Assessment form
Fill the fields you know. Unknown values are scored moderately to avoid false certainty.
Example data table
These examples illustrate typical patterns. Your environment may differ.
| Domain | Age (days) | Similarity | Auth | TLS | Blacklist | Score | Band |
|---|---|---|---|---|---|---|---|
| secure-mail-update.com | 7 | 78 | Missing | None | Yes | 89.6 | Critical |
| billing-portal-support.net | 45 | 62 | Fail | Self | No | 66.4 | High |
| partner-login.example | 1200 | 15 | Pass | Valid | No | 18.2 | Low |
Assessment history
Latest 25 submissions are stored in your session for quick exporting.
| Timestamp | Domain | Brand | Score | Band | Age | Similarity | WHOIS | TLD | SPF | DKIM | DMARC | TLS | Redirects | Shortener | Typosquat | Blacklist | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| No submissions yet. Submit the form to generate results. | | | | | | | | | | | | | | | | | |
Formula used
The calculator converts each indicator into a subscore from 0–100, where 0 is low risk and 100 is high risk. It then computes a weighted average:
Risk Score = Σ(Subscoreᵢ × Weightᵢ) ÷ Σ(Weightᵢ)
Unknown values are assigned moderate subscores to avoid overstating certainty. Adjust weights to match your policies and incident learnings.
How to use this calculator
- Enter the domain and optionally the brand being impersonated.
- Provide age, similarity, and hygiene indicators from your tooling.
- Leave uncertain fields as “Unknown” rather than guessing.
- Submit to view the score and recommended response above the form.
- Export CSV for analysis, or PDF for ticket attachments.
Risk scoring inputs and why they matter
Domains used in phishing often mimic trusted brands and rely on weak registration hygiene. This calculator combines measurable indicators such as domain age, WHOIS privacy, DNS record quality, and certificate coverage. Short-lived domains, missing SPF/DKIM/DMARC, and newly issued certificates typically raise suspicion. By capturing these signals in one form, security teams can triage inbound links and email senders consistently, even when threat intelligence feeds are unavailable. Recording observations also improves consistency between analysts across shifts.
Weighted model for consistent triage
A single indicator rarely proves abuse, so the model uses weights to reflect relative impact. For example, very young domains and high similarity to a known brand receive stronger emphasis than generic TLD choices. Each input is normalized to a 0–100 subscore, multiplied by its weight, then summed into a total risk score. This approach supports repeatable decisions and can be tuned to match your organization’s tolerance for false positives. Weight tuning should follow post-incident reviews and measured detection outcomes.
Interpreting the score bands
Scores are grouped into Low, Medium, High, and Critical bands to simplify action. Low scores suggest routine monitoring and user awareness messaging. Medium scores justify additional checks like URL sandboxing, reputation lookups, and content inspection. High scores should trigger blocking, quarantining, or manual review. Critical scores indicate a strong likelihood of active phishing and merit immediate containment, reporting, and targeted user notifications. Use the recommendation text to align responses with playbooks.
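The weighted average and the banding described above, as an added Python example (not the calculator's own code). The weights, subscore mappings, the 50-point value for unknowns and the band thresholds are assumptions, since the page does not publish them, so the scores differ from the example table.

```python
from typing import Optional

UNKNOWN = 50.0  # assumed "moderate" subscore for any field left as Unknown
# Assumed weights; tune to your own policy and incident reviews.
WEIGHTS = {"age": 3.0, "similarity": 3.0, "auth": 2.0, "tls": 1.0, "blacklist": 2.0}
# Assumed subscore mappings (0 = low risk, 100 = high risk).
AUTH = {"pass": 0.0, "fail": 80.0, "missing": 100.0}
TLS = {"valid": 0.0, "self": 70.0, "none": 100.0}
# Assumed band floors, checked from highest to lowest.
BANDS = [(80.0, "Critical"), (60.0, "High"), (30.0, "Medium"), (0.0, "Low")]

def age_subscore(days: Optional[float]) -> float:
    """Linear decay: registered today -> 100, one year or older -> 0."""
    if days is None:
        return UNKNOWN
    return 100.0 * (1.0 - min(max(days, 0.0), 365.0) / 365.0)

def lookup(table: dict, value: Optional[str]) -> float:
    """Map a categorical finding to a subscore; unrecognized values count as unknown."""
    if value is None:
        return UNKNOWN
    return table.get(value.strip().lower(), UNKNOWN)

def subscores(obs: dict) -> dict:
    sim, listed = obs.get("similarity"), obs.get("blacklist")
    return {
        "age": age_subscore(obs.get("age_days")),
        "similarity": UNKNOWN if sim is None else min(max(float(sim), 0.0), 100.0),
        "auth": lookup(AUTH, obs.get("auth")),
        "tls": lookup(TLS, obs.get("tls")),
        "blacklist": UNKNOWN if listed is None else (100.0 if listed else 0.0),
    }

def risk_score(obs: dict, weights: dict = WEIGHTS) -> float:
    """Risk Score = sum(subscore_i * weight_i) / sum(weight_i)."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    subs = subscores(obs)
    return round(sum(subs[k] * w for k, w in weights.items()) / total, 1)

def band(score: float) -> str:
    return next(name for floor, name in BANDS if score >= floor)

# Inputs taken from the first two rows of the page's example table.
ROW1 = {"age_days": 7, "similarity": 78, "auth": "Missing", "tls": "None", "blacklist": True}
ROW2 = {"age_days": 45, "similarity": 62, "auth": "Fail", "tls": "Self", "blacklist": False}
# Same domain as ROW1, but with the Auth and TLS checks not yet performed.
ROW1_PARTIAL = {**ROW1, "auth": None, "tls": None}
```

With Auth and TLS left unknown, the first row drops from Critical to High under these assumed weights, which shows how moderate subscores for unknowns pull a result toward the middle until the checks are completed.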
Exportable evidence for audits and handoffs
Security work often requires documentation. The CSV export captures each assessment with inputs, timestamps, and final classification for trend analysis in spreadsheets or SIEM enrichment. The PDF export supports incident tickets and audit trails where a static snapshot is required. Keeping exports standardized reduces back-and-forth between SOC analysts, IT admins, and compliance reviewers during investigations. Consistent exports also help justify controls during vendor and regulatory audits.
Operational use in email and web workflows
Use the calculator at first touchpoints: helpdesk submissions, suspicious email reports, and web proxy alerts. Start with the visible domain, then add DNS and authentication findings from your tooling. Adjust weights quarterly based on confirmed incidents and emerging tactics. Over time, the table history becomes a lightweight dataset to refine blocking rules and educate users with real examples. Pair results with user training to reduce repeat clicks.
FAQs
What inputs should I gather before scoring a domain?
Collect domain age, registration details, DNS records, and certificate status. Add brand similarity observations and authentication results from your email gateway. Better inputs produce steadier, more defensible scores.
Does a high score confirm the domain is malicious?
No. A high score indicates elevated risk based on indicators. Use it to prioritize deeper checks such as sandboxing, content inspection, reputation lookup, and user reporting confirmation.
How should I tune the weights for my organization?
Start with defaults, then review recent confirmed incidents. Increase weights for indicators that consistently preceded compromise attempts. Decrease weights that caused noisy alerts. Revisit tuning quarterly or after major campaigns.
Why include SPF, DKIM, and DMARC signals?
Authentication failures and missing policies often correlate with spoofing and low-effort phishing setups. These checks also align with common email security controls, making the score easier to operationalize.
Can I use this for internal domains and vendors?
Yes. Score new vendor domains and unfamiliar subdomains before granting allow-lists. For internal domains, low scores can validate hygiene, while unexpected increases can signal misconfigurations or takeover risk.
How do the exports help incident handling?
Exports provide a standardized record of inputs, scores, and recommendations. CSV supports trending and correlation. PDF supports tickets, audits, and handoffs where a static snapshot is required.