The Perils of an .xyz Domain

&gt; One surprising side effect of having a .xyz domain is that the mere inclusion of .xyz inside of a text message will result in a silent delivery failure for many providers.<p>This is wild to me. Tested it out myself and I couldn&#x27;t send an SMS with a spot.xyz link to&#x2F;from Google Voice &lt;-&gt; T-Mobile. And no &quot;failed delivery&quot; notice either, just a silent failure. And yet I still get so many texts that are obviously spam or phishing attempts.

Whoa. I use an xyz domain daily. This thread is eye-opening. Here&#x27;s the reply from a SpamAssassin validator.<p>My domain is almost marked as spam solely on TLD grounds. What&#x27;s the point of a TLD if it isn&#x27;t a first-party domain on the internet?<p><pre><code> SpamAssassin Score: -0.599 Message is NOT marked as spam Points breakdown: -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https:&#x2F;&#x2F;www.dnswl.org&#x2F;, high trust [***.***.***.*** listed in list.dnswl.org] 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http:&#x2F;&#x2F;wiki.apache.org&#x2F;spamassassin&#x2F;DnsBlocklists#dnsbl-block for more information. [URIs: ***.xyz] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [***.***.***.*** listed in wl.mailspike.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: ***.xyz (xyz)] 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author&#x27;s domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD 0.0 TVD_SPACE_RATIO No description available.</code></pre>

I was pretty excited when ICANN opened up a bunch of new domain extensions, but it does sometimes feel like &quot;all these extensions are great if you don&#x27;t plan on using them&quot;.<p>It was pretty cool that I managed to buy a bunch of domains like &lt;my last name&gt;.&lt;new-tld&gt;, but to be honest I really don&#x27;t see myself using my .blackfriday domain for anything. For that matter, I think that (somewhat ironically) `my-last-name.email` would not be taken very seriously for a primary email address.<p>I use a `.app` domain for my personal email, which has its issues, but if I owned a business, there is no way on earth that I would be using anything but .com.

Before I get into email business(I run my own email forwarding service[0]), I don&#x27;t understand why provider block those domains.<p>Then I immediately got it. The amount of spam emails from .xyz .click .faith .top is huge. And with every email comes from them, we have to run spam scanner, which isn&#x27;t cheap. So we have to score those TLDs more sensitive.<p><a href="https:&#x2F;&#x2F;www.spamhaus.org&#x2F;statistics&#x2F;tlds&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.spamhaus.org&#x2F;statistics&#x2F;tlds&#x2F;</a> can give some insight about spam rate by tld.<p>---<p>[0] <a href="https:&#x2F;&#x2F;mailwip.com" rel="nofollow">https:&#x2F;&#x2F;mailwip.com</a>

Got a nice .xyz domain mainly for mail with SPF,DKIM correctly set up and tested against multiple validators.<p>No big issues so far except for the HR department of a potential new gig which can painlessly mail me@mydomain.xyz about job interviews BUT never get my replies back.<p>I don&#x27;t who to blame more in this mess:<p>- Me for playing smartass instead of using a @gmail.com because they impose the rules so everybody comply to them (maybe my reluctance to encourage this broken system explain my recklessness)<p>- The IT department of this organization that probably didn&#x27;t what to deal with modern standard and&#x2F;or reasonable spam filtering and set up a blunt rule for new TLD (I mean come on it was a REPLY to a mail ADRESSED to this specific mailbox)<p>- The broken system that keep on inventing arbitrary new rules that everyone must implement to keep getting accepted by &quot;the big players&quot;. (For instance I already had to change hosting two years ago because apparently you are also responsible for bad neighbors)<p>Guess i&#x27;ll just have to be brave and migrate to a more classical TLD and set up redirects to ease transition. But it&#x27;s pretty annoying to start over with crap like that because some dudes in &quot;the big players&quot; teams decided to ban a whole TLD just because it&#x27;s &quot;easier&quot;.

I have had similar experiences with corporate firewalls blocking my .app domain.<p>I got in a painfully stupid argument with a middle-age IT admin “we don’t want to our employees installing apps”<p>It’s not an app, you don’t install it, it’s a “WebApp”, it’s just a freaking fancy website who’s domain ends in .app - lol, this was like three years ago and just thinking about it is getting me heated

I have a .haus domain for personal use. I can send and receive email just fine, but I do run into a lot of apps that do some sort of misguided &quot;validation&quot; on the email address and reject .haus as an invalid domain. One retailer lets me use the .haus email address as a login, but once I log in and try to make a payment it requires me to enter a different &quot;valid&quot; email address to send the receipt to. It&#x27;s very irritating.

