How we score website trust
Every SiteReviewChecker report produces a trust score from 0 to 100, built from publicly available signals and weighted toward the factors that most reliably distinguish legitimate websites from scams. We use no paid third-party reputation APIs — every signal is independently verifiable.
The four scoring categories
Domain Reputation carries the most weight because domain age is the single strongest statistical predictor of fraud — most scam sites are only days or weeks old.
Domain Reputation
35 pts- Domain age (up to 18 pts) — via RDAP registration date
- TLD reputation (8 pts) — established vs. abuse-prone extensions
- Typosquatting (6 pts) — Levenshtein distance to major brands
- Registrar transparency (3 pts)
Connection Security
25 pts- Valid HTTPS connection (10 pts)
- Trusted, unexpired TLS certificate (6 pts)
- HTTPS enforcement (4 pts)
- HSTS and security headers (5 pts)
Email & DNS
20 pts- DNS resolution (5 pts)
- MX records (6 pts)
- SPF policy (3 pts)
- DMARC policy (3 pts)
- DKIM signing (3 pts)
Transparency & Content
20 pts- Live, substantive content (7 pts)
- Contact information (4 pts)
- Privacy, terms & about pages (6 pts)
- Structured data & metadata (3 pts)
Verdict bands
| Score | Verdict |
|---|---|
| 86–100 | Highly Trusted |
| 71–85 | Probably Legitimate |
| 51–70 | Exercise Caution |
| 31–50 | Suspicious |
| 0–30 | Likely Scam |
Safeguards against false signals
Scammers can trivially obtain free HTTPS certificates and publish realistic-looking content, so those signals alone never produce a high score. We apply hard ceilings: a domain less than 30 days old cannot exceed a "Suspicious" rating; a newly registered domain on an abuse-prone TLD is capped in the "Likely Scam" range; and a name that closely imitates a major brand (typosquatting) is capped regardless of its other signals.
Conversely, a domain that does not resolve in DNS and returns no HTTP response receives no score at all — it is reported as "Could Not Analyze" rather than being given a misleading number.
This report is automated and provided for educational purposes. It is not a professional security audit and does not guarantee the safety or legitimacy of any website.
Research & standards behind each check
Every signal we score is defined by a public standard or grounded in published fraud research, so any report can be reproduced with open tools.
- Domain registration data — retrieved via RDAP, the IETF-standardized successor to WHOIS (RFC 9083).
- TLS certificates — validated with a live handshake against TLS 1.2/1.3 (RFC 8446); HSTS per RFC 6797.
- Email authentication — SPF (RFC 7208), DKIM (RFC 6376) and DMARC (RFC 7489).
- Domain-age weighting — phishing-landscape research (e.g. the APWG Phishing Activity Trends Reports) consistently finds maliciously registered domains are used within days of registration, which is why age carries the largest single weight.
- Fraud-loss context — FTC consumer fraud data and the FBI IC3 Internet Crime Report.
- Structured-data signals — vocabulary per schema.org; citation-confidence research per Aggarwal et al., KDD 2024.
Read more in our guides on how trust scores work and how AI systems rate websites, or start with the complete website safety guide.