Most blocklists target sending IPs. SURBL targets the URLs inside your email — and that changes everything about how you get listed and how you get off.
The first sign is usually the same. A few prospects mention they didn't see your email. Then a campaign that should have driven 30 replies drives three. By the time someone on the team thinks to check a blocklist lookup tool, the domain has been listed for weeks, and a meaningful chunk of the company's outbound mail has been quietly dying in transit.
When the listing in question is SURBL, the response we get from most senders is some version of: "But our IP is clean. Our SPF, DKIM, and DMARC all pass. We've never been flagged before. How are we on a blocklist?"
That confusion is the heart of the problem. SURBL doesn't care about your sending IP, and it doesn't really care about your authentication. It cares about the URLs inside your messages. Once you understand that, everything about why you got listed — and what it takes to get off — starts to make sense.
What SURBL Actually Is
SURBL stands for Spam URI Realtime Blocklist. Unlike IP-based blocklists such as Spamhaus or SORBS, which list the IP addresses or hostnames of mail servers sending unwanted messages, SURBL lists the domains and URLs that appear inside the body of unwanted messages. The distinction matters because it changes who can put you on the list and what makes a listing stick.
Here's the practical implication: if your domain is on SURBL and someone sends an email — from any IP, from any sending platform, with perfectly valid authentication — and that email contains a link to your domain, the message can be rejected outright. The recipient's mail server queries SURBL during message processing, sees that a URL in the body is listed, and bounces the message. You can buy a brand new dedicated IP, migrate to a different ESP, and rotate every authentication key, and none of it will help. The URL is what's listed.
SURBL itself is not a single blocklist. It's a composite that combines several specialized lists into one query. The categories that matter most for legitimate senders are the abuse list (domains associated with unsolicited messages), the phishing list (domains used in credential-harvesting campaigns), the malware list, and the cracked-resource list (legitimate websites that have been compromised and are now distributing malicious content). When senders ask "why am I on SURBL," the answer almost always traces back to one of those four categories, and the remediation depends entirely on which one.
The other thing worth understanding: SURBL is a community-run nonprofit, not a commercial vendor. There's no support ticket queue. There's no SLA. Decisions about listing and delisting are made by a small group of volunteers and researchers, distributed primarily across Europe but with members worldwide. The same kind of close-knit community that operates Spamhaus and SpamCop. This shapes the entire delisting process.
How Domains End Up on SURBL
In our experience there are three patterns that account for the overwhelming majority of SURBL listings. They look different from the outside, but the path to delisting is genuinely different for each, and getting the diagnosis right is the difference between a listing that resolves in days and one that drags on for months.
The compromised infrastructure pattern. A company's WordPress site, marketing CMS, or contact form gets exploited. Sometimes the attacker injects a hidden mail-sending script that uses the site's hosting infrastructure to send phishing or malware-laden emails. Sometimes a contact form gets abused as an open relay. The variant we see most often, though, has nothing to do with the website at all — it's an exposed or compromised ESP API key.
The pattern is consistent: a SendGrid API key (or the equivalent for another platform) ends up somewhere it shouldn't. Committed to a public GitHub repo. Sitting in a config file on a compromised employee laptop. Leaked through a third-party integration that got breached. The attacker scrapes or harvests the key, points it at the legitimate SendGrid account, and starts sending phishing or malware-laden mail through that account. Because the messages are authenticated against the customer's domain — DKIM signed with the real key, SPF aligned, From address the real From address — they pass every authentication check and look entirely legitimate to receiving mail servers. The customer doesn't see the volume because the attacker is smart enough to send through DKIM replay or directly to recipients at smaller mailbox providers that don't fully honor DMARC. By the time anyone notices that outbound replies have cratered, the domain is listed and the URLs in those phishing messages are sitting in SURBL's database.
We've worked with companies where this had been going on for weeks before anyone identified what was happening. The site itself was clean. The infrastructure was clean. The compromise was a single API key sitting in the wrong place. Once it was rotated and the unauthorized sending stopped, the SURBL listing remained — because the listing was never about the sending IP in the first place. It was about the URLs that had been distributed.
The cold outreach pattern. A company sends genuine-but-unsolicited business outreach — typically B2B sales, M&A, fundraising, or partnership pitches — to people who didn't ask for it. Most of the time those messages get ignored, deleted, or filed away. But a few recipients do something different: they forward the message to SURBL's reporting address with a note that they did not opt in to receive it. SURBL processes the report, extracts the sending domain and the URLs in the body, and adds them to the list. We've seen this happen to private equity firms doing junior-team outreach, to staffing agencies, to recruiters, and to early-stage SaaS companies running founder-led prospecting. The senders are usually shocked, because the volumes are low and the messages are written by humans, not generated by spam tools. None of that matters. What matters is that someone reported it as unsolicited and someone at SURBL agreed.
The spam trap pattern. SURBL operates spam trap networks — email addresses that exist solely to receive unwanted mail. Hit a spam trap and you've effectively self-reported. Most spam traps are old, abandoned email addresses that have been recycled into the trap network, which is one of the reasons we are so insistent about engagement-based sunsetting. If you keep sending to addresses that haven't engaged in 12 to 24 months, eventually some of those addresses are going to be spam traps, and once a trap operator at a community like SURBL sees mail from your domain hitting their network, your URL gets added to the list.
