Domain Fraud Risk Calculator

Assess suspicious domains using checks that matter most. Tune weights to match your threat model. Export results, document evidence, and prioritize mitigations quickly now.

Calculator inputs

Use the form below to estimate fraud risk from multiple technical and reputation signals.
Responsive: 3 / 2 / 1 columns
Used for the report and CSV/PDF output.
Newer domains increase risk substantially.
Higher reputation reduces uncertainty.
Adjust using your own threat intel.
Based on abuse rates and enforcement.
No SSL or invalid SSL increases risk.
Helps protect DNS integrity.
Raises uncertainty, not always malicious.
Email-capable domains need stronger controls.
Weak policies allow easier spoofing.
Alignment lowers impersonation risk.
Stricter policies reduce spoof acceptance.
Count from reputation providers you trust.
Includes user reports and confirmed incidents.
Lower distance means closer to a target brand.
Brand terms in subdomains or paths matter too.
Often used in credential harvesting attempts.
Long chains can hide the real destination.
First-seen domains deserve extra scrutiny.
Unknown popularity can increase risk.
Thin pages may indicate disposable infrastructure.
Reset

Formula used

The calculator converts each signal into a subscore from 0 to 100, where higher values indicate greater risk. The overall score is a weighted average:

RiskScore = Σ ( subscoreᵢ × weightᵢ ), with Σ weightᵢ = 1.00
  • Domain age: exponential decay, newest domains score highest risk.
  • Blacklist and reports: scaled counts with caps to avoid runaway scores.
  • Email posture: combined SPF, DKIM, DMARC, and MX presence.
  • Impersonation: typo distance, brand terms, and lookalike characters.

How to use this calculator

  1. Collect signals from DNS, certificate checks, and reputation sources.
  2. Enter values honestly, using your latest incident context.
  3. Press Calculate Risk to score the domain immediately.
  4. Review top drivers, then prioritize actions for mitigation.
  5. Download CSV or PDF to share evidence with stakeholders.

Example data table

Sample rows show how different signal mixes affect the score.
Domain Age (days) Blacklist hits Phishing reports Email posture Impersonation Score Level
trusted-payments.example 2200 0 0 Strong Low 18.6 Low
login-secure-update.example 12 2 1 Weak High 76.8 High
brand-support-help.example 45 1 0 Medium Medium 54.2 Moderate
invoice-viewer.example 5 6 3 Weak High 91.4 Critical
news-portal.example 700 0 0 Medium Low 27.9 Low

Risk signals covered by the model

The calculator consolidates eleven fraud indicators into a 0–100 risk score. Each indicator becomes a subscore where 0 represents low concern and 100 represents elevated concern. Domain age, blacklist exposure, phishing reports, impersonation traits, email posture, and behavioral signals are included. Input caps are applied to stabilize outcomes, including 50 maximum blacklist hits and 50 maximum phishing reports. This prevents extreme counts from masking other signals overall.

Weights and decision thresholds

Signals are fused using a weighted average where the weights sum to 1.00. High-impact drivers include blacklist exposure (0.12), phishing reports (0.12), and email authentication (0.12). Domain age contributes 0.14 because newly registered domains are disproportionately used for short-lived campaigns. Risk levels follow fixed thresholds: Low below 35, Moderate from 35 to 59.9, High from 60 to 79.9, and Critical at 80 or higher.

Age decay and impersonation detection

Domain age is modeled with exponential decay: ageRisk = 100 × e^(−0.55 × years). At 0 years, ageRisk is near 100; at 1 year it drops near 57; at 2 years it approaches 32. Impersonation scoring combines typosquat distance, brand keyword usage, and homoglyph presence. Typosquat distance uses a saturating curve to emphasize near-miss domains. Homoglyph toggles raise risk because lookalike characters are frequently used in credential capture and invoice fraud.

Reputation and email control posture

Reputation is represented by blacklist hits and phishing reports scaled to 0–100 subscores. Email posture is computed from SPF, DKIM, DMARC, and MX presence because domain fraud often begins with spoofed mail. DMARC “reject” produces the lowest risk subscore, while missing DMARC yields the highest. If MX records exist, stronger policies are expected. WHOIS privacy increases uncertainty, so the model applies a moderate penalty rather than treating privacy as definitive evidence of abuse.

Operational usage and exportable evidence

Use the score as a triage tool, then validate the top drivers with direct evidence. For example, high blacklist contribution should be verified across multiple providers and time windows. High impersonation contribution should trigger brand monitoring and user-facing warnings. The CSV export preserves subscores, weights, and contributions for audit trails. The PDF report provides a concise summary for incident tickets. Re-score after remediation, such as enabling DNSSEC, tightening DMARC, or removing redirects.

FAQs

1) What does a 0–100 score mean?

It is a relative risk estimate, not a certainty. Higher scores indicate more fraud-aligned signals across age, reputation, impersonation, email posture, and behavior. Use it to prioritize investigation and controls.

2) Why do new domains score higher?

Many campaigns register disposable domains for short lifetimes. The age signal uses exponential decay, so very young domains carry more weight early, then decline as longevity and stability increase.

3) Does WHOIS privacy always indicate fraud?

No. Privacy can be legitimate for individuals and small organizations. The model applies a modest uncertainty penalty rather than marking it as malicious, so other signals still drive the final result.

4) Which email settings reduce risk most?

Aligned DKIM, strict SPF, and a DMARC “reject” policy reduce spoof acceptance. If the domain has MX records, these controls matter more because mail delivery capability increases the attack surface.

5) How should I choose TLD and hosting risk?

Use your internal abuse rates, threat intelligence feeds, and enforcement context. Rate 1 as low concern and 5 as elevated concern. Revisit ratings periodically because abuse patterns shift over time.

6) Can I use the exports for compliance evidence?

Yes. CSV captures the full breakdown for audit-friendly records, while PDF summarizes the outcome and top drivers for tickets and stakeholder updates. Store exports alongside your supporting checks and timestamps.

Related Calculators

Phishing Domain Risk CalculatorMalicious Domain Detection CalculatorDDoS DNS Exposure CalculatorDNSSEC Validation Status CalculatorExpired Domain Risk CalculatorDomain Abuse Risk CalculatorDNS Tunnel Detection CalculatorDNS Query Anomaly CalculatorDomain Trust Score CalculatorDNS Filtering Effectiveness Calculator

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.