Email Spam Statistics: How Spammers Use Multiple Domains & 2030 Predictions

1. About This Email Spam Domain Report

This report is exceptionally fresh and built on the latest available data from trusted, reputable industry sources active through early 2026, including Spamhaus, Kaspersky, Interisle Consulting Group, the Cybercrime Information Center, and the M3AAWG-sponsored Cybercrime Supply Chain series.

It goes considerably deeper than standard spam benchmark summaries by combining raw statistics, cross-source validation, sender-domain behavioral analysis, domain-pattern segmentation, and original interpretive commentary grounded in the mechanics of how modern spam operations acquire, deploy, rotate, and discard sending domains.

Unlike general spam overviews, this report takes domain infrastructure as its primary unit of analysis. It examines how spammers treat domains not as stable identities but as disposable operational assets — registered cheaply, configured quickly, escalated to full volume, burned when detected, and replaced with the next domain in a pre-warmed reserve pool. This perspective transforms the study of spam from a simple volume exercise into an infrastructure analysis that reveals the industrial character of contemporary spam operations.

The report includes a unique forward-looking forecast for 2026–2030 based on historical spam-domain volume indicators, domain abuse registration trends, TLD churn patterns, filtering improvement trajectories, and AI-enabled spam scaling evidence. These forecasts are not guesses. They are modeled projections with conservative, moderate, and aggressive scenarios, each with explicit assumptions and stated limitations that distinguish evidence-based extrapolation from original reasoned analysis.

Throughout the document, readers will find extensive original visuals: volume trend charts, TLD abuse score comparisons, spam source country rankings, spam domain lifecycle models, rotation pattern radar diagrams, bulk registration comparisons, and scenario forecast graphs. These visuals are designed to make complex spam-domain infrastructure behavior immediately understandable to researchers, practitioners, content creators, and platform teams.

All insights are grounded in verifiable, cited data sources, with transparent discussion of methodology, source quality, dataset scope, vendor bias risks, and data gaps. No figures in this report are fabricated or extrapolated without clear disclosure.

Scope note: This report focuses exclusively on spam-domain infrastructure: unsolicited bulk email, graymail, nuisance campaigns, sender-domain rotation, disposable domains, and spam-related TLD/registrar behavior. Phishing, credential theft, malware, ransomware, business email compromise, and email account compromise are excluded and covered separately in our email hacking and phishing research.

For phishing trends, compromised email accounts, credential theft, quishing, AI phishing, deepfake phishing, and business email compromise, see our separate report on email hacking statistics.

2. Executive Summary

The key findings of this report, drawn from data spanning 2024–2026, are:

• Spam remains nearly half of all email traffic. Kaspersky's 2025 telemetry clocks spam at 44.99% of all global email, while other estimates range from 46.8% to 48%, converging around 169–176 billion spam emails per day.
• Spam is growing in absolute volume even as its percentage of total traffic fluctuates.Total email volume hit 376.4 billion messages/day in 2025, up from 362 billion in 2024. This growth in legitimate email dilutes spam's percentage share while absolute spam volumes continue rising.
• Domain-based spam infrastructure expanded dramatically in 2025. Between September 2024 and August 2025, Interisle Consulting Group detected 19.5 million unique domains used in cybercrime attacks — including spam — up 126% from 8.6 million the prior year. Spam alone more than doubled year-over-year in event count.
• Bulk domain registration is the cornerstone of modern spam operations. Over 7.3 million cybercrime domains were registered in bulk during the 2024–25 study period, a 177% increase over the prior year. Spammers routinely pre-register hundreds to thousands of domains at one time, often through permissive registrars at sub-$1 per domain.
• New generic TLDs are disproportionately exploited. Despite holding only 12% of the total domain market, new gTLDs (nTLDs) accounted for nearly 47% of all cybercrime domains reported in the 2024–25 study period. The .top, .bond, .xyz, .cc, .vip, and .icu TLDs top the abuse rankings.
• Domain churn is a documented, measurable phenomenon. In the .bond TLD, new domain registrations during October 2025–March 2026 equaled 98.57% of the TLD's entire zone size — a sign of near-total turnover characteristic of disposable domain operations. This pattern extends to .lol (71.7%), .cyou (56.3%), .sbs (52.6%), and .shop (39.4%).
• The spam domain lifecycle is an industrial workflow. Evidence from domain lifecycle research, outbound infrastructure guides, and Spamhaus reporting shows that spam operators maintain organized pools of pre-warmed domains, rotate them on schedules tied to blocklist detection, and can resume campaigns without interruption.
• User-level blocking fails fundamentally against domain rotation. Blocking a sender's domain has no durable effect when the operation carries 50 to 500+ more domains behind it. Each block consumes user attention but leaves the infrastructure untouched.
• Automation is accelerating spam-domain scaling. AI-assisted content variation and automated domain setup make it easier for spam operations to rotate sender identities, but this report focuses on the domain infrastructure behind spam rather than phishing content or credential-theft tactics.
• ICANN, registrars, and blocklist operators are beginning to target associated domain clusters rather than individual domains, marking a critical shift in anti-spam enforcement strategy.

