Domain Submission Classification
The following table defines the Domain Trust Platform Taxonomy, which standardizes the data fields and classifications used for domain submissions.
Each entry lists the field title, its possible values, and a description of those values.
| Field Title | Field Value | Field Value Description |
|---|---|---|
| Activity | active | Domain is active |
| blocked | Domain is blocked | |
| non-existent | Domain does not exist | |
| suspended | Domain has been suspended | |
| taken-down | Domain has been taken down | |
| Abuse Type | botnets | Domain involved in botnet operations |
| malware | Domain hosting or distributing malware | |
| pharming | Domain redirecting users to malicious sites | |
| phishing | Domain used for phishing attacks | |
| spam | Domain used for spam activities | |
| Classification | definitely-clean | Definitely not malicious; designed to allow loading of allowed lists, negative false positives, or investigations underway |
| definitely-malicious | Definitely malicious (in the provider’s opinion) | |
| possibly-malicious | Possibly malicious | |
| probably-malicious | Probably malicious (in the provider’s opinion) | |
| Provider Rating | high-confidence | High confidence provider such as police officer or judge |
| med-confidence | Medium confidence provider with high-scale SOC such as CERTs/CSIRTs, ISPs, and TELCOs | |
| low-confidence | Low confidence provider such as anti-spam and anti-scam contributors | |
| predictive | Predictive intelligence provider such as artificial intelligence contributors | |
| trial | Trial or evaluation provider | |
| Provider Role | ICANN | Internet Corporation for Assigned Names and Numbers |
| other | Other type of provider | |
| registrar | Domain registrar | |
| registry | Domain registry operator | |
| reseller | Domain reseller | |
| Source | external-reported | Reported by external source |
| self-reported | Self-reported by the provider | |
| Type (optional) | brand-spoof | Domain spoofing legitimate brands |
| fraud | Domain used for fraudulent activities | |
| Static Fields | Comments | Additional comments or notes |
| Date Identified | Date the domain was found to be malicious or suspicious | |
| Domain | Full domain name being reported | |
| Is Blocked | Whether the domain is blocked by Quad9 | |
| Provider | Name of the information provider | |
| Registration Date | Date the domain was registered with a registrar | |
| Root Domain | Root domain (e.g., example.com) | |
| SLD | Second-level domain (e.g., example in example.com) | |
| Source Name | Name of the reporting source | |
| Subdomain | Subdomain portion (e.g., www in www.example.com) | |
| TLD | Top-level domain (e.g., .com, .org) | |
| URLs | Associated URLs with malicious activity |
✅ Note: This taxonomy defines the standardized field values accepted and returned by Domain Trust’s APIs and the web interface.