Is epa.gov legit?

75
/ 100
Mostly Safe
Industry: Government

epa.gov appears to be a legitimate and largely trustworthy government website, scoring 'Mostly Safe'. However, a concerning number of external scripts and an SSL certificate expiring imminently flag areas that need immediate attention to maintain its strong security posture and public trust.

Government average: 80/100 · based on 33 sites

Checked: April 18, 2026 at 8:04 AM UTC · Refresh

Is epa.gov a scam? Here's what we found.

Security 70/100

While the site uses strong encryption (TLS 1.3) and robust security headers like HSTS and CSP, the expiring SSL certificate is a critical oversight. The high number of external scripts also introduces potential security risks, even if no threats were detected by Google Web Risk.

Identity 95/100

With a domain nearly 29 years old and registered through get.gov, the identity of epa.gov is unequivocally established as a long-standing government entity. The custom branding reinforces its official status.

Reputation 90/100

Ranked among the most visited websites globally and clean on all DNS blacklists, epa.gov holds a strong and undisputed reputation. Its extensive history further solidifies its standing as an authoritative source.

Transparency 85/100

The site provides clear contact information and a visible presence on multiple social media platforms, indicating a commitment to public engagement and accessibility. This is expected from a government body.

Compliance 75/100

While the site functions as a government portal, the absence of a complete set of legal pages (privacy policy or terms of service) is a notable gap for a public-facing organization managing extensive data and interactions.

Infrastructure 95/100

The site benefits from a well-configured infrastructure with DNSSEC enabled, proper email authentication (SPF, DMARC), and a fast-loading server. This robust setup ensures reliable access and communication.

Signals Detected

[+]
Tranco Rank: Rank #940

This is one of the most visited websites globally

[?]
Structured Data: None found

No structured data markup found

[?]
Trustpilot: No Trustpilot profile

This business has no Trustpilot presence — not unusual for smaller or newer companies

[~]
External Scripts: 30 scripts

Excessive number of external scripts — may indicate malicious injection

[+]
robots.txt: Present

robots.txt has 56 directives

[+]
DNS Blacklists: Clean

Not found on any DNS blacklists

[+]
HSTS Header: Present

Site enforces HTTPS via HSTS

[+]
Content Security Policy: Present

Site has Content Security Policy configured

[+]
Clickjacking Protection: Present

X-Frame-Options: SAMEORIGIN

[?]
Server: nginx

Web server: nginx

[+]
Google Web Risk: Clean

No threats detected by Google Web Risk

[+]
Sitemap: 38 pages

Site maintains a proper sitemap with 38 indexed pages

[-]
SSL Certificate: Valid

Valid certificate, expires in 6 days

[?]
Certificate Issuer: DigiCert Inc

Certificate issued by DigiCert Inc

[+]
TLS Version: TLS 1.3

Connection uses TLS 1.3

[+]
DNS Resolution: 2 IP(s)

Resolves to: 2620:117:506f:15::f022, 134.67.21.34

[+]
Email (MX Records): 1 record(s)

Mail servers: usepa.mail.protection.outlook.com.

[+]
SPF Record: Present

Domain has SPF email authentication configured

[+]
DMARC Record: Present

Domain has DMARC email authentication configured

[?]
Name Servers: 4 server(s)

DNS providers: dcns2.epa.gov., nccns1.epa.gov., dcns1.epa.gov., nccns2.epa.gov.

[+]
Branding: Complete

Site has custom branding and social media metadata

[+]
Domain Age: 28 years, 11 months

Domain created 1997-10-02T01:29:23Z (28 years, 11 months ago)

[?]
Registrar: get.gov

Registered through get.gov

[+]
Domain Expiry: 2026-08-04T10:28:49Z

Expires in 108 days

[+]
DNSSEC: signedDelegation

DNSSEC status from WHOIS

[+]
Website Status: Online

Website is live and responding

[+]
Contact Info: Found

Website appears to have contact information

[~]
Legal Pages: Partial

Website is missing either privacy policy or terms of service

[+]
Social Media Presence: 4 platforms

Website links to multiple social media platforms

[?]
Web Archive: Unable to check

Could not query Wayback Machine

[?]
Certificate Transparency: Unable to check

Could not query certificate transparency logs

[+]
Page Load Time: 685ms

Fast page load

Embed This Badge

Own this site? Show visitors your trust score.

Trust badge for epa.gov
<a href="https://verified.fyi/review/epa.gov"><img src="https://verified.fyi/badge/epa.gov?size=medium&style=full&theme=dark" alt="epa.gov trust score — verified.fyi" /></a>
[![epa.gov trust score](https://verified.fyi/badge/epa.gov?size=medium&style=full&theme=dark)](https://verified.fyi/review/epa.gov)

Stay Safe Online

Good habits to protect yourself, no matter the scan result.

Use a password manager

Never reuse passwords across sites.

Enable two-factor authentication

Add a second layer of security to your accounts.

Check before you buy

Always verify unfamiliar stores before entering payment info.

When evaluating a government website like epa.gov, trust is paramount, as these sites often contain critical public information and services. For a site to be truly trustworthy, it should demonstrate robust security, clear identity, and transparent operations, much like any institution handling public trust. epa.gov, as the official site for the U.S. Environmental Protection Agency, largely meets these expectations. Its nearly three-decade-old domain and high global traffic rank are powerful indicators of its established and authoritative presence. Most government sites invest heavily in branding and public-facing contact information, which epa.gov successfully demonstrates with its comprehensive branding and easily accessible contact details. However, a crucial area for concern on epa.gov is its SSL certificate, which is set to expire in just six days. While the site currently uses modern encryption (TLS 1.3), an expired certificate would trigger security warnings for users, potentially disrupting access and eroding trust. Additionally, the presence of 30 external scripts is unusually high for a government site; while not inherently malicious, it increases the attack surface and can impact performance or introduce vulnerabilities if any of those third-party scripts are compromised. Users should always be vigilant for unexpected behavior even on seemingly official sites, especially if encountering certificate warnings. These issues, while solvable, are significant for a site of this stature and should be addressed promptly to maintain its 'Mostly Safe' rating and public confidence.