article

Recovering From Bad Link Building: How To Audit And Disavow Harmful Backlinks

Recovering from bad link building requires auditing toxic backlinks, manual removal outreach, disavowing harmful links, and rebuilding trust. This guide provides the exact steps to clean your backlink profile, restore rankings, and improve your brand's crucial AI citation potential.

Liam Dunne
Liam Dunne
Growth marketer and B2B demand specialist with expertise in AI search optimisation - I've worked with 50+ firms, scaled some to 8-figure ARR, and managed $400k+/mo budgets.
March 4, 2026
12 mins

Updated March 04, 2026

TL;DR: Bad links act as reputation debt. When Google calls in the bill during a core update, your traffic drops fast. Recovery follows four stages: audit your full backlink profile to identify toxic links, attempt manual removal from source sites first, upload a disavow file to Google Search Console as a last resort, and submit a reconsideration request only if you received a manual action. The entire process takes weeks to months, not days. Beyond Google, a poisoned backlink profile may also affect how AI answer engines evaluate your entity's trustworthiness, so you need clean link hygiene before you can earn AI citations.

Your organic traffic just fell off a cliff. Maybe a Google Spam Update rolled through, or your CEO forwarded a Search Console notification asking what "manual action" means. Either way, you're likely dealing with the same root cause: a backlink profile full of links that should never have been built.

This guide walks you through the complete recovery process. You'll get the specific steps to identify toxic links, the exact manual removal workflow, and a safe walkthrough of Google's Disavow Tool. We'll also show you why this matters for AI visibility, because a compromised link profile hurts more than just your Google rankings.

Not all backlinks are equal, and the bad ones don't just fail to help you rank. They actively signal manipulation to search engines and may affect how AI answer engines evaluate your entity's trustworthiness.

Unnatural links include any links that attempt to manipulate search rankings rather than earn them through genuine content value. The most common types are:

  • Private Blog Networks (PBNs): Connected sites that link to each other purely for SEO benefit, providing no real user value
  • Link farms: Clusters of domains built solely to pass PageRank to paying clients
  • Over-optimized anchor text: Exact-match keyword anchors used at unnatural rates across referring domains
  • Comment and forum spam: Automated tools mass-submitting links across discussion threads
  • Sitewide links: Footer or sidebar links sold as packages by cheap agencies, appearing across every page of a domain
  • "Bad neighborhood" links: Domains flagged for gambling, adult content, malware, or other high-risk categories linking to unrelated B2B SaaS sites

The problem compounds when you inherit a link profile from a previous agency. As Globex Outreach notes about unnatural links, Google treats these as violations of its Search Central guidelines regardless of who built them or when.

Toxic links don't just hurt your Google rankings. They may interfere with how AI answer engines evaluate your entity's trustworthiness, and most teams completely miss this connection.

Research into how AI answer engines handle citations shows that brand search volume correlates more strongly with citations than raw backlinks do, with brand recognition acting as the primary trust signal. When spam sites from unrelated industries link to your SaaS product, they introduce the kind of reputational noise that lowers an AI answer engine's confidence in your entity. If Google doesn't trust your backlink profile, your CMO should ask: why would ChatGPT?

Cleaning your link profile is not just about recovering lost rankings. It is a prerequisite for the kind of third-party validation that gets you cited in AI-generated answers. For a deeper look at how AI answer engines decide which sources to cite, our AI citation patterns breakdown is worth reading alongside this guide.

Before you can fix anything, you need a complete picture of what's pointing at your domain.

  1. Export from Google Search Console. Go to Links > External Links > Top linking sites and export the full list.
  2. Pull data from a paid tool. Use Semrush, Ahrefs, or Moz to catch links GSC underreports, since GSC typically shows only a fraction of your full profile.
  3. Combine and deduplicate. Merge both exports into a spreadsheet and remove duplicate root domains using your spreadsheet tool's "Remove Duplicates" function.
  4. Cross-reference for completeness. The Hallam Agency's disavow guide recommends this multi-source approach for the most comprehensive picture.

