---
title: "Free Domain Reputation Check: Risk & Trust Score Tool"
slug: "/resources/tutorial/free-domain-reputation-check-risk-and-trust-score-tool"
description: "Learn how to check a domain's reputation in seconds using the WhoisFreaks Domain Reputation tool and API, with trust scores and verdicts."
---

# Free Domain Reputation Check: Risk & Trust Score Tool

Written By [Qasim](https://pk.linkedin.com/in/qasimleoo), WhoisFreaks Team Published: July 14, 2026, Last Updated: July 14, 2026

When a domain appears in your logs, inbox, or threat feed, you need to know instantly whether it is safe, suspicious, or malicious. Visiting the site manually is risky. Checking static blocklists misses new threats. Running four separate lookups for WHOIS, DNS, SSL, and threat intel is slow.

The [WhoisFreaks Domain Reputation API](https://whoisfreaks.com/products/domain-reputation-api) solves this with a single call. It runs six checks simultaneously, including live threat database lookup, DNS analysis, WHOIS registration data, SSL certificate inspection, page content analysis, and DGA scoring, and returns a unified verdict, a 0 to 100 trust score, and a plain-English explanation of exactly why a domain was flagged.

This tutorial shows you how to use it, how to read the response, and how to integrate it into your workflow.

## What the Domain Reputation Check Returns

Every domain reputation check returns the following top-level objects:

| Object | What It Contains |
| --- | --- |
| risk_category | The verdict (safe, suspicious, malicious, etc.), confidence, severity, and threat feed matches. |
| dga_score | Whether the domain name looks algorithmically generated. |
| trust_signals | Trust score (0–100), positive and negative signals, and boolean indicators. |
| intelligence | Related IOCs, STIX 2.1 pattern, recommended action, and feed tags. |
| evidence_summary | Plain-English list of exactly why the domain was flagged. |
| errors | Any lookups that failed (empty array if all succeeded). |

## Method 1: Free Domain Reputation Tool (No Account Needed)

### Step 1 - Go to the Tool

*   Visit [Domain reputation tool](https://whoisfreaks.com/tools/domain/reputation)
*   No account or credit card is required for basic free lookups.

### Step 2 - Enter the Domain Name

Type the domain you want to check into the search field:

```
suspicious-site.top
```

### Step 3 - Click Check

Results are returned in under 2 seconds. The tool runs all six checks in parallel and displays the verdict, trust score, and evidence summary immediately.

### Step 4 - Read the Verdict

The verdict is the first thing to look at:

| Object | What It Contains |
| --- | --- |
| dns | DNS records including A, AAAA, MX, NS, TXT, CNAME, SOA, DNSSEC, TTL, ASN, hosting provider, and geo information. |
| whois | WHOIS registration details such as registrar, creation date, expiry date, registrant organization, status, and name servers. |
| ssl | SSL/TLS certificate information including issuer, subject, validity period, SANs, fingerprint, key size, signature algorithm, and certificate transparency logs. |
| reputation | Reputation results from multiple threat intelligence sources, blacklist status, detections, and confidence score. |
| web | Website metadata including HTTP status, title, redirects, technologies, server, security headers, favicon hash, and screenshot availability. |
| email_security | Email authentication records including SPF, DKIM, DMARC, BIMI, and MTA-STS. |
| risk_analysis | Overall risk assessment, threat indicators, suspicious behaviors, phishing likelihood, and recommended action. |
| errors | Any lookup failures or unavailable services (empty array if all checks succeeded). |

### Step 5 - Read the Trust Score

The trust score is a number from 0 to 100 calculated from a base of 50 with signals adding or subtracting points. It falls into one of three bands:

| Band | Score Range | Meaning |
| --- | --- | --- |
| `low` | 0 to 39 | Significant trust concerns |
| `medium` | 40 to 69 | Moderate trust indicators |
| `high` | 70 to 100 | Strong trust indicators |

### Step 6 - Read the Evidence Summary

The `evidence_summary.why_flagged` field gives you plain-English reasons for the verdict. For example:

*   "Direct match in threat feeds as phishing"
*   "Pivot [scammer@fakemail.com](mailto:scammer@fakemail.com) (email) linked to 134 malicious domains"
*   "High DGA score (0.82) suggests algorithmically generated domain"
*   "Low trust score (12/100)"

If the domain is clean, this array is empty.

## Method 2: Domain Reputation API

For programmatic access, SIEM enrichment, or integrating reputation checks into your own application, use the Domain Reputation API.