The reality of Internet filtering and firewalls, and a rule generalisable to <i>any</i> attempt at control and autonomy, is that the effect-to-effort ratio matters. The principle of a small effort with a large result is behind the architecture of every switch, gate, door, valve, or dam.<p>New generic TLDs have the disadvantage of being recently unleashed. There are no venerable sites on XYZ, or its siblings. Much of what&#x27;s registered there, and that word was &quot;much&quot; and not &quot;all&quot;, <i>is</i> absolutely unworthy crap. And for those who are faced with defending either their own or their customers, clients, users, employees, or other stakeholder&#x27;s security and time, wholesale blocking of the entire TLD solves <i>a lot</i> of problems with very little downside cost.<p>The obvious response is &quot;but there&#x27;s a lot of crap on legacy TLDs as well&quot;. Yes, there is, but there are <i>also</i> valued, venerable, and essential domains, and blocking all of them is not a viable option. (Though the prospect of whitelisting is becoming increasingly attractive.)<p>I&#x27;ve known people who are, on the one hand, Internet freedom advocates of decades-long standing --- before most people reading this were born. Who wholesale block access by all China ASNs to their webservers --- because all they see from such networks is malicious traffic. Again: effect-to-effort ratio here is high.<p>No, it&#x27;s not &quot;fair&quot;. Yes, there&#x27;s collateral damage. But you&#x27;re absolutely fighting not merely human nature but all of control theory in trying to combat this.<p>Register on XYZ and you&#x27;ll be increasingly fighting a common practice of default-deny, whitelist-by-request. For every user you&#x27;re trying to reach.<p>And you should ask yourself if it&#x27;s really worth it.<p>XYZ, meantime, are mining and arbiraging short-term cashflow for long-term reputation at the specific expense of its legitimate customers. Those with the least bit of sense will abandon the registrar, leading to an ever-accelerating reputational death spiral.

The XYZ TLD is a hotbed for spam due to it&#x27;s very low fee&#x27;s for purchase &#x2F; renewal. The registrar was, at one point, selling massive blocks of xyz domains to foreign squatters and spam artists for quick cash. No wonder it&#x27;s become blacklisted by email&#x2F;cell providers.<p>Can anyone try `abc.xyz`? and see if that fails to send? It would be very typical for our corporate overlords to be omitted from our spam censorship filters.

Well .COM has had its day.<p>There (was?) even a semi-parody site called Domains For the Rest of Us[0] that generates .COM domains that you can use for side projects (or startups?).<p>[0] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=24538758" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=24538758</a><p>The new gTLDs are a godsend since all the domain hacks have been largely exhausted. E.G: `del.icio.us`.<p>I like the new avalanche of gTLDs since it reduces domain squatting, domain hacks, and stops people snapping up short .COMs as if they were some digital gold to be mined.<p>Not to mention the hassle of having a really obscure ccTLD like .SO and having to battle to get that domain back if it was seized by pirates, yarr

If I ever start a super-secret club, I now know what the domain name TLD should be. Nobody would be able to spread the secret!

Kind of related: I have a &#x27;firstname@lastname.email&#x27; email address. I had booked movers online as I am moving apartments. I thought it was confirmed because I got an automated email back confirming the booking. I gave them a call about a week later to double check everything was OK and it turned out they never booked me in because they thought it was a fake address (&quot;Wow, this is really weird, I&#x27;ve never seen an email address like this&quot;).<p>Luckily, they could still book me in but at a different time slot...

&gt; we would occasionally get feedback from users and prospects that the .xyz domain felt unprofessional<p>I had a .xyz domain. I thought it was easier, the domain was short to type.<p>I was completely wrong. I asked a few non-technical friends. They said they would never use my site because of the .xyz, it felt like a spam site. I redid the site on .net with a longer domain name - much better results.

I teach college and I can tell you that most people don&#x27;t type urls. Many don&#x27;t even know how. I will tell them to go to an address like kahoot.it to play a review game and most of them just type kahoot and search. if they do actually type in a url they will type kahoot.com instead of what I told them to type which takes them to the site for creating kahoots not directly to playing them. (you can get there from .com but it isn&#x27;t the quickest way)

I have my personal site on an xyz domain because it&#x27;s the only thing I could justify spending on. I don&#x27;t intend to earn from it, it&#x27;s just a static site, and it&#x27;s significantly cheaper than anything else. I&#x27;ll probably stick with it.

