How does Spamhaus decide whether to list a subdomain or a whole domain on the DBL?
Michael Ko
Co-founder & CEO, Suped
Published 23 Apr 2025
Updated 23 May 2026
10 min read
Summarize with
Spamhaus does not use one fixed rule that always lists only the exact subdomain or always lists the whole domain on the DBL. The practical answer is this: Spamhaus lists the narrowest domain or hostname that matches the abuse pattern when it can do that safely, especially for compromised legitimate sites, but it can list the parent domain when the evidence points to broader abuse, repeated use across multiple hostnames, or a domain that has not built a legitimate reputation.
That distinction matters because a DBL listing is a domain reputation signal, not an IP listing. Spamhaus says the Spamhaus DBL includes domains used in unsolicited bulk email, phishing, fraud, malware distribution, and domains with poor reputation based on a wider set of observed behaviors.
- Hostname only: This is common when a real site is compromised and one hostname carries the abusive URL.
- Subdomain scope: This happens when the evidence stays tied to a sending, tracking, image, or click hostname.
- Parent domain: This happens when the domain itself looks risky or abuse appears across more than one hostname.
- Wildcard effect: If the parent domain is listed, DBL lookups for its hostnames also return a listed result.
The direct answer
Spamhaus does not publish the exact criteria that decide whether a DBL entry is scoped to a hostname, a subdomain, or a whole domain. Its DBL FAQ says domain reputation is evaluated with several criteria and that listings are constantly reevaluated. So the right operational assumption is not "a subdomain protects the parent." The better assumption is "scope follows the evidence Spamhaus has."
I treat a DBL listing like a scope question first. Before debating removal, I want to know whether the exact hostname is listed, whether the organizational domain is listed, and whether the listed name appears in the message body, envelope, HELO, rDNS, click tracking, image host, or visible sender identity.
|
|
|
|---|---|---|
Hostname | Compromised site | Contained |
Subdomain | Isolated abuse | Medium |
Domain | Broad pattern | High |
Wildcard hit | Parent listed | High |
Common DBL listing scopes and what they usually mean.
The table is compact on purpose. The hard part is not naming the DNS label. The hard part is deciding whether the label is the cause, a symptom, or just one visible piece of a wider domain reputation problem. A blocklist or blacklist hit on a tracking subdomain still deserves a parent-domain review, because mailbox filters often combine DBL data with authentication, content, engagement, and prior reputation.
Spamhaus Reputation Checker screen showing a DBL lookup result for a domain.
When a hostname or subdomain is listed
The clearest case for a narrow listing is the abused-legit category. Spamhaus announced that hostname-level data for this DBL component went into production on February 1, 2022. The reason was simple: if a large legitimate platform has one compromised user hostname, listing the whole registered domain creates unnecessary collateral blocking.
The hostname update explains the shift: hostname listings make the DBL more targeted for compromised legitimate sites, especially where many unrelated sites share the same second-level domain.
Narrow listing
- Legit domain: The main site has normal history and the issue sits on one hostname.
- Single host: The bad URL, redirect, image host, or click host is tied to one DNS name.
- Fix path: Clean the compromised host, remove bad content, and verify the site stays clean.
Domain listing
- Unknown domain: The domain has little legitimate history or looks created for abuse.
- Many hosts: Several subdomains, URLs, or message identities point to the same problem.
- Fix path: Address the full sending and web footprint before requesting removal.
This is why separating mail streams onto subdomains helps, but does not give immunity. If a marketing hostname creates a DBL issue, the damage is easier to isolate. If the same domain family has multiple bad signals, the parent domain still has exposure. The same pattern applies to subdomain reputation in mailbox filtering.
My rule for sending subdomains
Use subdomains to make reputation easier to observe and contain, not to hide risk. If a sender uses lots of disposable hostnames, that pattern itself looks bad.
Why the whole domain still gets listed
A whole-domain DBL listing generally means Spamhaus sees the domain itself as the useful unit of risk. That can happen even when the first visible symptom was one subdomain. If the parent domain is new, obscure, repeatedly seen in unwanted mail, or connected to several bad hostnames, narrowing the listing does not solve the filtering problem.
- Multiple hosts: Spamhaus sees spam, phish, malware links, or unwanted bulk mail across several labels.
- Weak history: The domain has not built enough durable legitimate use to earn narrow treatment.
- Shared content: The same landing pages, redirects, or tracking chains appear across related labels.
- Snowshoe pattern: Many domains or subdomains are rotated to spread abuse thinly.
- Manual evidence: A human review connects the domain to a broader operational problem.
