Why Is My Domain Health Score Low?
A low health score means one or more critical signals are failing. This diagnostic guide covers every possible cause and exactly how to fix each one.
The domain health score is a composite 0-100 number calculated from six dimensions. A low score means one or more of these dimensions is failing or degraded. This guide walks through each possible cause and how to fix it.
Check the Domain Detail Page First
Open the domain detail page and look at the health score breakdown. Each dimension shows a sub-score — this immediately narrows down which area is causing the low overall score.
SSL Issues (High Weight)
Certificate expired
Symptom: SSL sub-score is 0 or very low. Fix: Renew the certificate immediately. For Let's Encrypt, check that certbot is running and has write access to the webroot or is configured with the correct challenge method.
Certificate expiring soon
Symptom: SSL sub-score is reduced. Days remaining under 30. Fix: Trigger renewal now. Don't wait until the 7-day automated window — if automation fails, you want time to fix it manually.
Broken certificate chain
Symptom: SSL tab shows "Chain valid: No". Fix: Your server is not sending intermediate certificates. Download the full chain from your CA (usually a file named chain.pem or fullchain.pem) and configure your web server to use it. For Nginx: ssl_certificate should point to fullchain.pem, not just cert.pem.
HSTS missing
Symptom: Minor health deduction. Fix: Add the header: Strict-Transport-Security: max-age=31536000; includeSubDomains
Domain Expiry Issues (High Weight)
Domain expiring soon
Symptom: WHOIS sub-score is low. Days until expiry under 60. Fix: Log in to your registrar and renew. Enable auto-renewal while you are there.
Domain status codes show issues
Symptom: WHOIS tab shows serverHold, pendingDelete, or redemptionPeriod. Fix: Contact your registrar immediately. serverHold means the domain is suspended. pendingDelete means it is being deleted — time is critical.
Blacklist Issues (High Weight)
Domain or IP on a blacklist
Symptom: Security sub-score is very low. Blacklist tab shows one or more hits. Fix:
- Identify which blacklist(s) you are on (shown in the Security tab).
- Find the cause: check server mail logs for unauthorized outbound email, scan for malware, check for open relays.
- Fix the underlying issue before requesting delisting.
- Submit a delisting request to each blacklist (Spamhaus, Barracuda, etc. each have their own process).
- Re-scan after 24-48 hours to confirm removal.
DNS Issues (Medium Weight)
DNS records changed unexpectedly
Symptom: DNS sub-score reduced. Activity feed shows DNS change detected. Fix: Review the DNS tab change history. If the change was unauthorized, revert it in your DNS provider immediately and investigate how it happened (check DNS provider access logs, rotate credentials).
Missing expected records
Symptom: MX records missing on a domain that sends email. Fix: Add the missing records. Check your email provider's required DNS settings.
Security Headers Missing (Medium Weight)
Missing CSP, HSTS, X-Frame-Options, or other headers
Symptom: Security sub-score is partially reduced. Fix: Add the missing headers in your web server config or CDN:
For Nginx:
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
For Cloudflare: Add headers via Transform Rules → Modify Response Header.
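To confirm the headers actually reach clients, including on error pages, the following added example (not part of the original guide or of the scoring tool) audits a response head against the values recommended above. The names parse_head and audit, the acceptance of DENY, and the sample responses are assumptions made for illustration.

```python
MIN_HSTS_MAX_AGE = 31536000  # one year, the max-age used in this guide
# Assumption: DENY is accepted as a stricter alternative to the guide's SAMEORIGIN.
ALLOWED = {"x-frame-options": {"sameorigin", "deny"},
           "x-content-type-options": {"nosniff"}}

def parse_head(raw):
    """Split a raw HTTP response head into (status, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    pairs = (line.partition(":") for line in lines[1:])
    return status, {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    status, headers = parse_head(raw)
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security missing")
    else:
        parts = [p.strip().lower() for p in hsts.split(";") if p.strip()]
        age = next((p[8:].strip('"') for p in parts if p.startswith("max-age=")), "")
        if not age.isdigit() or int(age) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age missing or below one year")
        if "includesubdomains" not in parts:
            findings.append("HSTS lacks includeSubDomains")
    for name, allowed in ALLOWED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name} missing")
        elif value.lower() not in allowed:
            findings.append(f"{name} has unexpected value {value!r}")
    if "content-security-policy" not in headers:
        findings.append("content-security-policy missing")
    if findings and status >= 400:
        # nginx adds add_header fields to error responses only with "always"
        findings.append(f"status {status}: check that add_header uses 'always'")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = ("HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000; includeSubDomains\n"
        "X-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\n"
        "Content-Security-Policy: default-src 'self'\n")
ERROR_PAGE = "HTTP/1.1 404 Not Found\nContent-Type: text/html\n"
WEAK = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=300\nX-Frame-Options: ALLOWALL\n"

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("404", ERROR_PAGE), ("weak", WEAK)):
        print(label, audit(raw) or "OK")
```

To run it against your own site, pass it the output of curl -sI for both a normal page and a nonexistent path, so that a missing "always" shows up on the error response.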
Uptime Issues (Medium Weight)
Domain unreachable
Symptom: Uptime sub-score is 0. Fix: Check your hosting provider status page, verify your server is running, confirm DNS A records point to the correct IP, and check for firewall rules blocking ports 80/443.
Slow response time
Symptom: Uptime sub-score partially reduced. Fix: Investigate server performance, add a CDN, optimize your application, or upgrade hosting.
Quick Diagnostic Checklist
- SSL certificate valid and not expiring within 30 days?
- Domain expiry more than 60 days away?
- Not listed on any blacklist?
- DNS records haven't changed unexpectedly?
- Security headers present (HSTS minimum)?
- Domain responding with HTTP 200?
If all six are green, your health score should be 80+.