Threat-Intel Cross-Reference

Your domain has a reputation that's tracked publicly, and sometimes you don't know it's been damaged until your transactional emails stop arriving and your customer-success team starts investigating. Threat-intel feeds — Spamhaus DBL, URLhaus, Google Safe Browsing, Microsoft SmartScreen, the various commercial reputation services — log domains observed in spam, phishing, or malware campaigns. Inclusion can come from a real compromise (your subdomain takeover got squatted and now serves phishing), from a misattribution (someone on your shared IP did something bad), or from related-name confusion (an attacker registered `support-yourapp.com` and ran a campaign that briefly tagged your real domain). Knowing your reputation status is operational hygiene; ignoring it is how email deliverability dies quietly.

Spamhaus DBL maintains a curated list of domains observed in spam-related abuse — phishing pages, malware download hosts, command-and-control infrastructure. Listings come from a mix of automated detection (honeypots, spam traps) and analyst review. URLhaus, run by abuse.ch, tracks URLs serving malware specifically. Both are queryable via DNS lookup or REST API. A listing means at least one trustworthy source associated your domain with abuse; the cause varies from 'you've been compromised' to 'a related domain shares your hosting' to 'someone made a mistake.'

Email deliverability tanks first — Gmail, Outlook, ProtonMail, and corporate spam filters consult these feeds and route listed senders to junk or block them outright. Browser warnings on Safari, Chrome, and Edge for users navigating to listed URLs (Google Safe Browsing in particular). DNS-level blocking by some resolvers (Quad9, OpenDNS, NextDNS) means listed domains simply don't resolve for users on those services. If the listing reflects actual compromise, the threat is ongoing — phishing or malware running on infrastructure you control means cleanup, secret rotation, and probably a customer notification.

If you find your domain listed: investigate the cause first. Search your subdomains for unexpected content (the takeover check we run can help). Audit recent DNS changes for entries pointing at unexpected hosts. Check your CDN and email-provider logs for unusual outbound activity. Once you've confirmed clean state (or remediated compromise), submit a removal request through the listing service's standard channel — Spamhaus and URLhaus both have well-documented delisting processes. To prevent listing in the first place: lock down your DNS with strict change controls, monitor for subdomain takeovers continuously, audit your SPF/DKIM/DMARC posture so spoofers can't impersonate you (their abuse from your domain is what gets you listed), and use a transactional email provider with reputation isolation. If you're listed without an obvious cause, check your hosting IP — shared hosting on a 'noisy neighbor' IP sometimes triggers listings.