Shadow Domains
/v1/domain/shadow-domains
Enumerates alt-TLD variants of a domain (e.g., example.com → example.net, example.co, example.io, ccTLDs) and probes each registered variant for email infrastructure and web presence. Unlike typosquat detection, which focuses on character mutations of the brand name, shadow-domain discovery focuses on the same brand across different TLDs, catching look-alikes registered by squatters, competitors, or legitimate subsidiaries.
What It Does
Phase 1: For each of ~25 common TLDs (com, net, org, co, io, biz, info, me, us, uk, de, fr, it, es, eu, nl, ch, ca, au, jp, cn, in, br, ru), the endpoint generates a variant and queries its NS records via DNS over HTTPS (DoH) to determine registration status.
Phase 2: For each registered variant, it probes A, MX, SPF, and DMARC records in parallel.
Each variant is then graded by risk: critical (active mail infra pointing to a different operator), high (active web presence), medium (parked but registered), low (NS only, no active infrastructure). The response contains the full variant matrix with per-variant risk grade and evidence.
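The grading rubric above, sketched as an added Python example; it is not the service's own code, and it reads from a constructed record table instead of making DoH queries. The function names, the "last two labels" operator heuristic, the parking-nameserver set, and every hostname are assumptions made for illustration.

```python
# Added illustration; not the service's code. All DNS data is constructed.
TLDS = ["com", "net", "org", "co", "io", "biz"]  # subset of the page's list

def variants(domain, tlds=TLDS):
    """Alt-TLD variants of a label.tld brand domain, excluding itself."""
    label, _, tld = domain.lower().partition(".")
    return [f"{label}.{t}" for t in tlds if t != tld]

def operator(host):
    """Assumption: the last two labels of a hostname identify its operator."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def grade(rec, brand_ops, parking_ns):
    """Map one variant's records to a risk grade; None means unregistered."""
    if not rec.get("ns"):
        return None                      # Phase 1: no NS, treated as unregistered
    if {operator(h) for h in rec.get("mx", [])} - brand_ops:
        return "critical"                # mail handled by a different operator
    if {operator(n) for n in rec["ns"]} & parking_ns:
        return "medium"                  # assumption: parking nameservers = parked
    if rec.get("a"):
        return "high"                    # resolves to a web host
    return "low"                         # registered, nothing active

def sweep(domain, dns, brand_mx, parking_ns):
    """Grade every registered variant found in the `dns` lookup table."""
    brand_ops = {operator(h) for h in brand_mx}
    graded = {v: grade(dns.get(v, {}), brand_ops, parking_ns)
              for v in variants(domain)}
    return {v: g for v, g in graded.items() if g is not None}

# Constructed records (documentation names and 192.0.2.0/24 addresses).
SAMPLE_DNS = {
    "example.net": {"ns": ["ns1.dns-host.example."], "a": ["192.0.2.10"],
                    "mx": ["mx1.othermail.example."]},
    "example.org": {"ns": ["ns1.dns-host.example."], "a": ["192.0.2.20"], "mx": []},
    "example.co": {"ns": ["ns1.parking.example."], "a": ["192.0.2.30"], "mx": []},
    "example.io": {"ns": ["ns1.dns-host.example."], "a": [], "mx": []},
}

if __name__ == "__main__":
    result = sweep("example.com", SAMPLE_DNS,
                   ["mx.brandmail.example."], {"parking.example"})
    for name, risk in result.items():
        print(f"{name:12} {risk}")
```

The page does not say how a variant with MX records at the brand's own mail operator is graded; in this sketch it falls through to the web and parking checks.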
Why It's Useful
Brand squatters register alt-TLD variants long before attacks — the domain is dormant until a phishing or impersonation campaign lights it up. Discovering these dormant variants before they activate gives legal teams time to pursue UDRP takedowns and email teams time to block deliveries from lookalike senders.
Use Cases
Brand Protection Proactive Sweep
Run a quarterly shadow-domain scan for every trademarked brand to catch speculative registrations before campaigns activate.
Early takedown notices cut phishing campaign lifespans before they reach employees or customers.
Email Impersonation Defense
Identify shadow domains with active MX records and add them to sender-reputation lists for inbound filtering.
Block lookalike-sender phishing at the MTA before it reaches user inboxes.
M&A Due Diligence
During acquisition, audit shadow TLDs to understand what brand assets the seller does and does not control.
Scope post-close brand-acquisition work with accurate shadow-domain inventory.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The brand domain whose alt-TLD variants should be discovered. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried brand domain |
| variants_checked | number | Total TLD variants probed |
| registered_count | number | Number of registered variants |
| variants | array | Per-variant analysis with NS, A, MX, SPF, DMARC, risk_level |
| high_risk_variants | array | Variants graded critical or high |
| findings | array | Aggregate findings with severity |
| recommendations | array | Remediation steps (monitoring, takedown, defensive registration) |
Code Examples
```bash
# -G sends the -d data as a URL query string (GET), matching the examples below
curl -G "https://api.edgedns.dev/v1/domain/shadow-domains" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// Query the endpoint with the brand domain as a query parameter
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/shadow-domains?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the endpoint with the brand domain as a query parameter
response = requests.get(
    'https://api.edgedns.dev/v1/domain/shadow-domains',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```