3. Key Statistics Table (2024–2026)

4. Methodology and Source Quality

Primary Sources Used

This report draws exclusively from primary or near-primary sources:

• Spamhaus Domain Reputation Updates (Oct 2024–Mar 2026): These semi-annual reports are compiled from zone file data, passive DNS, SMTP telemetry, and human analysis by Spamhaus researchers. They cover new domain registrations, malicious domain detections by TLD and type, and trending abuse terms. Coverage is not exhaustive — GDPR-related limitations on WHOIS/RDAP data create gaps, and the data reflects what Spamhaus has visibility into, not total internet-wide abuse.
• Kaspersky 2025 spam telemetry: Used only for spam-share and spam-source-country statistics. Phishing findings from this source are not analyzed in this report.
• Interisle Cybercrime Supply Chain 2025: Sponsored by M3AAWG, APWG, and CAUCE. Analyzed over 26 million unique cybercrime events including spam, malware, and phishing between September 2024 and August 2025. Collects domain and IP data from 11 threat intelligence services. Published November 2025. Limitation: categorizes spam as one cybercrime category; some overlap with phishing in domain usage cannot always be separated.
• Cybercrime Information Center Spam Activity Reports: Collects spam domain reports from Spamhaus, SURBL, and Invaluement blocklists; enriches with ICANN, registrar, and routing data. Publishes quarterly TLD and registrar rankings. Limitation: focus on gTLD domains; ccTLD coverage varies.
• emailwarmup.com Spam Statistics 2025: Secondary aggregation of multiple sources including Statista for volume figures and cross-referenced spam percentages. Useful for volume trend data but relies on third-party datasets.
• Academic papers: Includes work from Purdue University, Georgia Tech, and NLP conference proceedings on spam campaign clustering and behavioral blacklisting.

Terminology Note on "Spam" vs. "Cybercrime Domains"

Several sources, particularly Interisle and Cybercrime Information Center, aggregate spam-reported domains with phishing, malware, and other cybercrime categories. Where statistics include combined cybercrime figures, this report notes it explicitly. Domain-specific spam statistics (as distinct from phishing or malware) are used where available; combined figures are used only where disaggregation is not possible.

Where source datasets combine spam, phishing, and malware domains, this report uses the data only to explain spam-domain infrastructure: sender-domain rotation, disposable domains, bulk registration, TLD abuse, registrar patterns, and blocklist behavior. For phishing-specific domain behavior, credential theft, quishing, AI phishing, deepfake-assisted attacks, business email compromise, and account takeover, see our separate report on email hacking statistics.

5. Key Definitions

Spam email: Unsolicited bulk email sent without meaningful consent from the recipient. In this report, spam refers primarily to commercial spam (fake offers, promotional spam, subscription spam, adult/gambling advertising, nuisance bulk mail) rather than malware distribution or credential phishing — though those often overlap at the infrastructure level.

Graymail: Email that is technically solicited (the recipient subscribed at some point) but is now unwanted, excessive, or poorly targeted. Graymail occupies the boundary between legitimate marketing and spam. It is relevant to domain analysis because graymail senders often employ domain rotation tactics borrowed from pure spam operators.

Unwanted bulk email (UBE): The technical term used by anti-spam frameworks for unsolicited bulk email. This report uses "spam" as the common equivalent.

Spam domain: A domain name used in the sending infrastructure of a spam campaign. This includes the Mail From domain (the RFC 5321 envelope sender), the From header domain visible to recipients, Reply-To domains, and URL domains embedded in email bodies. A single spam campaign typically uses dozens to thousands of such domains.

Sender domain: The domain appearing in the email's From header or envelope sender address. For spam detection, sender domain reputation is one of the primary filtering signals used by inbox providers.

Domain rotation: The deliberate practice of cycling through multiple sender domains across a campaign's duration. When a domain is flagged, blocked, or accumulates negative reputation, the operation switches to the next domain in its pool. Rotation may occur daily, weekly, or triggered by specific blocklist events.

Domain cluster: A group of domains controlled by the same spam operation. Members of a cluster share observable signals: similar registrant patterns, overlapping infrastructure (hosting ASNs, IP ranges, name servers), similar naming conventions (DGA-style strings or thematic variations), or shared sending behavior visible in blocklist reports.

Disposable or short-lived domain: A domain registered for a brief campaign window, expected to be abandoned within days to weeks. The cost of a disposable domain can be as low as $0.88–$1.88 for a full year's registration, making it economically viable to burn hundreds of domains per month.

Newly registered domain (NRD): A domain registered or first observed within a defined recent window. Spamhaus classifies NRDs within their Zero Reputation Domain (ZRD) dataset as having been registered or newly observed, and lists them for 24-hour monitoring periods since new domains appearing in email flows are a strong indicator of potential abuse.

Domain reputation: A composite scoring system used by inbox providers, blocklists, and security services to assess the trustworthiness of a sender domain. Signals include authentication record status, complaint history, domain age, sending volume patterns, engagement metrics, and association with known spam infrastructure.

6. Detailed Analysis

6.1 Overall Spam Volume: Context

Global spam volume provides essential context before examining domain-level patterns. According to Kaspersky's 2025 telemetry — one of the most methodologically rigorous sources available — 44.99% of all emails sent worldwide in 2025 were classified as spam. This is nearly identical to the 46.8% estimate from emailwarmup.com's multi-source aggregation for 2024–2025. With total email volume at 376.4 billion messages per day in 2025, these percentages translate to approximately 169–176 billion spam emails sent every day.

The absolute number matters more than the percentage. Spam's share of total traffic has been declining since its peak of ~56.6% in 2017 as legitimate email volumes grow faster than spam volume. But at 176 billion spam emails daily in 2025, the absolute problem is larger than ever. Spam did not diminish — it got diluted by legitimate email growth.

The United States receives approximately 8 billion spam emails daily, more than any other country as a target market, while China and the U.S. are tied as the largest sources of outgoing spam at approximately 7.8 billion daily each. Russia leads as the single largest spam-sending country at 32.5% of global outgoing spam by Kaspersky's telemetry, followed by China (19.1%) and the United States (10.57%).

