Live Direct Marketing logo
Inbox Placement Test
List hygiene10 min read

Purchased email lists: why they destroy deliverability

Bought lists are not a shortcut. They are a domain-execution event. Trap density of 30-60% is normal. Complaint rates clear every legal threshold within hours. ESPs ban accounts mid-campaign. The math has not changed in 20 years — but the lists are still on the market.

Buying an email list is the deliverability equivalent of paying someone to set your house on fire. The seller knows. You, usually, do not. The list of 100K B2B contacts you bought for $500 contains 30,000 invalid addresses, 5,000 spam traps, and 50,000 contacts who never heard of you and will hit "mark as spam". Within 12 hours of the first send, your domain is on a blocklist, your ESP account is suspended, and your sender reputation needs months to recover. This is the standard outcome — not the worst case.

TL;DR

Purchased lists carry 30-60% bad addresses (invalid + traps + complainers). They violate GDPR, CAN-SPAM, and CASL. ESPs ban accounts on detection. Spamhaus listings follow within hours. Reputation recovery costs months of clean sending. There is no version of this that pays back. Don't.

Real trap density in purchased lists

Composite of testing and reported data from validation vendors on B2C and B2B purchased lists in 2024-2026:

  • Hard-bounce / invalid: 15-30%. Addresses that no longer exist or never existed.
  • Spam traps (pristine + recycled): 3-15%. Higher on older / cheaper lists.
  • Role accounts: 5-15%. Higher on B2B lists.
  • Disposable / temp addresses: 2-8%.
  • Honest valid + opted-in to your specific brand:essentially 0%. None of the recipients consented to your sending.

Even after running a purchased list through every validation service in the market, you remove the obvious dead addresses but leave behind the subtle traps and the recipients-who-didn't-consent — both of which torch your reputation when you send.

Complaint rate on purchased lists

From observed campaigns where purchased lists were sent despite warnings:

  • Typical complaint rate: 1-5%. Gmail's threshold for bulk-spam routing is 0.3%. Crossed by 5-15x.
  • Hard limit before reputation collapse: 0.1%. Crossed by 10-50x.
  • Time to first complaint: within minutes of the first send.
  • Time to ESP suspension: typically 4-24 hours into the campaign, depending on ESP monitoring sensitivity.

These numbers are not edge cases. They are typical. Purchased lists generate complaint rates 50-100x healthy thresholds because the recipients have no relationship with the sender.

Legal status

Purchased list sends violate every major email regulation:

  • GDPR (EU). Requires explicit, affirmative, freely-given consent for marketing. Purchased lists fail this on every axis. Fines: up to 4% of global annual revenue or €20M.
  • CAN-SPAM (US). Doesn't require opt-in but requires accurate sender identity and easy opt-out. The enforcement reality is that purchased-list senders fail opt-out compliance because the lists are so dirty. Per violation: up to $51,744 (2024 cap).
  • CASL (Canada). Requires express or implied consent. Purchased lists fail. Per violation: up to CAD $10M (organization).
  • UK GDPR / PECR. Mirrors EU GDPR for B2C; B2B has narrow exemption that purchased B2B lists generally do not qualify for.

Beyond direct fines, the violation creates discoverable evidence in any subsequent dispute, customer audit, or M&A due diligence. Companies have lost acquisitions over purchased-list discovery in target due-diligence.

ESPs ban accounts

Every reputable ESP (Mailchimp, SendGrid, Klaviyo, HubSpot, Postmark, Customer.io, AWS SES, etc.) explicitly forbids purchased lists in their terms of service. Detection mechanisms:

  1. Sudden hard-bounce spike from a brand-new account.
  2. Complaint rate exceeding internal thresholds (typically 0.1-0.3%).
  3. Hits on internal seed-trap network.
  4. Reverse-image of the list against known purchased-list fingerprints (some ESPs share data on this).
  5. Recipient complaints citing "I never signed up" consistently.

Account suspension is typically immediate when detected. The ESP keeps your money. You lose access to your account, your sending history, and any opt-in subscribers you legitimately had. Recovery (creating a new account, re-warming) takes weeks or months.

