The estate at a glance
Every figure below is computed at render time from the captured dataset.
Three views of the same problem
Exposure measured by mailbox volume, by severity, and by the gap between what was sold and what is running.
Mailboxes by verdict
Risk-band split
Provider → actual pool
Key findings
Six observations, each independently sufficient to depress delivery to the inbox.
All 90 domains were registered on the same day, 2025-04-24. One registrant (“a single registrant”), NameCheap, across two roughly three-minute automated bursts — the textbook signature of snowshoe spamming. Forty-seven distinct names appear across the ninety domains, and every domain expires on the same day.
“Infra.email” is in fact Microsoft 365 shared outbound. Sixty domains and 5,030 mailboxes route through it with no IP isolation, operating against Microsoft 365’s anti-bulk terms — there is no dedicated reputation to protect or rebuild.
5,000 of 5,120 mailboxes (97.7%) publish DMARC p=none. The policy is published but not enforced — it tells receivers to take no action on failures. All of these sit on the Infra.email pool.
17 domains are already SURBL-listed (127.0.0.64). That places 1,700 mailboxes on domains that are publicly blacklisted today — mail from them is filtered before content is ever evaluated.
No compliant one-click unsubscribe. Unsolicited income-opportunity copy is being sent to personal consumer inboxes — independent CAN-SPAM exposure compounded by Google/Yahoo February-2024 bulk-sender failures.
30 domains carry weak SPF (~all softfail); 28 have no working website or TLS. The supporting web presence and authentication posture do not meet the baseline receivers now expect.
Action register
The full ninety-domain disposition. Search, filter, sort by risk, and open any row for the underlying evidence.
| Provider | Actual pool | Registered | SPF | DMARC | Blacklist | Verdict |
|---|---|---|---|---|---|---|
A 90-day path back to the inbox
Remediation in three deliberate phases. The current estate is not rebuilt — it is retired, and reputation is re-earned from a clean base.
Stop the bleeding
Halt the harm before any rebuild is attempted. Nothing on the current estate is worth defending in its present state.
- Pause all sending from the 17 blacklisted domains immediately.
- Suspend the unsolicited income-opportunity campaigns to consumer inboxes.
- Stop onboarding new mailboxes onto the shared Microsoft 365 pool.
- Notify stakeholders that the estate is being retired, not patched.
Rebuild the base
Stand up a clean, isolated sending foundation that does not inherit any of the snowshoe provenance or shared-pool reputation.
- Acquire domains over time from varied registrars — no single-day bursts.
- Move to dedicated, IP-isolated infrastructure with real reputation.
- Deploy enforced authentication: SPF hardfail, DKIM, DMARC p=reject.
- Restore legitimate websites with valid TLS for every sending domain.
Re-earn reputation
Reputation is earned through behaviour, not configuration. Warm gradually and prove legitimate engagement to the receivers.
- Warm new domains slowly with low, rising volume to engaged recipients.
- Operate compliant one-click unsubscribe and honest sender identity.
- Monitor placement, complaint and bounce rates against Google/Yahoo thresholds.
- Scale only as inbox placement and engagement metrics confirm trust.
Methodology — external, passive, read-only.
Captured 2026-05-19 via dig / whois / RDAP / curl / DNSBL. Every figure in this report is reproducible from the raw dataset; no privileged access, mailbox content or sending credentials were used or required.
Stated limitation. Because the estate sends through shared Microsoft 365 and Google egress, the specific outbound IPs are not externally enumerable. Findings on shared-pool reputation are therefore conservative — the true exposure on those IPs may be greater than what passive measurement can confirm.
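The SPF, DMARC and SURBL findings above can be re-derived from the captured DNS answers alone. The sketch below is an added example, not the report's own tooling: the domains, record strings, function names and finding labels are constructed for illustration, and treating a 127.0.0.1 SURBL answer as a non-listing is an assumption.

```python
import re

# Constructed sample capture (placeholder domains): TXT strings as returned by
# `dig +short TXT`, and the A answer of a SURBL lookup (None = NXDOMAIN).
CAPTURE = {
    "a.example.test": {"spf": "v=spf1 include:spf.protection.outlook.com ~all",
                       "dmarc": "v=DMARC1; p=none; rua=mailto:d@a.example.test",
                       "surbl": "127.0.0.64"},
    "b.example.test": {"spf": "v=spf1 ip4:192.0.2.10 -all",
                       "dmarc": "v=DMARC1; p=reject",
                       "surbl": None},
    "c.example.test": {"spf": None,
                       "dmarc": "v=DMARC1; p=quarantine",
                       "surbl": "127.0.0.1"},
}

def spf_all_qualifier(txt):
    """Qualifier on the SPF 'all' mechanism, or None if no record or no 'all'."""
    terms = (txt or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare "all" defaults to pass
    return None

def dmarc_policy(txt):
    """Value of the p= tag, or None when the record is missing or not DMARC1."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def findings(rec):
    out = []
    q = spf_all_qualifier(rec["spf"])
    if q != "-":                       # anything short of hardfail is flagged
        out.append("spf-no-policy" if q is None else f"spf-weak({q}all)")
    p = dmarc_policy(rec["dmarc"])
    if p in (None, "none"):            # published but not enforced, or absent
        out.append("dmarc-missing" if p is None else "dmarc-not-enforced")
    # Assumption: 127.0.0.1 signals a refused query, not a listing; any other
    # 127.0.0.x answer (such as 127.0.0.64 in the report) counts as listed.
    s = rec["surbl"]
    if s and s.startswith("127.0.0.") and s != "127.0.0.1":
        out.append("surbl-listed")
    return out

def audit(capture):
    return {domain: findings(rec) for domain, rec in capture.items()}
```

Calling `audit(CAPTURE)` returns one list of finding labels per domain; an empty list means the domain passed all three checks.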