6.2 Spam Domains and Sender-Domain Behavior

The scale of domain usage in spam campaigns is staggering. Between December 2024 and February 2025 alone, the Cybercrime Information Center collected spam reports covering 4.69 million unique domain names reported for hosting spammed content or spambots — across 738 TLDs, 2,469 registrars (by IANA ID), and 3,875 hosting networks (ASNs).

This is not noise. This figure represents a three-month snapshot of a highly distributed, domain-intensive infrastructure. The sheer number of distinct domains involved — nearly 4.7 million in one quarter — shows that spam operations do not rely on a small set of persistent sender identities. They rely on volume and turnover.

By the September 2024–August 2025 study period, Interisle counted nearly 19.5 million unique domains used in cybercrime events including spam — up 126% from 8.6 million in the prior year. Spam events grew at the most alarming rate of any cybercrime category, more than doubling over 2024.

6.3 Domain Rotation Patterns in Spam Campaigns

Domain rotation is not a fringe tactic — it is the dominant operational model for large-scale spam. The underlying logic is simple: any domain used at high volume for unsolicited email will eventually accumulate user complaints, trigger engagement-based filtering, and appear in blocklists. The only sustainable spam strategy is to have the next domain ready before the current one fails.

A critical data point comes from the domain operations community. Cold-email infrastructure guides, which mirror spam operator behavior in many technical respects, describe the typical domain lifespan as approximately 2 months before reputation decline necessitates rotation. Serious bulk operations maintain three-domain reserves: one actively sending, one fully warmed and standing by, and one in the aging phase. This three-pool architecture allows indefinite continuation of a campaign through sequential domain burn-through.

The Cybercrime Information Center's spam trend data for March–May 2024 documented a jump to over 1.5 million domains reported for hosting spammed content — an increase of more than 900,000 domains in a single quarter compared to the prior period. The report described this as a "domain names shopping frenzy" driven by intensified activity in .com, .top, and .xyz TLDs.

Academic research on spam campaign analysis confirms these behavioral patterns. The Purdue University SMTP log study found that the top spamming IPs responsible for up to 35% of spam traffic targeted three or more destination domains, indicating structured, multi-target campaign behavior. Georgia Tech's SpamTracker research demonstrated that spam-sending IP clusters share behavioral fingerprints across multiple receiving domains, enabling cross-domain detection of spam infrastructure.

6.4 Multi-Domain Spam Campaigns

Large-scale spam operations use multiple sender domains simultaneously, not sequentially. A single campaign might launch from 20, 50, or 500 domains at once — distributing volume across domains to keep each individual domain below the complaint thresholds that trigger blocklisting.

The academic literature on spam infrastructure specifically notes that "spammers register multiple domains to minimize the risk of domain blacklisting". When a blocklist flags a domain, operations simply shift volume to the remaining pool members. The campaign continues without interruption from the recipient's perspective — same content, different sender address.

The Interisle Cybercrime Supply Chain 2025 report found that investigators attempting to take down large spam operations face a structural problem: they must identify and act on every domain in a multi-domain operation simultaneously. If even a single domain is missed, the attack persists. This takedown asymmetry is a fundamental advantage of multi-domain spam architecture.

The largest single documented bulk cybercrime registration set identified by Interisle comprised more than 17,000 domains, all registered through GMO d/b/a Onamae within an 8-hour window on February 19, 2024. This demonstrates the automated, industrial character of domain acquisition for spam operations.

6.5 Domain Clusters and Related Sender Identities

Multiple domains controlled by a single spam operation form a domain cluster. Cluster members share observable signals that can, in principle, link them to the same operation even when the actual registrant data is hidden:

• Shared infrastructure: Domains in the same cluster often resolve to the same IP addresses, use the same hosting ASNs, or share name server configurations. The Palo Alto Unit 42 research found a campaign with 444,898 domains where 99.98% resolved to the same IP address.
• SPF configuration overlap: Research published at PAM 2022 found that spam domains sharing the same SPF targets (IPv6 network ranges or include mechanisms) are "likely to be managed by the same entity".
• Naming patterns: DGA-style domain names generated from the same algorithm produce detectable similarity. Interisle's Cybercrime Supply Chain 2025 report found that "the majority of bulk cybercrime domains exhibit similarity in the construction of those names", consistent with automated domain generation.
• Temporal clustering: Bulk registrations show burst patterns in time — the Interisle data found over 100,000 sets of bulk cybercrime registrations, registered through 438 registrars, with detectable temporal signatures.

The January 2026 ICANN gNSO initiative — "DNS Abuse Mitigation: PDP 1 on Associated Domain Checks" — directly targets cluster-based spam by requiring registrars to review domains associated with the same registrant, account, infrastructure, or behavioral pattern when one domain is identified as malicious. Spamhaus explicitly supports this policy as a counter to the disposable domain lifecycle.

6.6 Newly Registered and Short-Lived Domains

Newly registered domains are a reliable leading indicator of upcoming spam activity. Spamhaus classifies domains as "new" if they have been newly registered or newly observed in DNS within their monitoring window, and lists them in their Zero Reputation Domain (ZRD) dataset for 24-hour periods — specifically because newly created domains are rarely used for legitimate purposes within 24 hours of registration, while cybercriminals register and burn hundreds of domains daily.

The scale is significant. Over the October 2025–March 2026 period, Spamhaus observed approximately 46.9 million new domains registered globally, averaging 7.8 million per month — a +7.6% increase versus the prior six-month period. Not all new domains are malicious, but the concentration of abuse among recent registrations is structurally higher than among aged, established domains.

