Domain and IP Reputation

What is domain and IP reputation?

Email and web traffic passes through a global ecosystem of reputation systems — databases maintained by security vendors, ISPs, and anti-spam organisations that track whether a domain or IP address has been associated with spam, malware, phishing, or other malicious activity.

When your domain or sending IP has a poor reputation:

  • Your outgoing emails land in spam folders or are rejected entirely
  • Your website may be flagged with a browser security warning
  • Security tools used by your customers and partners may block traffic to and from you
  • Deliverability of legitimate marketing and transactional email drops significantly

ExposureIndex checks your domain and associated IP addresses against the major reputation databases and blocklists.


How domains end up on blocklists

  • Compromised email account — A staff account is taken over and used to send spam or phishing at volume.
  • Compromised server — Malware on a hosted server uses it to send spam or participate in a botnet.
  • Misconfigured mail server — An open relay allows third parties to send email through your infrastructure.
  • Bulk email without proper opt-in — Sending to purchased or scraped lists generates spam complaints that feed into reputation systems.
  • No SPF / DKIM / DMARC — Without these, your domain is easily spoofed, and spoofed mail claiming to come from your domain counts against your reputation.
  • Shared IP history — If your email service provider assigned you an IP address previously used by a spam sender, you may inherit that IP's history.
  • Phishing page hosted on your domain — If an attacker compromises your website and hosts phishing content, your domain will be flagged.

What to do

Step 1 — Identify which blocklists you are on

ExposureIndex shows you the specific blocklists flagging your domain or IP. Common blocklists include:

  • Spamhaus (SBL, XBL, DBL) — the most widely used by ISPs
  • Barracuda Reputation Block List (BRBL)
  • SORBS
  • SpamCop
  • Google Safe Browsing (for web/phishing flags)

You can also check manually at MXToolbox Blacklist Check.
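
The lookup behind a blocklist check, as an added example (not ExposureIndex's code): a DNS blocklist is queried by reversing the IP address and requesting an A record under the list's zone. The zone zen.spamhaus.org, the 127.255.255.0/24 error range and all function names are assumptions of this example based on Spamhaus's published conventions; the resolver answers in the demo are constructed.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumed zone: Spamhaus's combined IP list
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # assumed error-code range
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone=ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def classify(answer):
    """Map the A-record answer (or None for NXDOMAIN) to a verdict."""
    if answer is None:
        return "not-listed"
    addr = ipaddress.ip_address(answer)
    if addr in ERROR_NET:
        return "query-error"   # the list refused or rate-limited the query
    if addr in LISTED_NET:
        return "listed"
    return "unexpected"        # non-loopback answer: wildcard or hijacked DNS


def system_resolver(name):
    """Resolve via the OS; NXDOMAIN becomes None, temporary failures propagate."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            raise              # resolver outage is not a verdict
        return None


def check(ip, zone=ZONE, resolve=system_resolver):
    name = dnsbl_name(ip, zone)
    answer = resolve(name)
    return {"query": name, "answer": answer, "status": classify(answer)}


if __name__ == "__main__":
    # Constructed answers standing in for DNS, so the demo runs offline.
    fake = {"25.2.0.192.zen.spamhaus.org": "127.0.0.2"}
    for ip in ("192.0.2.25", "198.51.100.7"):
        print(check(ip, resolve=fake.get))
```

A query-error result usually means the list is refusing queries from your resolver (commonly a shared public one), so record it as unknown, not as a listing.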

Step 2 — Find the root cause

Before requesting removal from any blocklist, identify and fix the underlying cause. Requesting removal without fixing the problem usually results in immediate re-listing.

Common root cause investigations:

  • Check email server logs for unusual outbound sending volume
  • Check for compromised accounts (look for logins from unusual locations or at unusual times)
  • Scan your web server for malicious files (find /var/www -name "*.php" -newer /var/www/index.php lists PHP files modified more recently than index.php, which gives you a starting set to review)
  • Review your email sending practices for any list hygiene issues

Step 3 — Request removal

Each blocklist has its own removal process:

  • Spamhaus: www.spamhaus.org/removal — free self-service for most listings
  • Barracuda: www.barracudacentral.org/rbl/removal-request
  • Google Safe Browsing: Submit a reconsideration request via Google Search Console after removing any malicious content
  • SORBS / SpamCop: Each has a self-service delisting page linked from the blocklist lookup result

Removal processing times range from a few hours to a few days depending on the blocklist.

Step 4 — Monitor going forward

Set up ongoing monitoring so you know immediately if your domain or IP is re-listed. ExposureIndex's continuous monitoring covers this. You can also set up a free alert at Spamhaus or use a dedicated deliverability monitoring service.


Preventing future listings

  • Deploy SPF, DKIM, and DMARC — reduces the impact of spoofing on your reputation
  • Enable MFA on all email accounts — prevents account takeover spam runs
  • Keep web software updated — prevents compromise and hosting of malicious content
  • Use a reputable email service provider — providers like Mailgun, SendGrid, and AWS SES maintain dedicated IP pools with warm-up processes and reputation monitoring
  • Maintain list hygiene — honour unsubscribes immediately, remove bouncing addresses, never buy email lists

Last updated: March 28, 2026