The recovery cost is months, not days

A purchased-list blast that lands you on Spamhaus DBL costs you: domain delisting work, IP delisting at major providers, reputation re-warming (4-12 weeks), lost campaign opportunity, ESP migration if banned, and customer-trust recovery. Real cost typically $20K-$100K for a moderately sized B2B operation. The list cost $500.

Scraped lists are worse

"Free" scraped lists (built by extracting addresses from LinkedIn, GitHub, web pages) are worse than paid lists:

  • Higher pristine-trap density — trap operators heavily plant in scrape targets.
  • More obviously machine-extracted patterns — easier for providers to fingerprint.
  • Same legal status — scraping doesn't create consent.
  • Often combined with role-account harvesting, which accelerates complaint rate.

Tools that automate this — "email finders", domain-prefix-pattern guessers, LinkedIn data extractors — produce technically-deliverable but reputation-destroying lists. The fact that a tool can extract an address does not make sending to it a viable strategy.

Rented and co-marketing lists

"We'll send to our list on your behalf" is common in B2B (event partners, content syndication relationships). The mechanics differ from purchase but the outcome can be the same:

  • If they send and only forward replies to you: relatively safe — their domain takes the hit, not yours.
  • If they hand you the list: same as purchase. Same risks.
  • If you send from a co-branded domain: their reputation becomes yours quickly.

The safe pattern is the first: partner sends from their domain, recipients consent to be forwarded to you (via reply or click-through opt-in). Anything else is a list-purchase with extra steps.

Legitimate alternatives

  1. Inbound content marketing. Slow but compounding. Subscribers actively opt in.
  2. Cold outreach with proper warm-up. Sending to manually researched, role-relevant prospects from a warmed domain at low volume. Legal in most jurisdictions for B2B; reputational impact manageable if done right.
  3. Paid lead capture. Targeted ads driving signups with double opt-in. Higher cost per address than buying, but the addresses are actual prospects who consented.
  4. Conference / event lead capture. Recipients explicitly shared contact info. Use within reasonable expectation of context.
  5. Referral programs. Existing subscribers refer others who explicitly opt in. Highest-quality acquisition channel available.

Practical rules

  • Never buy a list. Not for any price, not for any purpose.
  • Never scrape addresses.
  • Never accept a list as part of a deal or migration.
  • If you inherit a list from an acquisition or transition-of-ownership, treat it as suspect — validate rigorously, prefer re-opt-in confirmation before marketing sends.
  • If a vendor offers you "a clean list of decision-makers in your industry", the product is the "clean" claim, which is false.
  • Educate sales teams. Sales-driven org pressure is the most common path to bad-list adoption.

Frequently asked questions

What if the list seller swears the addresses are 'opted in to receive offers from third parties'?

That phrase is meaningless under GDPR (no specific consent), thin under CASL, and operationally untested under CAN-SPAM. Even if technically truthful, the recipients didn't opt in to your specific brand — they will hit spam at the same rate as on a purely cold list. Legal risk + operational risk + reputation risk all stack.

Can I send 'just one introductory email' to a purchased list?

No. The reputation damage from one purchased-list send is the full cost. Mail providers don't give first-time-offender forgiveness. The ban / blocklist / reputation collapse all happen on the first send.

What about LinkedIn-scraped contacts — they're public, right?

Public visibility doesn't equal consent to be marketed to. LinkedIn's ToS forbids scraping. GDPR considers an email address personal data regardless of how it was obtained. The legal and reputational outcomes are identical to purchased lists.

Does it matter if I send from a 'throwaway' domain?

Marginally — you isolate the reputation damage from your primary brand. But: ESPs still ban your account, recipient providers still flag and may share fingerprints with main-domain data, and the legal exposure is identical. Throwaway domain is a tactical hack that doesn't change the underlying problem.
Related reading

Check your deliverability across 20+ providers

Gmail, Outlook, Yahoo, Mail.ru, Yandex, GMX, ProtonMail and more. Real inbox screenshots, SPF/DKIM/DMARC, spam engine verdicts. Free, no signup.

Run Free Test →

Unlimited tests · 20+ seed mailboxes · Live results · No account required