Phishing infrastructure gets burned by domain reputation before a single email is sent

Red teams age domains for 30-90 days and build reputation through benign traffic, but 60-70% of aged domains are still flagged by email security gateways (Proofpoint, Mimecast) before the first phishing email is sent. The gateways use proprietary scoring that considers domain age, registrar, hosting provider, SSL cert pattern, and historical DNS behavior, and the scoring thresholds are secret. A $500 domain investment plus 3 months of aging can be wasted by a single reputation check. This persists because email security vendors share domain intelligence through threat intel feeds, so a domain flagged by one vendor is blacklisted across the ecosystem within hours.