Is carvana.com legit?
You should use extreme caution when considering carvana.com. The complete lack of legal pages, contact information, and the website's inaccessible status are significant red flags for any reputable online business. While some technical aspects are strong, these fundamental issues make trusting the site very difficult.
Automotive average: 73/100 · based on 29 sites
Checked: April 18, 2026 at 7:58 AM UTC · Refresh
Is carvana.com a scam? Here's what we found.
The site uses a modern TLS 1.3 protocol and has a valid SSL certificate, issued by Let's Encrypt, ensuring encrypted communication. No threats were detected by Google Web Risk, which is a strong positive indicator.
With a domain age of over 22 years, this website has a long-established online presence. It's registered through a reputable corporate registrar, CSC Corporate Domains, Inc., suggesting professional domain management.
The website holds a good Tranco rank, indicating high traffic and visibility. It's also clean on all DNS blacklists, which is a positive sign for its reputation regarding spam or malicious activity.
This is a major weak point. The absence of clear contact information and social media links on the homepage makes it very difficult to engage with the company or address any concerns, which is critical for an e-commerce site.
The complete lack of legal pages, specifically a privacy policy and terms of service, is a critical compliance failure for any business operating online, especially one involved in high-value transactions like vehicle sales. This raises serious concerns about data handling and customer rights.
While DNS and email authentication records (SPF, DMARC) are well-configured, the critical issue of the website returning an HTTP 403 error means the site is currently inaccessible in some capacity, which severely impacts its functional trust.
Signals Detected
This is a well-known, high-traffic website
No structured data markup found
This business has no Trustpilot presence — not unusual for smaller or newer companies
No favicon found — unusual for an established business
Valid certificate, expires in 53 days
Certificate issued by Let's Encrypt
Connection uses TLS 1.3
Domain created 2003-10-18T08:05:21Z (22 years, 9 months ago)
Registered through CSC Corporate Domains, Inc.
Expires in 183 days
DNSSEC status from WHOIS
crt.sh returned status 429
X-Frame-Options: SAMEORIGIN
Web server: cloudflare
No threats detected by Google Web Risk
No sitemap found — common for smaller sites
No robots.txt file — common for small sites
Resolves to: 2a06:98c1:310a::ac40:9157, 2606:4700:4403::6812:2aa9, 104.18.42.169, 172.64.145.87
Mail servers: aspmx.l.google.com., alt2.aspmx.l.google.com., alt1.aspmx.l.google.com., alt3.aspmx.l.google.com., alt4.aspmx.l.google.com.
Domain has SPF email authentication configured
Domain has DMARC email authentication configured
DNS providers: meg.ns.cloudflare.com., jake.ns.cloudflare.com.
Website returned status 403
No obvious contact information found on homepage
No privacy policy or terms of service found
No social media links found on homepage
Not found on any DNS blacklists
Could not query Wayback Machine
Fast page load
Embed This Badge
Stay Safe Online
Good habits to protect yourself, no matter the scan result.
Never reuse passwords across sites.
Add a second layer of security to your accounts.
Always verify unfamiliar stores before entering payment info.