The case against ads.txt as it currently exists

ads.txt was a genuinely good idea, and it is overdue for some honest criticism. Defending a standard from improvement is not loyalty to it.

What it fixed

Domain spoofing got materially harder, and that was worth doing. For a simple text file, ads.txt removed a real and expensive category of fraud from the open market.

What it quietly broke

Two problems grew up alongside the benefit:

• The files have become unmanageably long, often thousands of lines, copied between sites with little understanding.
• Almost nobody audits their own. An unaudited ads.txt is theatre — it signals diligence without providing it.

A security file that nobody reads is just a longer attack surface with good intentions.

The reseller problem

The bigger structural issue is the reseller sprawl. A typical file authorises a long chain of intermediaries, and each entry is a path you have implicitly endorsed without verifying. The format makes it trivial to add a line and effectively impossible to reason about the whole.

What should change

I am not arguing to scrap ads.txt. I am arguing for tooling that makes auditing the default rather than a chore — line-level provenance, expiry dates, and a real reason to keep the file short. Until that exists, treat your own ads.txt with suspicion. It is probably longer and less examined than you think.