Whitelisting is the selection of trustworthy sources and applications in digital communications and IT security. A whitelist is a collection of data entries associated with people, businesses, or software products that are treated as trustworthy sources; entries on the list permit the delivery of emails, the execution of programs and apps, and the display of online advertising. Each entry identifies a sender, receiver, or source as authorized. The complete list is then evaluated by a system (for example, a user device, server, or add-on). The goal is to permanently exclude defective software and spam and to ensure the security of the system. Whitelisting is used extensively in email marketing, IT security, and online advertising, sometimes in combination with blacklisting.

How it works

In contrast to blacklisting, which excludes certain resources, whitelisting uses positive examples of trustworthy sources to grant access to a service, the display of an advertising medium, or the delivery of email, and excludes all other resources. This is also referred to as a default deny approach: all resources that are not on the whitelist are rejected. As a rule, verification takes place at first-time registration in order to regulate admission and access to the whitelist. The criteria for inclusion in a whitelist may vary greatly depending on the provider, organization, or software. You can distinguish between the following types of positive lists:

  • Commercial whitelists where the co-operation partners pay a certain amount to the distributor or internet provider. Commercial whitelists are legally controversial in part.
  • Non-commercial whitelists that use specific properties in the server configuration, fixed IP addresses, and other test methods.

Email whitelisting

Email clients can be used to create a whitelist on the user side. The user maintains the whitelist by adding email senders manually. Most mail programs, such as Mozilla Thunderbird, Microsoft Outlook or Apple Mail, offer such functions and filter options. This is called client-side whitelisting. Filter criteria can be:

  • Email addresses and parts of them.
  • Certain keywords that indicate spam.
  • Certificates that are linked to people or servers.

Within the framework of collaborations such as the Certified Senders Alliance, the Spamhaus Whitelist or the ReturnPath initiative, whitelists are used to regulate the distribution of newsletters, as well as to prevent disturbing advertising and phishing. The deliverability of newsletters within the framework of email marketing is ensured by the fact that the senders participate in the above-mentioned collaborations - whereupon an Internet service provider (ISP) allows the distribution of newsletters by an email service provider (ESP) with its infrastructure. The user can only prevent this type of email transmission with a blacklist in the email program.

Application whitelisting

Positive lists are also used in the areas of software, servers and advertising. The principle is similar, but application whitelisting is not necessarily implemented in such a way that the end user has access to it. Either the user device has this protection mechanism because the manufacturer or system administrator has built it into the program and system logic,[1] or the user must install an add-on or plug-in on the device that is based on whitelisting and other protection mechanisms (for example, an advertising blocker). If an application is to be executed on a system, it is first checked whether the positive list contains it. If this is not the case, execution of the application is prevented. The following filter and test criteria are used for application whitelisting:[2]

  • Certificates and digital signatures to verify the reputation of the providers of programs, advertising, and infrastructures.
  • Paths for authorized access by administrators and web designers.
  • Hash functions to check if the entries in the whitelist correspond to the programs to be executed.
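
The check described above, as an added example (not taken from the cited sources): a default-deny decision using two of the listed criteria, hash and path. The `Allowlist` class, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash file contents in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

class Allowlist:
    """Default deny: a program may run only if a rule on the list matches."""
    def __init__(self, hashes=(), directories=()):
        self.hashes = set(hashes)
        self.directories = [Path(d).resolve() for d in directories]

    def decide(self, program):
        real = Path(program).resolve()  # resolve symlinks and ".." first
        if not real.is_file():
            return ("deny", "not a regular file")
        if sha256_of(real) in self.hashes:
            return ("allow", "hash rule")
        if any(d in real.parents for d in self.directories):
            return ("allow", "path rule")
        return ("deny", "no matching rule")

def demo():
    """Run both rule types over constructed files standing in for programs."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, other = Path(tmp, "trusted"), Path(tmp, "downloads")
        trusted.mkdir()
        other.mkdir()
        tool, copy, unknown = trusted / "tool.bin", other / "renamed.bin", other / "unknown.bin"
        tool.write_bytes(b"approved build 1.0")
        copy.write_bytes(b"approved build 1.0")   # same bytes, other location
        unknown.write_bytes(b"never reviewed")
        by_hash = Allowlist(hashes={sha256_of(tool)})
        by_path = Allowlist(directories=[trusted])
        results = {"hash/copy": by_hash.decide(copy),
                   "hash/unknown": by_hash.decide(unknown),
                   "path/tool": by_path.decide(tool),
                   "path/unknown": by_path.decide(unknown)}
        tool.write_bytes(b"approved build 1.0, later modified")
        results["hash/modified"] = by_hash.decide(tool)  # content change is caught
        results["path/modified"] = by_path.decide(tool)  # location is unchanged
        return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

A path rule keeps allowing a file after its contents change, so it is only dependable for directories that ordinary users cannot write to; a hash rule must be updated with every new release of the program.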

At the level of servers, IP addresses, domains or IP clusters, whitelisting is described as server-side whitelisting. Each Internet service provider (ISP) operates its own whitelist to allow trustworthy sources to access its own infrastructure. ISPs and ESPs also cooperate to some extent on a particular type of data transmission. For IT infrastructures with high security requirements, whitelisting is used to protect against exploits, as blacklisting is not an effective protection against attacks that have never occurred before.[3]

Benefits and Disadvantages

Whitelisting is a practice which is criticized by different parties, depending on the application. Two examples:

  • Application whitelisting requires maintaining the records, in other words, dynamic lists. Considering the variety of programs, apps, operating systems, and servers, managing application whitelists can be difficult. The cost is apparently only worthwhile for providers of anti-virus software, firewalls, and other protection measures.[4]
  • In the area of advertising, various websites and initiatives use whitelisting to ensure the delivery of advertising emails or the display of advertising. Whether and to what extent this is legally permissible in the case of commercial whitelists has yet to be clarified (as of 08/10/2016).

Relevance to online marketing

Whitelisting is practiced in online marketing in various areas to allow the reception of newsletters and the display of advertising or to increase the security of a system. Email marketing campaigns can implement both approaches to ensure the delivery of emails. Certain resources that are not intended to be advertised on are excluded, while other resources are preferred by whitelisting. This makes it possible to control the deliverability or the placing of ads. Functions such as frequency capping, double opt-in, and proven principles of permissions marketing should also be considered as part of such campaigns, so the sender or advertiser does not land on a blacklist. Similar best-practice examples apply to online advertising.


  1. application whitelisting searchsecurity.techtarget.com. Accessed on 08/10/2016
  2. Default Deny All Applications (Part 2) windowsecurity.com. Accessed on 08/10/2016
  3. Top 10 Common Misconceptions About Application Whitelisting resources.infosecinstitute.com. Accessed on 08/10/2016
  4. Default Deny All Applications (Part 1) windowsecurity.com. Accessed on 08/10/2016