Does anybody know if there&#x27;s a consolidated list of domains and their various blacklist&#x2F;deliverability issues compiled someplace? I for one would love to know how broad this problem is across the various TLDs for network filtering&#x2F;email&#x2F;sms&#x2F;messaging etc. Seems like it would be a pain to maintain even as a snapshot but I would definitely be interested.

&gt; initial email open rates rose from 70% to 86%<p>I know this is common knowledge, but it still really creeps me out that companies can track this.

This is a total shame because .xyz is extremely catchy and, in my mind, could be the new .com in a few years. All the other TLDs are hard to remember -- in my experience, people will ask &quot;was it my.website or mywebsite.com?&quot; but if you tell someone &quot;it&#x27;s mywebsite.xyz&quot; they always get it right.

We thought we were being smart when we bought a .io domain. Can&#x27;t tell you how many times we told people the site was foo.io, and they would say, ok got it. &quot;foo.io.com&quot;.

It&#x27;s sometimes difficult to believe how much misguided logic is put into input validation. Addresses which must have a street and a number, middle names not allowed, valid postal codes not recognized or auto-filling the wrong town, arbitrary maximum length for street names, and I could go on. We programmers (or we product managers?) invest way too much time in nonsense.

Oh. As someone with a blog on a .xyz, this is disappointing news (but extremely good to know). Guess I should look at migrating...

Why are .net domain names relatively unpopular? New technology sites often use .io and .dev even when there are a lot of available .net names.

Funnily enough, I&#x27;ve found that the .email TLD is often rejected as an invalid domain when I&#x27;m filling out my email address online.

- uses googlemail as TXT entries but privateemail.com MX entries for spot.xyz domain<p>- no DKIM&#x2F;DMARC verification headers that make sense, just a default ~all<p>- wonders why emails are classified as spam<p>Well, yeah. Maybe use an email spam rating tool next time, like mail tester [1]?<p>[1] <a href="https:&#x2F;&#x2F;www.mail-tester.com" rel="nofollow">https:&#x2F;&#x2F;www.mail-tester.com</a>

These are also good reasons to avoid using .so domains. You can also expect mail delivery issues and blanket corporate firewall blocks on .so. The rising prominence of <a href="https:&#x2F;&#x2F;notion.so" rel="nofollow">https:&#x2F;&#x2F;notion.so</a> is changing the cultural situation somewhat, but very slowly.<p>(Edit: I work at Notion)

This isn&#x27;t much different than when Google de-indexed millions of .co.cc domains. They determined that there were so many spammers on those domains that it was better to just remove them all and stop worrying about it. It did get a very few legit sites in the process, but not enough to care.<p>I get that the people here want more control over their devices, but to be fair, anyone posting here is at the extreme end of the tech spectrum when compared to your average phone user. Those phone users want someone else to help them. It&#x27;s why I have spam assassin crancked super tight on the mail server that my parents use. They would rather miss a few legit emails and texts than get flooded with spam.<p>The .co.cc discussion was here on HN <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=2733352" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=2733352</a>

<i>we would occasionally get feedback from users and prospects that the .xyz domain felt unprofessional and that they would prefer to use an app with a different URL. This was surprising feedback, as we did not believe that, beyond the initial discoverability of our product, the domain itself would create this type of impact.</i><p>Not surprising at all to me, who has used the Internet for over two decades --- to be honest, all these new and unusual TLDs, whenever they show up in search results, are almost entirely sites filled with SEO spam and similarly useless content. It&#x27;s nearly an instinct to ignore them at this point.<p>(As for the company, it&#x27;s too bad virtualspot.com and virtual-spot.com were already taken; spotvirtual.com looks weird, but at least doesn&#x27;t have the negative connotations of an even weirder TLD.)

As a guy who&#x27;s blog and email consists of .xyz domains, I can only say two or three times in ad many years has it ever been a problem (that I&#x27;m aware of, at least), and then it was a website not letting me create an account using it for email.<p>I suspect I&#x27;m either lucky, or something.

Wikipedia has a blanket ban on .xyz domains unless specifically whitelisted. I&#x27;ll likely move finl.xyz to some other tld eventually.

Yep - used to work at a bank that <i>very aggressively</i> blocked gTLD because they had a (very stupid in this case) security-first mindset. Despite having multiple first-class URL filter products that can detect reputation and site category without needing to bother an analyst or cause a disruption.<p>SOCs, web filter, email filter teams and vendors all need to catch up to the 2010-era idea that carpet-blocking TLDs is not the first tool to reach for when securing a network, especially when you have a good URL filter in place.

