Many online activities relate back to domain names, in one way or another. With that, rich insight can be gained from this hive of activity. But how can you take advantage of this intelligence? This blog post will discuss various applications across multiple areas within the industry, including defenders, network administrators, email administrators, and email senders.

A quick recap on domain reputation

If you’re unfamiliar, a good place to start is our beginner’s guide to domain reputation. In essence, threat intelligence data provides a valuable indicator of if, when, and how you should engage with a domain.

As with any form of reputation, domain reputation is not binary, i.e., excellent or terrible. There are all shades of grey between. Gaining context behind the reputation score enables effective protection, prioritization, and mitigation.

There are multiple use cases, but before we dig in, there’s an important distinction to note. Think of domain reputation as having two ‘levels’:

  1. A simple ‘yes’ or ‘no’ indicator of whether it’s safe to engage with the domain. This data is best suited to blocking connections, for example, with email and DNS resolver applications.
  2. Context-rich metadata providing dynamic threat intelligence. This is best suited to aiding investigations, monitoring trends, informing decisions, and prioritizing.

Domain reputation for defenders

For Security Operations Centers (SOCs), it’s fundamental to identify and prioritize relevant threats and risks. But with so many risks and often underfunded departments, there’s real pressure to deliver efficiently, with limited resource. Domain reputation data is a cost-effective asset to utilize. Here’s why:

Prioritize live threats 

Take malware on your network, attempting a connection to download another module. It’s set up to attempt hundreds of connections, most to benign websites, to try and obfuscate the real connection to the malicious host.

Using domain reputation, you can find out the reputation of the whole log. From the hundreds of connections, it will highlight which domains are bad in real time. It will also provide details of the malicious activity, e.g., the associated behavior, when it was last seen, related IPs, and much more. This data provides the necessary intelligence to free resources from manual investigation and enables fast, effective remedial work through accurate prioritization.

Proactively mitigate

One reason domain data is so valuable is the ability to detect relationships from one domain to another. The vast majority of malicious activity is automated by computers – leaving a fingerprint of patterns to uncover relationships. So from a single malicious domain, threat researchers can sometimes discover hundreds more.

Domain reputation data gives you proactive insight into threats before any action takes place, keeping you one step ahead in preventing harm to your organization.

For network administrators

Keeping an organization’s network secure in today’s environment, with more devices coming online, in increasingly disparate locations, is an unenviable task. Using domain data at the DNS level will lighten the burden by automatically blocking or redirecting connections to malicious sites.

Blocking malicious connections

Whether a user tries to access a phishing site, or a botnet or malware on your network attempts a connection to its command and control, threat intelligence data can automatically identify and block these connections with great accuracy. So it’s not surprising many insurance companies will reduce premiums if you have protection in this way.

By utilizing domain, IP, and/or nameserver threat feeds via your DNS resolver through response policy zones (RPZs), you gain the ability to block connections automatically. The recursive server queries the threat feeds to see if the domain is listed. Where it is, communications are blocked or redirected, maintaining network security. It is worth noting though, not all botnet C&Cs or malware rely on domain names. For comprehensive protection, threat feeds should also be implemented at the router/firewall level. Learn more here.

Validating events

Depending on the team size, network administrators may also need to validate or further research these events – for example, prove a suggested false positive is, in fact, malicious. In this scenario, the rich metadata available can be utilized to gain more insight and context into each malicious domain.

For email administrators

Using domain data via DNS blocklists (DNSBLs), you are able to filter email content and create a proactive way to protect your email stream.


The data you consume as DNSBLs is created by researchers who are able to determine patterns and relationships between domains. They can assess if a domain is malicious before it’s used in the wild, for example, from the date of registration or patterns in the domain name’s format.

This provides users with proactive protection, not just reactive. Similarly, where domains are newly registered and already sending emails, it’s highly likely there’s malicious intent. Again, domain data allows you to proactively block these communications, keeping you ahead of the threat.

For senders

For senders, particularly ESPs, domain reputation can offer you and your customers significant protection and insight through the whole lifecycle, from sign-up to ongoing management:

  • Customer vetting: where you have customers sign up – be that online, by email, or telephone – domain reputation can shed light on the prospect’s profile and indicate whether they are to be trusted. The valuable insight the data will give you can inform you how to proceed and whether you want them to use your infrastructure.
  • Onboarding: following the above, make proactive decisions based on reputational signals for managing customers, i.e., pooling customers according to risk. You can protect your most valued customers from being in an IP space with lesser-known, more reputationally risky customers.
  • Monitoring: with customers constantly changing their tactics and approaches, you can’t rely on how they behave initially. None more so than if a malicious actor is trying to mask their real activity. Domain reputation data provides a view of any degradation in reputation so that organizations can act before they have harmful impact.
  • User experience: when crafting email campaigns, or individual emails, anywhere a domain is being used, be that the “to:address”, “from:address”, or in the body of the email, the domain can be checked. Users can get a real-time alert as they create emails, highlighting if the domain is of concern so they can take the appropriate action.
  • Customer support: alternatively, rather than offering customers insight as they’re creating, emails can be assessed for signs of unintended (or intended!) maliciousness before they leave your mail server. Where a domain is listed, the email can be blocked. This keeps your infrastructure safe and provides a valuable touch point for customer support to offer a positive, teachable moment.

The versatility of domain reputation data

As you’ve seen, the application of domain reputation is varied, and we frequently learn about new and creative ways the data is being used. Safe to say, anywhere a domain is used, domain reputation data can be used too. Be that to get a binary answer of whether a domain can be trusted, or to gain detailed insight into that domain to supplement further research, investigations, and ongoing management.

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in

Data Query Service (DQS)

Spamhaus’ Data Query Service (DQS) is an affordable and effective solution to protect your email infrastructure and users.

Using your existing email protection solution, you will be able to block spam and other related threats including malware, ransomware, and phishing emails.

The service has never failed and utilizes the longest established DNSBLs in the industry.

  • Proactive & preventative
  • Save on email infrastructure & management costs
  • Actionable

Border Gateway Protocol Firewall

Border Gateway Protocol (BGP) Firewall provides your users and network with up-to-date protection against botnets and other external attacks.

Set up takes minutes; our data is constantly updated in real time by our experienced researchers on your behalf and can be utilized in your existing firewalls or routers.

  • Prevent data exfiltration
  • Protect your network from botnets
  • Reduce infected machines on your network

DNS Firewall Threat Feeds

Applied at the DNS level of your infrastructure, these threat feeds automatically stop users from accessing malicious sites including phishing and malware dropper websites.

These threat feeds can be integrated with existing recursive DNS servers, or for those who don’t manage their own DNS, we have a managed service available.

  • Reduce IT costs
  • Set and forget
  • Save money on risk insurance


When it comes to your web domains, put the controls back in your hands

29 March 2023


Choosing a domain name registrar may seem simple, but considering security risks in the domain and DNS ecosystem is crucial. In this blog post, Vincent D'Angelo, Global Director at CSC, shares insight into the role of domain registrars in domain ecosystem security and reputation.

Understanding top-level domain (TLD) abuse helps illuminate and predict domain threat trends

23 March 2023


The Domain Name System (DNS) is the backbone of the internet, enabling agile communication between internet entities. This blog post will focus on top-level domains (TLD), and how they can impact the security landscape.

Best practice for owners of a newly registered domain: PART 3

11 March 2023

Best practice

Nurture your new domain and successfully build its reputation to ensure it’s an asset for the long term, not just the next 10 minutes. Learn how in this best practice.