Phishing Detection

Detect Suspicious Domains Before They Become Incidents

Build domain risk scoring pipelines with current WHOIS, RDAP, DNS, SSL, and monitoring data. Identify newly registered domains, active mail infrastructure, fresh certificates, and risky EPP states.

Example domain risk model

Newly registered: +40
Active MX records: +20
Fresh SSL certificate: +20
Missing DMARC: +10
Transfer/hold EPP status: +10

Detection Strategy

Phishing detection works best as signal fusion

No single field proves a domain is malicious. A useful detection pipeline combines timing, infrastructure, email posture, certificate activity, and brand similarity.

Age

Domain creation date, newly registered flag, and expiration window.

DNS

A, AAAA, MX, TXT, DMARC, nameserver, and SOA records.

SSL

Certificate validity, issuer, subject, and expiration timing.

WHOIS

Registrar, EPP status, nameservers, registration and renewal dates.

Recommended detection flow

Normalize the domain

Strip the scheme, path and port, lowercase the hostname, convert IDNs to their punycode (xn--) form while keeping the Unicode form for analyst review, and extract the registrable domain (eTLD+1), so that a co.uk-style public suffix is not mistaken for the root.

Query WHOIS/RDAP

Read creation date, registrar, status codes, nameservers, and expiration metadata.

Query DNS and email records

Prioritize domains that already have A records or MX records, that have no SPF TXT record or a permissive one, or that publish no DMARC policy.

Check SSL activation

A fresh certificate often means a domain is moving toward active web use. Treat it as an activation signal, not a trust signal: domain-validated certificates are free and issued within minutes, so a phishing site is as likely to have a valid one as a legitimate site.

Score, route, monitor

Send high-risk domains to analysts, quarantine, or automated monitoring.

Node.js risk enrichment sketch
// Read the key from the environment rather than hard-coding it
// (WHOISJSON_API_KEY is an assumed variable name; use your own).
const headers = { Authorization: `TOKEN=${process.env.WHOISJSON_API_KEY}` };
const base = "https://whoisjson.com/api/v1";

// Fetch WHOIS/RDAP, DNS and certificate data for one domain in parallel
// and return the parsed JSON bodies. Requires Node.js 18+ for global fetch.
async function enrichDomain(domain) {
  const q = encodeURIComponent(domain);
  const responses = await Promise.all([
    fetch(`${base}/whois?domain=${q}`, { headers }),
    fetch(`${base}/nslookup?domain=${q}`, { headers }),
    fetch(`${base}/ssl-cert-check?domain=${q}`, { headers })
  ]);
  for (const res of responses) {
    if (!res.ok) throw new Error(`WhoisJSON ${res.url} returned HTTP ${res.status}`);
  }
  const [whois, dns, ssl] = await Promise.all(responses.map((res) => res.json()));

  // Combine age, MX, DMARC, SSL and status codes
  // into your own risk score.
  return { whois, dns, ssl };
}

Practical Scoring

Domain age is useful, but it is not enough

A newly registered domain can be a startup, a campaign page, a parked asset, or a phishing domain. The value comes from combining age with infrastructure and intent signals.

Signal: Domain age under 30 days
Risk impact: High for threat triage and brand abuse watchlists.
Common false positive: New product launches, new companies, marketing campaigns.

Signal: Active MX records
Risk impact: Raises priority for phishing and impersonation workflows.
Common false positive: Legitimate mail setup for a new service.

Signal: Valid SSL certificate
Risk impact: Indicates web activation and user-facing readiness.
Common false positive: Any normal HTTPS website needs one.

Signal: Missing DMARC
Risk impact: Matters when the domain can send or receive email.
Common false positive: Parked domains or domains not used for mail.

Signal: Suspicious keywords
Risk impact: Login, verify, secure, support, billing, wallet, invoice can imply intent.
Common false positive: Legitimate support portals and campaign microsites.

Reducing false positives

Avoid blocking on a single signal. Use a score threshold, require multiple independent indicators, and route medium-risk domains to review rather than automatic enforcement.

For example: newly registered + MX + brand similarity is more urgent than newly registered alone. Newly registered + SSL + login keyword is more urgent than SSL alone.
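One way to turn the risk model at the top of this page and the two-gate rule above (score threshold plus several independent indicators) into code, as an added example that is not WhoisJSON's own. The evidence record shape, the keyword and brand-lookalike weights, the thresholds, the brand list and the three sample domains are all assumptions constructed for the example; the first five weights mirror the page's risk model.

```javascript
// Added example, not WhoisJSON code. The `evidence` record shape is an
// assumption for this example (map your API responses into it); the
// keyword/brand weights, thresholds and sample domains are constructed.
const WEIGHTS = {
  newlyRegistered: 40,   // created within the last 30 days (page risk model)
  activeMx: 20,          // page risk model
  freshCert: 20,         // certificate issued within the last 7 days (page risk model)
  missingDmarc: 10,      // page risk model; counted only when the domain has MX
  riskyEppStatus: 10,    // transfer / hold states (page risk model)
  suspiciousKeyword: 15, // assumed weight
  brandLookalike: 30,    // assumed weight
};
const KEYWORDS = ["login", "verify", "secure", "support", "billing", "wallet", "invoice"];
const RISKY_EPP = ["pendingTransfer", "clientHold", "serverHold", "pendingDelete"];
const DAY_MS = 86_400_000;

// Levenshtein distance: catches "paypa1" vs "paypal" style lookalikes.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// A brand is impersonated when the leftmost label embeds it or sits within
// two edits of it; an exact match is the brand's own domain, not a lookalike.
function brandLookalike(domain, brands) {
  const label = domain.split(".")[0].replace(/[^a-z0-9]/g, "");
  return brands.some((brand) => {
    if (label === brand) return false;
    return label.includes(brand) || editDistance(label, brand) <= 2;
  });
}

function route(score, hits) {
  // Two gates: a score threshold AND several independent indicators, so a
  // lone "newly registered" hit can never escalate or block on its own.
  if (score >= 70 && hits.length >= 3) return "escalate";
  if (score >= 40 && hits.length >= 2) return "review";
  return score > 0 ? "monitor" : "clear";
}

function scoreDomain(evidence, { brands = [], now = Date.now() } = {}) {
  const daysSince = (iso) => (now - Date.parse(iso)) / DAY_MS;
  const hits = [];
  if (daysSince(evidence.createdAt) <= 30) hits.push("newlyRegistered");
  if (evidence.mx.length > 0) hits.push("activeMx");
  if (evidence.certIssuedAt && daysSince(evidence.certIssuedAt) <= 7) hits.push("freshCert");
  if (evidence.mx.length > 0 && !evidence.dmarc) hits.push("missingDmarc");
  if (evidence.eppStatus.some((s) => RISKY_EPP.includes(s))) hits.push("riskyEppStatus");
  if (KEYWORDS.some((k) => evidence.domain.includes(k))) hits.push("suspiciousKeyword");
  if (brandLookalike(evidence.domain, brands)) hits.push("brandLookalike");
  const score = hits.reduce((sum, h) => sum + WEIGHTS[h], 0);
  return { domain: evidence.domain, score, hits, route: route(score, hits) };
}

// Constructed sample evidence: a lookalike, a new startup, an old mail domain.
const NOW = Date.parse("2024-06-10T00:00:00Z");
const SAMPLES = [
  { domain: "paypal-login-verify.com", createdAt: "2024-06-05T12:00:00Z", mx: ["mx1.mailhost.example"],
    dmarc: null, certIssuedAt: "2024-06-08T09:00:00Z", eppStatus: ["clientTransferProhibited"] },
  { domain: "acme-launch.io", createdAt: "2024-05-28T00:00:00Z", mx: [],
    dmarc: null, certIssuedAt: "2024-06-01T00:00:00Z", eppStatus: ["ok"] },
  { domain: "example.org", createdAt: "1995-08-14T00:00:00Z", mx: ["mail.example.org"],
    dmarc: "v=DMARC1; p=reject", certIssuedAt: "2024-03-01T00:00:00Z", eppStatus: ["ok"] },
];

function triageSamples() {
  return SAMPLES.map((e) => scoreDomain(e, { brands: ["paypal", "microsoft"], now: NOW }));
}

for (const r of triageSamples()) {
  console.log(`${r.domain.padEnd(26)} score=${String(r.score).padEnd(4)} ${r.route.padEnd(9)} [${r.hits.join(", ")}]`);
}
```

Run as written, the lookalike collects six independent hits and escalates, the 13-day-old startup scores 40 on age alone and only lands in monitoring, and the established mail domain scores 20 for its MX records. A lookalike that is new but has no infrastructure yet ("paypa1.com", one day old) reaches 70 with only two hits, so the indicator gate holds it at review rather than escalation until DNS, MX or a certificate appears.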

SOC triage

Enrich suspicious domains from alerts, emails, SIEM events, user reports, or proxy logs. Add WHOIS age, DNS posture, SSL status, and EPP status before escalating.

Detection playbook

Threat intelligence feeds

Before adding a domain to an internal feed, record the evidence: creation date, resolver data, mail capability, certificate state, and monitoring history.

Abuse monitoring

Monitor high-risk domains after the first hit. DNS and SSL changes can reveal when dormant infrastructure becomes active.
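The activation pattern described above, as an added example that is not WhoisJSON's code: it diffs successive monitoring snapshots of one domain and reports the moment a parked domain gains an A record, MX record or certificate. The snapshot shape and the four sample snapshots are constructed for the example; in practice they would be filled from the DNS and certificate lookups.

```javascript
// Added example, not WhoisJSON code: diff time-ordered snapshots of a
// watched domain and flag when dormant infrastructure goes live.
// Snapshot shape and sample data are constructed for this example.
const norm = (list) => list.map((x) => x.toLowerCase()).sort();

const ACTIVATION_RULES = [
  { event: "a-record-added",    test: (p, c) => p.a.length === 0 && c.a.length > 0 },
  { event: "mx-added",          test: (p, c) => p.mx.length === 0 && c.mx.length > 0 },
  { event: "cert-issued",       test: (p, c) => !p.certFingerprint && !!c.certFingerprint },
  { event: "cert-rotated",      test: (p, c) => !!p.certFingerprint && !!c.certFingerprint && p.certFingerprint !== c.certFingerprint },
  // Compare nameservers case-insensitively and order-independently so that
  // resolver ordering noise does not look like a change.
  { event: "nameserver-change", test: (p, c) => norm(p.ns).join(",") !== norm(c.ns).join(",") },
  { event: "dmarc-removed",     test: (p, c) => !!p.dmarc && !c.dmarc },
];

// A domain has an attack surface once anything user-facing or mail-facing exists.
function hasSurface(s) {
  return s.a.length > 0 || s.mx.length > 0 || !!s.certFingerprint;
}

function diffSnapshots(prev, curr) {
  const events = ACTIVATION_RULES.filter((r) => r.test(prev, curr)).map((r) => r.event);
  return {
    domain: curr.domain,
    observedAt: curr.observedAt,
    events,
    // "activated" fires once: the first snapshot in which a formerly parked
    // domain has any A record, MX record or certificate.
    activated: !hasSurface(prev) && hasSurface(curr),
  };
}

// Walk a time-ordered series and keep only the snapshots where something changed.
function watch(snapshots) {
  const changes = [];
  for (let i = 1; i < snapshots.length; i++) {
    const d = diffSnapshots(snapshots[i - 1], snapshots[i]);
    if (d.events.length > 0) changes.push(d);
  }
  return changes;
}

// Constructed snapshots: parked at registration, a no-op recheck, then web
// activation (A record, certificate, new nameservers), then mail.
const SNAPSHOTS = [
  { domain: "paypal-login-verify.com", observedAt: "2024-06-05", a: [], mx: [],
    ns: ["ns1.parking.example", "ns2.parking.example"], certFingerprint: null, dmarc: null },
  { domain: "paypal-login-verify.com", observedAt: "2024-06-06", a: [], mx: [],
    ns: ["NS2.parking.example", "ns1.parking.example"], certFingerprint: null, dmarc: null },
  { domain: "paypal-login-verify.com", observedAt: "2024-06-08", a: ["203.0.113.10"], mx: [],
    ns: ["ns1.hosting.example", "ns2.hosting.example"], certFingerprint: "sha256:constructed-1", dmarc: null },
  { domain: "paypal-login-verify.com", observedAt: "2024-06-09", a: ["203.0.113.10"], mx: ["mx.hosting.example"],
    ns: ["ns1.hosting.example", "ns2.hosting.example"], certFingerprint: "sha256:constructed-1", dmarc: null },
];

for (const change of watch(SNAPSHOTS)) {
  console.log(change.observedAt, change.activated ? "ACTIVATED" : "changed", change.events.join(", "));
}
```

The second snapshot differs from the first only in nameserver case and order, so it produces no event; the third is the activation that should re-trigger scoring and analyst review; the fourth adds mail capability, which is the point at which missing DMARC starts to matter.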

FAQ

Phishing Domain Detection Questions

Can an API prove a domain is phishing?

Not by itself. Domain intelligence produces evidence and risk signals. Final classification should consider content, reports, similarity to a protected brand, hosting behavior, and user impact.

Which signal is the strongest?

Domain age is one of the strongest early signals, but it creates false positives alone. It becomes much stronger when combined with MX records, suspicious terms, SSL activation, and brand similarity.

Should I query WHOIS or RDAP?

Use an API that normalizes both. WhoisJSON routes through RDAP where available and falls back when needed, giving your application a consistent response model.

How often should suspicious domains be rechecked?

Recheck high-risk domains daily or monitor them continuously. Many phishing domains are registered while dormant, then activate DNS, MX, or SSL shortly before use.

Add domain risk scoring to your security stack

WHOIS, DNS, SSL, availability, and monitoring under one API key.