How does a domain get flagged as suspicious?

Domains earn suspicious status through multiple pathways:

Authentication failures where SPF, DKIM, or DMARC consistently fail. Legitimate domains maintain working authentication.

Spamtrap hits indicating the domain sends to addresses that should not exist on any legitimate list.

High complaint rates showing recipients actively reject mail from this domain.

Blocklist appearances on major lists like Spamhaus, Barracuda, or SORBS.

Behavioral patterns matching spam profiles, including sudden volume spikes, new domains with immediate high volume, or content matching known spam fingerprints.

Association with other suspicious domains through shared infrastructure, links, or organizational connections.

Suspicion accumulates like a file at the harbor authority. Each incident adds a page. Eventually, the file grows thick enough that routine inspections become mandatory.