Methodology — How We Score Website Trust

Overview

Every trust report on verified.fyi is generated in real time. When you scan a domain, we run a series of parallel checks against authoritative data sources, collect the resulting signals, and pass them to an AI model that interprets the findings and produces a scored report.

Each signal is classified as good, warning, bad, or neutral depending on what it reveals about the domain.

What We Check

Below is a subset of the checks we run, in real time, against every domain. We do not publish all sources of information here to prevent gaming the system.

WHOIS & Domain Registration

Domain age, creation and expiry dates, registrar, DNSSEC status. Queried directly via authoritative WHOIS servers.

SSL/TLS Certificate

Certificate validity, expiration, issuer, TLS version, and self-signed certificate detection.

Security Headers

HSTS, Content-Security-Policy, X-Frame-Options, server header inspection, and suspicious redirect detection.

Google Web Risk

Checks for known malware, social engineering, and unwanted software flags via the Google Web Risk API.

VirusTotal

Cross-references the domain against VirusTotal's database of malware and phishing detections, including community reputation scores.

DNS & Mail Authentication

A records, MX records, nameserver providers, SPF, DMARC, and DNSBL blacklist checks against multiple blocklists.

Wayback Machine

Queries the Internet Archive for the earliest known snapshot to establish how long a site has been publicly accessible.

Trustpilot Reviews

Extracts rating and review count from Trustpilot where a profile exists for the domain.

Tranco Top 1M

Checks the domain's ranking in the Tranco top sites list, a research-grade popularity ranking based on aggregated traffic data.

Certificate Transparency

Queries crt.sh for historical SSL certificate issuance and unique subdomain count as indicators of domain activity.

Content Analysis

Detects contact information, legal pages (privacy policy, terms of service), and social media presence on the homepage.

Branding & Metadata

Checks for favicon, Open Graph tags, Twitter Cards, and structured data (Schema.org) as indicators of a professionally maintained site.

Suspicious Patterns

Scans for urgency tactics, unrealistic discounts, non-reversible payment methods, excessive external scripts, and hidden content.

SEO & Crawlability

Analyses robots.txt directives and sitemap presence to assess crawl management and indexing practices.

Page Performance

Measures homepage load time as a basic indicator of infrastructure quality and investment.

How We Score

Signals are collected and passed to an AI model that evaluates them in context. The model scores each domain across six trust categories:

Security

SSL/TLS configuration, Safe Browsing status, malware and phishing detections, VirusTotal results.

Identity

WHOIS visibility, domain age, registrar reputation, ownership clarity.

Reputation

Blacklist status, Wayback Machine history, external trust signals, web presence longevity.

Transparency

Contact information, about pages, social media presence, openness.

Compliance

Infrastructure

DNS configuration, DNSSEC, hosting quality, SPF/DKIM/DMARC mail authentication.

Each category receives a score from 0 to 100. Deductions are applied based on the severity of findings:

1–5 points: Minor issues (cosmetic gaps, missing sitemap on a personal blog)
5–15 points: Moderate concerns (domain under 1 year old, partial legal pages, no DNSSEC)
15–30 points: Serious issues (no SSL, hidden WHOIS on a business domain, blacklist presence)
30–50 points: Severe flags (Google Safe Browsing hit, VirusTotal detections, active phishing indicators)

The overall trust score (0–100) produces a verdict:

80–100: Trusted
60–79: Mostly Safe
40–59: Use Caution
20–39: Suspicious
0–19: Dangerous

AI Analysis

Raw signals alone don't tell the full story. A missing privacy policy means something different for a personal blog than for an e-commerce site. Our AI model interprets the signals in context — considering the type of site, its industry, and the relative severity of each finding.

Limitations

No automated system can guarantee that a website is safe. Our reports reflect what can be determined from publicly available signals at the time of the scan. Trust scores can change as sites update their configuration, and some forms of fraud are not detectable through external analysis alone.

verified.fyi is an informational tool, not a substitute for professional security advice.