How is the ServiceAlert domain risk score calculated?

We sum eight weighted signals: phishing classifier (up to 50 points), threat intel feed hits (30 points with a floor of 75), domain age (up to 20 points), missing SSL (10 points), punycode homograph (25 points), parked status (5 points), weak email security (up to 10 points), and a non-resolving override. The raw total is clamped to 0-100 and mapped to an A-F grade.

How we score domain risk

Q: Why publish the full rubric?

Commercial domain risk scores from DomainTools, Recorded Future, and others are black-box ML models. Analysts can't audit why a domain scored what it did, and they can't fix false positives. We publish every weight so you can reproduce any score from the signals we show you.

Q: How often is a score recalculated?

Scores are computed on-demand every time you look up a domain via /tools/phish-check, the public API, or a Maltego transform. Nothing is cached — you always see the score from the signals we have at that moment.

Q: Can I dispute a score?

Yes. The score is a function of public signals — if a signal is wrong (domain age lookup failed, threat feed has a stale listing, SSL check missed a cert), email the domain and a one-line reason to abuse@servicealert.ai. We re-verify and, if the input was wrong, the score changes automatically on the next lookup.

Q: How does this compare to the DomainTools Risk Score?

DomainTools uses a proprietary ML model trained on private registration history, DNS infrastructure patterns, and historical abuse data — powerful, but opaque. Our rubric uses only public signals (threat feeds, domain age, SSL posture, email security, IDN detection) and publishes every weight. It's designed to be reproducible and explainable rather than maximally predictive.

Every weight, every signal, every grade band — published in full. This is what powers the 0–100 number you see on the free phishing scanner, the public phishing API, and our Maltego transforms. Nothing is hidden behind a proprietary model.

A0–9 Clean

B10–24 Low Risk

C25–49 Suspicious

D50–74 High Risk

F75–100 Malicious

The eight signals

We start at zero and add points for each signal we can confirm. The raw total is clamped to 0–100. A threat-intel hit from a trusted feed always floors the score at 75.

1. Phishing classifier

The PhishingDetector heuristics return a 0–100 score from URL shape, brand impersonation, lookalike characters, suspicious TLDs, and redirect chain anomalies. We multiply it by 0.5, so the classifier can contribute at most 50 points.

+ up to 50

2. Threat intel listing

If URLhaus, ThreatFox, or Google Safe Browsing has the domain listed, that's independent confirmation. We add 30 points and floor the final score at 75 — a listed domain is never graded better than Malicious.

+ 30 (min 75)

3. Domain age

Brand-new domains are the strongest phishing predictor. We add 20 points under 7 days, 12 points under 30 days, and 5 points under 90 days. Nothing after 90.

+ up to 20

4. Missing SSL

If DNS resolves but the domain serves no HTTPS in 2026, that's unusual for a legitimate site. We only count this when DNS actually resolves, to avoid double-penalizing dead domains.

+ 10

5. Punycode / IDN homograph

Internationalized characters in the hostname or anywhere in the redirect chain are almost always brand impersonation. This is one of the strongest single signals we have.

+ 25

6. Parked / placeholder

Parking-page signals are benign but worth noting — parked domains are sometimes weaponized overnight. A small nudge, not a penalty.

+ 5

7. Weak email security

If the domain has MX records but earns an F on SPF/DMARC/DKIM, we add 10 points — it's trivially spoofable. A D grade adds 5. Domains without MX records aren't penalized at all (they don't send mail).

+ up to 10

8. Non-resolving override

A domain with no DNS resolution cannot serve content, so it can't be actively phishing. Unless it's on a threat-intel feed, we floor the score to 0 rather than letting stale signals pile up on a dead domain.

floor to 0

Worked examples

Three real shapes of result, using the exact arithmetic above.

A — Clean

Phishing classifier: 12/100 → +6

Threat intel: clean

Age: 8 years (no contribution)

SSL: valid · MX+email: A

Total: 6/100

D — High Risk

Phishing classifier: 60/100 → +30

Age: 4 days → +20

Email grade: F → +10

SSL: valid · TI: clean

Total: 60 → 62/100

F — Malicious

Phishing classifier: 40/100 → +20

Threat intel: URLhaus hit → +30 (floor 75)

Age: 3 days → +20

Raw 70 → floored to 75

Total: 75/100

Frequently asked

Why publish the full rubric?

Commercial domain risk scores are black-box ML models. Analysts can't audit why a domain scored what it did, and they can't fix false positives without support tickets. We publish every weight so any score on this site is reproducible from the signals we show you.

How often is a score recalculated?

On-demand, every time you look up a domain. Nothing is cached. If a threat feed delisted the domain an hour ago, you'll see the new score on the next lookup.

Can I dispute a score?

Yes — scores are a function of public inputs. If a signal is wrong (domain age lookup failed, threat feed has a stale listing, SSL check missed a cert), email the domain and a one-line reason to abuse@servicealert.ai. If the input was wrong, the next lookup produces a different score automatically.

How does this compare to the DomainTools Risk Score?

DomainTools uses a proprietary model trained on private registration history, DNS infrastructure patterns, and historical abuse data — powerful, but opaque. Our rubric uses only public signals and publishes every weight. It's designed to be reproducible and explainable rather than maximally predictive. Different tool for a different job.

Will the rubric change?

Yes, as we add new signals (passive DNS history, certificate transparency anomalies, hosting reputation). Every change ships in our changelog with the old and new weights, so scores remain auditable across time.

Try it on a domain

Paste any URL into our free phishing scanner and see the full rubric applied line-by-line.

Open phishing scanner →