resources background

Tutorial

Free Domain Reputation Check: Risk & Trust Score Tool

Written By Qasim, WhoisFreaks Team Published: July 14, 2026, Last Updated: July 14, 2026

When a domain appears in your logs, inbox, or threat feed, you need to know instantly whether it is safe, suspicious, or malicious. Visiting the site manually is risky. Checking static blocklists misses new threats. Running four separate lookups for WHOIS, DNS, SSL, and threat intel is slow.

The WhoisFreaks Domain Reputation API solves this with a single call. It runs six checks simultaneously, including live threat database lookup, DNS analysis, WHOIS registration data, SSL certificate inspection, page content analysis, and DGA scoring, and returns a unified verdict, a 0 to 100 trust score, and a plain-English explanation of exactly why a domain was flagged.

This tutorial shows you how to use it, how to read the response, and how to integrate it into your workflow.

What the Domain Reputation Check Returns

Every domain reputation check returns the following top-level objects:

Object What It Contains
risk_category The verdict (safe, suspicious, malicious, etc.), confidence, severity, and threat feed matches.
dga_score Whether the domain name looks algorithmically generated.
trust_signals Trust score (0–100), positive and negative signals, and boolean indicators.
intelligence Related IOCs, STIX 2.1 pattern, recommended action, and feed tags.
evidence_summary Plain-English list of exactly why the domain was flagged.
errors Any lookups that failed (empty array if all succeeded).
Diagram showing the six parallel checks (Threat DB, DNS, WHOIS, SSL, Content, DGA) feeding into a single unified response object.

Method 1: Free Domain Reputation Tool (No Account Needed)

Step 1 - Go to the Tool

Step 2 - Enter the Domain Name

Type the domain you want to check into the search field:

suspicious-site.top

Step 3 - Click Check

Results are returned in under 2 seconds. The tool runs all six checks in parallel and displays the verdict, trust score, and evidence summary immediately.

Step 4 - Read the Verdict

The verdict is the first thing to look at:

Object What It Contains
dns DNS records including A, AAAA, MX, NS, TXT, CNAME, SOA, DNSSEC, TTL, ASN, hosting provider, and geo information.
whois WHOIS registration details such as registrar, creation date, expiry date, registrant organization, status, and name servers.
ssl SSL/TLS certificate information including issuer, subject, validity period, SANs, fingerprint, key size, signature algorithm, and certificate transparency logs.
reputation Reputation results from multiple threat intelligence sources, blacklist status, detections, and confidence score.
web Website metadata including HTTP status, title, redirects, technologies, server, security headers, favicon hash, and screenshot availability.
email_security Email authentication records including SPF, DKIM, DMARC, BIMI, and MTA-STS.
risk_analysis Overall risk assessment, threat indicators, suspicious behaviors, phishing likelihood, and recommended action.
errors Any lookup failures or unavailable services (empty array if all checks succeeded).

Step 5 - Read the Trust Score

The trust score is a number from 0 to 100 calculated from a base of 50 with signals adding or subtracting points. It falls into one of three bands:

Band Score Range Meaning
low 0 to 39 Significant trust concerns
medium 40 to 69 Moderate trust indicators
high 70 to 100 Strong trust indicators

Step 6 - Read the Evidence Summary

The evidence_summary.why_flagged field gives you plain-English reasons for the verdict. For example:

  • "Direct match in threat feeds as phishing"
  • "Pivot [email protected] (email) linked to 134 malicious domains"
  • "High DGA score (0.82) suggests algorithmically generated domain"
  • "Low trust score (12/100)"

If the domain is clean, this array is empty.

WhoisFreaks Domain Reputation tool showing a malicious domain result with trust score and evidence summary

Method 2: Domain Reputation API

For programmatic access, SIEM enrichment, or integrating reputation checks into your own application, use the Domain Reputation API.

