Domain Age & Registration Risk

Domain Age & Registration Risk pulls registration data from RDAP (the modern WHOIS replacement) and scores two signals. Domain age, because most internet abuse comes from very young domains: phishing kits, malware C2, and disposable scam sites typically register a domain, run their campaign for days to weeks, and abandon. Mail filters and security products use age as a default-suspicious signal. Expiry proximity, because a domain about to lapse can be picked up by parking services, registrar holdbacks, or attackers in the registration aftermarket.

Honest framing: a legitimate brand-new domain will score low here regardless of how clean it is, and time is the only fix for the age signal. The check is not penalizing your hygiene; it is reporting a statistical risk signal that downstream filters use. Expiry, on the other hand, is fully under your control.

How the check works

Per scan, RedScore calls RDAP for the domain and reads creation_date and expiry_date events. From those: age_days and expires_in_days. The score combines two ladders.

Age ladder (base score)

• Under 30 days: 0.1. Very new; aligns with abuse-domain pattern.
• 30 to 90 days: 0.35. Recent.
• 90 to 365 days: 0.75. Under a year, but past the highest-risk window.
• 365+ days: 1.0. Mature.
• RDAP data unavailable: 0.7 (reason: domain_registration_data_unavailable). Conservative middle ground.

Expiry cap (over the age score)

• Under 15 days to expiry: cap at 0.45. Reason: domain_expiring_soon.
• 15 to 45 days: cap at 0.7. Reason: domain_expiring_soon.
• 45+ days: no cap.

Final score = min(age_score, expiry_cap). Verdict via the standard CT composite mapping.

How the verdict maps to evidence

• Pass: domain at least 365 days old AND at least 45 days to expiry.
• Warn: recent registration, or expiry under 45 days, or RDAP-unavailable.
• Fail: very new (under 30 days) registration, or imminent expiry under 15 days.

Evidence shows age_days, expires_in_days, profile_source (which RDAP server answered), and a sample of RDAP events.

Fix paths

domain_recently_registered (under 365 days)

Time is the only direct fix. The check moves up automatically as your domain ages: 30 → 90 → 365 → mature. While you wait, mitigate the downstream impact:

• Maintain transparent, accurate registration data. Many filters trust domains with public, contact-able owners more than privacy-shielded registrations. If your registrar offers privacy and you do not need it, consider opting out for the first year.
• Run a real, indexable site with substantive content. Empty or parked-looking pages on a young domain hit multiple flags simultaneously (this check, Web Presence Quality, sometimes Safe Browsing). See Web Presence Quality for content thresholds.
• Publish full email authentication early (SPF, DKIM, DMARC). Recipients give legitimate authentication weight; new-domain spam typically does not bother. See the Email Security category.
• Get listed in CT logs early. The first cert issuance for a new domain happens automatically when you turn on HTTPS; the public CT record establishes your domain's existence to security tools that use CT as a baseline.
• Avoid free, throwaway-looking gTLDs if you have a choice. .tk, .ml, and similar free TLDs are statistically associated with abuse and many filters apply additional scrutiny regardless of age. Mainstream TLDs (.com, .net, .org, country-code TLDs) face less default suspicion.

domain_expiring_soon (under 45 days)

Renew immediately. Most registrars allow renewal up to 9 years out; renewing for multiple years also slightly improves filter signals (longer registrations are statistically less abuse-prone). Steps:

• Log in to your registrar. Renew for at least 1 year, ideally longer.
• Verify the renewal is reflected in WHOIS / RDAP. Some registrars take 24-48 hours to update RDAP after payment.
• Set auto-renew on. Most registrars have it disabled by default.
• Update the registrant contact email to a monitored address that will receive renewal warnings.
• Multi-year renewal: registering for 5+ years signals stability and is treated favorably by some reputation providers (and is rarely much more expensive than year-by-year).

domain_registration_data_unavailable

RDAP did not return parseable registration data. Common causes:

• Country-code TLD without RDAP support yet. Some ccTLDs (less common ones) still only support legacy WHOIS, not RDAP. Limited fix; the score is stuck at 0.7 mid-credit.
• Registrar-side issue. Try the same domain in https://rdap.org/domain/yourdomain.tld manually to see if RDAP returns anything.
• Privacy or redaction over-applied. Some registrars redact creation date as part of GDPR responses; the score cannot use what is not returned.
• Internal-only or reserved domain. Domains in special registries may not have public RDAP.

Verify

• Manual RDAP lookup: https://rdap.org/domain/yourdomain.tld returns the registration JSON; look for events with eventAction "registration" and "expiration".
• WHOIS via terminal: whois yourdomain.tld (legacy, less reliable).
• Verify in the registrar dashboard. The expiry date there should match RDAP.
• Re-run the RedScore lookup. Renewal updates RDAP within hours; the next scan after RDAP refresh shows the new score.

Common pitfalls

• Treating recent_registered as a hygiene problem. It is not a fix; the check accurately reflects a population-level abuse signal. The actionable mitigations above are about reducing collateral impact while you wait for time to fix the age side.
• Renewing for short periods only. 1-year renewals work for the score but auto-renew lapses leave you back at expiring-soon every year. Multi-year renewals reduce churn.
• Not setting auto-renew, then forgetting. Auto-renew is the cheapest insurance against expiring_soon; turn it on and forget.
• Trusting the registrar's renewal email reaching you. Registrars regularly send renewal emails to old addresses, addresses that fail spam filters, or addresses that get archived. Add expiry to your own monitoring (calendar reminder, monitoring tool, or any uptime/cert-monitoring tool that also tracks domain expiry).
• Privacy services hiding contact data and dropping age signal. WHOIS/RDAP privacy services sometimes return placeholder dates or omit registration events. The check downgrades to 0.7 (data unavailable) rather than 1.0 (mature). Disable privacy if it removes too much; or accept the partial score.
• TLD migrations: registering a new TLD for an existing brand. The new TLD registration is genuinely new and will be flagged. Plan brand expansions to give the new TLD time to age, or accept the temporary flag.