The most extreme illustration of domain churn comes from the .bond TLD during October 2025–March 2026: new domain registrations in .bond totaled 1.13 million against a total zone size of 1.15 million — meaning new registrations were equivalent to 98.57% of the entire TLD's domain inventory. This is near-complete domain turnover in a six-month period, consistent only with disposable, short-lived domain behavior.

Spamhaus notes that a new-domain-to-zone-size ratio of 10–20% is already considered "unusually high" for a TLD, and that three-quarters of the top 20 TLDs by new domain count exceed this threshold. The registries showing highest churn include Shortdot SA (.bond, .cyou), Radix, and identity digital (.lol, .sbs, .shop).

6.7 TLD and Registrar Patterns

The TLD landscape for spam is highly unequal. While .com holds the most spam domains in absolute numbers — 1.47 million reported in the September–November 2025 quarter — this reflects .com's enormous size (158 million domains). The spam domain score, which normalizes by TLD size, tells a different story.

By spam domain score (spam domains per domain in TLD), the worst-performing TLDs in September–November 2025 were:

For comparison, .com's spam score of 93.2 means roughly 93 spam domains per 10,000 registered .com domains — poor, but orders of magnitude better than .loan (3,753 per 10,000) or .bond (1,071 per 10,000).

Registrar patterns follow similarly skewed distributions. By the June–August 2025 quarter, the top six registrars by raw spam domain count were:

Gname.com's spam score of 856.3 is particularly notable — it means that for every 10,000 domains Gname manages, roughly 856 are linked to spam. By comparison, GoDaddy's spam score of 23.1 reflects both its better abuse controls and the statistical dilution of managing 64 million domains. Interisle's research found that five registrars with the highest percentage of bulk-registered cybercrime domains accounted for more than three-quarters of all bulk-registered cybercrime domains.

6.8 Domain Reputation and Blocklist Behavior

Blocklists remain the primary countermeasure against spam domains. The Spamhaus Domain Blocklist (DBL) uses hundreds of signals to score domains, including authentication and encryption status, domain ownership indicators, signals from large-scale internet traffic, hosting environment associations, and behavioral associations with spam. A domain's reputation is continuously re-evaluated as traffic is observed.

The practical limitation of blocklist-based detection is timing. A domain entering a spam campaign for the first time has no blocklist history. Georgia Tech's SpamTracker research demonstrated that spam-sending patterns can be used to detect spammers before they are listed in any blacklist — by observing behavioral similarities across multiple receiving domains. However, this approach requires infrastructure-scale visibility that individual organizations typically lack.

Spamhaus March 2026 data shows that malicious domain detections have been rising month-over-month, from 195,542 in October 2025 to 650,443 in March 2026 — a 232% increase within a single reporting period, consistent with the accelerating pace of domain-based spam infrastructure deployment.

6.9 User-Level Blocking Limitations

When a recipient blocks a sender's email address or domain in Gmail, Outlook, or any standard email client, the block applies only to that specific domain. A spam operation rotating through 100 domains will generate 100 successful deliveries before the recipient has blocked all domains — and 100 blocking events that consume user time but leave the operation unimpeded.

Real-world testimony from system administrators confirms this structural failure. A 2024 Reddit thread on blocking rotating-domain spam concluded: "They change their emails to appear as someone else you haven't blocked yet. If you get to about 20–30 [blocks], I'd give up, they are automating the process and will likely keep at it." The recommendation shifted from domain-level blocking to service-level filtering: "Best bet is to use a service that tracks origination of the emails and tries to filter emails processed at that level."

The same limitation applies to unsubscribe attempts. If a user unsubscribes from a sender domain, a spam operation using domain rotation simply routes future messages from a different domain — one the user has never interacted with and whose unsubscribe history is blank. The unsubscribe action breaks the connection between campaign identity and domain identity that the operation has deliberately severed.

6.10 How Spam Domains Bypass Filters and User Rules

Modern spam operations use a layered toolkit of domain-level evasion techniques:

Subdomain multiplication: Some spam operations use low-cost hosting or subdomain services to create many sender variations without registering a new root domain each time.

Abusing cloud sending infrastructure: Send spam through reputable cloud mail APIs (AWS SES, SendGrid, Mailchimp) so messages inherit better deliverability reputation. This makes the sending domain secondary — the sending IP belongs to a trusted platform.

Newly registered domain windows: New domains have no negative reputation history. There is a window of hours to days between when a domain first sends spam and when it appears on blocklists. Campaigns structured to operate within this window can achieve high inbox delivery before detection.

Content variation at scale: With AI-generated content now covering more than 50% of spam emails, operators can generate syntactically varied message bodies, subject lines, and sender names at zero marginal cost, defeating content-fingerprint-based detection.

Sender name dissociation: Spam operators frequently change the display name in the From header while keeping content identical. Because most email clients prominently show display names rather than domains, users may not recognize domain changes. A rotation from "Amazon Rewards Team" using domain A to "Amazon Rewards Team" using domain B is effectively invisible to the average recipient.

Subdomain multiplication: The Cybercrime Information Center found 56,694 subdomain reseller accounts reported for hosting spammed content in a single quarter. Third-party subdomain services (e.g., free hosting platforms) allow spam operations to generate unlimited subdomain variations under a parent domain, potentially bypassing domain-level blocklist lookups that target the parent domain.

6.11 AI and Automation in Spam-Domain Scaling

AI and automation have changed spam operations in two ways that directly affect domain-based patterns: they have enabled content production at scale (reducing the cost of content variation per domain), and they have enabled domain selection, configuration, and warm-up processes to be automated at industrial scale.

