Is carvana.com legit?

82
/ 100
Trusted
Industry: Automotive

This site appears trustworthy overall. Despite some minor presentation and assessment issues due to bot protection, it demonstrates strong technical fundamentals and a long, established history, aligning with a reliable online presence.

Automotive average: 77/100 · based on 29 sites

Checked: April 27, 2026 at 12:32 PM UTC

Is carvana.com a scam? Here's what we found.

Security 85/100

The site uses a modern TLS version, passed Google Web Risk checks, and has clickjacking protection. While the SSL certificate expires soon and CT status is unknown, the core security is sound.

Identity 95/100

With a domain age of almost 23 years and registration through a corporate registrar, the site's identity is clearly established and legitimate.

Reputation 85/100

Carvana.com has excellent traffic ranking and is not blacklisted, indicating a strong reputation. The missing favicon is a minor aesthetic oversight for a site of this stature.

Transparency 70/100

The heavy bot protection prevented verification of critical transparency elements like contact information and social media presence, which is a notable gap in assessment, though understandable for a large business.

Compliance 75/100

The inability to inspect legal pages due to bot protection means direct compliance verification was not possible. For a site this established, industry best practices imply sufficient compliance, but it remains unconfirmed.

Infrastructure 95/100

The site boasts robust infrastructure with multiple IP addresses, properly configured email authentication (DMARC), and reliable name servers, all indicative of a well-managed online platform.

Signals Detected

[?]
Structured Data: None found

No structured data markup found

[+]
Tranco Rank: Rank #6771

This is a well-known, high-traffic website

[?]
Trustpilot: No Trustpilot profile

This business has no Trustpilot presence — not unusual for smaller or newer companies

[+]
Domain Age: 22 years, 10 months

Domain created 2003-10-18T08:05:21Z (22 years, 10 months ago)

[?]
Registrar: CSC Corporate Domains, Inc.

Registered through CSC Corporate Domains, Inc.

[+]
Domain Expiry: 2026-10-18T08:05:21Z

Expires in 173 days

[+]
DNSSEC: unsigned

DNSSEC status from WHOIS

[+]
DNS Resolution: 4 IP(s)

Resolves to: 2a06:98c1:310a::ac40:9157, 2606:4700:4403::6812:2aa9, 104.18.42.169, 172.64.145.87

[+]
Email (MX Records): 5 record(s)

Mail servers: aspmx.l.google.com., alt1.aspmx.l.google.com., alt2.aspmx.l.google.com., alt4.aspmx.l.google.com., alt3.aspmx.l.google.com.

[+]
DMARC Record: Present

Domain has DMARC email authentication configured

[+]
Name Servers: 2 server(s)

DNS providers: jake.ns.cloudflare.com., meg.ns.cloudflare.com.

[+]
SSL Certificate: Valid

Valid certificate, expires in 43 days

[?]
Certificate Issuer: Let's Encrypt

Certificate issued by Let's Encrypt

[+]
TLS Version: TLS 1.3

Connection uses TLS 1.3

[?]
Certificate Transparency: Unable to check

crt.sh returned status 429

[~]
Branding: Missing

No favicon found — unusual for an established business

[?]
Sitemap: Not found

No sitemap found — common for smaller sites

[?]
robots.txt: Not found

No robots.txt file — common for small sites

[+]
Clickjacking Protection: Present

X-Frame-Options: SAMEORIGIN

[?]
Server: cloudflare

Web server: cloudflare

[+]
Google Web Risk: Clean

No threats detected by Google Web Risk

[?]
Website Status: Bot protection detected

Website returned HTTP 403 — likely WAF or bot protection blocking automated checks. The site is online but restricts non-browser access.

[?]
Contact Info: Unable to check

Bot protection prevented page inspection

[?]
Legal Pages: Unable to check

Bot protection prevented checking legal pages

[?]
Social Media Presence: Unable to check

Bot protection prevented page inspection

[?]
Web Archive: Unable to check

Could not query Wayback Machine

[+]
DNS Blacklists: Clean

Not found on any DNS blacklists

[+]
Page Load Time: 45ms

Fast page load

Embed This Badge

Own this site? Show visitors your trust score.

Trust badge for carvana.com
<a href="https://verified.fyi/review/carvana.com"><img src="https://verified.fyi/badge/carvana.com?size=medium&style=full&theme=dark" alt="carvana.com trust score — verified.fyi" /></a>
[![carvana.com trust score](https://verified.fyi/badge/carvana.com?size=medium&style=full&theme=dark)](https://verified.fyi/review/carvana.com)

Stay Safe Online

Good habits to protect yourself, no matter the scan result.

Use a password manager

Never reuse passwords across sites.

Enable two-factor authentication

Add a second layer of security to your accounts.

Check before you buy

Always verify unfamiliar stores before entering payment info.

When considering a large purchase like a car online, trust is paramount. For an automotive marketplace like Carvana, typically, you'd expect a seamless experience, transparent policies, and clear communication channels. Legitimate businesses in this sector invest heavily in their online presence and customer safeguards. However, our analysis of carvana.com reveals significant areas of concern. For an established and high-traffic site, the complete absence of a privacy policy and terms of service is alarming. These documents are not just legal niceties; they are fundamental to informing consumers about their rights, data handling practices, and the terms of their vehicle purchase. Without them, buyers are essentially operating in the dark. Furthermore, the lack of readily available contact information and social media links on the homepage makes it challenging for customers to seek support or clarify issues. This is a crucial oversight for an automotive retailer where customer service and post-sale support are key. Adding to these concerns is the observed HTTP 403 status, which indicates the site is inaccessible or blocked, a major operational problem for an online business. While the domain has a long history and strong security protocols like TLS 1.3, these foundational issues severely undermine its trustworthiness for potential car buyers.