What’s a suspicious domain?

The question came up on Slack and I started bullet-pointing what would make a domain suspicious. It seemed like a reasonable blog post. In no particular order, here are some features that make a domain suspicious to spam filters.

Domain is used in…

  • … mail users complain about
  • … mail users delete without reading
  • … mail sent in bulk through the ISP (example: Censorship, Email and Politics)
  • … phishing mail
  • … malware dissemination

It’s not just the mail the domain is present in. There are other things that lead to suspicion for domains, too.

Domain …

  • is located on a network with a bad reputation
  • is newly registered
  • has network connections to bad domains (like nameservers, etc)
  • is a cousin domain to some regular domain
  • has a name pattern like snowshoers use
  • has network connections to individuals with bad reputations
  • has network connections to sources of bad traffic
  • is sent through an MTA with bad behaviour (holding open idle connections, retrying too frequently, etc)
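As an added illustration (not part of the original post), here is a small Python scorer that checks a domain against several of the domain-level signals above: new registration, nameservers on a bad list, cousin-domain similarity to a known brand, and a snowshoe-style name pattern. The reference lists, the 30-day threshold and the name pattern are constructed assumptions for the example, not how any particular filter works.

```python
import re
from datetime import date

# Constructed sample reference data for this example; real filters use live feeds.
BAD_NAMESERVERS = {"ns1.badhost.example", "ns2.badhost.example"}
KNOWN_BRANDS = ["paypal.example", "bigbank.example"]
# Loose approximation of snowshoe-style names: two or more hyphenated tokens, then a token with a digit.
SNOWSHOE_PATTERN = re.compile(r"^(?:[a-z0-9]+-){2,}[a-z]*\d[a-z0-9]*\.")
NEW_REGISTRATION_DAYS = 30  # assumed threshold for "newly registered"


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (cousin) labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_of(domain, brands, max_distance=2):
    """Return the brand domain this domain imitates, or None if it is not a cousin."""
    label = domain.split(".")[0]
    for brand in brands:
        if domain == brand:
            continue  # the brand's own domain is not a cousin of itself
        brand_label = brand.split(".")[0]
        if edit_distance(label, brand_label) <= max_distance or brand_label in label:
            return brand
    return None


def suspicion_signals(domain, registered, nameservers, today):
    """Collect domain-level signals for one domain; dates are ISO strings (YYYY-MM-DD)."""
    domain = domain.lower()
    signals = []
    age_days = (date.fromisoformat(today) - date.fromisoformat(registered)).days
    if age_days < NEW_REGISTRATION_DAYS:
        signals.append("newly_registered")
    if any(ns.lower() in BAD_NAMESERVERS for ns in nameservers):
        signals.append("bad_nameserver")
    brand = cousin_of(domain, KNOWN_BRANDS)
    if brand:
        signals.append("cousin_of:" + brand)
    if SNOWSHOE_PATTERN.match(domain):
        signals.append("snowshoe_pattern")
    return signals


if __name__ == "__main__":
    print(suspicion_signals("paypa1.example", "2024-05-01", ["ns1.badhost.example"], "2024-05-10"))
    print(suspicion_signals("offer-deal-7x2.example", "2023-01-01", ["ns.ok.example"], "2024-05-10"))
```

A real filter would weight and combine these signals with the mail-stream evidence from the first list (complaints, deletes, phishing reports) rather than treating any one of them as decisive.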

We talk a lot about permission and user engagement, and those are crucial for getting to the inbox. But there are lots of other signals that go into mail delivery, and some of them will override even the best domain reputation (example: Fun with spam filters). Knowing what the other signals are means a better overall understanding of delivery and the ability to integrate deliverability into business goals and KPIs.