### Step 1 - Sign Up and Get Your API Key

Follow this step-by-step tutorial to create your account and get your API key in under two minutes:

[How to Sign Up and Get Your API Key](https://whoisfreaks.com/resources/tutorial/getting-started-with-whoisfreaks-how-to-sign-up-and-get-your-api-key)

### Step 2 - Make the Request

##### Endpoint:

```
GET https://api.whoisfreaks.com/v1/domain/security?domainName=example.com&apiKey=YOUR_API_KEY
```

#### Parameters:

| Parameter | Required | Description |
| --- | --- | --- |
| `domainName` | Yes | The domain to assess (e.g., `example.com`) |
| `apiKey` | Yes | Your WhoisFreaks API key |

#### cURL Example:

```
curl -s "https://api.whoisfreaks.com/v1/domain/security?domainName=example.com&apiKey=YOUR_API_KEY"
```

### Step 3 - Handle the Response

A clean domain returns a response like this:

```
{
  "input": { "domain": "whoisfreaks.com" },
  "assessed_at": "2026-07-07T12:00:00Z",
  "processing_time_ms": 1250,
  "risk_category": {
    "verdict": "safe",
    "confidence": 0.8,
    "primary_threat": null,
    "severity": "none",
    "threat_types": [],
    "sources": [],
    "pivot_matches": []
  },
  "trust_signals": {
    "trust_score": 73,
    "trust_band": "high"
  },
  "evidence_summary": {
    "why_flagged": []
  },
  "errors": []
}
```

A malicious domain returns a response like this:

```
{
  "input": { "domain": "evil-phishing-site.top" },
  "assessed_at": "2026-07-07T12:01:00Z",
  "processing_time_ms": 890,
  "risk_category": {
    "verdict": "malicious",
    "confidence": 0.95,
    "primary_threat": "phishing",
    "severity": "high",
    "sources": [
      {
        "source": "seed_threat_data",
        "indicator": "evil-phishing-site.top",
        "threat_type": "phishing",
        "confidence": 0.95,
        "first_seen": "2026-06-15T00:00:00Z",
        "last_seen": "2026-07-05T00:00:00Z"
      }
    ],
    "pivot_matches": [
      {
        "pivot": "scammer@fakemail.com",
        "pivot_type": "email",
        "total_related_threats": 134,
        "confidence": 0.7
      }
    ]
  },
  "trust_signals": {
    "trust_score": 0,
    "trust_band": "low"
  },
  "evidence_summary": {
    "why_flagged": [
      "Direct match in threat feeds as phishing",
      "Pivot scammer@fakemail.com (email) linked to 134 malicious domains",
      "Low trust score (0/100)"
    ]
  },
  "errors": []
}
```

## Understanding the Full Response

### risk_category

This is the core verdict block. The key fields are:

| Field | Type | Description |
| --- | --- | --- |
| verdict | string | safe, low_risk, suspicious, malicious, or unknown |
| confidence | float (0-1) | How confident the system is in the verdict |
| primary_threat | string or null | The dominant threat type if any (phishing, malware, c2, botnet, spam) |
| severity | string | none, low, medium, high, or critical |
| sources | array | Direct threat feed matches with source name, threat type, and timestamps |
| pivot_matches | array | Indirect associations via shared WHOIS or DNS attributes |

**How pivot matches work:** If a domain's registrant email is also used to register 47 known phishing domains, that connection appears in `pivot_matches` with `total_related_threats: 47`. This is how the API catches new malicious domains before they appear in any threat feed.

### trust_signals

The trust score starts at 50, and signals add or subtract points. Here are all the signals that affect the score:

| Signal | Direction | Points |
| --- | --- | --- |
| SPF record present | Positive | +5  |
| SPF strict policy (-all) | Positive | +3  |
| DMARC record present | Positive | +5  |
| DMARC enforced (p=reject) | Positive | +5  |
| Domain age over 5 years | Positive | +15 |
| Domain age over 2 years | Positive | +10 |
| Paid SSL certificate | Positive | +5  |
| Valid SSL certificate | Positive | +3  |
| SPF missing | Negative | -5  |
| DMARC missing | Negative | -5  |
| Domain registered under 30 days | Negative | -15 |
| Expired SSL certificate | Negative | -15 |
| No SSL certificate | Negative | -10 |
| WHOIS privacy enabled | Negative | -5  |
| Free SSL certificate | Negative | -3  |
| Redirects to external domain | Negative | -10 |
| Obfuscated JavaScript on page | Negative | -10 |
| Direct threat feed match | Negative | -30 |
| Pivot association with threats | Negative | -15 |
| High DGA score (0.5 or above) | Negative | -10 |

The final score is capped between 0 and 100.

### dga_score

DGA stands for Domain Generation Algorithm. Malware families use DGA to generate hundreds of random-looking domain names programmatically, making them hard to block.

