is empty.

For programmatic access, SIEM enrichment, or integrating reputation checks into your own application, use the Domain Reputation API.
Follow this step-by-step tutorial to create your account and get your API key in under two minutes:
How to Sign Up and Get Your API Key
GET https://api.whoisfreaks.com/v1/domain/security?domainName=example.com&apiKey=YOUR_API_KEY| Parameter | Required | Description |
|---|---|---|
domainName |
Yes | The domain to assess (e.g., example.com) |
apiKey |
Yes | Your WhoisFreaks API key |
curl -s "https://api.whoisfreaks.com/v1/domain/security?domainName=example.com&apiKey=YOUR_API_KEY"A clean domain returns a response like this:
{
"input": { "domain": "whoisfreaks.com" },
"assessed_at": "2026-07-07T12:00:00Z",
"processing_time_ms": 1250,
"risk_category": {
"verdict": "safe",
"confidence": 0.8,
"primary_threat": null,
"severity": "none",
"threat_types": [],
"sources": [],
"pivot_matches": []
},
"trust_signals": {
"trust_score": 73,
"trust_band": "high"
},
"evidence_summary": {
"why_flagged": []
},
"errors": []
}A malicious domain returns a response like this:
{
"input": { "domain": "evil-phishing-site.top" },
"assessed_at": "2026-07-07T12:01:00Z",
"processing_time_ms": 890,
"risk_category": {
"verdict": "malicious",
"confidence": 0.95,
"primary_threat": "phishing",
"severity": "high",
"sources": [
{
"source": "seed_threat_data",
"indicator": "evil-phishing-site.top",
"threat_type": "phishing",
"confidence": 0.95,
"first_seen": "2026-06-15T00:00:00Z",
"last_seen": "2026-07-05T00:00:00Z"
}
],
"pivot_matches": [
{
"pivot": "[email protected]",
"pivot_type": "email",
"total_related_threats": 134,
"confidence": 0.7
}
]
},
"trust_signals": {
"trust_score": 0,
"trust_band": "low"
},
"evidence_summary": {
"why_flagged": [
"Direct match in threat feeds as phishing",
"Pivot [email protected] (email) linked to 134 malicious domains",
"Low trust score (0/100)"
]
},
"errors": []
}
This is the core verdict block. The key fields are:
| Field | Type | Description |
|---|---|---|
| verdict | string | safe, low_risk, suspicious, malicious, or unknown |
| confidence | float (0-1) | How confident the system is in the verdict |
| primary_threat | string or null | The dominant threat type if any (phishing, malware, c2, botnet, spam) |
| severity | string | none, low, medium, high, or critical |
| sources | array | Direct threat feed matches with source name, threat type, and timestamps |
| pivot_matches | array | Indirect associations via shared WHOIS or DNS attributes |
How pivot matches work: If a domain's registrant email is also used to register 47 known phishing domains, that connection appears in pivot_matches with total_related_threats: 47. This is how the API catches new malicious domains before they appear in any threat feed.
The trust score starts at 50, and signals add or subtract points. Here are all the signals that affect the score:
| Signal | Direction | Points |
|---|---|---|
| SPF record present | Positive | +5 |
| SPF strict policy (-all) | Positive | +3 |
| DMARC record present | Positive | +5 |
| DMARC enforced (p=reject) | Positive | +5 |
| Domain age over 5 years | Positive | +15 |
| Domain age over 2 years | Positive | +10 |
| Paid SSL certificate | Positive | +5 |
| Valid SSL certificate | Positive | +3 |
| SPF missing | Negative | -5 |
| DMARC missing | Negative | -5 |
| Domain registered under 30 days | Negative | -15 |
| Expired SSL certificate | Negative | -15 |
| No SSL certificate | Negative | -10 |
| WHOIS privacy enabled | Negative | -5 |
| Free SSL certificate | Negative | -3 |
| Redirects to external domain | Negative | -10 |
| Obfuscated JavaScript on page | Negative | -10 |
| Direct threat feed match | Negative | -30 |
| Pivot association with threats | Negative | -15 |
| High DGA score (0.5 or above) | Negative | -10 |
The final score is capped between 0 and 100.
DGA stands for Domain Generation Algorithm. Malware families use DGA to generate hundreds of random-looking domain names programmatically, making them hard to block.
| Feature | Description |
|---|---|
| shannon_entropy | Higher entropy means more random-looking character distribution |
| ngram_perplexity | How unlike normal English character pairs the domain is |
| vowel_consonant_ratio | DGA domains tend to have very few vowels |
| consonant_streak_max | Long consonant runs are rare in natural language |
| digit_letter_ratio | High digit ratios are unusual in legitimate domains |
| domain_length | Very long domain labels are a DGA signal |
| tld_in_known_dga_set | TLDs like .top, .xyz, .click are favored by DGA malware |
| Interpretation | Score Range | Meaning |
|---|---|---|
| human_readable | Below 0.3 | Normal human-chosen domain name |
| indeterminate | 0.3 to 0.49 | Ambiguous, could be either |
| likely_dga | 0.5 and above | Algorithmically generated |

