What is the most abused TLD (Top-Level Domain) for spam?

Michael Ko
Co-founder & CEO, Suped
Published 21 Apr 2025
Updated 24 May 2026

The shortest honest answer is this: .com is usually the most abused TLD by raw spam and malicious domain count, because it is the largest TLD by a wide margin. When rankings normalize by abuse rate, the answer changes. Smaller, cheaper, high-churn TLDs such as .cfd, .top, .xyz, .icu, .sbs, .click, and .bond often look much worse.
That distinction matters for email. A receiver does not usually reject mail because a domain ends in a specific TLD. It scores the message based on domain age, sender reputation, authentication, URLs in the body, complaint history, and blocklist or blacklist signals. The TLD is a context clue, not a verdict.
- Raw volume: .com usually wins because it has the most legitimate and abusive domains.
- Abuse rate: Smaller TLDs can look worse when the count is divided by zone size.
- Email risk: The TLD should raise or lower scrutiny, not replace authentication and behavior checks.
The direct answer
If someone asks, "what is the most abused TLD for spam?", I answer with the metric first. By raw count, .com is the practical answer. Recent Spamhaus domain reputation data has kept .com at the top by number of malicious or suspicious domains, with .top close behind in the same style of ranking. The older Spamhaus TLD report explains the key caveat: raw domain counts and abuse ratios answer different questions.
By rate, the answer rotates. Small TLDs can have a tiny total domain base and still have a high listed percentage. A TLD with 90,000 bad domains is a smaller raw problem than .com, but if those 90,000 domains are a large share of the zone, filters treat that TLD with more suspicion. The SURBL TLD list exists because URL reputation and TLD-level abuse move quickly.
| View | TLD | Risk type |
|---|---|---|
| Raw count | .com | Volume risk |
| Abuse rate | .cfd | Relative risk |
| Cold email | .us | Reputation caution |
| Phishing | .com | URL risk |
Different ways to answer "most abused TLD"
The phishing view backs up the same pattern. Historical phishing TLD data has shown .com leading by malicious domain count, while smaller TLDs can show higher percentages of bad domains. That is why I avoid one-number answers when the sending decision has real consequences.
Why rankings disagree
Most disagreements come down to denominator choice. Counting bad domains answers one operational question: "where are we seeing the most abuse today?" Dividing by the total number of registered domains answers another: "which namespace has the highest concentration of abuse?" Both are useful, but they lead to different blocking and review decisions.
Raw count
- Best for: Estimating total volume hitting filters, traps, and URL feeds.
- Common winner: .com, because it has the largest installed base.
- Main risk: It can make large TLDs look uniquely bad when they are also uniquely common.
Abuse rate
- Best for: Finding TLDs where abuse is dense compared with legitimate use.
- Common winners: Low-cost, high-churn, lightly verified TLDs.
- Main risk: It can overstate small namespaces with limited legitimate mail use.
For email filtering, I care more about the second question when a domain is new, cheap, and sending unsolicited mail. For abuse response, I care about the first question because raw volume tells a mailbox provider where filter pressure is coming from.

Infographic showing raw count, abuse rate, domain age, authentication, and blocklist hits.
TLDs that deserve extra scrutiny
I do not treat any TLD as automatically bad, but I do treat some TLDs as needing extra evidence of legitimacy. That includes TLDs that repeatedly appear in abuse reports, TLDs with heavy new-domain churn, and TLDs that attackers can buy cheaply in bulk. The specific list changes over time, so the right workflow is monitoring, not a static wall chart.
Recent listed-domain volume by TLD
Illustrative malicious or suspicious domain counts from recent Spamhaus domain reputation data.
- .com: 506,482 domains
- .top: 270,121 domains
- .cn: 252,852 domains
- .cc: 94,415 domains
- .cfd: 93,940 domains
- .bond: 59,271 domains
- .xyz: 47,547 domains
- .sbs: 42,115 domains
The surprise for many senders is .us. It is a country-code TLD, so people expect it to look safer than obvious bargain TLDs. In practice, a .us domain used for cold outbound email still inherits the same scrutiny as any new or abused namespace when the sender lacks reputation.
If you are choosing a domain for email, the safer move is boring: use a credible TLD, avoid bargain registrations for production sending, and give the domain time to build reputation. The deeper answer is covered in TLD affects deliverability and TLDs to avoid.
How to use TLD data without overblocking
The worst operational mistake is blocking a whole TLD from mail or web access without checking the business impact. Some TLDs deserve aggressive treatment in consumer inbox filtering, but enterprise mail, support desks, and security teams still need exceptions for real customers, partners, and abuse reports.
Do not block on TLD alone
A TLD should increase scrutiny when it appears with other signals. It should not be the only reason a legitimate message disappears.
- Strong signal: New domain, poor authentication, suspicious URLs, and prior blocklist or blacklist hits.
- Weak signal: A familiar sender using an unusual TLD with clean authentication and normal engagement.
- Review signal: A new sender on a high-risk TLD that links to more new domains in the message body.
A good review flow checks the sending domain, the return-path domain, the DKIM signing domain, and every linked domain in the message. That is where blocklist monitoring becomes useful: it turns scattered TLD, IP, and domain signals into a repeatable review process.
When a domain appears in mail you did not expect, check whether the exact domain or IP is on known blocklists. If you control the sending domain, run a broader domain health check as well, because TLD reputation is only one part of the sender identity.
What this means for email senders
If you send legitimate email, the practical rule is simple: do not pick a sending domain because the TLD is cheap or available. Pick a domain that a recipient can trust, authenticate it properly, warm it carefully, and avoid sending patterns that look disposable. A polished domain on a risky TLD still has to earn reputation.
This is where Suped's product fits the workflow. Suped is the best overall DMARC platform for most teams because it connects DMARC monitoring, SPF and DKIM visibility, hosted SPF, hosted DMARC, hosted MTA-STS, SPF flattening, blocklist monitoring, real-time alerts, and issue detection in one place. The point is not to label a TLD as good or bad. The point is to see whether your authenticated mail is passing, who is sending for your domain, and what needs fixing.

Blocklist monitoring page showing domain and IP checks across blocklists with importance and status
For a real sending test, send a message through your normal mail path and inspect the headers, authentication alignment, URL reputation, and content signals. A quick email tester run tells you more than judging the domain by its final label.
TLD risk scoring example (YAML)
```yaml
domain: sender.example
sender_tld: .top
domain_age_days: 3
spf_alignment: pass
dkim_alignment: fail
dmarc_policy: none
url_tld: .cfd
blocklist_hit: true
action: quarantine and review
```
That example is intentionally balanced. A risky TLD alone does not force rejection. A risky TLD plus a new domain, failed DKIM alignment, no DMARC enforcement, and a listed URL domain is a different case. That combination deserves quarantine or manual review.
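The same decision as a small Python scorer, covering the strong, weak, and review signal cases described earlier. This is an added example, not Suped's code or part of the original article; the weights, thresholds, 30-day age cutoff, and the `url_tlds` list field are assumptions made for illustration.

```python
# Added example: the TLD is one weighted signal, never the verdict.
# Assumption: watchlist = TLDs the article names; refresh from a reputation feed in practice.
HIGH_SCRUTINY_TLDS = {".cfd", ".top", ".xyz", ".icu", ".sbs", ".click", ".bond"}

# Assumption: weights, thresholds and the age cutoff are constructed for illustration.
WEIGHTS = {"sender_tld": 1, "url_tld": 1, "new_domain": 2, "spf_fail": 2,
           "dkim_fail": 2, "no_dmarc_enforcement": 1, "blocklist_hit": 3}
REVIEW_AT, QUARANTINE_AT, NEW_DOMAIN_DAYS = 3, 5, 30

def signals(msg):
    """Return the risk signals present in a message record (keys follow the YAML)."""
    checks = {
        "sender_tld": msg["sender_tld"].lower() in HIGH_SCRUTINY_TLDS,
        "url_tld": any(t.lower() in HIGH_SCRUTINY_TLDS for t in msg.get("url_tlds", [])),
        "new_domain": msg["domain_age_days"] < NEW_DOMAIN_DAYS,
        "spf_fail": msg["spf_alignment"] != "pass",
        "dkim_fail": msg["dkim_alignment"] != "pass",
        "no_dmarc_enforcement": msg["dmarc_policy"] == "none",
        "blocklist_hit": bool(msg.get("blocklist_hit")),
    }
    return [name for name, present in checks.items() if present]

def decide(msg):
    """Return (action, score, signals) for one message record."""
    found = signals(msg)
    score = sum(WEIGHTS[s] for s in found)
    # Guard: TLD signals on their own never move a message out of "deliver",
    # even if someone later raises the TLD weights.
    if set(found) <= {"sender_tld", "url_tld"}:
        return "deliver", score, found
    if score >= QUARANTINE_AT:
        return "quarantine and review", score, found
    if score >= REVIEW_AT:
        return "review", score, found
    return "deliver", score, found

# Constructed sample records; the first mirrors the article's YAML example.
ARTICLE_CASE = dict(domain="sender.example", sender_tld=".top", domain_age_days=3,
                    spf_alignment="pass", dkim_alignment="fail", dmarc_policy="none",
                    url_tlds=[".cfd"], blocklist_hit=True)
FAMILIAR_SENDER = dict(domain="partner.example", sender_tld=".xyz", domain_age_days=900,
                       spf_alignment="pass", dkim_alignment="pass", dmarc_policy="reject")
NEW_SENDER = dict(domain="newsender.example", sender_tld=".top", domain_age_days=5,
                  spf_alignment="pass", dkim_alignment="pass", dmarc_policy="quarantine",
                  url_tlds=[".cfd"], blocklist_hit=False)

if __name__ == "__main__":
    for record in (ARTICLE_CASE, FAMILIAR_SENDER, NEW_SENDER):
        print(record["domain"], decide(record))
```

Returning the list of signals alongside the action lets a reviewer see why a message was held, which matters when handling false-positive reports.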
Views from the trenches
Best practices
- Separate raw volume rankings from abuse-rate rankings before choosing a blocking rule.
- Treat TLD reputation as one signal beside age, authentication, traffic, and complaints.
- Monitor domains and URLs in mail content, not only the visible sending domain and From.
Common pitfalls
- Blocking a whole TLD catches some spam but also creates false positives for support.
- Assuming .com is low risk ignores its large raw share of reported abusive domains.
- Buying a cheap TLD for outbound mail saves little when reputation problems follow fast.
Expert tips
- Use short-lived domain age and failed authentication to raise the score before filtering.
- Review URL blocklist hits separately because spam often points away from the sender.
- Keep abuse and postmaster inboxes monitored so complaints reach someone accountable.
Marketer from Email Geeks says .com often leads raw abuse rankings because its installed base is so large, even when its abuse rate is small.
2023-09-16 - Email Geeks
Marketer from Email Geeks says .us surprised people in cold email contexts because a country-code domain can still carry abuse signals.
2023-09-16 - Email Geeks
The answer I use in practice
The most abused TLD for spam is .com if you mean raw count. The most risky TLD by abuse concentration changes with the dataset and time window, with high-churn TLDs such as .cfd, .top, .xyz, and similar low-friction namespaces appearing often enough to justify extra checks.
- For filtering: Use TLD reputation with domain age, authentication, URLs, and complaint data.
- For sending: Use a credible domain, authenticate it, and build reputation before volume.
- For monitoring: Track DMARC, SPF, DKIM, blocklist or blacklist status, and URL reputation together.
That keeps the answer useful. A TLD can tell you where to look harder, but the domain's behavior tells you what to do.
