The Spamhaus Project


Address acquisition for mailing lists - the basics

Here are the right and wrong ways to acquire marketing contacts. Ensure your address acquisition choices don't negatively impact your reputation.

by The Spamhaus Team | February 15, 2022 | 5 minutes reading time

There are many approaches to address acquisition when building email marketing lists; however, these approaches won’t always benefit your deliverability and email reputation. Here we examine the data marketers should be recording, considerations when using online forms, and address acquisition methods to avoid at all costs.

What data should you be collecting?

The methods utilized to build mailing lists or contact databases are critical to creating and maintaining good list hygiene. In today’s world, where laws regarding personally identifiable information (PII) are prevalent, you must accurately record data during the acquisition process, preserve it and update it as necessary.

We recommend keeping the following information for every contact:

  • The date & time of the sign-up in UTC.
  • The channel that was used to obtain the email address.
  • The IP address that submitted the email address.

If one of your IPs or domains is blocklisted and manual intervention is required to resolve the issue, ISPs and/or reputation providers often demand proof of consent. Without good records, such proof is impossible to provide, and therefore any resolution to a block will take longer.

In the event of a GDPR or similar data removal request, having these records could save your company a great deal of money in fines.

Recommendations for website and online forms

Make “opting-in” voluntary – If you collect contact email addresses via a website or online form, we recommend utilizing a checkbox that the user must voluntarily select before being added to a marketing program.

Using a pre-checked box is generally viewed as dishonest and is actively illegal in some countries. People can fail to notice the checkbox and then get an unpleasant surprise when they receive marketing emails they did not ask for or expect. Consequently, they report the mail as spam, causing you reputational and brand degradation. Be transparent in your sign-up process!

Protect your forms – Due to an ongoing and widespread problem that began in August of 2016 and has been escalating ever since, we recommend that you secure web forms against abuse by adding a CAPTCHA or reCAPTCHA to the form (both are free tools).

Bots use unsecured forms to sign up an uncountable number of bad email addresses, resulting in database poisoning. This can also create what amounts to a denial of service attack (DoS).

Confirmed opt-in – Once a contact has completed a form, we strongly recommend using the confirmed opt-in (COI) method, obtaining active consent via email from the user.
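The record-keeping list and the confirmed opt-in recommendation above, combined in one sketch. This is an added example, not Spamhaus code; the field names, the in-memory `store` dictionary, the HMAC-signed confirmation token and the seven-day expiry are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SECRET = secrets.token_bytes(32)  # assumption: per-deployment signing key
TOKEN_TTL = timedelta(days=7)     # assumption: confirmation link lifetime

@dataclass
class ConsentRecord:
    email: str
    signup_utc: datetime          # date and time of the sign-up, in UTC
    channel: str                  # how the address was obtained
    signup_ip: str                # IP address that submitted the address
    confirmed_utc: Optional[datetime] = None
    confirm_ip: Optional[str] = None

def _token(rec):
    # Bind the token to this address and this sign-up event.
    msg = f"{rec.email}|{rec.signup_utc.isoformat()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_up(store, email, channel, ip, now=None):
    """Record an unconfirmed sign-up; return the token for the confirmation email."""
    email = email.strip().lower()
    old = store.get(email)
    if old and old.confirmed_utc:
        return None               # keep the existing proof of consent untouched
    rec = ConsentRecord(email, now or datetime.now(timezone.utc), channel, ip)
    store[email] = rec
    return _token(rec)

def confirm(store, email, token, ip, now=None):
    """Mark consent only if the token from the confirmation email checks out."""
    now = now or datetime.now(timezone.utc)
    rec = store.get(email.strip().lower())
    if rec is None or now - rec.signup_utc > TOKEN_TTL:
        return False
    if not hmac.compare_digest(_token(rec).encode(), token.encode()):
        return False
    if rec.confirmed_utc is None:  # first confirmation wins; repeats are no-ops
        rec.confirmed_utc, rec.confirm_ip = now, ip
    return True

def mailable(store):
    """Only confirmed contacts may enter a marketing program."""
    return [r.email for r in store.values() if r.confirmed_utc]
```

Addresses submitted by a bot through the form never become mailable, because nobody clicks the confirmation link, and each confirmed record carries the timestamp, channel and IP needed as proof of consent.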

Ways NOT to increase your marketing contact lists

When it comes to increasing the number of marketing contacts in your lists, we strongly advise against any of the following methods:

  1. Buying a list
  2. Harvesting email addresses
  3. Using append

Best practice states that contacts should confirm that they consent for you to send them communications (COI). Consent is not transferable, and violating it makes recipients angry. In the days of GDPR (and other laws), breaking that consent can be an exceptionally costly thing to do. See below for a detailed explanation of why you shouldn’t ever consider using one of the above three approaches to expand your marketing lists.

Purchased or Rented Mailing Lists

The damage that a purchased list can do is incalculable.

Spamhaus has clear views about purchasing and selling mailing lists: because consent is not transferable, this practice is, by definition, impossible and therefore fraudulent. Buying and selling lists do not allow the purchaser to obtain consent to send email to the recipients in that list.

  • Permission is not transferrable.
  • As a result of complaints, bounces, and potential spamtrap hits, using such lists can:
    • Result in IPs or domains being put on blocklists
    • Reduce overall deliverability and inbox placement for a long time – reputation is much harder to rebuild than to destroy!
    • Cause severe damage to brand reputation

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) has published a statement about the sale of email address lists, which Spamhaus fully supports – “The practice of selling, buying or sending to lists of purchased email addresses – whether business to business (B2B), business to consumers (B2C) or other categories, is in direct violation of M3AAWG core values.”


Harvesting is a data collection practice in which emails are obtained by scraping websites, forums, etc. Some less than scrupulous operators also try random combinations of email addresses at specific ISPs to find active email addresses.

This method provides no avenue for opt-in or any kind of permission or consent and typically causes serious blocking and delivery issues for any sender that employs it.

  • Permission is not transferrable.
  • As a result of complaints and spamtrap hits, using such lists can:
    • Cause severe, long-lasting damage to brand reputation
    • Degrade inbox placement in the short term
    • Reduce deliverability in the long term


In marketing terms, “epending” or “appending” is the practice of taking demographic information known (or assumed) to be related to a particular customer and matching it with other data. The terms are interchangeable in use. Following published industry best practices, we firmly recommend not using this address acquisition method.

M3AAWG has published a clear statement about e-pending, which Spamhaus fully supports: “The practice of email appending is in direct violation of core MAAWG values.”

Co-reg/Affiliate Marketing

While it is technically possible to do co-registration (co-reg) or affiliate style marketing without violating permission or applicable laws, it is exceptionally challenging. Our advice is not to do it because (again) permission is not transferrable.

Managing your data collection methods brings peace of mind

When you buy, rent, epend/append, or use co-reg/affiliate lists, you have no quality assurance on the integrity of this data. You cannot purchase consent, and such lists significantly increase the risk of long-term damage to your email campaigns because permission is not transferable. As we said at the beginning – please avoid these methods at all costs.

With a robust sign-up policy in place, it’s time to think about how frequently you should be sending emails and the importance of engagement.