The 90-Second Domain Triage: A SOC Analyst's Reputation Workflow
This is a purely operational playbook for Level 1 analysts on how to triage a suspicious domain and escalate or close alerts with confidence.

It’s 3:00 AM, and an automated alert fires. A high-priority user reported an email as phishing. The message is from `corp-billing.net` and contains a PDF invoice. Everything about it feels slightly off, but there are no obvious malware signatures or URL blocklist hits. Is this a legitimate, but clumsy, vendor? Or is it the start of a business email compromise (BEC) incident?
Your next two minutes will determine whether this ticket is closed as benign or escalated into a full-blown incident. The cost of getting it wrong is high in either direction: escalate a false alarm and you burn L2/L3 analyst time; close a real threat and you risk a breach. The difference is made by a fast, repeatable, and defensible domain triage workflow.
This isn't about becoming a world-class domain forensics expert. This is about making a smart call, right now, with the data at hand. It's about turning ambiguity into a risk score you can act on.
Alert Fatigue Is the Job, Not the Problem
Let's be clear: the endless stream of alerts from your security tools isn't a sign of failure. It's the opposite. Your EDR, your secure email gateway, your cloud security posture manager—they are all designed to be sensitive. Their job is to surface potential anomalies, and the vast majority of those will be benign deviations, not malicious attacks. Your job as a Level 1 analyst is to be the human filter that separates the two.
The operational drag isn't the volume of alerts, but the 'mean time to investigate' for each one. If every suspicious domain requires you to open five browser tabs—WHOIS, a few blocklist checkers, a DNS record viewer—you're spending ten minutes on a task that should take less than two. Scale that across a team of five analysts handling dozens of alerts per shift, and you're losing hundreds of hours a month to manual data correlation. That's time you're not spending on confirmed threats.
The goal of a domain triage workflow is to shrink that investigation window without sacrificing accuracy. It's about front-loading the most impactful signals to make a quick, defensible judgment: escalate or close.
The 90-Second Playbook
This is a clock-driven process. The goal is speed and consistency. You're not writing a dissertation; you're deciding if the building is on fire.
First 30 Seconds: Age, Registrar, and Infrastructure
Before you even look at the email's content, look at the sender's container. A domain registered yesterday has no history and therefore no reputation to lose. It is inherently suspect. A domain registered ten years ago has baggage, good or bad, that you can analyze. Use an aggregated reputation tool that pulls WHOIS data instantly.
Is the domain registered through a service known for lax abuse policies? Does it have active MX (Mail eXchanger) records, or is it a parked domain that shouldn't be sending email at all? A domain with `A` records pointing to residential broadband is a massive red flag. These are foundational questions that take seconds to answer with the right tooling.
Next 60 Seconds: Email Authentication Posture
Now, check the sender’s commitment to email security. This isn't just about pass/fail verdicts; it’s about intent. Look at the `Authentication-Results` header in the raw email source. What does it tell you?
First, SPF (RFC 7208). Does the record exist? Is it a weak `~all` (softfail) or a strict `-all` (fail)? A softfail is a suggestion; a hardfail is a command. Second, DKIM (RFC 6376). Is there a valid signature? A passing DKIM signature proves the message body wasn't tampered with in transit, which is a powerful signal, especially if SPF fails due to a forwarder. Finally, DMARC (RFC 7489). Does a policy exist? A `p=none` policy is just for monitoring and offers no protection. A `p=quarantine` or `p=reject` policy shows the domain owner is actively defending their brand against impersonation. A domain with no DMARC record in 2024 is either negligent or brand new—both are suspicious.
Interpreting Mixed Signals
Rarely will all signals point in one direction. Your real skill is in weighing contradictory evidence. A domain might be old but recently compromised. It might be new but part of a legitimate product launch. This is where you move from data collector to analyst.
Blacklists and Sinkholes
Being on one or two minor blocklists is often just noise. Being on five, including major ones, is a pattern. Pay attention to *which* lists have flagged the domain. A hit on a spam-focused list for a marketing email is less concerning than a hit on a malware or phishing-focused list. Also, check if the domain's IP address resolves to a known sinkhole. If it does, the domain is unequivocally malicious and has likely been taken over by a security organization.