How I treat DBL scope
A practical severity model for deciding how wide the investigation should be.
Exact hostname
Contained
Start with that host, then verify nearby mail and web labels.
Marketing subdomain
Medium
Review list source, click hosts, image hosts, and recent campaigns.
Parent domain
High
Treat this as a domain-wide reputation incident.
Relisted domain
Critical
The underlying cause is still active or returned after removal.
Do not reduce this to one spam trap hit. A single trap is not a reliable explanation for a DBL listing by itself. Complaint rate also does not map cleanly to Spamhaus DBL risk. I have seen low complaint programs create serious listing issues because the problem was list acquisition, bad affiliate traffic, compromised web content, or a URL reputation issue.
How DBL lookups can confuse the answer
DBL supports wildcard behavior for parent-domain listings. If example.com is listed, a lookup for a host under example.com can also return listed. That does not always mean Spamhaus created a separate listing for that exact host. It can mean the parent domain is listed and the lookup inherited that result.
DBL lookup examplesBASH
dig +short example.com.dbl.spamhaus.org A dig +short mail.example.com.dbl.spamhaus.org A dig +short click.mail.example.com.dbl.spamhaus.org A
When I review a listing, I test the exact hostname, the sending subdomain, and the registered parent domain separately. If every hostname under the parent returns listed, the next question is whether the parent itself returns listed. That answer changes the incident plan.
Do not query DBL like an IP blacklist
DBL is domain-only. Querying IP addresses against DBL gives misleading results. Use DBL for domains and hostnames found in rDNS, HELO, envelope sender, headers, and message content.
How to investigate the scope
Start with the listed label and work outward. A general blocklist basics review helps if the distinction between DNSBL, domain blocklist, blacklist, and URL list is unclear. For a broader technical check, a domain health checker is useful because DBL risk rarely sits alone.
- Check scope: Look up the exact hostname, sending subdomain, root domain, and visible URL hosts.
- Inspect mail: Review headers, envelope sender, DKIM d= domain, links, images, and redirects.
- Audit lists: Find purchased data, scraped data, old inactive segments, and weak consent paths.
- Review web: Check CMS updates, redirects, injected files, and any user-generated pages.
- Fix first: Remove the cause before requesting delisting, or the domain can relist.
Blocklist checker
Check your domain or IP against 144 blocklists.
Spamhaus
0Spam
Cisco
NoSolicitado
URIBL
abuse.ro
ALPHANET
Anonmails
Ascams
BLOCKEDSERVERS
Calivent Networks
EFnet
JustSpam
Kempt.net
NordSpam
RV-SOFT Technology
Scientific Spam
Spamikaze
SpamRATS
SPFBL
Suomispam
System 5 Hosting
Team Cymru
Validity
www.blocklist.de Fail2Ban-Reporting Service
ZapBL
2stepback.dk
Fayntic Services
ORB UK
technoirc.org
TechTheftSpamhaus0SpamCiscoNoSolicitadoURIBLabuse.roALPHANETAnonmailsAscamsBLOCKEDSERVERSCalivent NetworksEFnetJustSpamKempt.netNordSpamRV-SOFT TechnologyScientific SpamSpamikazeSpamRATSSPFBLSuomispamSystem 5 HostingTeam CymruValiditywww.blocklist.de Fail2Ban-Reporting ServiceZapBL2stepback.dkFayntic ServicesORB UKtechnoirc.orgTechTheftSpamhaus0SpamCiscoNoSolicitadoURIBLabuse.roALPHANETAnonmailsAscamsBLOCKEDSERVERSCalivent NetworksEFnetJustSpamKempt.netNordSpamRV-SOFT TechnologyScientific SpamSpamikazeSpamRATSSPFBLSuomispamSystem 5 HostingTeam CymruValiditywww.blocklist.de Fail2Ban-Reporting ServiceZapBL2stepback.dkFayntic ServicesORB UKtechnoirc.orgTechTheftSpamhaus0SpamCiscoNoSolicitadoURIBLabuse.roALPHANETAnonmailsAscamsBLOCKEDSERVERSCalivent NetworksEFnetJustSpamKempt.netNordSpamRV-SOFT TechnologyScientific SpamSpamikazeSpamRATSSPFBLSuomispamSystem 5 HostingTeam CymruValiditywww.blocklist.de Fail2Ban-Reporting ServiceZapBL2stepback.dkFayntic ServicesORB UKtechnoirc.orgTechTheftSpamhaus0SpamCiscoNoSolicitadoURIBLabuse.roALPHANETAnonmailsAscamsBLOCKEDSERVERSCalivent NetworksEFnetJustSpamKempt.netNordSpamRV-SOFT TechnologyScientific SpamSpamikazeSpamRATSSPFBLSuomispamSystem 5 HostingTeam CymruValiditywww.blocklist.de Fail2Ban-Reporting ServiceZapBL2stepback.dkFayntic ServicesORB UKtechnoirc.orgTechTheftIf the listing appears only on a click or image hostname, focus on recent campaigns and URL chains. If the root domain returns listed, widen the review to every mail stream and web property using that domain. The deeper explanation of the DBL itself is in the Spamhaus DBL guide.