The first two patterns are by far the most common in the work we do. The third is more often a Spamhaus or UCEPROTECT problem than a SURBL one, but it does happen.
Why SURBL Listings Hurt More Than People Expect
When senders first discover a SURBL listing, the instinct is to compare it to other blocklist scenarios they've heard about — and to assume the impact will be similarly modest. SURBL is not Spamhaus. If you're on the Spamhaus SBL, between 60% and 70% of your mail is dead in the water overnight. SURBL doesn't carry that level of weight on its own, but it shows up in places that matter, and the failure mode is uniquely insidious.
Major commercial security gateways — Mimecast, Proofpoint, and similar — subscribe to SURBL as one input in a weighted scoring system. A SURBL listing on its own might cost you ten or fifteen points in a given filter's risk score. If you're also generating complaints, sending to inactive recipients, or hitting other negative signals, those points stack. Once you cross the filter's blocking threshold, your messages start getting quarantined — but only at the recipients running those gateways. Gmail and Outlook recipients might still be receiving your mail just fine. So the deliverability problem is partial, geographically uneven, and concentrated at exactly the kind of B2B prospects you most want to reach. Enterprise targets running enterprise security stacks are precisely the audience most likely to be filtering you.
![Multi-blocklist lookup result showing a domain listed simultaneously on SURBL multi, Spamhaus DBL, Swinog URIBL, Day Old Bread List, and other URI blocklists with the SURBL TXT record showing "Blocked on lists [abuse]"](https://cdn.prod.website-files.com/69d636305710fb5c1ef92d7a/69f0ddbec435676c395bdd8b_surbl-multi-uri-blocklist-cross-listings-multirbl.png)
The other failure mode is content-level filtering at the gateway. Even when a SURBL-listed URL doesn't trigger an outright block, some gateways will deliver the message but disable the links — they arrive in the inbox with the URLs stripped or rewritten so they don't resolve. Click-through rates collapse and nobody can figure out why. The standard deliverability metrics most teams watch don't surface the problem because the messages technically delivered.
And then there's the diagnostic difficulty. SURBL listings frequently produce SMTP 554 Message content rejected bounces or similar content-rejection codes. When a sender's IP looks clean and authentication passes, the team chasing the problem rarely thinks to check URI blocklists. We've seen companies spend weeks investigating IP reputation, asking their ESP to swap IP pools, and reviewing DKIM signatures, when the actual issue was a single URL listing that took ten minutes to identify with a SURBL lookup.
What SURBL Actually Tells You When You're Listed
The first reaction to a listing is almost always to email SURBL and ask why. The first response from SURBL is almost always unhelpful. We've seen versions of this message many times: a one-line note saying something like "your domain was reported for sending unsolicited mass emails, clean up your act." That's it. No detail. No specific message. No clear path forward.
If you push back and ask for specifics, you might — eventually — get a redacted version of the original report. A subject line. A date. A blurred sender address. The category they assigned. Sometimes language like "this was not a third party spam sent from your account via unauthorized IPs — it was advertising your company." That phrasing is itself useful information because it tells you the listing came from genuine outreach, not a compromise.
The reason the responses are so terse is partly a function of how the volunteer community operates. SURBL's people are running spam trap networks and list maintenance in their spare time. They aren't a customer support organization. They aren't motivated to walk you through the evidence. Their model assumes the burden of proof is on the sender to demonstrate that the listing is incorrect or that the underlying behavior has been remediated.
Which is exactly why most senders who try to handle the delisting themselves get nowhere. They argue. They explain that they're a legitimate company. They demand to see the report. None of that moves the listing. What moves the listing is concrete evidence that the root cause has been addressed and that the sending behavior has changed.
How to Actually Get Off SURBL
The remediation path has four steps and the order matters. SURBL won't delist a domain if the underlying issue hasn't been fixed, and applying for removal before you've cleaned up the cause will get the request denied — which makes the next attempt harder, because you've now signaled that you don't understand what got you listed.
Step one: identify the listing precisely. Use the official lookup tool at surbl.org/lookup and check which specific sub-list your domain is on. The sub-list determines the remediation. A phishing (PH) listing means your domain or your website is suspected of credential harvesting, which usually points to a compromise or a fraudulent page hosted somewhere on your infrastructure. A cracked (CR) listing means your legitimate site has been compromised and is hosting malicious content without your knowledge — common with WordPress sites that have outdated plugins. An abuse (AB) listing means your sending behavior triggered the report — usually unsolicited outreach or spam trap hits. Each one has a different fix.
Step two: fix the root cause. If you're on a CR or PH listing, the website itself needs a security audit, but the audit needs to extend beyond the site to every credential and integration that can send mail on the domain's behalf. We've worked with clients to scan and clean compromised WordPress installations, identify and rotate exposed ESP API keys, audit SendGrid (and equivalent) accounts for unauthorized sending activity, harden contact forms against abuse, and lock down access to the DNS zone itself. The work isn't finished until you can demonstrate that the attack vector is closed and that no credentials are still circulating in places they shouldn't be.
