Trust Score: a beginner's guide
Evaluate domain trustworthiness from 7 signals
The single trust score (and what goes into it)
A trust score is a single composite number — usually 0 to 100, sometimes A-to-F — that summarizes how trustworthy a domain or IP address looks across every threat-intelligence dimension at once. Instead of asking a fraud analyst to mentally combine "this IP is on Spamhaus, the domain is two days old, the WHOIS is privacy-protected, and there's a typosquat alert," the trust score does the combining for you and gives you one number to put in a rule or a dashboard. The point is to make threat intelligence usable by people who are not full-time threat analysts.
You should care because threat intelligence is only valuable if the people making decisions actually use it, and the biggest barrier to use is interpretation. A signup-form rule that says "block if Spamhaus = bad AND domain age < 7 days AND IP is on a Tor exit node" requires the rule author to know what each of those means. A rule that says "block if trust score < 40" is the same decision in a form that a marketing analyst, a junior product manager, or an automated workflow can use without specialized training.
The five categories every trust score rolls up:
IP reputation. Public blocklists, historical abuse signals, hosting category.
Domain reputation. Public threat feeds, registration data, recent suspicious activity.
Domain age and history. A domain registered yesterday gets a lower score than one in continuous use for ten years.
WHOIS quality. Privacy-protected, missing, or anonymized WHOIS lowers the score; complete WHOIS with verifiable contact info raises it.
Network type. Residential and corporate score higher than datacenter, VPN, and Tor.
Each category gets weighted (IP reputation and domain reputation usually carry the most weight; WHOIS quality is usually a tiebreaker) and the weighted average becomes the overall score.
Three questions a single trust score answers:
Should my signup form, payment flow, or comment system block this visitor entirely, ask them to verify, or let them through?
For an abuse alert, how serious does this look at a glance?
Across my whole user base, what is the trust-score distribution and is it shifting over time?
The cost of not having a single score is the slow accumulation of complex multi-rule fraud logic that becomes impossible to maintain. The fix is to roll up the existing detail into one number, computed the same way every time, and let the rules use that number as their primary input. This is the difference between threat intelligence being a black box and threat intelligence being a measurable, accountable input to product decisions.
The Trust Score endpoint, in plain language
In one sentence: Evaluate domain trustworthiness from 7 signals
Calculates a composite trust score (0-100) from 7 weighted signals: domain age (20%), Tranco global popularity ranking (20%), WHOIS (who is) transparency (15%), certificate quality — EV/OV/DV type and validity period (15%), registrar reputation (15%), DNSSEC (Domain Name System Security Extensions) adoption (10%), and typosquat risk analysis (5%). Returns a risk level (low/medium/high/critical), individual trust factor scores, and specific red flags identified. Methodology draws on DomainTools risk scoring, Google Safe Browsing threat indicators, and Certificate Transparency (the official internet standard) data.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Analyzes 7 trust dimensions in parallel. Domain age scoring (max 20 pts) awards full marks for domains registered 5+ years ago, scaling down to 0 pts for newly registered domains — over 40% of newly registered domains are associated with fraud. Tranco ranking scoring (max 20 pts) gives 20 pts for top 1K sites, 18 pts for top 10K, 15 pts for top 100K, and 10 pts for top 1M. WHOIS (who is) transparency scoring (max 15 pts) awards 15 pts for visible registrant details, 12 pts when privacy protection is used. Certificate quality scoring (max 15 pts) differentiates EV (12 pts), OV (10 pts), and DV (7 pts) certificates with bonus points for long validity periods. Registrar reputation scoring (max 15 pts) awards 15 pts for premium registrars, 12 pts for ICANN-accredited, and 5 pts for standard registrars. DNSSEC (Domain Name System Security Extensions) scoring (10 pts) validates chain presence. Typosquat risk scoring (max 5 pts) detects if the domain itself appears to be a typosquat of a known brand, deducting points for similar-domain patterns.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Trust Score tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Trust scoring is critical for phishing detection, fraud prevention, and brand protection. Over 70% of newly registered domains are malicious or suspicious according to Palo Alto Unit 42 research. A composite trust score enables automated triage of suspicious domains, real-time fraud scoring for payment transactions, and proactive brand impersonation detection. The multi-signal approach avoids false positives — a single weak signal (like privacy-protected WHOIS (who is)) does not unfairly penalize legitimate domains when other trust factors are strong.
Picture this in real life. Imagine an SOC analyst / threat intelligence. Here's the situation they're walking into: Score domains reported in phishing emails or extracted from threat feeds to prioritize investigation. Low-trust domains (score <30) with recent registration dates, no DNSSEC (Domain Name System Security Extensions), and DV certificates are strong phishing indicators. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Trust Score tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Trust Score tool is built for you:
Is this domain or IP address known for fraud, phishing, or abuse?
