
How Lookalike Domains Are Scored

Overview

The PowerDMARC Lookalike Domain Checker assigns a risk score from 0 to 100% to every lookalike domain it detects. This score represents the overall likelihood that a domain poses a phishing, impersonation, or brand-abuse threat to your organization.

Each score maps to a clear risk label:

  • Low Risk: 0–29%

  • Medium Risk: 30–69%

  • High Risk: 70–100%

What Goes Into the Score?

The risk score is calculated from four attributes, each carrying a specific weight. The weights sum to 100%, so a domain that scores the maximum on every attribute reaches exactly 100%:

Attribute       Weight   What It Measures
Domain Status   20%      Whether the lookalike domain is registered, parked, or unregistered (available to purchase)
Attack Type     20%      The mutation technique used to generate the lookalike domain
DNS Records     35%      Which DNS records (A, MX, NS) are present for the domain
SSL Status      25%      The state of the domain's SSL certificate


How Each Attribute Is Evaluated

Domain Status (20%)

The registration state of a lookalike domain is a strong signal of intent. A domain that someone has actively registered is more likely to be used for malicious purposes than one that merely could be registered.

  • Registered — The domain has active DNS records and is owned by someone. This receives the full weight (100% of the 20%).

  • Parked — The domain is registered but shows no meaningful mail infrastructure (no MX record, and SPF is set to v=spf1 -all). This receives half the weight (50% of the 20%).

  • Not Registered — The domain does not resolve and has no DNS presence. This contributes nothing to the score (0%).

Attack Type (20%)

Different mutation techniques carry different levels of risk based on how deceptive they are and how commonly they appear in real-world phishing campaigns.

  • Homograph (IDN) — Uses visually identical Unicode characters (e.g., Cyrillic "а" instead of Latin "a"). In DNS the name appears in its Punycode form with an "xn--" label prefix, but the browser address bar may render the Unicode form. This is the most deceptive attack type and receives the full weight (100% of the 20%).

  • Typosquatting — Exploits common keyboard-adjacent typing errors (e.g., "googke.com", where the "l" is replaced by the neighbouring "k"). Receives 70% of the weight.

  • All other types — Deletion, Insertion, Substitution, Transposition, Repetition, and TLD Variation each receive 50% of the weight. While still relevant threats, these techniques are generally easier for a trained eye to spot.

DNS Records (35%)

The presence of DNS records indicates that a domain is actively configured and potentially in use. This attribute carries the highest weight because a domain with mail and web infrastructure is far more likely to be used in an attack.

The DNS score is the sum of the individual record contributions:

  • A record present — Contributes 30% of the DNS weight (the domain resolves to an IP address and can host a website).

  • MX record present — Contributes 40% of the DNS weight (the domain can send and receive email — a critical signal for phishing risk).

  • NS record present — Contributes 30% of the DNS weight (the domain has nameservers assigned).

If all three record types are present, the domain receives the full 35% contribution. If none are present, this attribute contributes 0%.

SSL Status (25%)

An SSL certificate can indicate that someone has invested effort in making a domain appear legitimate. Browsers present sites with valid certificates as secure (historically with a padlock icon) and show no warning, which increases user trust; attackers exploit this, and publicly trusted certificates are free to obtain, so a valid certificate should be read as evidence of deliberate setup rather than of legitimacy.

  • Valid — A trusted certificate is in place, the domain matches, and the certificate is current. Full weight (100% of the 25%).

  • Expired, Invalid, or Untrusted — The certificate exists but has issues (expired, mismatched domain, self-signed, or broken trust chain). Each of these receives 80% of the weight, since the presence of any certificate still indicates deliberate setup.

  • Missing — No certificate is presented or HTTPS is unavailable. This contributes 0%, as it may simply indicate the domain is not actively maintained.

Scoring Examples

Example 1 — Low Risk (20%)

A parked domain for which none of the A, MX, or NS records were detected, and which presents no SSL certificate:

  • Domain Status: Parked → 20% × 0.5 = 10

  • Attack Type: Repetition → 20% × 0.5 = 10

  • DNS Records: None → 35% × 0 = 0

  • SSL Status: Missing → 25% × 0 = 0

  • Total: 20% — Low Risk

Example 2 — Medium Risk (51%)

A registered domain with partial DNS records but no SSL:

  • Domain Status: Registered → 20% × 1.0 = 20

  • Attack Type: Repetition → 20% × 0.5 = 10

  • DNS Records: A + NS present, MX missing → 35% × 0.6 = 21

  • SSL Status: Missing → 25% × 0 = 0

  • Total: 51% — Medium Risk

Example 3 — High Risk (100%)

A registered domain using a homograph attack with full DNS records and a valid SSL certificate:

  • Domain Status: Registered → 20% × 1.0 = 20

  • Attack Type: Homograph → 20% × 1.0 = 20

  • DNS Records: A + MX + NS all present → 35% × 1.0 = 35

  • SSL Status: Valid → 25% × 1.0 = 25

  • Total: 100% — High Risk
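The following is an added example that re-implements the scoring model described in "How Each Attribute Is Evaluated" and checks it against the three worked examples above. It is not PowerDMARC's own code. The weights, sub-weights and risk bands come from this article; the attribute value names, the Observation type, the placeholder domain names, and the treatment of fractional scores (compared directly against the band boundaries, so 29.5 is Low Risk) are my assumptions. Unknown attribute values raise an error rather than silently scoring zero, so a new mutation type or certificate state cannot quietly drag a domain into a lower band.

```python
"""Re-implementation of the documented lookalike risk score (added example).

Weights, sub-weights and bands are from the article. The value names below,
the Observation/Score types and the handling of fractional totals are
assumptions of this example, not PowerDMARC's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass
from fractions import Fraction

# Attribute weights in percentage points; they sum to 100.
WEIGHTS = {"domain_status": 20, "attack_type": 20, "dns_records": 35, "ssl_status": 25}

# Fraction of each attribute's weight awarded for the observed value.
DOMAIN_STATUS = {"registered": Fraction(1), "parked": Fraction(1, 2), "not_registered": Fraction(0)}
ATTACK_TYPE = {
    "homograph": Fraction(1),
    "typosquatting": Fraction(7, 10),
    # All remaining mutation types share one sub-weight (50%).
    **{t: Fraction(1, 2) for t in ("deletion", "insertion", "substitution",
                                   "transposition", "repetition", "tld_variation")},
}
# The DNS contribution is the sum of the shares for the records present.
DNS_RECORD_SHARE = {"A": Fraction(3, 10), "MX": Fraction(4, 10), "NS": Fraction(3, 10)}
SSL_STATUS = {
    "valid": Fraction(1),
    **{s: Fraction(4, 5) for s in ("expired", "invalid", "untrusted")},
    "missing": Fraction(0),
}


@dataclass(frozen=True)
class Observation:
    """What the checker observed for one lookalike domain (assumed shape)."""
    domain: str
    status: str            # key of DOMAIN_STATUS
    attack_type: str       # key of ATTACK_TYPE
    dns_records: frozenset  # subset of DNS_RECORD_SHARE keys
    ssl_status: str        # key of SSL_STATUS


@dataclass
class Score:
    domain: str
    contributions: dict  # attribute name -> points contributed (exact Fraction)

    @property
    def total(self) -> Fraction:
        return sum(self.contributions.values(), Fraction(0))

    @property
    def label(self) -> str:
        return risk_label(self.total)


def risk_label(total) -> str:
    """Map a 0-100 score to the article's bands.

    Fractional totals are compared directly (assumption): anything below 30 is
    Low, anything below 70 is Medium, everything else is High.
    """
    if total < 30:
        return "Low Risk"
    if total < 70:
        return "Medium Risk"
    return "High Risk"


def _lookup(table: dict, key: str, attribute: str) -> Fraction:
    # Fail loudly on unknown values instead of scoring them as 0.
    if key not in table:
        raise ValueError(f"unknown {attribute} value {key!r}; expected one of {sorted(table)}")
    return table[key]


def score_domain(obs: Observation) -> Score:
    unknown = set(obs.dns_records) - set(DNS_RECORD_SHARE)
    if unknown:
        raise ValueError(f"unknown DNS record types {sorted(unknown)}")
    dns_share = sum((DNS_RECORD_SHARE[r] for r in obs.dns_records), Fraction(0))
    contributions = {
        "domain_status": WEIGHTS["domain_status"] * _lookup(DOMAIN_STATUS, obs.status, "domain status"),
        "attack_type": WEIGHTS["attack_type"] * _lookup(ATTACK_TYPE, obs.attack_type, "attack type"),
        "dns_records": WEIGHTS["dns_records"] * dns_share,
        "ssl_status": WEIGHTS["ssl_status"] * _lookup(SSL_STATUS, obs.ssl_status, "SSL status"),
    }
    return Score(obs.domain, contributions)


# The article's three worked examples as constructed observations. The domain
# names are placeholders chosen to match the stated mutation type.
EXAMPLES = [
    Observation("exaample.com", "parked", "repetition", frozenset(), "missing"),          # 20, Low
    Observation("exampple.com", "registered", "repetition", frozenset({"A", "NS"}), "missing"),  # 51, Medium
    Observation("exаmple.com", "registered", "homograph", frozenset({"A", "MX", "NS"}), "valid"),  # 100, High (Cyrillic а)
]

if __name__ == "__main__":
    for obs in EXAMPLES:
        s = score_domain(obs)
        parts = ", ".join(f"{k}={float(v):g}" for k, v in s.contributions.items())
        print(f"{obs.domain!r} ({obs.domain.encode('idna').decode()}): {float(s.total):g}% {s.label} [{parts}]")
```

Running the block prints each example with its per-attribute breakdown and the Punycode (xn--) form of the homograph domain, which is what you would see in DNS logs and certificate transparency records.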


PowerDMARC is the author of this solution article.