If you're on an abuse listing tied to outreach, the fix is operational, not technical. You need to change something concrete about who you're sending to, what you're saying, and how often. That might mean tightening your audience list, removing recipients who never engage, dropping the volume per sender, or restructuring your outreach to be more clearly opt-in. We rarely recommend sweeping changes — the goal is to identify the smallest set of changes that addresses the specific concern, because the more dramatic the change, the harder it is to operate the business afterward.
Step three: enforce email security on the sending domain. This step gets skipped constantly, and it's the one that prevents recurrence. If your DMARC policy is set to p=none or p=quarantine rather than p=reject, anyone on the internet who can spoof your domain can send mail that looks like it came from you — and any of that mail can hit a spam trap or trigger a report that gets your domain listed all over again. We've seen clients work through one SURBL remediation only to face a second listing months later because the domain was being abused for spoofing while the team focused on the sending behavior of their own employees. Move DMARC to p=reject. Set up MTA-STS. Lock down the DNS zone with DNSSEC. Audit which applications have access to send mail through your Google Workspace or Microsoft 365 tenant — we've found accounts with more than a dozen third-party apps connected, several of them unsecured (no SSL certificates, sourced from regions with limited oversight), several of them clearly abandoned. Each one is an attack surface. Close them.
Step four: submit the delisting request with documentation. Once the cause is fixed and the security posture is shored up, the delisting request itself is the easy part. But what you say in it matters. Don't argue. Don't explain why the listing was wrong. Document what you found, what you removed, what you changed, and what you've put in place to prevent recurrence. SURBL's reviewers see a lot of "I don't know why I'm on the list, please remove me" requests. They see far fewer that say "we identified an exposed SendGrid API key being abused for unauthorized sending, rotated all credentials, audited the account for residual access, moved DMARC to reject, and verified the unauthorized traffic has stopped." The second kind gets delisted. The first kind doesn't.
Across the work we've done with clients facing SURBL and similar URI blocklist listings, this approach has consistently produced delistings — often within a few weeks of the remediation being in place. The pattern that fails is the one that tries to skip step two or three.
Why "Just Spin Up a New Domain" Is Usually a Bad Idea
When senders learn that SURBL listings stick to the domain rather than the IP, the first idea is almost always to register a new domain and redirect outbound mail through it. We understand the appeal. It feels like a clean slate. It usually isn't.
New domains are inherently untrustworthy from the perspective of mailbox providers. The internal Google statistic that gets cited in deliverability circles is that 98% of newly registered domains are purpose-built spam operations. Gmail's filters know this and apply heavy scrutiny to mail from any domain that's less than a few months old. The 2% of legitimate senders trying to start a business get caught in the same scrutiny, which is why a new domain takes months to warm up and earn enough sending history to be trusted.
The problem compounds if the new domain is being used specifically for the type of outreach that caused the SURBL listing in the first place. Now you're running cold outbound from a domain with no reputation, no warmup, and content patterns that look exactly like what got you flagged before. The result is usually worse deliverability, not better.
There are scenarios where a domain split makes sense — typically when you want to separate transactional and marketing traffic, or when a subdomain strategy is being used to isolate risk. But spinning up a look-alike domain to evade a SURBL listing is rarely the right move. Fix the original domain. The infrastructure for fixing it is mature, the path is well-understood, and the result is durable.
What This Looks Like in Practice
A typical engagement starts with a domain that's been on SURBL for several weeks and a sender who's already exchanged a few unhelpful emails with the listing community. The first call is mostly forensic: we look at the website, the DNS zone, the email infrastructure, the application access, the credential hygiene, and the sending patterns of the last 90 days. In nearly every case we find at least one of these: a compromised CMS, an exposed or leaked ESP API key being abused for unauthorized sending, missing or weak DMARC enforcement, third-party apps with unnecessary access, or a sending pattern that — while legal and good-faith — was visibly going to generate complaints if it continued.
The remediation plan that comes out of that audit is usually a combination of a one-time cleanup, a permanent infrastructure change, and an operational adjustment. The cleanup might be rotating an exposed API key, removing unauthorized access from an ESP account, or pulling a malicious plugin out of WordPress. The infrastructure change might be moving DMARC to enforcement, adding MTA-STS, and locking down the application access list. The operational change might be reducing volume on cold outreach, switching to a more clearly opted-in audience, or restructuring how outbound campaigns are reviewed before they go out.
After two to four weeks of the new behavior in place, we go back to SURBL with documentation. The delisting almost always happens at that point. The work that remains is making sure it doesn't happen again — which usually means keeping enforcement on, monitoring the sending domains in Google Postmaster Tools and the SURBL lookup, and flagging any new third-party app access that could become a future vector.
If your domain is currently listed on SURBL and your outbound mail is suffering, the right next step is a focused investigation — not another delisting request. SH Consulting works with companies on exactly this kind of remediation, including the security audit, the DNS and authentication work, and the delisting submissions to the URI blocklist communities. You can read more about what we do at https://www.sh.consulting, or book a 30-minute call to walk through your specific situation.