Should my signup form, payment flow, or comment system trust this visitor?
Is someone out there registering lookalike domains targeting my brand?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Trust and safety teams, fraud analysts, brand-protection managers, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you find out a domain or IP was malicious only after it has already cost you money or trust. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the pro plan. The technical details: `GET /v1/score/trust`.
When would I actually use this?
If you're still on the fence about whether the Trust Score tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an SOC analyst / threat intelligence, a fraud analyst / payment security, a brand protection / digital risk, and a third-party risk analyst — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Phishing Triage & Investigation
Imagine you're an SOC analyst / threat intelligence. Score domains reported in phishing emails or extracted from threat feeds to prioritize investigation. Low-trust domains (score <30) with recent registration dates, no DNSSEC (Domain Name System Security Extensions), and DV certificates are strong phishing indicators.
Why it matters: Reduce phishing investigation time by 60-80% with automated trust-based triage that surfaces the highest-risk domains first.
Story 2: Real-Time Fraud Prevention
Imagine you're a fraud analyst / payment security. Evaluate the trustworthiness of domains used in e-commerce transactions, referral URLs, or checkout redirects. Block or flag transactions involving domains with critical or high risk levels before payment processing.
Why it matters: Prevent payment fraud by blocking transactions routed through low-trust domains — catching infrastructure that traditional blocklists miss during the 24-48 hour gap.
Story 3: Brand Impersonation Detection
Imagine you're a brand protection / digital risk. Monitor for low-trust domains that incorporate your brand name, trademarks, or product names. Combine trust scoring with typosquat detection to identify domains registered specifically for brand abuse campaigns.
Why it matters: Identify brand impersonation domains before they launch phishing campaigns — the first 32 days after registration is the optimal detection window.
Story 4: Vendor & Partner Due Diligence
Imagine you're a third-party risk analyst. Score partner and vendor domains as part of onboarding due diligence. Flag vendors with trust scores below your organization threshold (e.g., <60) for manual review. Check domain age, registrar quality, and certificate type as baseline trust indicators.
Why it matters: Data-driven vendor trust assessment that catches domains with suspicious registration patterns or poor infrastructure hygiene.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Trust Score tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Inside a signup form, payment flow, or comment system, to score risk in real time.
When investigating a customer complaint about a suspicious link or message.
On a recurring schedule, to monitor lookalike domains targeting your brand.
During incident response, to enrich an alert with reputation context.
If you can see yourself in even one of those bullets, the Trust Score tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Trust Score tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Trust Score tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
"https://api.edgedns.dev/v1/score/trust?domain=example.com"What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
domain | string | Yes | The domain to evaluate trustworthiness for. Analyzed via WHOIS (who is), DNS (Domain Name System), CT logs (Certificate Transparency logs), and Tranco ranking. | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
domain | string | The evaluated domain |
score | number | Composite trust score 0-100 (weighted sum of 7 factors) |
grade | string | Letter grade: A+ (95-100), A (85-94), B (70-84), C (50-69), D (30-49), F (0-29) |
gradeDescription | string | Human-readable description of the grade meaning |
breakdown | object | Individual trust factor scores with score, max, and details |
breakdown.age | object | Domain registration age analysis (max 20 pts) |
breakdown.ranking | object | Tranco global popularity ranking (max 20 pts) |
breakdown.whoisPrivacy | object | WHOIS (who is) registrant transparency (max 15 pts) |
breakdown.certificate | object | Certificate type EV/OV/DV and validity (max 15 pts) |
breakdown.registrar | object | Registrar accreditation level (max 15 pts) |
breakdown.dnssec | object | DNSSEC (Domain Name System Security Extensions) chain validation (max 10 pts) |
breakdown.typosquat | object | Typosquat pattern detection (max 5 pts) |
recommendations | array | Actionable recommendations for improving trust score (e.g., enable DNSSEC (Domain Name System Security Extensions), upgrade to EV certificate (Extended Validation certificate)) |
componentCount | number | Number of trust factors evaluated (max 7, fewer if data unavailable) |
partialFailure | boolean | Whether any data sources failed during evaluation — score may be less reliable when true |
failedComponents | array | List of components that failed: whois, certificate, DNSSEC. Empty when all sources succeed |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.
WHOIS (who is) — A public record that tells you who registered a domain name, when, and through which company. Modern WHOIS is now called RDAP but most people still say 'WHOIS'.
RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.
Need Programmatic Access?
Automate domain intelligence with 100+ API endpoints and a free MCP server for AI integration.