Automation affects spam primarily at the infrastructure level: domain registration, DNS setup, warm-up scheduling, sender rotation, and content variation can now be managed with far less manual effort. This report does not analyze AI phishing, quishing, deepfakes, or credential-theft campaigns; those belong in the separate email hacking statistics report.

Domain generation algorithms (DGAs), originally developed for botnet command-and-control infrastructure, are now applied to spam domain naming. The Interisle 2025 report found that "the majority of bulk cybercrime domains exhibit similarity in the construction of those names", consistent with DGA-style generation.

The combination of automated domain registration, repeatable naming patterns, pre-configured DNS templates, and scheduled domain rotation means a single spam operation can maintain hundreds of sender domains with minimal manual work.

7. Domain Rotation Pattern Taxonomy

The following taxonomy describes the major categories of spam-domain rotation behavior, based on documented patterns from Spamhaus, Interisle, and domain operations research.

7.1 Single-Domain Spam Senders

The simplest form: a single domain used for all spam sending. This was the dominant historical pattern before blocklists became effective. Today, single-domain spam operations are typically associated with small-scale, low-sophistication operators or with brief, opportunistic campaigns. Single-domain senders have the highest detection risk — all negative reputation accumulates in one place — and the lowest operational resilience. They represent a declining fraction of total spam volume.

7.2 Multi-Domain Sender Networks

The current dominant model for serious spam operations. A pool of 10–500+ domains operates simultaneously, with sending volume distributed across the pool. Each domain sends below the complaint threshold that would trigger immediate blocklisting. Pool members are regularly retired and replaced. The Interisle 2025 study found over 100,000 sets of bulk cybercrime registrations — implying that multi-domain pools are the norm rather than the exception for organized spam operations.

7.3 Fast-Rotating Domains

High-volume domains used briefly — hours to days — before abandonment. These operate on the assumption that even brief delivery before blocklisting is profitable, especially when the per-domain cost is sub-$1. The Cloudmark SMS spam analysis found that spammers hoped to achieve "a positive return on investment by delivering enough messages before blacklisting is enforced... A few hours are plenty to make a profit on a 99 cent domain, and in some cases a few minutes may be enough".

This model requires automated domain provisioning and campaign switching. Domain churn statistics in .bond (98.57% zone turnover), .lol (71.7%), and .cyou (56.3%) are consistent with fast-rotating domain behavior at TLD scale.

7.4 Slow-Burn Domain Clusters

Some spam operations invest in domains that appear legitimate over time. These domains go through multi-week warm-up phases, send lower volumes to maintain positive engagement metrics, and operate for months before achieving their full spam-delivery objective. Slow-burn domains are more effective at reaching inboxes but require more investment and longer planning horizons. They are typically used for higher-value spam categories (investment scams, subscription traps) where each conversion is worth more.

7.5 Subdomain-Heavy Patterns

Rather than registering thousands of root domains, some operations exploit free or low-cost subdomain services to generate domain-like addresses without registering distinct domains. A single compromised or registered root domain can support thousands of subdomain variations. The 56,694 subdomain reseller accounts flagged in a single quarter by the Cybercrime Information Center indicate the scale of this infrastructure.

Subdomains bypass some blocklist lookups that only check the registered domain (eTLD+1). A blocklist entry for malicious-sender.com does not automatically block spam from newcampaign.hosting-service.com unless the lookup traverses to the parent.

7.6 Lookalike and Variation Domains

Spam campaigns for specific offers or promotional themes register dozens of variation domains that share a common theme: brand-name with added words (discount-digest-2025[.]top, dailydeal-mail[.]xyz, promo-alerts[.]icu), date-embedded strings (loan-offer-april2025[.]xyz), or keyboard-proximity typos. These clusters share thematic identity without sharing a domain name. Thematic analysis of Spamhaus trending terms shows "casino" with 261,665 new domain registrations in six months (Oct 2025–Mar 2026), a 78% increase — indicating coordinated, theme-based domain registration at scale.

7.7 Reply-To and Sender Name Variation

Even when the sending domain is fixed or constrained, spam operators manipulate the Reply-To address, the From display name, and sender identity fields to create the illusion of variation. Each email may appear to come from a different person or organization while routing through the same sending infrastructure. When combined with domain rotation, this creates a compound obfuscation: different domain, different name, same campaign.

8. Spam Domain Behavior Model

The following seven-stage model describes the operational lifecycle of sender domains in a typical organized spam campaign:

Stage 1 — Domain Acquisition: The operator bulk-registers cheap gTLDs, preferring low-cost, permissive TLDs (.top, .xyz, .bond, .icu). Domains cost as little as $0.88–$1.88 per year. Registration uses automated tools, often with anonymous or false registrant data. DGA-style naming patterns allow automated generation and registration of hundreds of domains simultaneously.

Stage 2 — DNS Configuration: SPF, DKIM, and MX records are configured. Mail servers are provisioned, typically on shared hosting infrastructure in ASNs with permissive abuse policies. Multiple domains in the pool may share the same underlying IP infrastructure — a pattern that creates detectable clustering signals for investigators.

Stage 3 — Warm-Up Phase: Volume is increased gradually over 1–4 weeks to build sender reputation. Standard warm-up protocols start at 5–20 emails/domain/day and scale upward. Engagement-based filtering systems at major inbox providers (Gmail, Outlook) use initial engagement rates to calibrate their trust scores for the domain.

Stage 4 — Volume Scaling: The domain reaches full operational capacity — potentially thousands of emails per day for a single domain within a multi-domain pool. The campaign runs at full scale until detection.

Stage 5 — Detection Trigger: User complaints accumulate; anti-spam engines identify behavioral anomalies; the domain appears in blocklist feeds. For Spamhaus, detection involves evaluating hundreds of signals continuously. For major inbox providers, machine learning models trained on billions of user behavior signals flag the domain.