Step 1 - Sign Up and Get Your API Key

Follow this step-by-step tutorial to create your account and get your API key in under two minutes:

How to Sign Up and Get Your API Key

Step 2 - Make the Request

Endpoint:
GET https://api.whoisfreaks.com/v1/domain/security?domainName=example.com&apiKey=YOUR_API_KEY

Parameters:

Parameter Required Description
domainName Yes The domain to assess (e.g., example.com)
apiKey Yes Your WhoisFreaks API key

cURL Example:

curl -s "https://api.whoisfreaks.com/v1/domain/security?domainName=example.com&apiKey=YOUR_API_KEY"

Step 3 - Handle the Response

A clean domain returns a response like this:

{
  "input": { "domain": "whoisfreaks.com" },
  "assessed_at": "2026-07-07T12:00:00Z",
  "processing_time_ms": 1250,
  "risk_category": {
    "verdict": "safe",
    "confidence": 0.8,
    "primary_threat": null,
    "severity": "none",
    "threat_types": [],
    "sources": [],
    "pivot_matches": []
  },
  "trust_signals": {
    "trust_score": 73,
    "trust_band": "high"
  },
  "evidence_summary": {
    "why_flagged": []
  },
  "errors": []
}

A malicious domain returns a response like this:

{
  "input": { "domain": "evil-phishing-site.top" },
  "assessed_at": "2026-07-07T12:01:00Z",
  "processing_time_ms": 890,
  "risk_category": {
    "verdict": "malicious",
    "confidence": 0.95,
    "primary_threat": "phishing",
    "severity": "high",
    "sources": [
      {
        "source": "seed_threat_data",
        "indicator": "evil-phishing-site.top",
        "threat_type": "phishing",
        "confidence": 0.95,
        "first_seen": "2026-06-15T00:00:00Z",
        "last_seen": "2026-07-05T00:00:00Z"
      }
    ],
    "pivot_matches": [
      {
        "pivot": "[email protected]",
        "pivot_type": "email",
        "total_related_threats": 134,
        "confidence": 0.7
      }
    ]
  },
  "trust_signals": {
    "trust_score": 0,
    "trust_band": "low"
  },
  "evidence_summary": {
    "why_flagged": [
      "Direct match in threat feeds as phishing",
      "Pivot [email protected] (email) linked to 134 malicious domains",
      "Low trust score (0/100)"
    ]
  },
  "errors": []
}
Side-by-side code block showing a clean domain response vs. a malicious domain response with key fields highlighted

Understanding the Full Response

risk_category

This is the core verdict block. The key fields are:

Field Type Description
verdict string safe, low_risk, suspicious, malicious, or unknown
confidence float (0-1) How confident the system is in the verdict
primary_threat string or null The dominant threat type if any (phishing, malware, c2, botnet, spam)
severity string none, low, medium, high, or critical
sources array Direct threat feed matches with source name, threat type, and timestamps
pivot_matches array Indirect associations via shared WHOIS or DNS attributes

How pivot matches work: If a domain's registrant email is also used to register 47 known phishing domains, that connection appears in pivot_matches with total_related_threats: 47. This is how the API catches new malicious domains before they appear in any threat feed.

trust_signals

The trust score starts at 50, and signals add or subtract points. Here are all the signals that affect the score:

Signal Direction Points
SPF record present Positive +5
SPF strict policy (-all) Positive +3
DMARC record present Positive +5
DMARC enforced (p=reject) Positive +5
Domain age over 5 years Positive +15
Domain age over 2 years Positive +10
Paid SSL certificate Positive +5
Valid SSL certificate Positive +3
SPF missing Negative -5
DMARC missing Negative -5
Domain registered under 30 days Negative -15
Expired SSL certificate Negative -15
No SSL certificate Negative -10
WHOIS privacy enabled Negative -5
Free SSL certificate Negative -3
Redirects to external domain Negative -10
Obfuscated JavaScript on page Negative -10
Direct threat feed match Negative -30
Pivot association with threats Negative -15
High DGA score (0.5 or above) Negative -10

The final score is capped between 0 and 100.

dga_score

DGA stands for Domain Generation Algorithm. Malware families use DGA to generate hundreds of random-looking domain names programmatically, making them hard to block.

The API scores each domain for DGA likelihood using seven features:

Feature Description
shannon_entropy Higher entropy means more random-looking character distribution
ngram_perplexity How unlike normal English character pairs the domain is
vowel_consonant_ratio DGA domains tend to have very few vowels
consonant_streak_max Long consonant runs are rare in natural language
digit_letter_ratio High digit ratios are unusual in legitimate domains
domain_length Very long domain labels are a DGA signal
tld_in_known_dga_set TLDs like .top, .xyz, .click are favored by DGA malware

The result is interpreted as:

Interpretation Score Range Meaning
human_readable Below 0.3 Normal human-chosen domain name
indeterminate 0.3 to 0.49 Ambiguous, could be either
likely_dga 0.5 and above Algorithmically generated
 Visual breakdown of the DGA scoring algorithm showing the seven features and their contribution weights.

intelligence

This object contains threat intelligence output in formats ready for SIEM and SOAR integration.

