Suped

Why are ESP customer domains getting listed in Spamhaus, and what can be done about it?

Matthew Whittaker
Co-founder & CTO, Suped
Published 3 Aug 2025
Updated 16 Aug 2025
Email service providers (ESPs) often encounter challenges with deliverability, and one particularly perplexing issue is when their customers' domains, particularly tracking domains, start appearing on widely used blocklists (or blacklists) like Spamhaus. This can happen even when the ESP's own core domain remains unlisted. It’s a nuanced problem, as a CNAME record itself isn't a redirection, but it points to an underlying infrastructure that might be redirecting or hosting malicious content. This scenario points to potential vulnerabilities in how tracking domains are managed and protected, leading to broader deliverability issues for legitimate senders.
When customer domains are consistently listed, it suggests a systemic problem rather than isolated incidents of abuse by individual customers. I often see this when thousands of distinct customer domains, spread across different industries and geographies, suddenly find themselves on a blacklist (or blocklist). The ESP's main domain might remain clean, but their customers face significant email deliverability issues. This situation requires a deep dive into the tracking mechanisms and security protocols of the ESP.
Understanding why this happens is crucial for both ESPs and their customers. It's not just about getting delisted, but about implementing preventative measures to maintain a healthy sending reputation. The goal is to ensure emails reach the inbox consistently, avoiding the spam folder or outright rejection by recipient mail servers.

Understanding tracking domains and blacklists

Tracking domains are critical for email marketing, allowing ESPs and their clients to monitor link clicks, open rates, and other engagement metrics. They typically involve a CNAME record that points a customer's subdomain (e.g., track.customerdomain.com) to the ESP's tracking server (e.g., tracking.espdomain.com). This setup personalizes tracking links, making them appear to originate from the customer’s domain, which can build trust with recipients.
Example CNAME record for a tracking domain:

    track.customerdomain.com. CNAME tracking.espdomain.com.
The issue arises when customerdomain.com gets blacklisted, specifically on Spamhaus's Domain Block List (DBL). The DBL is designed to list domains found in spam messages, whether they are sending domains, URL domains in the email body, or tracking domains. Even if the customer's actual website appears benign or is blank, the issue is often with what the tracking URL ultimately points to, or how it is being used in spam or phishing campaigns. This is a common characteristic of domains listed in the Combined Spam Sources (CSS) list or the DBL.
A crucial point here is that a CNAME is a DNS record, not a web redirection. The problem lies with the content or behavior behind the tracking URL, not the CNAME itself. If an ESP's tracking domain infrastructure allows for open redirects, malicious actors can exploit this. They can use the legitimate tracking domain to redirect users to phishing sites or malware downloads, even if those malicious pages are hosted on a different server or under a long, obscure path.

Why customer domains get blacklisted

The primary reason customer tracking domains end up on Spamhaus's DBL is often related to abuse, specifically phishing or hosting malicious content, even if inadvertently. While an ESP's core domain might be clean, its customer's tracking domains, which resolve to the ESP’s infrastructure, can become tainted.
One significant cause is an ESP’s tracking system being vulnerable to open redirect abuse. If an ESP's click-tracking mechanism allows any arbitrary URL to be passed as a redirect destination, spammers and phishers will exploit this. They embed legitimate-looking tracking links in their malicious emails that, when clicked, redirect to a compromised website. This behavior gets the customer's domain, acting as the initial redirector, listed on a blocklist. Sometimes, these malicious sites are even hosted on compromised systems like WordPress installs or other vulnerable web platforms, often deep within the site's directory structure.
Another factor could be the customer's own sending practices. Even if the tracking domain is clean, if the customer is sending spammy content or has poor list hygiene, mailbox providers will flag their emails. If enough recipients report these emails as spam, or if the links within them trigger spam traps, this can lead to the domain being listed. Spamhaus considers the entire context of email sending behavior, not just the content of a landing page.
Finally, the age of the domain can play a role. New domains, especially those that quickly start sending high volumes of email or have suspicious link activity, are often subject to stricter scrutiny by blocklists. The Spamhaus DBL is particularly quick to list very new domains if they exhibit characteristics associated with spam or malicious activity.

Common causes of Spamhaus DBL listings

  1. Open redirect vulnerability: ESP tracking domains exploited to redirect to malicious sites.
  2. Compromised websites: Malicious content hosted on a customer's site (even if not the root domain).
  3. Spam content or practices: Customer sending poor quality emails, leading to high spam complaints.
  4. New domains: Rapid listing of recently registered domains for suspicious activity.

How ESPs can prevent blocklistings

ESPs play a crucial role in preventing their customers' domains from landing on blacklists. The focus needs to be on robust security measures and strict customer vetting processes.
Firstly, ESPs must eliminate any potential for open redirects in their tracking infrastructure. This means carefully validating all redirect URLs to ensure they point only to approved, legitimate destinations. Implementing strict URL validation, parameter sanitization, and real-time monitoring of tracking links for suspicious activity can prevent exploitation. If an ESP's system is frequently abused, it reflects poorly on the ESP's overall reputation, even if their main sending IPs aren't directly listed.
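One way to implement the redirect validation described above, shown next to the open-redirect pattern it replaces. This is an added example, not code from Suped or any ESP; the `/click` path, the `c`/`u`/`sig` parameter names, the signing key, the customer ID and the allowlist are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this example: one signing key held by the tracking service,
# and the hosts each customer registered as link destinations (constructed data).
SIGNING_KEY = b"constructed-demo-key"
APPROVED_HOSTS = {"cust-42": {"www.customerdomain.com", "shop.customerdomain.com"}}


def resolve_click_open(url):
    """Open-redirect pattern: whatever arrives in 'u' is honoured."""
    dest = parse_qs(urlsplit(url).query).get("u", [None])[0]
    return (302, dest) if dest else (400, None)


def _sign(customer_id, dest):
    msg = f"{customer_id}\n{dest}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def destination_allowed(customer_id, dest):
    """Accept only absolute https URLs on a host this customer registered."""
    if "\\" in dest or any(ord(ch) <= 0x20 for ch in dest):
        return False  # browsers normalise these differently from urlsplit
    try:
        parts = urlsplit(dest)
        host, _port = parts.hostname, parts.port  # reading .port validates it
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # e.g. https://www.customerdomain.com@other.example/
    return host.rstrip(".") in APPROVED_HOSTS.get(customer_id, set())


def make_tracking_url(tracking_host, customer_id, dest):
    """Mint a link at send time; unregistered destinations never get signed."""
    if not destination_allowed(customer_id, dest):
        raise ValueError("destination not registered for this customer")
    query = urlencode({"c": customer_id, "u": dest, "sig": _sign(customer_id, dest)})
    return f"https://{tracking_host}/click?{query}"


def resolve_click(url):
    """Hardened handler: 302 only for a signed, still-approved destination."""
    params = parse_qs(urlsplit(url).query)
    try:
        (cid,), (dest,), (sig,) = params["c"], params["u"], params["sig"]
    except (KeyError, ValueError):
        return 400, None  # missing or duplicated parameter
    if not hmac.compare_digest(sig.encode(), _sign(cid, dest).encode()):
        return 400, None  # link was not minted by this service
    if not destination_allowed(cid, dest):
        return 400, None  # host was removed from the allowlist after minting
    return 302, dest
```

Re-checking the allowlist at click time, not only when the link is minted, means links already in circulation stop redirecting as soon as a customer's destination is removed.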
Secondly, proactive monitoring of customer sending behavior and content is essential. This includes analyzing bounce rates, spam complaint rates, and engagement metrics for each customer. ESPs should also implement automated systems to detect and suspend accounts that show patterns of spamming or phishing. Vetting new customers thoroughly, especially those with large or old lists, can mitigate risks associated with spam traps and poor list hygiene. Some ESPs even use domain reputation data to assess risk before onboarding.

Proactive measures

  1. Secure tracking domains: Close open redirect vulnerabilities and validate redirect URLs rigorously.
  2. Monitor customer behavior: Track spam complaints and engagement, suspending abusive accounts promptly.
  3. Customer vetting: Assess risk for new customers, especially with old or large lists.

Reactive strategies

  1. Automated detection: Implement systems to identify and delist tracking domains quickly.
  2. Rapid delisting protocols: Have a clear process for Spamhaus delisting and communication with affected customers.
  3. Education and enforcement: Educate customers on best practices and enforce terms of service.

Steps for affected customers and ESPs

For customers whose domains are listed, the immediate action is to understand the cause and initiate the delisting process. First, determine which Spamhaus list the domain is on. The DBL is for domains found in spam, while the SBL (Spamhaus Block List) primarily lists IP addresses, though domains can be listed indirectly if they consistently point to problematic IPs.
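A DBL lookup that separates a real listing from a refused query, as an added example that is not part of the original article. The return-code meanings are the ones Spamhaus publishes for its DBL zone and do not come from this page; the resolver is injectable so the check can be exercised with constructed answers, and `system_resolver` is only one possible way to perform the live query.

```python
import socket

DBL_ZONE = "dbl.spamhaus.org"

# DBL return codes as published by Spamhaus (not taken from the article).
LISTED = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phishing domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
# These answers mean the query itself was refused; they say nothing about
# the domain and must never be reported as a listing.
QUERY_ERRORS = {
    "127.0.1.255": "an IP address was queried instead of a domain",
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query arrived through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def system_resolver(name):
    """A records for name via the local resolver; [] when the name does not exist."""
    no_answer = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in no_answer:
            return []
        raise  # timeouts and resolver failures are not "not listed"
    return sorted({info[4][0] for info in infos})


def check_dbl(domain, resolve=system_resolver):
    """Classify one domain as 'listed', 'not_listed' or 'error'."""
    domain = domain.strip().rstrip(".").lower()
    answers = resolve(f"{domain}.{DBL_ZONE}")
    errors = [QUERY_ERRORS[a] for a in answers if a in QUERY_ERRORS]
    if errors:
        return {"domain": domain, "status": "error", "detail": errors}
    reasons = [LISTED.get(a, f"unrecognised code {a}")
               for a in answers if a.startswith("127.0.1.")]
    status = "listed" if reasons else "not_listed"
    return {"domain": domain, "status": status, "detail": reasons}
```

An `error` result usually means the lookup went through a shared public resolver or exceeded query limits, so repeat the check from a resolver Spamhaus accepts before telling a customer whether the domain is listed.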
If it's an open redirect issue, the customer needs to coordinate with their ESP to resolve the vulnerability. This might involve updating tracking settings or having the ESP implement a fix on their end. The ESP should be able to provide details on the specific malicious activity detected. If the listing is due to the customer's sending practices, they need to clean their email lists, remove any contacts without consent, and review their email content to ensure it complies with anti-spam regulations.
Once the underlying issue is resolved, the customer or ESP can submit a delisting request through the Spamhaus Blocklist Removal Center. Spamhaus generally requires evidence that the problem has been fixed. Delisting can sometimes be automated or may require manual review, depending on the listing type and severity. Patience and clear communication are key during this process.
It's important for ESPs to offer clear guidance and support to their customers facing these issues. Providing resources on best practices, monitoring tools, and direct assistance with the delisting process can significantly improve customer satisfaction and overall deliverability for everyone on the platform. The ESP should be knowledgeable about what causes Spamhaus listings and how to resolve them effectively.

Spamhaus lists at a glance

DBL (Domain Block List)
  What it lists: Domains found in spam, including tracking domains or phishing links.
  Common triggers: Open redirects, compromised websites, malicious URLs in emails.
  Resolution notes: Fix vulnerability, remove malicious content, then request delisting via Spamhaus removal center.

SBL (Spamhaus Block List)
  What it lists: IP addresses identified as spam sources or hosting spam operations.
  Common triggers: Direct spamming from IP, hosting malware, bulletproof hosting, botnets.
  Resolution notes: Stop abusive behavior, clean up network, then request delisting. SBL delisting needs root cause fixed.

PBL (Policy Block List)
  What it lists: IP ranges that should not be sending unauthenticated email directly to the Internet.
  Common triggers: Dynamic IP space, consumer broadband, non-MTA servers attempting direct sends.
  Resolution notes: Ensure emails are sent through an authenticated mail server. Delisting is often automated if compliance is met.

CSS (Combined Spam Sources)
  What it lists: IP addresses involved in sending low-reputation email (often dynamic IPs).
  Common triggers: Botnet infections, compromised servers sending small amounts of spam.
  Resolution notes: Clean infections, secure systems. CSS delisting is often automated once the issue stops.

Views from the trenches

Best practices
Implement stringent security reviews for all tracking and redirect mechanisms to prevent open redirect vulnerabilities.
Regularly audit customer sending behavior, leveraging data on complaints, bounces, and engagement to identify potential abusers.
Provide clear, actionable guidelines and support to customers on maintaining good sending hygiene and resolving deliverability issues.
Utilize domain reputation data to proactively identify and mitigate risks from new or suspicious customer domains.
Ensure rapid response protocols are in place for detecting and addressing any domain blacklistings promptly.
Common pitfalls
Assuming a CNAME is merely a redirection and not realizing its potential for malicious exploitation if not properly secured.
Failing to monitor customer tracking domains, leading to widespread blocklistings before the problem is noticed.
Lacking clear policies or enforcement mechanisms for customers who consistently engage in spammy or phishing activities.
Not having a defined, quick process for delisting domains from major blacklists like Spamhaus DBL.
Overlooking the impact of old or poorly managed customer lists, which often contain spam traps or unengaged users.
Expert tips
For ESPs, it's vital to vet new customers using domain reputation metrics to pre-emptively identify high-risk accounts.
I recommend implementing automated systems that scan outbound links for suspicious patterns indicative of phishing or malware.
Review your tracking domain setup regularly. Ensure it provides adequate security against open redirects and other vulnerabilities.
Educate your customers about the importance of list hygiene and consent-based emailing. This is crucial for long-term deliverability.
Remember that domains can be listed for malicious redirects even if the root site is blank; Spamhaus focuses on the destination of the link.
Expert view
Expert from Email Geeks says a CNAME is not a redirection, and the problem often lies with the landing page behind the tracking URL, or open redirections being abused by phishers.
2021-12-10 - Email Geeks
Expert view
Expert from Email Geeks says the domain can be listed even if the content at its root doesn't matter, as phishing pages are typically found under a more complex path.
2021-12-11 - Email Geeks

Maintaining a healthy sending reputation

Dealing with ESP customer domains listed on Spamhaus requires a two-pronged approach. ESPs must prioritize the security and integrity of their tracking infrastructure, particularly guarding against open redirect vulnerabilities and ensuring robust monitoring of customer activity. This proactive stance protects their own reputation and, more importantly, ensures their customers' emails land in the inbox.
For customers, understanding the implications of poor sending practices and the mechanisms of blocklists is vital. Working closely with their ESP to identify and rectify the root cause of a listing is paramount. By taking these steps together, ESPs and their customers can collectively maintain a strong email sending reputation, ensuring reliable deliverability and safeguarding their brand image.
