What is Whitelist?
Also known as: Allow list, Approved list, Safe list
What is a whitelist?
A whitelist is a list of pre-approved domains, apps, IP addresses, email senders, or keywords that a system explicitly allows. Everything not on the list is blocked by default.
This makes a whitelist an inclusion-based control. The opposite of a blacklist, which excludes specific items and allows everything else. Whitelists are the stricter model. Tighter, safer, smaller in reach.
Whitelists answer four operational questions:
- Which placements are approved for this campaign?
- Which IPs are allowed to access this server?
- Which senders bypass the spam filter?
- Which keywords can trigger our ads?
Get the list right and your campaigns run only on inventory you trust.
Whitelist vs blacklist: when to use which
The choice comes down to risk tolerance and reach. A blacklist favors scale. A whitelist favors control. Per the Association of National Advertisers, 23 percent of programmatic spend in 2023 was wasted on fraud, MFA, and unviewable inventory. Whitelists eliminate that waste at the cost of reach.
| Factor | Whitelist | Blacklist |
|---|---|---|
| Default behavior | Block everything | Allow everything |
| Reach | Limited to list | Open web minus list |
| Brand safety | Highest | Medium |
| Maintenance cost | High | Lower |
| Best for | Regulated verticals, premium brand campaigns, zero-trust security | Performance campaigns, direct response, broad prospecting |
| Risk if misconfigured | Lost reach | Bad placements |
Pharma, finance, and gambling advertisers default to whitelists. The legal cost of a single misplaced ad outweighs the reach loss. Direct-response advertisers usually default to blacklists. They need volume. They accept that the verification layer catches the rest.
Whitelist applications across ad-tech and security
Whitelists show up in three distinct places: programmatic ads, email infrastructure, and network access. The mechanics differ. The principle is identical.
| Domain | What gets whitelisted | Source of approval |
|---|---|---|
| Programmatic display and video | Domains, app bundle IDs, placement IDs | Manual audits, IAB Tech Lab ads.txt, historical performance |
| Paid search | Search queries, geographic locations, audience segments | Conversion data, brand-safe keyword research |
| Sender domains, SPF-authorized IPs, individual addresses | Sender Score, internal vendor lists | |
| Network access | IP addresses, CIDR ranges, MAC addresses | Office IPs, VPN exit nodes, partner servers |
| API access | Origin domains (CORS), API keys, OAuth client IDs | Developer registrations, partner agreements |
In programmatic, the whitelist sits at the bidder. The DSP only enters auctions for impressions on approved domains. In email, it sits at the inbound mail server. The receiving server skips spam filtering for approved senders. In network access, it sits at the firewall. The firewall drops every packet that does not originate from an allowed IP.
Same logic, three layers of the stack.
How to build a whitelist
A good whitelist is built in three phases: research, tiered approval, ongoing audit. Skip any phase and the list either starves the campaign or drifts into stale entries that no longer perform.
1. Research the inventory pool
Start with the universe of options. For programmatic, that means every domain that has historically delivered on your campaigns plus the publishers in your target category.
Pull data from:
- The DSP's placement report. Every domain that delivered impressions in the last 90 days, ranked by viewability and conversions.
- IAB Tech Lab ads.txt authorized seller files. Verify the inventory you want is sold by sellers you have a contract with.
- Third-party brand-safety vendors. IAS, DoubleVerify, and HUMAN publish category-aligned approved-publisher lists.
- Direct deals. Premium publishers (Hearst, Conde Nast, Vox, NYT) sell whitelisted PMP deals.
A first pass produces 500 to 5,000 candidate domains.
2. Tier the list by approval level
Not every approved domain deserves equal weight. Split the list into three tiers.
- Tier 1: Premium. Manually vetted, direct relationships, top viewability. Capped CPM, guaranteed placement. 50 to 200 domains.
- Tier 2: Approved. Verified via ads.txt, strong historical performance, no brand-safety incidents in 90 days. Open-auction access at higher bid ceilings. 500 to 2,000 domains.
- Tier 3: Probationary. New additions, on watch for one billing cycle. Lower bid ceilings, daily review of performance and content. Promoted to Tier 2 or removed after 30 days.
The tiering matches budget allocation to confidence level. New entries do not get top spend on day one.