This object contains threat intelligence output in formats ready for SIEM and SOAR integration.
| Field | Description |
|---|---|
| recommended_action | block, monitor, or allow based on the verdict |
| stix_pattern | A STIX 2.1 pattern combining the domain and all resolved IPs, ready to import into Splunk, Microsoft Sentinel, QRadar, MISP, and other compatible platforms |
| related_iocs | IPs, emails, nameservers, and mail servers associated with the domain |
| feed_tags | Machine-readable tags like verdict:malicious and severity:high |
| first_seen | Earliest threat observation across matched feeds |
| last_seen | Most recent threat observation |
[domain-name:value = 'evil-phishing-site.top' OR ipv4-addr:value = '45.33.32.156']A set of quick boolean and integer checks for common risk signals:
| Indicator | Type | Description |
|---|---|---|
| is_newly_registered | boolean | True if domain is under 30 days old |
| uses_free_extension | boolean | True if TLD is a known free extension (.tk, .ml, .ga, .cf, .gq) |
| uses_free_ssl | boolean | True if using Let's Encrypt, ZeroSSL, or similar free CA |
| has_privacy_whois | boolean | True if WHOIS data is privacy-protected |
| has_spf | boolean | True if SPF record exists |
| has_dmarc | boolean | True if DMARC record exists |
| redirects_externally | boolean | True if page redirects to a different domain |
| javascript_obfuscated | boolean | True if heavily obfuscated JS is detected on the landing page |
| domain_age_days | integer | Days since the domain was first registered |
| ssl_age_days | integer | Days since the SSL certificate was issued |
| registrar | string | Domain registrar name |
Note: Fields that depend on a lookup show null if that lookup failed. For example, is_newly_registered is null if the WHOIS lookup did not return data.
If any individual lookup fails, the rest of the response still completes. Failed components are reported as strings in the errors array:
"errors": ["SSL lookup failed"]An empty array means all six checks completed successfully.

Yes. The free tool at whoisfreaks.com requires no account or credit card. For API access, sign up for a free account and receive 500 credits with no credit card required.
Typically, under 2 seconds. All six checks (threat database, DNS, WHOIS, SSL, content analysis, and DGA scoring) run in parallel. The maximum timeout is 10 seconds per request.
The verdict is a categorical classification (safe, suspicious, malicious etc.) determined by a priority chain of conditions. The trust score is a 0 to 100 numerical score calculated by adding and subtracting weighted signal points from a base of 50. Both are included in every response and complement each other.
A pivot match is an indirect threat association discovered through shared WHOIS or DNS attributes. For example, if the domain being assessed uses the same registrant email as 47 known phishing domains, that shared email is the pivot and total_related_threats is 47. This catches new malicious domains before they appear in any threat feed directly.
DGA stands for Domain Generation Algorithm. Malware families generate random-looking domain names programmatically to avoid blocklists. The API scores every domain for DGA likelihood using seven features including Shannon entropy, character bigram perplexity, vowel ratios, consonant streaks, digit ratios, domain length, and TLD patterns. No external API call is needed as this runs locally in microseconds.
The stix_pattern field in the intelligence object contains a STIX 2.1 compliant pattern combining the assessed domain and all resolved IP addresses. This pattern can be imported directly into Splunk, Microsoft Sentinel, IBM QRadar, MISP, OpenCTI, Palo Alto XSOAR, and any other STIX 2.1 compatible platform.
The response still completes with data from the remaining lookups. If the SSL lookup fails, for example, the verdict and trust score are still calculated using the threat database, DNS, WHOIS, and content analysis results. The failed lookup is reported in the errors array.
The API detects malware, phishing, command and control (c2), botnet, and spam domains through its threat intelligence database.
The WhoisFreaks Domain Reputation API runs six checks in parallel and returns a single, explainable verdict in under 2 seconds. The trust score, pivot associations, DGA analysis, and STIX pattern make it suitable for everything from a quick manual check on one domain to fully automated SIEM enrichment across thousands of alerts.
Track domains containing your brand name with WhoisFreaks brand monitoring. Step-by-step guide to setup and configuration.
6 min read
Learn how to monitor WHOIS record changes for your domains with WhoisFreaks domain monitoring tool. Step-by-step setup guide.
6 min read