What are typotraps or honeytraps?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Picture this: someone signs up for your list and types "user@gmial.com" instead of "user@gmail.com". You never confirm the address. You just add it. Months later, that typo gets you flagged. That's a typotrap in action.
Typotraps are email addresses built on misspelled versions of popular domains. Think @gmial.com, @yaho.com, @hotmial.com. Nobody actually uses those domains for real email. They exist purely to catch senders whose lists contain unchecked typos. If you're hitting them, it means addresses joined your list without ever verifying they were real.
Honeytraps work differently. These are addresses deliberately planted on websites, forums, and public pages. Humans don't hand them out. Only scrapers and bots collect them. If one lands on your list, it's a signal that someone harvested addresses from the web, or that you bought a list from someone who did.
Both trap types sit quietly on your list until you send. Then they report you. Hitting either kind is enough to get your domain or IP flagged by blocklists like Spamhaus.
How to find and remove them
Start with confirmed opt-in. It's the single most effective defence against typotraps because the subscriber has to click a link in a real inbox. A misspelled domain never gets that confirmation email, so it never makes it onto your list in the first place.
For an existing list, here's a practical audit flow:
- Domain check. Export your list and look for addresses on domains that don't match any real provider. Domains with transposed letters, missing vowels, or extra characters are red flags. This can be done manually for small lists or with a validation tool for larger ones.
- Engagement check. Trap addresses never open, never click. If an address has zero engagement over a long stretch, treat it with suspicion. That's not proof, but it's a signal worth acting on.
- Validation run. A proper list validation process checks whether a domain has valid MX records and whether the address format resolves to anything real. Addresses on dead or suspicious domains get flagged for suppression.
- Suppression, not deletion. Once you identify a trap address, suppress it rather than simply deleting it. Deleting means it could re-enter your list if someone submits the same bad address again. Suppression keeps it blocked.
The root cause matters too. Typotraps point to a confirmed opt-in gap. Honeytraps point to a data acquisition problem. Fix the root, not just the symptom.
But if you're not sure how clean your current list is, we do list audits at RME. Or if something's already broken and you're seeing blocklist flags, our SOS hotline is free and we actually pick up.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.