Stage 6 — Abandonment: The operator drops the flagged domain from the active sending pool. Because the domain's registration cost is negligible compared to the campaign's revenue potential, abandonment is costless. The domain joins a population of expired, burned spam domains that persist in blocklist records.

Stage 7 — Rotation and Continuation: The campaign continues immediately from the next domain in the pool — a pre-warmed domain that is already configured and ready to scale. From the campaign's perspective, continuity is maintained. From the recipient's perspective, a new sender appears with no negative history.

9. Trend Analysis (2024–2026)

What Changed

The most significant shift observable in 2024–2026 data is the accelerating scale of domain infrastructure abuse. The raw numbers tell a consistent story:

• Unique cybercrime domains: 8.6M → 19.5M (+126% YoY)
• Bulk-registered cybercrime domains: 2.63M → 7.3M (+177% YoY)
• Malicious domain registrations: +149% YoY
• Spam events: more than doubled YoY

This is not an incremental change. The order of magnitude shift in domain-based spam infrastructure volume between 2023–24 and 2024–25 indicates a structural inflection point, likely driven by the combination of cheap domain availability, AI-enabled content generation, and automated domain management tools.

Is Domain Rotation Increasing?

Yes, and the evidence is multi-sourced. The domain churn statistics from Spamhaus — where TLDs like .bond and .lol show near-complete zone turnover — are consistent with rapid rotation. The 177% increase in bulk domain registrations for cybercrime purposes provides a supply-side indicator. The pattern of spam domain spikes followed by TLD-specific declines (e.g., .top's spam count falling 53% from April–September 2025 to October 2025–March 2026 as operations migrated to .cfd and .bond) shows fluid TLD rotation in addition to individual domain rotation.

The automation of domain generation, as evidenced by DGA-style naming in bulk registration sets, and the AI-driven reduction in content generation costs, together create conditions for rotation to become more automated and faster-cycle over time.

How Filtering Changes Affected Domain Behavior

Stronger bulk-sender authentication requirements have made domain reputation more central to inbox placement. As a result, spam operations increasingly rely on technically configured but disposable domains, rotating them before enough negative reputation accumulates.

DMARC adoption surged from approximately 524,000 domains with valid records in 2023 to 937,931 by early 2026 — though only 411,935 actually enforce their policy. This means that authentication-based filtering, while improving, is far from universal.

The net effect on spam-domain behavior: domains now more often arrive with technically valid SPF/DKIM/DMARC records (reducing authentication-based filtering effectiveness) while rotating faster to minimize behavioral pattern accumulation.

10. Forecast to 2030

Forecasting Methodology

The following forecasts are modeled projections based on:

• Historical spam volume trends (2017–2025 data)
• Current domain abuse registration growth rates (Spamhaus, Interisle)
• AI automation adoption curves (2024–2025 data)
• Filtering improvement trajectory (Gmail, Microsoft enforcement actions)
• Domain registration cost and availability trends (ICANN, registrar data)
• Regulatory and policy initiatives (ICANN associated domain checks, M3AAWG recommendations)

All projections in this section are clearly labeled as estimates and should not be interpreted as guaranteed outcomes. Confidence levels are noted where assessments are stronger or weaker.

Three Scenarios

Scenario 1 — Conservative: Stronger filtering enforcement, better domain clustering detection, and coordinated registrar action reduce the visible inbox impact of spam. Blocklist systems adopt associated-domain cluster analysis at scale (per the ICANN January 2026 initiative). Domain rotation continues but becomes less effective as cluster-based detection catches domains before they complete their warm-up phase. Automated content variation continues, but improved behavioral filtering reduces the effectiveness of repeated sender-domain patterns.

Scenario 2 — Moderate: AI-enabled spam scaling continues to push absolute spam volumes upward, but improved cluster-based detection partially offsets the worst effects. Domain rotation becomes more sophisticated — faster-cycling, using more diverse TLDs and registrars to avoid concentration signals. The arms race between spam infrastructure and filtering technology advances but neither side achieves a decisive advantage.

Scenario 3 — Aggressive: Large-scale automated spam operations fully embrace automated domain naming, multi-registrar distribution, and fast domain rotation. New gTLD availability continues to expand (ICANN's gTLD expansion program adds hundreds of new TLDs). Spam volume grows to levels not seen since the mid-2000s peak, approaching 60+ billion spam emails per day. Cluster-based filtering proves difficult to deploy at consumer scale, and domain rotation renders individual blocking essentially useless.

2030 Prediction Table

Scenario Assumptions and Limitations

The conservative scenario assumes effective implementation of ICANN's associated domain check initiative, meaningful registrar enforcement improvements, and continued advancement in inbox provider AI-based cluster detection. These are plausible but not guaranteed — regulatory implementation timelines are typically slower than projected, and registrar compliance varies widely.

The aggressive scenario assumes continued availability of sub-$1 domain registrations, expanding new gTLD supply, and AI model capabilities that allow self-optimizing spam campaigns. The scenario does not assume any breakthrough technical intervention by defenders. It also assumes that AI-generated content variability will keep pace with content-fingerprinting improvements.

The moderate scenario treats the current trajectory as the most likely path, with ongoing arms-race dynamics and no decisive change in either direction.

