What are URI (link-based) blocklists?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

URI blocklists track the domain names that appear inside the body of your email, not the IP you sent from or the domain you sent as. If a recipient sees a link like bit.ly/xyz or yourtrackingdomain.com/click?id=123, a URI blocklist checks that domain against a list of known-bad places. If it matches, the filter can junk or reject the message no matter how clean your sending reputation is.

The big ones to know:

  • SURBL - Spam URI Realtime Blocklist. Aggregates domains seen in spam, phishing, and malware payloads.
  • URIBL - similar idea, runs its own crawlers and trap network.
  • Spamhaus DBL (Domain Block List) - Spamhaus's URI list. Used by basically every serious filter. See the Spamhaus DBL FAQ for what gets a domain listed.
  • Spamhaus ZRD for brand-new domains, AuthBL for abused authentication systems, and content scanners inside Gmail and Microsoft that consume these feeds plus their own internal lists.

This is a different problem from getting your sending IP or your From: domain blocklisted. A URI listing punishes anyone who puts that domain in their email, even if your authentication is perfect and your complaint rate is zero. We see this hit legitimate senders three ways:

  1. Public link shorteners. Spammers love bit.ly, tinyurl, goo.gl-style services because they hide the destination. Filters know this and treat shortener domains with suspicion. Some shorteners get fully listed on URIBL when abuse spikes.
  2. Shared tracking domains from your ESP. If your ESP uses a single tracking domain for thousands of customers (think email.sendgrid.net style), one spammer on that shared domain can taint everyone else's clicks. This is why serious ESPs let you set up a custom tracking domain on your own subdomain.
  3. Linking to a site that got compromised. You linked to a partner's blog post six months ago. The partner got hacked, the site started serving malware, the domain got DBL'd. Your old campaign now hits the listing on every resend.

How to check if a domain you link to is listed

Don't wait to find out from a bounce. Pull every domain that appears in your last 30 days of sends (CTAs, footer links, tracking domains, images, unsubscribe) and check them. Free tools:

  • MXToolbox blacklist check - paste a domain, it queries SURBL, URIBL, DBL, and dozens more.
  • Spamhaus lookup at spamhaus.org/lookup - hits DBL directly.
  • multirbl.valli.org - 200+ DNSBL and URIBL sources in one shot.

For ongoing monitoring, query the lists directly over DNS. To check if example.com is on SURBL, look up example.com.multi.surbl.org. If it returns an A record (usually 127.0.0.x), it's listed. The return code tells you which sub-list flagged it. Same pattern for DBL: example.com.dbl.spamhaus.org. Cheap to script, runs in seconds.

What to do if a domain you use gets listed

  • If it's your own domain: go to the blocklist's delisting page (SURBL, URIBL, and Spamhaus all have self-service forms). Fix whatever caused the listing first - compromised page, open redirect, an affiliate program that's letting spammers through. Listing again 48 hours later means you didn't actually fix the root cause.
  • If it's a shortener or a third-party domain you don't control: stop using it. Switch to a tracking subdomain on a domain you own (click.yourbrand.com). You control the reputation, you control the fix.
  • If it's a partner or vendor link: ping them, tell them which list flagged them and which URL is hitting the listing. Most legitimate operators don't know until someone tells them.

The rule of thumb: every link in your email is a piece of your reputation surface, not just your From: domain and your IP. URI blocklists are how filters enforce that. If you want to understand where URI lists sit in the bigger filtering picture, see how MBPs work with blocklists and anti-abuse orgs and what the main anti-abuse networks actually do.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Learn how link blocklists work and how to avoid them.

I included links in my emails and just found out about URI blocklists. How do these work? If my links get flagged for being in spam campaigns (even if I'm legitimate), how do I get them delisted? Are there domains I should avoid linking to?

Edit the yellow boxes, then send to the AI of your choice.