Field Description
recommended_action block, monitor, or allow based on the verdict
stix_pattern A STIX 2.1 pattern combining the domain and all resolved IPs, ready to import into Splunk, Microsoft Sentinel, QRadar, MISP, and other compatible platforms
related_iocs IPs, emails, nameservers, and mail servers associated with the domain
feed_tags Machine-readable tags like verdict:malicious and severity:high
first_seen Earliest threat observation across matched feeds
last_seen Most recent threat observation

Example STIX pattern:

[domain-name:value = 'evil-phishing-site.top' OR ipv4-addr:value = '45.33.32.156']

indicators

A set of quick boolean and integer checks for common risk signals:

Indicator Type Description
is_newly_registered boolean True if domain is under 30 days old
uses_free_extension boolean True if TLD is a known free extension (.tk, .ml, .ga, .cf, .gq)
uses_free_ssl boolean True if using Let's Encrypt, ZeroSSL, or similar free CA
has_privacy_whois boolean True if WHOIS data is privacy-protected
has_spf boolean True if SPF record exists
has_dmarc boolean True if DMARC record exists
redirects_externally boolean True if page redirects to a different domain
javascript_obfuscated boolean True if heavily obfuscated JS is detected on the landing page
domain_age_days integer Days since the domain was first registered
ssl_age_days integer Days since the SSL certificate was issued
registrar string Domain registrar name

Note: Fields that depend on a lookup show null if that lookup failed. For example, is_newly_registered is null if the WHOIS lookup did not return data.

errors

If any individual lookup fails, the rest of the response still completes. Failed components are reported as strings in the errors array:

"errors": ["SSL lookup failed"]

An empty array means all six checks completed successfully.

Annotated full API response with each section color-coded and labeled (risk_category, trust_signals, dga_score, intelligence, evidence_summary)

Frequently Asked Questions

Is the domain reputation check free?

Yes. The free tool at whoisfreaks.com requires no account or credit card. For API access, sign up for a free account and receive 500 credits with no credit card required.

How long does a domain reputation check take?

Typically, under 2 seconds. All six checks (threat database, DNS, WHOIS, SSL, content analysis, and DGA scoring) run in parallel. The maximum timeout is 10 seconds per request.

What is the difference between verdict and trust score?

The verdict is a categorical classification (safe, suspicious, malicious etc.) determined by a priority chain of conditions. The trust score is a 0 to 100 numerical score calculated by adding and subtracting weighted signal points from a base of 50. Both are included in every response and complement each other.

What is a pivot match?

A pivot match is an indirect threat association discovered through shared WHOIS or DNS attributes. For example, if the domain being assessed uses the same registrant email as 47 known phishing domains, that shared email is the pivot and total_related_threats is 47. This catches new malicious domains before they appear in any threat feed directly.

What is DGA detection?

DGA stands for Domain Generation Algorithm. Malware families generate random-looking domain names programmatically to avoid blocklists. The API scores every domain for DGA likelihood using seven features including Shannon entropy, character bigram perplexity, vowel ratios, consonant streaks, digit ratios, domain length, and TLD patterns. No external API call is needed as this runs locally in microseconds.

What does the STIX pattern field do?

The stix_pattern field in the intelligence object contains a STIX 2.1 compliant pattern combining the assessed domain and all resolved IP addresses. This pattern can be imported directly into Splunk, Microsoft Sentinel, IBM QRadar, MISP, OpenCTI, Palo Alto XSOAR, and any other STIX 2.1 compatible platform.

What happens if one of the lookups fails?

The response still completes with data from the remaining lookups. If the SSL lookup fails, for example, the verdict and trust score are still calculated using the threat database, DNS, WHOIS, and content analysis results. The failed lookup is reported in the errors array.

What threat types does the API detect?

The API detects malware, phishing, command and control (c2), botnet, and spam domains through its threat intelligence database.

Conclusion

The WhoisFreaks Domain Reputation API runs six checks in parallel and returns a single, explainable verdict in under 2 seconds. The trust score, pivot associations, DGA analysis, and STIX pattern make it suitable for everything from a quick manual check on one domain to fully automated SIEM enrichment across thousands of alerts.