11. Practical Implications

For Regular Email Users

• Domain-level blocking provides minimal long-term protection against rotating-domain spam. Blocking 10–20 spam domains from a single operation may simply train that operation's systems to avoid your address temporarily while it cycles through the next pool members.
• Unsubscribing from confirmed spam operations can be counterproductive. It confirms your email address is active and may be passed to other domains in the cluster's rotation.
• Reporting spam through the "Report Spam" function in Gmail, Outlook, or Apple Mail contributes directly to blocklist intelligence. Unlike individual blocking, spam reports feed into infrastructure-level systems that can identify and flag domain clusters.
• Using email aliases for newsletters, signups, and promotions can help identify which source led to unwanted bulk email and make it easier to disable one noisy address without affecting your primary inbox.

For Email Productivity and Inbox Management Tools

• Tools that block or mute individual sender addresses have limited effectiveness against multi-domain spam. Effective tools need to identify sender cluster identity beyond the From domain — using behavioral signals, content similarity, sending infrastructure overlap, and cross-domain pattern recognition.
• Sender-name normalization (mapping "Amazon Rewards Team" across multiple domains to the same logical sender) can help users see through domain-rotation obfuscation.
• Integration with blocklist data (Spamhaus DBL, SURBL) at the domain-reputation lookup level provides earlier detection than waiting for user complaints to accumulate per-domain.

For Email Providers

• Authentication enforcement (SPF, DKIM, DMARC) is now a minimum baseline, not a differentiator. The February 2024 Gmail/Yahoo requirements and Gmail's November 2025 escalation established this standard. Non-enforcement of authentication allows spam domains to borrow reputation signals from legitimate senders.
• Behavioral AI models trained on sending patterns across many domains — rather than per-domain reputation scores — are better suited to detect cluster-based spam operations before individual domains accumulate enough negative signal.
• Sharing domain-cluster intelligence across providers would significantly improve detection latency. The current model where each provider independently discovers domain abuse creates windows that spam operations exploit.

For Spam Filtering Teams

• Single-domain assessment is insufficient. Spamhaus's own recommendations explicitly state that "defenders should not rely on single-domain assessments" and should "correlate domains using all available intelligence".
• Zero Reputation Domain (ZRD) monitoring is a high-yield signal. New domains appearing in email flows within 24 hours of registration are a strong indicator of spam campaigns; filtering should apply elevated scrutiny to NRDs.
• TLD-level reputation monitoring: TLDs with spam scores above 1,000 (.top, .bond, .vip, .icu, .cyou) warrant heightened scrutiny for all new sender domains from those registries.

For Domain Reputation and DNS Abuse Researchers

• Cluster-based analysis — linking domains through shared infrastructure, SPF configurations, registrant patterns, and naming conventions — is the most productive research direction for advancing spam detection.
• The ICANN associated domain check initiative creates a new policy lever for registrar-level cluster suppression. Academic and industry research that produces implementable cluster-detection algorithms has direct policy application.
• TLD churn statistics (new domains as % of zone size) are a practical proxy for abuse level at the registry level. TLDs with churn above 40–50% warrant presumptive elevated-risk classification.

For SaaS Products That Help Users Block or Manage Unwanted Senders

• Products focused on helping users "block" spam senders need to evolve toward sender-cluster identification and behavioral pattern recognition — not just single-domain blocking.
• The spam-domain lifecycle model (acquisition → warm-up → scale → abandon → rotate) provides a framework for building predictive blocking: identifying a domain's operational stage based on behavioral signals, rather than waiting for blocklist confirmation.
• Aggregating anonymized user blocking behavior across a user base allows detection of coordinated multi-domain campaigns that individual users would never see in full. A spam operation's 100-domain pool becomes visible when 10,000 users each block 10 of those domains and the data is correlated.

For Content Marketers Writing About Spam Statistics

• The most commonly cited spam statistics (volume, percentages) significantly understate the problem when domain-level behavior is excluded. Spam is not primarily a content problem — it is an infrastructure problem organized around domain acquisition, rotation, and cluster management.
• Data from Spamhaus, Interisle/M3AAWG, and the Cybercrime Information Center provides the most granular and verifiable domain-specific spam statistics currently available.
• The distinction between "spam as a percentage of email traffic" (44.99–46.8%) and "spam as a domain-abuse problem" (millions of new domains per month, 7.3M bulk-registered for cybercrime in one year) provides two complementary angles for coverage.

12. Data Gaps and Research Limitations

• Spam-specific domain data is scarce. Most domain-level reporting (Spamhaus, Interisle, Cybercrime Information Center) aggregates spam with phishing, malware, and other cybercrime categories. Isolating spam-domain statistics from combined cybercrime figures requires inference and estimation. Dedicated spam-domain tracking at the scale of phishing domain tracking would significantly improve research quality.
• Domain rotation frequency data is largely anecdotal. The "~2 month" domain lifespan estimate comes from practitioner discourse about cold email infrastructure, not controlled research on malicious spam operations. Rigorous empirical studies measuring rotation frequency specifically for spam (as distinct from phishing) are not available in the public literature.
• Domain cluster sizes are not directly reported. While Interisle reports the total number of bulk-registered domain sets (100,000+), the size distribution of individual cluster pools is not publicly available. Understanding whether the typical pool is 10 domains, 100, or 1,000+ would materially change the practical assessment of blocking strategies.
• AI-spam quantification is imprecise. The "50%+ of spam is AI-generated" figure is widely cited but sourced from a single secondary report without a clear primary methodology. Rigorous measurement of AI contribution to spam production remains a research gap.
• Geographic data on spam domain registration is partially obscured by GDPR-related WHOIS redaction, which Spamhaus explicitly notes as a limitation in its methodology. True registrant geography is often unverifiable.
• Category breakdowns of spam content (promotional spam vs. nuisance bulk vs. adult/gambling) with domain-level attribution are generally not available. Kaspersky reports spam categories in terms of prevalent scam themes and attachment families, but connecting specific categories to domain rotation behaviors requires inference.
• Historical time-series data for domain rotation metrics is fragmented. Consistent longitudinal measurement of domain churn rates, new domain abuse rates, and bulk registration volumes has only recently become available (2023–2026 in Spamhaus and Interisle reports). Longer time series would enable more rigorous trend analysis.

