
Domain Age Checker

Check how old any domain is. Get the registration date, age, and a fraud-risk read in one click.

For developers

REST API

All of UserCheck's email and domain intelligence in a fast and simple API.

$ curl https://api.usercheck.com/domain/github.com
{
  "domain_age_in_days": 6189
}

1,000 free credits each month · no credit card required.

Domain age as a risk signal

Most established businesses run on domains registered years ago. Phishing campaigns, disposable email services, and one-off scams typically use domains registered shortly before they're put to work, then abandoned. That difference is what makes domain age useful at signup: a domain registered last week carries more risk than one registered in 2014.

How much weight to give it depends on the number. Domains under a month old are where phishing and throwaway services concentrate. A few months is worth a closer look. Past a year or two, the signal fades, since most legitimate businesses are in that range too. UserCheck returns the exact age in days, so you set your own thresholds.

Where the date comes from, and its limits

Age is the WHOIS or RDAP creation date: when the domain was first registered, which renewals and transfers don't reset. Two caveats. Some attackers register domains and let them age before use, so an old domain isn't proof of legitimacy. And some TLDs, including .de, .eu, and several country codes, don't publish a creation date, so the age can come back unknown. Pair it with other signals rather than relying on it alone.

Checking it from your code

Every /domain and /email lookup includes domain_age_in_days. Branch on your own threshold during signup or any risk check. See the API documentation for examples.

Frequently asked

Common questions

How is domain age calculated?

From the domain's WHOIS or RDAP creation date, the day it was first registered. Renewing the domain or transferring it to a new owner doesn't reset it.

What age threshold should I use for flagging signups?

There's no universal cutoff. Under 30 days is the most common flag threshold, since that's where phishing and disposable domains concentrate; stricter flows step up verification for anything under 90. The API returns the exact age in days rather than a bucket, so you choose the threshold and can adjust it as you learn what your own signups look like.

Why do fraud teams care about domain age?

Newly registered domains are heavily over-represented in phishing, account fraud, and disposable email. A domain registered in the last 30 days is a strong risk signal, though not a conviction on its own, so it's best combined with checks like MX records and disposable detection.

Can domain age be faked?

The creation date itself can't be: the registrar sets it at first registration and it can't be edited. But sophisticated attackers do buy domains and sit on them to age them before an attack, which is why age should back up other signals rather than stand alone.

Why is the age "Unknown" for some domains?

Some TLDs, notably .de, .eu, and several country codes, don't publish registration dates, and some registrars rate-limit WHOIS. When the date isn't available, we return unknown rather than guess.

Can I check domain age from my code?

Yes. Both /domain/{domain} and /email/{email} include domain_age_in_days, alongside the disposable, MX, and relay fields. The API documentation has examples.
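An added example (not UserCheck's own code) of branching on domain_age_in_days with the 30- and 90-day thresholds discussed above, keeping an unavailable age as its own outcome instead of treating it as old or new. The action names, the other_signals_clean input, and the representation of an unknown age (missing key, null, or non-integer) are assumptions; the sample responses are constructed.

```python
import json

FLAG_UNDER_DAYS = 30     # most common flag threshold named on this page
STEP_UP_UNDER_DAYS = 90  # stricter flows step up verification below this

def domain_age_days(body):
    """Return the age in days, or None when no usable age is present."""
    age = body.get("domain_age_in_days") if isinstance(body, dict) else None
    # Assumption: an unknown age arrives as a missing key, null, or non-integer.
    if isinstance(age, bool) or not isinstance(age, int) or age < 0:
        return None
    return age

def age_signal(body, flag_under=FLAG_UNDER_DAYS, step_up_under=STEP_UP_UNDER_DAYS):
    """Map the response to 'flag', 'step_up', 'no_signal' or 'unknown'."""
    age = domain_age_days(body)
    if age is None:
        return "unknown"
    if age < flag_under:
        return "flag"
    if age < step_up_under:
        return "step_up"
    return "no_signal"

def signup_action(raw_json, other_signals_clean):
    """Hypothetical policy: age supports the caller's other checks, never replaces them."""
    try:
        body = json.loads(raw_json)
    except json.JSONDecodeError:
        body = None  # unparseable response: treat age as unknown
    signal = age_signal(body)
    if signal == "flag":
        return "verify" if other_signals_clean else "review"
    if signal == "step_up":
        return "verify"
    # Old or unknown age is not evidence of legitimacy; other signals decide.
    return "allow" if other_signals_clean else "verify"

if __name__ == "__main__":
    # Constructed sample responses (only the field shown on this page).
    samples = ['{"domain_age_in_days": 6189}', '{"domain_age_in_days": 12}',
               '{"domain_age_in_days": 45}', '{"domain_age_in_days": null}']
    for raw in samples:
        print(raw, "->", signup_action(raw, other_signals_clean=True))
```

The thresholds are keyword arguments of age_signal, so they can be tuned per flow without touching the unknown-age handling.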