The Forwarder Problem: When 'Fail' Isn't Malicious
Email forwarding is the bane of SPF and DMARC alignment. Imagine a calendar invite from a vendor. They send it from their mail server, it's correctly signed with DKIM and passes SPF. Your user auto-forwards it to their personal Gmail. The Gmail mail server (`mx.google.com`) now sees a message *from* the vendor's domain, but it's arriving from your company's forwarding IP, which isn't in the vendor's SPF record. SPF fails. Because SPF failed, DMARC alignment also fails.
Authentication-Results: mx.google.com; dkim=pass header.i=@vendor-inc.com; spf=softfail (google.com: domain of transitioning user@my-company.com does not designate 1.2.3.4 as permitted sender) smtp.mailfrom=user@my-company.com; dmarc=fail (p=REJECT dis=FAIL) header.from=vendor-inc.com
This header looks scary—`spf=softfail`, `dmarc=fail`. But the key is `dkim=pass`. The DKIM signature is still valid, proving message integrity. This is a classic forwarding scenario, not a spoofing attempt. ARC (RFC 8617) was designed to fix this, but adoption is inconsistent. Recognizing this pattern is critical to avoiding false positives.
Escalation Criteria: When to Pull the Fire Alarm
A 'medium' risk score is where most analysts get stuck. The decision to escalate isn't just about the domain's reputation; it's about reputation *in the context of the email's payload and intent*.
A newly registered domain (high risk) sending a generic marketing newsletter (low risk intent) might average out to medium. You might add it to a local watchlist but close the initial alert. However, a newly registered domain sending a message with the subject 'Urgent: Action Required on Invoice' is a different story. The combination of a high-risk domain with high-risk intent is an immediate escalation.
Here are some combinations that should always trigger an escalation to L2:
One, any domain, regardless of age, impersonating your own brand or a key partner, especially if it's a lookalike (e.g., `my-c0mpany.com`). Two, any domain with a recent registration date (under 30 days) that is involved in a financial transaction, password reset, or requests for credentials. Three, a domain with a valid DMARC `p=reject` policy that suddenly starts failing DMARC checks from a non-forwarding source. This could indicate a compromise or a sophisticated spoofing attempt.
From Terminal to Ticket: Documenting the Verdict
How you document your findings is as important as the findings themselves. Nobody wants to read a raw WHOIS dump or a mess of `dig` commands pasted into a Jira ticket. Your documentation should be a clean, concise summary that justifies your decision.
A good finding reads like a police report: just the facts, leading to a conclusion. For a closed ticket: 'Domain `marketing-updates.biz` (age: 3 years, clean blocklists, DMARC p=none) sent a newsletter. Low risk. Closed.' For an escalated ticket: 'Domain `secure-portal-auth.com` (age: 2 days, registered via Namecheap, no MX/DMARC) sent a password reset link. High risk based on age and intent. Escalated to L2 for infrastructure analysis. Reputation report permalink: [URL].'
This structure gives the next analyst—or an auditor six months from now—everything they need to understand why you made the call you did. Using a tool that provides a permalink to a full reputation report is ideal, as it attaches the evidence to the ticket without cluttering it.
Integrating these reports into a SOAR platform is the next logical step. The moment a phishing alert is generated, an automation can enrich the ticket with the domain reputation report. This transforms the L1 analyst's role from data gatherer to decision-maker, allowing them to open a ticket and immediately have the core data needed to apply the escalation criteria we've discussed. This is how you scale security operations.
The takeaway
The 90-second domain triage isn't a magic bullet, but it's a force multiplier for a busy SOC. It imposes discipline on the investigative process, converting a chaotic series of checks into a linear workflow. It forces a decision based on a weighted risk score, replacing ambiguity with a defensible verdict.
Ultimately, your most finite resource is analyst focus. Wasting it on laborious, manual data collection for every low-grade alert is unsustainable. By standardizing and automating the initial domain reputation check with a platform like MailSleuth.AI, you allow your team to spend their time and energy where it truly counts: on the confirmed threats that pose a real risk to your organization.
We dissect phishing campaigns and email infrastructure so you don't have to.