Sources

All sources cited in this report are listed here with available publication details.

1. Spamhaus Domain Reputation Update, Oct 2025–Mar 2026 (April 2026) — https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/
2. Spamhaus Domain Reputation Update, Apr–Sep 2025 (October 2025) — https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-april-september-2025/
3. Spamhaus Domain Reputation Update, Oct 2024–Mar 2025 (April 2025) — https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2024-mar-2025/
4. Spamhaus Domain Reputation Update, Apr–Sep 2024 (October 2024) — https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-apr-2024-sept-2024/
5. Kaspersky Spam and Phishing Report for 2025 (February 2026) — https://securelist.com/spam-and-phishing-report-2025/118785/
6. Interisle Cybercrime Supply Chain 2025 (November 2025) — https://interisle.net/insights/cybercrimesupplychain2025
7. Interisle: Cybercrime Supply Chain 2025 — Bulk Registration Article (December 2025) — https://interisle.substack.com/p/cybercrime-supply-chain-2025-bulk
8. Interisle: Supply Chain 2025 — TLD Name Space (December 2025) — https://interisle.substack.com/p/supply-chain-2025-cybercrime-across
9. Cybercrime Information Center: Spam Activity Dec 2024–Feb 2025 — https://www.cybercrimeinfocenter.org/spam-activity-numbers-december-february-2025
10. Cybercrime Information Center: TLD Rankings Sep–Nov 2025 — https://www.cybercrimeinfocenter.org/spam-activity-in-tlds-september-november-2025
11. Cybercrime Information Center: TLD Rankings Jun–Aug 2025 — https://www.cybercrimeinfocenter.org/spam-activity-in-tlds-june-august-2025
12. Cybercrime Information Center: Registrar Rankings Jun–Aug 2025 — https://www.cybercrimeinfocenter.org/spam-activity-in-registrars-june-august-2025
13. Cybercrime Information Center: Spam Trends Mar–May 2024 — https://www.cybercrimeinfocenter.org/spam-trends-march-may-2024
14. emailwarmup.com: How Many Emails Went to Spam in 2025 (March 2026) — https://emailwarmup.com/blog/email-statistics/how-many-emails-went-to-spam-and-promotions-in-2025/
15. Cloudmark: Disposable Domains Used in SMS Spam (2020) — https://www.cloudmark.com/en/blog/cloudmark/disposable-domains-used-sms-spam
16. M3AAWG: Cybercrime Supply Chain 2024 (November 2024) — https://www.m3aawg.org/news/CybercrimeSupplyChain2024
17. CAUCE: Insights from the 2024 Cybercrime Supply Chain Report — https://www.cauce.org/insights-from-the-2024-cybercrime-supply-chain-report/
18. Factually: How Spammers Bypass Email Filters (November 2025) — https://factually.co/fact-checks/technology/techniques-spammers-bypass-email-filters-sender-reputation-e053e0
19. Mkorczynski/PAM 2022: Early Detection of Spam Domains with Passive DNS and SPF — https://mkorczynski.com/PAM2022Fernandez.pdf
20. Fernandez et al. / SpamClus — Agglomerative Clustering for Spam Campaigns (ACL 2024) — https://aclanthology.org/2024.nlpaics-1.8.pdf
21. Vaniea et al. — SoK: Grouping Spam and Phishing Email Threats for Smarter Security — https://vaniea.com/publication/saka2025sokcampaign/saka2025sokcampaign.pdf
22. Purdue University: Filtering Spam with Behavioral Blacklisting — https://engineering.purdue.edu/~ychu/publications/sigm09_spamcamp.pdf
23. Georgia Tech: SpamTracker — Behavioral Blacklisting — https://faculty.cc.gatech.edu/~vempala/papers/spam-ccs.pdf
24. Palo Alto Unit 42: Typo DGAs in Malicious Redirection Chains (March 2025) — https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/
25. Interisle: Infrastructure Patterns in Toll Scam Domains (2025) — https://arxiv.org/html/2510.14198v1
26. Spamhaus Domain Blocklist (DBL) — https://www.spamhaus.org/blocklists/domain-blocklist/
27. Prospeo: Email Deliverability Changes 2024 — https://prospeo.io/s/email-deliverability-changes-2024
28. LinkedIn/Domain Ops: Email Domain Warm-up Strategies 2024 — https://www.linkedin.com/top-content/marketing/email-marketing-improvement/email-domain-warm-up-strategies-2024/
29. Reddit/sysadmin: Block Spam That Keeps Changing Domain (March 2024) — https://www.reddit.com/r/sysadmin/comments/1bni997/block_spam_that_keeps_changing_domain/
30. sqmagazine: Email Spam Statistics 2026 — https://sqmagazine.co.uk/spam-statistics/
31. DeBounce: Email Spam Statistics 2026 — https://debounce.com/blog/email-spam-statistics/
32. theNetworkInstallers: AI Cyber Threat Statistics 2025 — https://thenetworkinstallers.com/blog/ai-cyber-threat-statistics/
33. Cloudflare 2025 Year in Review — https://blog.cloudflare.com/radar-2025-year-in-review/
34. EURid: Cybercrime Supply Chain Report 2025 Commentary — https://eurid.eu/pl/news/cybercrime-supply-chain-report-highlights-need-for/