How Suped fits into the workflow
Suped's product helps with the monitoring side of this problem. It brings DMARC, SPF, DKIM, hosted SPF, SPF flattening, hosted MTA-STS, alerts, and blocklist monitoring into one workflow, so a DBL event can be reviewed next to authentication failures, sending sources, and domain changes.
Blocklist monitoring page showing domain and IP checks across blocklists with importance and status
For most teams, Suped is the strongest practical DMARC platform because the incident path is actionable. A DBL alert is more useful when it sits beside the sender that used the domain, the authentication result, and the steps needed to fix the underlying issue.
Where Suped helps
- Early alerts: Real-time notifications reduce the delay between listing and investigation.
- Source context: Verified and unverified senders are easier to separate during an incident.
- DNS control: Hosted SPF and hosted DMARC reduce slow DNS handoffs during remediation.
- MSP scale: Multi-tenant reporting keeps client domains visible without separate spreadsheets.
Suped does not decide Spamhaus listings, and no monitoring platform can force DBL removal. The value is that it gives the team a clear incident queue, the data needed to find the cause, and a way to confirm that authentication and domain controls stay healthy after the listing clears.
How to reduce listing risk
I work backward from the listing logic. If Spamhaus scopes listings based on observed abuse and reputation, then the sender's job is to make legitimate behavior durable, visible, and boring. That means stable domains, clean consent, secure web assets, and authentication that lines up with the actual sender.
- Use stable domains: Avoid rotating new domains or disposable subdomains for normal email volume.
- Separate streams: Keep transactional, lifecycle, marketing, and affiliate traffic on clear labels.
- Secure web apps: Patch CMS software, remove injected redirects, and limit upload abuse.
- Watch auth: Monitor SPF, DKIM, and DMARC so spoofing and broken sources are visible.
- Cut bad data: Remove sources that produce spam complaints, trap hits, or no engagement.
- Fix relists: A repeated DBL listing means the original cause was not fully removed.
Basic DMARC TXT valueDNS
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Do not assume authentication alone prevents a DBL listing. SPF, DKIM, and DMARC prove identity and policy; they do not prove that a campaign is wanted, that a website is clean, or that every URL in the message has good reputation. For the related case where a domain is listed without active sending, the issue often sits in URLs, hosting, or domain history rather than SMTP volume.
Views from the trenches
Best practices
Check the exact hostname and parent domain before deciding how wide the fix must be.
Keep sending labels stable so good reputation has time to attach to each mail stream.
Treat a relisting as proof that the first remediation did not remove the real cause.
Common pitfalls
Assuming one low complaint metric rules out a Spamhaus DBL listing is a bad shortcut.
Using many fresh subdomains can look like reputation evasion instead of risk control.
Requesting removal before cleaning web redirects often leads to fast reappearance.
Expert tips
Review URLs, image hosts, click hosts, envelope domains, and DKIM domains together.
For compromised sites, isolate the hostname but still audit nearby DNS labels carefully.
Use subdomains for clear ownership and observability, not as disposable reputation shells.
Expert from Email Geeks says Spamhaus DBL listings are not always scoped the same way; multiple bad subdomains can cause a parent-domain listing.
2023-01-03 - Email Geeks
Expert from Email Geeks says the hostname change was meant to reduce collateral blocking for shared platforms and compromised legitimate sites.
2023-01-03 - Email Geeks
The practical takeaway
Spamhaus decides DBL scope by the scope of the evidence. If one compromised hostname on a legitimate domain is the problem, a narrow hostname listing fits the modern DBL model. If abuse appears across multiple hostnames, the domain lacks trusted history, or the domain itself looks tied to the activity, the parent domain can be listed.
My final answer is simple: use subdomains because they improve control and investigation, but do not rely on them as a shield. Check the exact DNS label, the parent domain, and every domain that appears in the message. Then fix the underlying sending, web, and authentication causes before treating delisting as complete. For the broader effects of a blocklist or blacklist event, see what happens when not sending emails still leads to a DBL listing.
