Lists
There are a variety of named lists that can be accessed via MQL. List names are always prepended with $ when referenced in MQL. Today, lists are only created and updated by the Sublime team or by the Platform itself. In the future, we'll enable arbitrary list creation, updating, and sharing.
How to use lists in rules
See the lists syntax for usage instructions.
System Lists
System lists are created and managed by your Sublime instance and include information specific to your environment. These lists are populated at runtime to ensure they're always up-to-date.
Org domains
$org_domains
All domains associated with your organization’s message sources. This list is synced daily with your email provider (Google Workspace or Microsoft 365).
Example usage:
sender.email.domain.domain in $org_domains
Org display names
$org_display_names
All display names of users in your organization with a valid mail license. This list is synced daily with your email provider (Google Workspace or Microsoft 365).
Example usage:
sender.display_name in $org_display_names
Recipient domains
$recipient_domains
All domains anyone in your organization has sent an email to. This includes any domain that has appeared in the "to", "cc", and "bcc" fields of any outbound message.
Example usage:
sender.email.domain.domain not in $recipient_domains
Recipient emails
$recipient_emails
All email addresses anyone in your organization has sent an email to. This includes all email addresses that have appeared in the "to", "cc", and "bcc" fields of any outbound message.
Example usage:
sender.email.email not in $recipient_emails
Sender domains
$sender_domains
All domains anyone in your organization has received an email from.
Example usage:
sender.email.domain.domain not in $sender_domains
Sender emails
$sender_emails
All email addresses anyone in your organization has received an email from.
Example usage:
sender.email.email not in $sender_emails
Sublime Lists
Sublime lists are maintained by the Sublime team and are open-source on GitHub.
Alexa Top 1 Million Domains
$alexa_1m
The top 1 million domains, as ranked by Alexa.
Example usage:
any(body.links, .href_url.domain.domain not in $alexa_1m)
Disposable Email Providers
$disposable_email_providers
Domains of disposable (or temporary) email providers that generate short-lived email addresses not owned by or attributable to any single user.
Example usage:
any(recipients.to, .email.domain.domain in $disposable_email_providers)
Free Email Providers
$free_email_providers
Domains of free email ("freemail") providers that allow anyone to create an email address. This is important to ensure the email address does not inherit the reputation of the freemail provider's domain. This list also includes the contents of $disposable_email_providers.
Example usage:
sender.email.domain.domain in $free_email_providers
Free File Hosts
$free_file_hosts
Domains of free file hosting sites that allow anyone to upload and serve arbitrary files.
Example usage:
any(body.links, .href_url.domain.domain in $free_file_hosts)
Free Subdomain Hosts
$free_subdomain_hosts
Free subdomain sites that allow anyone to create their own subdomain and host arbitrary content. This is important to ensure the subdomains do not inherit the reputation of the root domain.
Example usage:
any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)
Majestic Million Domains
$majestic_million
The Majestic Million is a collection of 1 million domains that have the most referring subnets.
Example usage:
any(body.links, .href_url.domain.domain not in $majestic_million)
Suspicious TLDs
$suspicious_tlds
Top-level domains that are either frequently abused, free to register, or otherwise not generally used in the normal course of business or email communication.
Example usage:
any(body.links, .href_url.domain.tld in $suspicious_tlds)
Tranco Top 1 Million Domains
$tranco_1m
The top 1 million domains found by Tranco ranking, a research-oriented top sites ranking hardened against manipulation.
Example usage:
any(body.links, .href_url.domain.domain not in $tranco_1m)
Cisco Umbrella Top 1 Million Domains
$umbrella_1m
Top 1 million most popular domains as ranked by Cisco Umbrella (based on passive DNS data).
Example usage:
any(body.links, .href_url.domain.domain not in $umbrella_1m)
Umbrella Top TLDs
$umbrella_1m_tld
The TLDs found in $umbrella_1m.
Example usage:
any(body.links, .href_url.domain.tld not in $umbrella_1m_tld)
URL Shorteners
$url_shorteners
Known URL shorteners that allow anyone to host arbitrary content.
Example usage:
any(body.links, .href_url.domain.root_domain in $url_shorteners)
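Combining lists in one rule
The single-line usages above compose with and/or. The rule below is an added example, not taken from the Sublime documentation or rule feed: it flags an inbound message whose display name matches an employee, sent from an outside address the organization has never corresponded with, that carries a link to a host where anyone can publish content. Every list and field path comes from the usage lines on this page; type.inbound and the // comments are MQL features not shown here.

```mql
type.inbound

// Display name matches someone in the org, but the sending domain is not ours
and sender.display_name in $org_display_names
and sender.email.domain.domain not in $org_domains

// No prior relationship: never received from, never sent to
and sender.email.email not in $sender_emails
and sender.email.email not in $recipient_emails

// At least one link lands on infrastructure anyone can publish to
and any(body.links,
        // root_domain: evaluate the subdomain host or shortener itself,
        // not whichever subdomain the sender registered on it
        .href_url.domain.root_domain in $free_subdomain_hosts
        or .href_url.domain.root_domain in $url_shorteners
        or .href_url.domain.domain in $free_file_hosts
        or .href_url.domain.tld in $suspicious_tlds
)
```

The display-name and first-contact clauses rely on the system lists, so their results reflect the state of the last daily sync with the email provider.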