Analyze Domain Details

The domains icon in an investigation shows how many domains were found in a message header.

The domains icon shows how many domains were found in an investigation.

An investigation with one or more domains considered malicious displays both the number of domains found to be malicious and the total number of domains found, and the domains icon has a red background:

The domains icon has a red background when one or more domains are considered malicious.

If you hover over a domains icon with a red background, you will see a summary of the first two malicious issues found:

If you hover over the domains icon when it has a red background, a pop-up appears listing the basic details of the first two malicious domains found in the investigation.

If you hover over a domains icon with a red background in a selected investigation, it will turn a darker red, and you can click on the darker red domains icon to view details of the domains found in the investigation:

When the investigation is selected, the domains icon turns a darker red when you hover over it, and you can click the icon to get further details of the domains in the investigation.

A domain is considered malicious when its domain reputation score is too low. The domain reputation score is a determination of the riskiness of a domain found in message headers. It is generated by combining an evaluation by Domain Tools with scoring by the Agari Email Trust Platform. Domain Tools evaluates each domain on a scale of 0 to 100 for blacklist existence, known threat profile, whitelist existence, known malware, and known spam. The Agari Identity Intelligence component of Agari Secure Email Cloud scores each domain on a scale of 0 to 10. The result is a single reputation score for each domain on a scale of 0 to 10.

To analyze domain details

  1. Click on an investigation to select it.
  2. Click on the domain icon in the selected investigation. You will see the investigation details page with the Domains tab selected. (If it is not selected, click the Domains tab.) The Domains tab lists all domains found in all the messages in an investigation.
  3. Click Details (or the domain itself) to view more information about a specific domain. The details panel for a selected domain shows:
    • The full domain, which you can select and copy.
    • The score components and the tool that determined the score.
    • The date and time that the domain was scored.
    • The WHOIS record for the domain.