#### The API scores each domain for DGA likelihood using seven features:

| Feature | Description |
| --- | --- |
| shannon_entropy | Higher entropy means more random-looking character distribution |
| ngram_perplexity | How unlike normal English character pairs the domain is |
| vowel_consonant_ratio | DGA domains tend to have very few vowels |
| consonant_streak_max | Long consonant runs are rare in natural language |
| digit_letter_ratio | High digit ratios are unusual in legitimate domains |
| domain_length | Very long domain labels are a DGA signal |
| tld_in_known_dga_set | TLDs like .top, .xyz, .click are favored by DGA malware |

#### The result is interpreted as:

| Interpretation | Score Range | Meaning |
| --- | --- | --- |
| human_readable | Below 0.3 | Normal human-chosen domain name |
| indeterminate | 0.3 to 0.49 | Ambiguous, could be either |
| likely_dga | 0.5 and above | Algorithmically generated |

### intelligence

This object contains threat intelligence output in formats ready for SIEM and SOAR integration.

| Field | Description |
| --- | --- |
| recommended_action | block, monitor, or allow based on the verdict |
| stix_pattern | A STIX 2.1 pattern combining the domain and all resolved IPs, ready to import into Splunk, Microsoft Sentinel, QRadar, MISP, and other compatible platforms |
| related_iocs | IPs, emails, nameservers, and mail servers associated with the domain |
| feed_tags | Machine-readable tags like verdict:malicious and severity:high |
| first_seen | Earliest threat observation across matched feeds |
| last_seen | Most recent threat observation |

#### Example STIX pattern:

```
[domain-name:value = 'evil-phishing-site.top' OR ipv4-addr:value = '45.33.32.156']
```

### indicators

A set of quick boolean and integer checks for common risk signals:

| Indicator | Type | Description |
| --- | --- | --- |
| is_newly_registered | boolean | True if domain is under 30 days old |
| uses_free_extension | boolean | True if TLD is a known free extension (.tk, .ml, .ga, .cf, .gq) |
| uses_free_ssl | boolean | True if using Let's Encrypt, ZeroSSL, or similar free CA |
| has_privacy_whois | boolean | True if WHOIS data is privacy-protected |
| has_spf | boolean | True if SPF record exists |
| has_dmarc | boolean | True if DMARC record exists |
| redirects_externally | boolean | True if page redirects to a different domain |
| javascript_obfuscated | boolean | True if heavily obfuscated JS is detected on the landing page |
| domain_age_days | integer | Days since the domain was first registered |
| ssl_age_days | integer | Days since the SSL certificate was issued |
| registrar | string | Domain registrar name |

Note: Fields that depend on a lookup show `null` if that lookup failed. For example, `is_newly_registered` is `null` if the WHOIS lookup did not return data.

### errors

If any individual lookup fails, the rest of the response still completes. Failed components are reported as strings in the `errors` array:

```
"errors": ["SSL lookup failed"]
```

An empty array means all six checks completed successfully.

## Frequently Asked Questions

### Is the domain reputation check free?

Yes. The free tool at whoisfreaks.com requires no account or credit card. For API access, sign up for a free account and receive 500 credits with no credit card required.

### How long does a domain reputation check take?

Typically, under 2 seconds. All six checks (threat database, DNS, WHOIS, SSL, content analysis, and DGA scoring) run in parallel. The maximum timeout is 10 seconds per request.

### What is the difference between verdict and trust score?

The verdict is a categorical classification (safe, suspicious, malicious etc.) determined by a priority chain of conditions. The trust score is a 0 to 100 numerical score calculated by adding and subtracting weighted signal points from a base of 50. Both are included in every response and complement each other.

### What is a pivot match?

A pivot match is an indirect threat association discovered through shared WHOIS or DNS attributes. For example, if the domain being assessed uses the same registrant email as 47 known phishing domains, that shared email is the pivot and `total_related_threats` is 47. This catches new malicious domains before they appear in any threat feed directly.

### What is DGA detection?

DGA stands for Domain Generation Algorithm. Malware families generate random-looking domain names programmatically to avoid blocklists. The API scores every domain for DGA likelihood using seven features including Shannon entropy, character bigram perplexity, vowel ratios, consonant streaks, digit ratios, domain length, and TLD patterns. No external API call is needed as this runs locally in microseconds.

### What does the STIX pattern field do?

The `stix_pattern` field in the intelligence object contains a STIX 2.1 compliant pattern combining the assessed domain and all resolved IP addresses. This pattern can be imported directly into Splunk, Microsoft Sentinel, IBM QRadar, MISP, OpenCTI, Palo Alto XSOAR, and any other STIX 2.1 compatible platform.

### What happens if one of the lookups fails?

The response still completes with data from the remaining lookups. If the SSL lookup fails, for example, the verdict and trust score are still calculated using the threat database, DNS, WHOIS, and content analysis results. The failed lookup is reported in the `errors` array.

### What threat types does the API detect?

The API detects malware, phishing, command and control (c2), botnet, and spam domains through its threat intelligence database.

## Conclusion

The WhoisFreaks Domain Reputation API runs six checks in parallel and returns a single, explainable verdict in under 2 seconds. The trust score, pivot associations, DGA analysis, and STIX pattern make it suitable for everything from a quick manual check on one domain to fully automated SIEM enrichment across thousands of alerts.

*   [Try the free Domain Reputation Check tool](https://whoisfreaks.com/tools/domain/reputation) 
*   [Read the full API documentation](https://whoisfreaks.com/products/domain-reputation-api)
