Domain Reputation API v1 Code samples

Evaluate a domain's reputation based on numerous security data sources as well as on an instant host's audit procedure. For a given domain name or IPv4 address, collect and evaluate over 120 parameters and calculate the resulting reputation score.

GEThttps://api.threatintelligenceplatform.com/v1/reputation?domainName=threatintelligenceplatform.com&mode=fast&apiKey=YOUR_API_KEY

Input parameters

---

Parameter	Type	What it means
domainName (required)	string	The target domain name or IPv4 address.
apiKey (required)	string	Get your personal API KEY on My subscriptions page.
mode (optional)	string	TIP can check the domain specified in two modes: "fast" (default). Only select test codes will run — i.e., 62 WHOIS Domain status, 82 Malware Databases check, 87 SSL certificate validity, and 93 WHOIS Domain check—while other tests and data collectors will be disabled. "full". All tests will be performed, similar to what the TIP GUI displays.

Sample output

---

{
    "mode": "fast",
    "reputationScore": 97.51,
    "testResults": [
        {
            "test": "Name servers configuration meets best practices",
            "testCode": 76,
            "warnings": [
                "Some name servers are located on a single ASN: ns68.domaincontrol.com - AS26496, ns67.domaincontrol.com - AS26496"
            ],
            "warningCodes":[
                1013
            ]
        },
        {
            "test": "SOA record configuration check",
            "testCode": 84,
            "warnings": [
                "The minimum TTL is 600. Recommended range is [3600 .. 86400]"
            ],
            "warningCodes":[
                1020
            ]
        },
        ...
}

The data returned

---

Field	Type	What it means
mode	string	Selected mode
reputationScore	integer	Composite safety score based on numerous security data sources. 0 is dangerous, and 100 is safe.
testResults[0].test	string	The test name which reduced the final score. See available tests.
testResults[0].testCode	integer	Unique numeric test identifier. See available test codes.
testResults[0].warnings	string[]	The list of warnings detected during the test execution. See available warnings.
testResults[0].warningCodes	integer[]	List of unique numeric warning codes. See available warning codes.

Test codes

---

CSV format: domain-reputation-api-test-codes.csv

---

Code	Test name
26	Mail servers Reverse IP addresses match
32	Mail servers Real-time blackhole check
61	WHOIS and DNS name servers match
62	WHOIS Domain status
71	Open ports and services
74	Name servers configuration check
75	Name servers response
76	Name servers configuration meets best practices
80	Mail servers configuration check
81	Mail servers response
82	Malware databases check
84	SOA record configuration check
87	SSL certificate validity
88	SSL vulnerabilities
91	Potentially dangerous content
92	Host configuration issues
93	WHOIS Domain check

Warning codes

---

CSV format: domain-reputation-api-warning-codes.csv

---

Code	Warning
1001	Name servers with private IPs found.
1002	Some name servers don’t respond.
1003	Some name servers allow recursive queries.
1004	Some name servers don’t provide A record for target domain name.
1005	Some name servers are listed by authoritative servers but not by parent ones.
1006	Some name servers are not listed by authoritative name servers.
1007	Name servers with invalid domain names found.
1008	NS records with CNAME found.
1009	Glue is required but not provided. No IPv4/IPv6 glue found on some authoritative or parent name servers.
1010	NS records are different on different name servers.
1011	Name servers not allowing TCP connections to be found.
1012	Domain’s name servers number doesn’t meet recommendations. It’s recommended to have 2-7 name servers.
1013	Some name servers are located on a single ASN.
1014	Some name servers are located in the same network.
1015	Versions are exposed for some name servers.
1016	Name servers without A records found. Those servers are not reachable via IPv4.
1017	Name servers without AAAA record found. Those servers are not reachable via IPv6.
1018	SOA serial number is valid but not following general convention.
1019	SOA expire interval doesn’t meet recommended range. It should be [604800 .. 1209600].
1020	SOA minimum TTL doesn’t meet recommended range. It should be [3600 .. 86400].
1022	Some name servers have different serial numbers.
1023	SOA refresh interval doesn’t meet recommended range. It should be [1200 .. 43200].
1024	SOA retry interval doesn’t meet recommended range. It should be [120 .. 7200].
1025	SOA zone's administrative contact email is not set.
1026	Unable to fetch domain's NS records.
2001	Recently registered domain.
2002	Domain name’s registration expired.
2003	Domain name’s registration expires soon.
2004	Domain name’s WHOIS status isn’t safe.
2005	Domain name is registered in a free zone.
2006	Domain’s name servers not found in the WHOIS record.
2007	WHOIS record's Name Servers don't match ones returned by the parent NS.
2008	Domain is registered in a country considered to be offshore.
2009	Domain name’s owner details are publicly available.
3001	Directory listing is allowed on website.
3002	IFrames found on the website.
3003	Links to .apk files found on the website.
3004	Links to .exe files found on the website.
3005	Opened .git directory in the document root found.
3006	There are open ports on the target server.
3007	Redirects found on website.
3008	Scripts opening new windows found.
4001	Target domain name or URL listed on some malware blocklists.
4002	Target domain name or URL listed on some phishing blocklists.
4003	Target domain name or URL listed on some spam blocklists.
4004	Target domain name or URL listed on some reputation blocklists.
4005	Target domain name or URL listed on some denial of service attack data blocklists.
5000	Some mail servers' domain names received through Reverse DNS are resolving to different IP addresses than the ones provided in the initial A records. Emails sent from servers configured this way may be rejected.
5001	Some mail servers are found with real-time blocklist check.
5002	Can't connect to some mail servers.
5003	For some mail servers, greeting response doesn't contain the mail server's domain name.
5004	Some mail servers don't allow setting postmaster@%host% as recipient.
5005	Some mail servers don't allow setting abuse@%host% as recipient.
5006	A records are not configured for some mail servers.
5007	AAAA records are not configured for some mail servers.
5008	CNAME in MX records found.
5009	Some MX records contain invalid domain names.
5010	Private IPs usage in MX records detected.
5011	IP addresses found in MX records.
5012	Non-identical MX records on name servers found.
5013	Some MX records defined more than once.
5014	Some mail servers use the same IPv4 address.
5015	SPF record is not configured.
5016	DMARC record is not configured.
5017	Non-identical SPF/DMARC records on name servers found.
5018	Google mail servers are configured with a wrong TTL.
5019	Google mail servers are configured with an incorrect Top server.
5020	The following mail servers use the same IPv6 address.
6023	No SSL certificates found.
6001	Recently obtained SSL certificate detected.
6002	SSL certificate is not valid yet.
6003	SSL certificate expires soon.
6004	SSL certificate expired.
6005	CRL check failed.
6006	OCSP check failed.
6007	Target hostname isn’t present in SSL certificate.
6008	SSL certificate is self-signed.
6009	TLSv1.2 not supported but should be.
6010	SSLv2 is supported but shouldn’t be.
6011	SSLv3 is supported but shouldn’t be.
6012	Suboptimal cipher suites supported.
6013	SSL compression enabled on server.
6014	HPKP headers set.
6015	HTTP Strict Transport Security not set.
6017	Heartbleed vulnerability detected.
6018	TLS_FALLBACK_SCSV not supported.
6019	TLSA record not set.
6020	TLSA record configured incorrectly.
6021	OCSP stapling not configured.
6022	Public key listed on Debian’s blocklist.