diff --git a/external/cmd/signup/main.go b/external/cmd/signup/main.go
index 5daca44..5838e68 100644
--- a/external/cmd/signup/main.go
+++ b/external/cmd/signup/main.go
@@ -114,12 +114,6 @@ func (c *character) Say(msg string) string {
 		strings.TrimSpace(msg))
 }
 
-// TODO: move this into an admin-editable world-unreadable file somewhere
-var suspiciousHosts = []string{
-	"mx1.cock.li",
-	"mx2.cock.li",
-}
-
 var ErrNoSuchDomain = errors.New("no host found for email address")
 var ErrNoSuchMailserver = errors.New("no mail server found for email address")
 
@@ -245,10 +239,19 @@ func _main(l *log.Logger, db *sql.DB) error {
 			"i'm sorry, before going further could you share an email with me?",
 			newCharacter("wire guy", "a lil homonculus made of discarded computer cables"),
 			func(s *scene) {
+				suspiciousHosts, err := models.SuspiciousHosts(db)
+				if err != nil {
+					// XXX: maybe log somewhere that the database failed
+					return
+				}
+				var shDomains []string
+				for _, host := range suspiciousHosts {
+					shDomains = append(shDomains, host.Domain)
+				}
 				su.Email = string(s.Input.Bytes())
-				if records, err := DigMX(su.Email); err != nil {
+				if records, err := DigMX(su.Email); err == nil {
 					for _, record := range records {
-						if slices.Contains(suspiciousHosts, record) {
+						if slices.Contains(shDomains, record) {
 							su.Notes = append(su.Notes, models.SignupNote{
 								Author:   "dns",
 								Content:  fmt.Sprintf("email address has suspicious host %s", record),
diff --git a/models/models.go b/models/models.go
index ffce1c6..a1b9b35 100644
--- a/models/models.go
+++ b/models/models.go
@@ -193,3 +193,35 @@ func (s *TownSignup) All(db *sql.DB) ([]*TownSignup, error) {
 
 	return out, nil
 }
+
+type SuspiciousHost struct {
+	ID         int64
+	Domain     string
+	CommonName string
+	Tier       int64
+}
+
+func SuspiciousHosts(db *sql.DB) ([]SuspiciousHost, error) {
+	rows, err := db.Query(`SELECT id, domain, common_name, tier FROM suspicious_hosts`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	out := []SuspiciousHost{}
+	for rows.Next() {
+		sh := SuspiciousHost{}
+		if err = rows.Scan(
+			&sh.ID,
+			&sh.Domain,
+			&sh.CommonName,
+			&sh.Tier,
+		); err != nil {
+			return nil, err
+		}
+
+		out = append(out, sh)
+	}
+
+	return out, nil
+}
diff --git a/sql/create_signups_db.sql b/sql/create_signups_db.sql
index b32f8eb..112bb31 100644
--- a/sql/create_signups_db.sql
+++ b/sql/create_signups_db.sql
@@ -24,3 +24,13 @@ CREATE TABLE IF NOT EXISTS notes (
 
   FOREIGN KEY (signupid) REFERENCES signups(signupid)
 );
+
+-- 2025-11-22: bad hosts
+CREATE TABLE IF NOT EXISTS suspicious_hosts (
+  id          INTEGER PRIMARY KEY,
+  domain      TEXT,
+
+  -- unused but worth adding instead of another migration later
+  common_name TEXT,
+  tier        INTEGER,
+)