Unpopular opinion (maybe): given the current situation, we should probably consider phasing out TLDs somehow. It&#x27;s becoming more and more clear than no TLD outside those established before the &#x27;90s are actually viable for anything outside of &quot;my small personal blog&quot;. It would also avoid people having to remember if the TLD is .net or .com, for instance (even though in my experience .net is slowly disappearing too).

I have my name .xyz and I’ve mostly given up using it for email, because I am sick of:<p>* “Do you mean ‘biz’” on web forms<p>* other forms just refusing to validate unless I disable the client-side validation<p>* other systems ostensibly accepting it and just never sending me anything, because it fails to validate silently in their backend<p>* having to put whatever I am trying to get done on hold for a few minutes when I need to read it to a human, because they’ve “never heard that one before”

Most of these new TLDs are just the .biz of the present moment. I went to email whitelist a decade ago and haven’t looked back.

I have a .xyz domain for my personal stuff. The biggest issue I&#x27;ve had with it is that steam refused to acknowledge that it was a valid email domain. So they just wouldn&#x27;t let me switch off gmail to me@mydomain.xyz because it didnt get past their filters. That was the biggest roadbump I had for switching off gmail.

We did a bunch of testing of crawling, indexing, and checking of rankings of the 15 top tlds. The .xyz actually was crawled and indexed by google within a few hours, many others took days to get crawled.<p>Google prefers to crawl and index .xyz sites over others domain endings. But they won’t rank them well in the index.

most popular &quot;.xyz&quot; domains (ranked by # of DNS queries) all appear to be spam, <a href="https:&#x2F;&#x2F;domain.glass&#x2F;whois&#x2F;xyz" rel="nofollow">https:&#x2F;&#x2F;domain.glass&#x2F;whois&#x2F;xyz</a>

I run email servers and I get such a massive amount of spam on &quot;vanity&quot; TLD&#x27;s that I just block them outright. I don&#x27;t automatically block them all but any that start sending serious levels of spam get blocked. Which is most of them and that block covers the whole TLD. It&#x27;s just too much work to try anything else.<p>Now this is just for incoming email. I still allow web browsing and links to these domains through various systems and outgoing mail to those domains works.<p>The incoming mail though, I just can&#x27;t allow it. It&#x27;s just pure spam at ridiculous levels.

tough story for a company and I know there&#x27;s a ton of shady TLDs out there now but this will change rapidly I think - it used to be a .com world but as we all know .io etc has changed rapidly in last 5 years. Lately due to lack of .coms I get the feeling a lot of the other TLDs like .shop, .whatever are being used more and more for random sites for startups, projects etc, so I&#x27;m sure as they become more accepted in tech systems like SMS (weird about the filtering) and servers etc.

I wonder about how the .wtf TLD compares.

I run a couple of businesses with .xyz domain (geocode.xyz , poidata.xyz ) Never had any issues with email.

Yes this TLD is cursed because of it&#x27;s low price it has been used by all spammers and hackers on earth

The reason .xyz domains are banned is because of the amount of spam sent from that domain. In my case 100% was spam. So blacklisting it was an easy fix.<p>If I was owner of the .xyz TLD domain, I would be very concerned to kick out spammers because it kills the value of the .xyz TLD.

It is rather disappointing. I run my personal blog and email on .xyz because it&#x27;s great for graphics puns. Hotmail and gmail will accept my messages, but corporate email servers often seem to blackhole me.

I don’t mind the message being marked as `spam`, and I don’t mind looking up the spam list, but I feel scared when I can’t see it at all (has useful message been blocked by mistake?)

Still need to update the footer to the new domain.

Has anyone noticed any of this with .dev domains?

What about .app domains?

Email is such a steaming pile of shit these days. I can’t wait till everyone moves off of it.

Just get the dotcom. [0,1]<p>[0] <a href="http:&#x2F;&#x2F;www.paulgraham.com&#x2F;name.html" rel="nofollow">http:&#x2F;&#x2F;www.paulgraham.com&#x2F;name.html</a><p>[1] <a href="https:&#x2F;&#x2F;zlipa.com" rel="nofollow">https:&#x2F;&#x2F;zlipa.com</a>

&gt; <i>One surprising side effect of having a .xyz domain is that the mere inclusion of .xyz inside of a text message will result in a silent delivery failure for many providers.</i><p>Why are people afraid to use the real term for this?<p>It&#x27;s called censorship.<p>Your provider is silently censoring your text messages. In peacetime. You can&#x27;t expect it to improve when that&#x27;s no longer the case.