3. Audit on a schedule
A whitelist is a living document. Review it every 30 days against four signals: viewability, invalid traffic rate, conversion performance, brand-safety incidents reported by your verification vendor. Per the GARM Brand Safety Floor, eleven content categories (adult, illegal drugs, hate speech, terrorism, and others) are universal exclusions. Any whitelisted domain that drifts into those categories gets pulled the same day.
Domains that miss two consecutive monthly reviews get demoted a tier. Domains that miss four get removed.
Real-world example: a regulated finance whitelist
A mid-market wealth-management firm runs a programmatic display campaign during tax season. Compliance requires zero exposure on news sites covering financial scandals, crypto speculation, or partisan political content. Monthly spend is $120,000.
A blacklist alone is not enough. The firm builds a whitelist instead.
- Tier 1: 78 domains. Direct PMP deals with WSJ, Barron's, Morningstar, Bloomberg, FT. Average CPM $14.20. Viewability 78 percent.
- Tier 2: 1,140 domains. Vetted finance and lifestyle publishers from ads.txt + IAS approved lists. Average CPM $5.80. Viewability 67 percent.
- Tier 3: 280 probationary domains. New publishers under 30-day watch.
Outcome over a 90-day campaign:
- Total impressions: 14.6 million. Lower than an open-auction campaign at the same spend.
- Viewability: 71 percent. Up from 52 percent on the prior open-auction campaign.
- Compliance incidents: zero. Down from four flagged incidents the previous quarter.
- CPA: $96. Up from $74 on open auction. The premium reflects the inventory quality.
The firm accepted the higher CPA. The compliance team accepted the lower reach. Both got what they needed.
Whitelisting in modern ad-tech
Whitelists are not falling out of favor. They are getting more granular. Per the Spamhaus Project, DNS-based reputation lookups exceed 50 billion queries per day, and modern ad and email systems both lean on real-time reputation data instead of static lists alone.
Three shifts shape how whitelists work today:
- Curated marketplaces. SSPs like Magnite, PubMatic, and Index Exchange now sell pre-curated PMP packages. The buyer does not build the list. The SSP does, then certifies it. Faster setup, less control.
- Dynamic whitelists. Modern DSPs auto-promote domains into the approved list when they hit performance thresholds, then auto-demote them when they fall below. The marketer sets the rules. The system maintains the list.
- AI-curated approval. Verification vendors use ML to score inventory in real time on a per-impression basis. The whitelist becomes a probabilistic filter, not a static file.
In a connected ad-creation-and-launch platform like Coinis, whitelist management runs in the background. When a campaign launches into Meta or programmatic channels, the platform applies a category-appropriate whitelist or exclusion list based on the vertical. Performance signals feed back into the list nightly. The marketer reviews tier promotions and demotions, not raw domain lists.
The whitelist still does what it always did. Allow only what you trust. Block everything else. The work of building and maintaining it is what changes.
Related terms
Frequently asked questions
What is the difference between a whitelist and a blacklist?
A whitelist allows only the items on the list and blocks everything else. A blacklist does the opposite. It blocks specific items and allows everything else. Whitelists are stricter and safer but smaller in reach. Blacklists scale to the open web but let new bad actors slip through until they get reported.
Why do advertisers use whitelists?
Three reasons. Brand safety on regulated categories like pharma, finance, and gambling. Premium reach on a hand-picked publisher set with proven performance. Compliance with category restrictions defined by the GARM Brand Safety Floor. A whitelist trades open-web scale for predictable inventory quality.
What is an email whitelist?
An email whitelist is a list of approved sender addresses, domains, or IPs that a mail server treats as trusted. Whitelisted senders skip spam filtering and reach the inbox. Corporate IT teams use whitelists to ensure transactional mail from payroll and HR vendors is never quarantined. Sender Score from Validity is the standard reputation source.
How big should a programmatic whitelist be?
Most advertisers run whitelists between 200 and 5,000 domains. Smaller lists give tighter brand safety but starve the auction. Larger lists capture more reach but dilute the quality control. The sweet spot is around 1,000 to 2,000 domains for a national campaign, refreshed every 30 days against ads.txt and viewability data.
Are whitelists better than blacklists?
Neither is universally better. Whitelists fit regulated categories, premium brand campaigns, and zero-trust security. Blacklists fit performance campaigns that need open-web scale. Most mature ad accounts run both. A whitelist for top-funnel brand budgets. A blacklist with verification for direct-response budgets that need volume.