Send one domain and get back a risk verdict, a 0 to 100 trust score, and the evidence behind every call. The API runs five live lookups plus WhoisFreaks threat intelligence in a single request, usually in four to five seconds.
Features
WhoisFreaks scores a domain's reputation from six checks that run in parallel on a single request. Five are live lookups across DNS, WHOIS, SSL, and page content, plus a match against WhoisFreaks threat intelligence. Together they produce one verdict, backed by a 0 to 100 trust score and a full evidence trail.
Direct matches in threat feeds for malware, phishing, C2, botnet, and spam, plus domains that share a registrant email, name server, or host with known threats.
Reads the creation date, registrar, expiry, and status codes, calculates domain age, flags domains under 30 days old, and detects privacy-masked registrant ownership.
Queries A, AAAA, NS, MX, and TXT records to map hosting and mail infrastructure, reads the SPF qualifier, and checks the DMARC enforcement level from none to reject.
Fetches the certificate chain, checks whether the end-user certificate is valid or expired, records its age and issuer, and flags certificates issued by free CAs.
Fetches the landing page and follows redirects up to five hops, flagging pages that jump to another domain or serve inline JavaScript with heavy obfuscation.
Scores the domain name for algorithmic generation using entropy, letter patterns, and digit ratio, then labels it human-readable, indeterminate, or likely generated.
Detection Flow
The API flags malicious domains two ways: a direct match against known threat indicators, and a pivot match when a domain shares infrastructure or contact details with confirmed malicious domains. Every verdict includes a recommended action and the evidence behind it.
The API checks each domain against WhoisFreaks threat intelligence for a direct match in curated malware, phishing, C2, botnet, and spam feeds. A direct match sets the verdict to malicious, with severity scaling up when several feeds confirm the same domain.
When a domain shares a registrant email, name server, organization, or hosting attribute with confirmed malicious domains, the API flags a pivot match. It catches new domains before they reach public blocklists, and reports how many known threats share the pivot.
Every domain returns a verdict of safe, low risk, suspicious, or malicious, with a severity level and a confidence score. Direct feed matches carry the highest confidence, while pivot associations and risky signals return suspicious for analyst triage.
Each response includes a recommended action of block, monitor, or allow, plus an evidence list naming every signal and the matching feed entries with first-seen and last-seen dates. Systems can key off the verdict or recommended_action field directly.
Risk Scoring
Every domain gets a trust score from 0 to 100, split into three bands: low (0 to 39), medium (40 to 69), and high (70 to 100). The score starts at 50 and moves up or down as the API checks email authentication, domain age, SSL quality, WHOIS privacy, redirect behavior, and threat matches.
A brand-new domain with no SPF or DMARC, a free SSL certificate, and a redirect to another host will score low even when it appears in no threat feed yet.
This API detects phishing at the domain level rather than scanning individual URLs or email bodies. It weighs the signals phishing domains tend to share: recent registration, missing email authentication, free certificates, privacy-masked ownership, and links to other phishing infrastructure through shared attributes.
The IP Whois Lookup API provides detailed information about IP addresses, including registration data, contact details, routes, and network information. This API helps in identifying the ownership and allocation of IP addresses, which can be useful for network administration, cybersecurity, geolocation services, and fraud prevention.
Use Cases
See how security and platform teams use domain reputation to flag malicious domains and act on each verdict.
Vet suspicious domains from alerts and logs, then push the STIX pattern from each verdict straight into your detection rules.
Score sender and link domains before a message reaches the inbox, so your gateway can quarantine or block risky senders early.
Add a live domain risk score to gateway and content-filter policies, and let the verdict decide what to block at the DNS layer.
Check domains users submit at sign-up or listing, and flag high-risk ones as an anti-fraud step before they reach your platform.
Screen new registrations at signup and monitor existing portfolios for abuse, acting on malicious domains before they are reported.
Enrich existing IOCs with live reputation data, then expand coverage through pivot associations to related malicious domains.
Add the Domain Reputation API to your stack to score any domain in real time, catch malicious infrastructure before it spreads, and drive block or monitor decisions from one call.
Email Deliverability
Every assessment now grades a domain's email setup from 0 to 100, from poor to excellent. The API reads SPF, DKIM, and DMARC in one pass, maps the mail infrastructure, and returns a fixable issue list with a recommendation for each finding.
Reads the SPF record and its policy from -all to +all, checks the DMARC enforcement level from none to reject.
Probes around 200 common DKIM selectors covering Google Workspace, Microsoft 365, SendGrid, and Amazon SES.
Lists every MX record, detects null-MX domains that cannot receive mail, and classifies the provider type.
Returns a coded issue list with a severity and a plain recommendation for each finding detected.
The deliverability score is computed separately from the trust score, so email hygiene never double-counts in the risk verdict.
The score rewards a strict SPF policy, an enforced DMARC record with reporting configured, and DKIM keys discovered on the domain. It penalizes missing or permissive authentication, domains listed in spam feeds, and domains registered less than 30 days ago. A domain with no MX records, or a null-MX record, is capped at 25 and flagged as unable to receive email.
1{2 "email_deliverability": {3 "score": 95,4 "grade": "excellent",5 "can_receive_email": true,6 "authentication": {7 "spf": { "present": true, "policy": "-all" },8 "dkim": { "found": true, "providers_detected": ["Google Workspace"] },9 "dmarc": { "present": true, "policy": "reject", "reporting_configured": true }10 },11 "infrastructure": {12 "mx_provider": "google_workspace",13 "mx_count": 2, "null_mx": false14 },15 "issues": []16 }17}Integrations
The Domain Reputation API is a single REST endpoint that returns JSON, so it fits into any system that can send an HTTP request. Send a GET request with a domain and your API key, read the fields you need, and act on the result.
It uses the same authentication and request pattern as the WhoisFreaks WHOIS, DNS, and SSL APIs, so a team already calling those can add domain reputation with one new request and the same key.
You can also wire it into workflow automation tools like Zapier and n8n using their HTTP request steps, so domain checks run inside an automation without custom code.
Get an API key and send your first domain, or read the full API reference for every field and response code.