Skip to main content
When URL Risk is on, you don’t have to pass URLs separately. Anything that looks like a link in the submitted text gets pulled out and scored. Each URL goes through threat-intel feeds and a model that’s seen a lot of phishing infrastructure. The response gives you a risk score and a handful of reason codes per URL. This page documents those fields and how to interpret them.

Fields

Signals

Observable properties of the URL. The shape is consistent on every request. Fields that aren’t applicable or weren’t checked come back as null.
Not every URL is analyzed in full depth. URLs that are clearly clean or clearly malicious from the string alone get a fast verdict, and the network-level signals (domain_age_days, has_email_setup, redirect_count, final_url, bot_protection) come back null. Treat null as “not checked,” not “not present.”

How signals describe redirect chains

When a URL redirects across domains (e.g. a shortener resolving to a landing page), signals are assembled from both the submitted URL and the final URL:
  • Describe the destination (where the user ends up): brand_impersonation, domain_age_days, has_email_setup, bot_protection
  • Describe the submitted URL (what was sent): redirect_count, final_url, is_reported
  • Either URL exhibiting the trait: is_link_shortener, has_suspicious_characters
Same-domain redirects (http://https://, trailing-slash canonicalization) don’t trigger re-analysis.

Reason codes

reasons is an ordered list of stable codes explaining why the URL looks risky. Codes only appear when a signal or rule actually attributed risk to this URL. A field being present is not enough; it has to have driven the score. Benign URLs return reasons: []. Reasons only describe what increased risk. You will not see has_email_setup as a reason. It’s the absence of email setup that’s concerning, and that surfaces as missing_email_setup.

Allowlists and blocklists

You can configure per-tenant allowlists and blocklists in the dashboard. These are applied before the risk model runs:
  • A blocklist hit returns risk_score: 1 and reasons: ["blocklisted"]. No signals are returned. The verdict comes from your configuration, not from analysis of the URL.
  • An allowlist hit returns risk_score: 0 and reasons: ["allowlisted"]. Also no signals.
  • Everything else flows through the risk model.
If a domain is on both lists, the blocklist wins.

Domain-level matching

Entries match at the registered domain level. Subdomains are not matched automatically. To allow every subdomain of your service, add each one explicitly. Given an allowlist entry of example.com: Matching is case-insensitive. Enter plain domain strings: no scheme, no path, no wildcards. Internationalized domains should be entered in their punycode form (xn--...).

FAQ

Risk is a moving target. Several inputs change between requests:
  • Domains age. A freshly registered domain looks risky today and less risky in six months. domain_age_days grows naturally.
  • Email infrastructure gets added. Legitimate businesses set up MX, SPF, and DMARC records as they grow up; throwaway domains rarely do. has_email_setup can flip from false to true as a domain matures.
  • Threat-intelligence feeds update constantly. A URL not on any feed today may be reported tomorrow.
  • Redirect destinations change. Shorteners and redirectors can be repointed at any time. The destination is re-resolved on every request.
  • The model is updated as the threat landscape shifts.
If you’re caching scores, cache them briefly. Re-evaluate any URL still in active circulation rather than relying on a result that’s hours or days old.
risk_score >= 0.5 is the default cutoff for “treat as malicious,” and it’s tuned so the rate of false positives at that threshold is low across typical user-generated content. Tighten it (e.g. 0.7) if your audience is unusually tolerant of risky links, or loosen it (e.g. 0.3) if you’d rather over-block. The reasons array gives you the why in either direction.
Add it to your allowlist. Allowlist entries override the risk model. This is the right tool for your own product domains, trusted partners, and URLs you’ve manually verified as safe.If you think the score is wrong in a way that would also affect other customers (for example, a brand-impersonation false positive on a legitimate brand variant), let us know and we’ll look at the model.