The Problem with TLD Reputation: Why .xyz and .top Domains Get Blocked
Not all domain extensions are created equal. While .com, .org, and country-code TLDs like .nl or .de have generally good reputations, newer generic TLDs like .xyz, .top, and .click are disproportionately used for spam and phishing.
The numbers
Studies consistently show that certain TLDs have spam ratios far above average:
| TLD | Typical use | Spam association |
|---|---|---|
| .xyz | Generic, cheap registrations | Very high — frequently used for throwaway spam domains |
| .top | Generic | Very high — one of the most abused TLDs |
| .click | Marketing | High — phishing and redirect domains |
| .buzz | Generic | High — low barrier to registration |
| .icu | Generic | High — bulk-registered for spam campaigns |
| .club | Community | Moderate-high — mixed legitimate and spam use |
| .loan | Finance | Very high — almost exclusively spam/scam |
| .work | Professional | High — commonly used for phishing |
Why this happens
The core reason is economics. These TLDs often cost under $1 to register. Spammers buy them in bulk — hundreds or thousands at a time — use them for a single campaign, and abandon them when they get blacklisted. The low cost means there is no incentive to maintain a domain's reputation.
Contrast this with .com domains ($10-15/year) or country-code TLDs that require local presence verification. The higher cost and administrative barriers act as a natural spam deterrent.
Should you block entire TLDs?
It depends on your risk tolerance:
- If you rarely receive legitimate email from these TLDs — Yes, blocking them eliminates a significant source of spam with minimal false positives
- If you work in tech or international business — Be cautious. Some legitimate startups use .xyz (notably Alphabet/Google owns abc.xyz), and some international contacts may use unusual TLDs
Filtering by TLD in Cleanbox
Create a filter with a regex pattern:
- Component: From (address)
- Operator: matches (regex)
- Value: \.(xyz|top|click|buzz|icu|club|loan|work)$
- Action: Deny
This blocks email from any sender on these TLDs. If you want to be less aggressive, combine it with a spam score condition:
- Group 1: From matches the TLD regex above
- Group 2: Spam score greater than 1
- Logic: ALL (both must match)
This only blocks suspicious-TLD email that also has a positive spam score, allowing the rare legitimate email from these TLDs through if it passes all other checks.
Several of our filter samples already include TLD-based blocking: "Block suspicious attachments from shady domains" and "Block forwarded messages with suspicious attachments" both use this regex pattern.
A note on fairness
Blocking by TLD is a blunt instrument. There are legitimate businesses and individuals on every TLD, including the problematic ones. If you use TLD blocking, consider whitelisting specific contacts who use these domains — whitelisted contacts bypass all spam checks and filters.
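The TLD-only filter, the combined spam-score filter, and the whitelist bypass described above, modelled as an added Python example (not Cleanbox's own code). The `decide` helper, the case-insensitive match, and the sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# TLD pattern from the filter above. IGNORECASE is an assumption of this
# sketch: domain names are case-insensitive, so "SHOP.CLICK" should match too.
TLD_RE = re.compile(r"\.(xyz|top|click|buzz|icu|club|loan|work)$", re.IGNORECASE)

def sender_address(from_header):
    """Reduce a From header to the bare address so `$` lands on the TLD."""
    _name, addr = parseaddr(from_header)
    return addr.strip().lower()

def decide(from_header, spam_score, allowlist=frozenset(), require_score=True):
    """Hypothetical model of the filter: returns 'deny' or 'allow'."""
    addr = sender_address(from_header)
    if addr in allowlist:                  # whitelisted contacts bypass filters
        return "allow"
    tld_hit = bool(TLD_RE.search(addr))    # Group 1: From matches the TLD regex
    score_hit = spam_score > 1             # Group 2: spam score greater than 1
    if require_score:                      # Logic: ALL (both must match)
        return "deny" if tld_hit and score_hit else "allow"
    return "deny" if tld_hit else "allow"  # TLD-only variant

# Constructed sample messages: (From header, spam score)
SAMPLES = [
    ("Promo <offer@cheap-deals.top>", 4.2),  # listed TLD, scored as spam
    ("newsletter@startup.xyz", 0.0),         # listed TLD, clean score
    ("INFO@SHOP.CLICK", 2.5),                # upper-case domain
    ("billing@xyz.example.com", 5.0),        # "xyz" is a label, TLD is .com
    ("friend@smallstudio.xyz", 3.0),         # allowlisted contact
]
ALLOWLIST = frozenset({"friend@smallstudio.xyz"})

def run_samples(require_score=True):
    """Evaluate every constructed sample and return the verdicts in order."""
    return [decide(f, s, ALLOWLIST, require_score) for f, s in SAMPLES]

if __name__ == "__main__":
    for (frm, score), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:5}  score={score:<4} {frm}")
```

The pattern is anchored with `$`, so it only works against the bare address: applied to a full header such as `Promo <offer@cheap-deals.top>` it finds nothing because the string ends in `>`.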