You need to sort each domain into one of three buckets: keep, request removal, or disavow. These lists are not interchangeable, and conflating them is where most teams make their first mistake. Work through your deduplicated domain list and flag any row showing one or more of these signals:

  • Irrelevant domain: The site has no connection to your industry, use case, or geography
  • Over-optimized anchors: Exact-match commercial keywords appear at unnaturally high frequency
  • Bad neighborhood: Domain hosts gambling, adult content, pharma spam, or triggers malware warnings in Google Safe Browsing
  • No real content: Site exists only for link aggregation or auto-generated articles with no user value
  • Suspicious patterns: Excessive hyphens in domain name or mass registration dates matching your link spike
  • Sitewide placement: Footer or sidebar links appearing across every page of the referring domain
  • Unnatural velocity: Hundreds of low-quality domains all pointed at you on the same date

Manual review is non-negotiable. As noted in the editorial.link disavow guide, no tool can determine toxicity with complete certainty, which is why experienced SEO professionals manually review flagged backlinks before taking action rather than mass-disavowing entire lists. Semrush's Backlink Audit tool assigns a toxicity score from 0 to 100 based on dozens of toxic markers, and it's a useful starting filter, but use it as a triage tool, not a final verdict.

Step 2: The removal-first strategy (before you disavow)

The disavow tool is a last resort, and Google states this explicitly in the official disavow documentation: if you have a manual action for unnatural links, try to remove those links from the other site first, and only disavow what you cannot get removed.

This matters for two reasons. First, if you received a manual action, submitting a reconsideration request with a weak removal effort signals to a human reviewer that you didn't take the problem seriously. Second, disavowing links you could have removed yourself looks like corner-cutting, and Google reviewers read reconsideration notes carefully.

How to execute manual outreach

For each domain on your removal list:

  1. Find the webmaster contact. Check the site's Contact page, WHOIS data, or the domain's LinkedIn presence. Tools like Hunter.io can surface email patterns for domains with clear ownership.
  2. Send a concise, professional request. Do not threaten legal action or accuse the site of spam. State that you're conducting a link audit, provide the specific URL containing the link, and request removal.
  3. Follow up once after 5-7 days. If you receive no response after your follow-up, note it in your tracking sheet and move the domain to your disavow list.
  4. Document everything. Save emails, screenshots of sent messages, and timestamps. Google expects evidence of removal attempts, not promises, when you submit a reconsideration request.

As the Elite Strategies disavow guide explains, the disavow links tool is not meant to remedy all backlink ills. Removing links yourself is always the preferred path, and only move domains to your disavow list after documented outreach fails.

Once your removal outreach is complete and fully documented, you're ready for the final tool: Google's Disavow file.

Step 3: How to use the Google Disavow Tool safely

Get the syntax wrong and Google will reject the file entirely, leaving your old disavow list in place (or nothing active if you don't have one yet).

Disavow file format and syntax rules

The file must be a plain .txt file encoded in UTF-8 or 7-bit ASCII. The Google Search Central disavow documentation specifies a maximum of 100,000 lines and a 2MB file size limit. Every domain you disavow should be prefixed with domain: so Google excludes the entire domain, not just a single URL.

Here's exactly what a properly formatted disavow file looks like:

# Disavow file - last updated 2025
# Links confirmed unnatural after removal outreach failed

# Specific URLs where removal was declined
http://spam.example.com/paid-links.html
http://linkfarm.example.net/directory/yourbrand

# Full domains where all links are toxic
domain:shadyseo.com
domain:linkfarm.xyz
domain:pbn-network.net

Lines starting with # are comments and Google ignores them. You cannot disavow an entire subdirectory path like example.com/en/, and one URL or domain per line is the only accepted format. As Koanthic's complete disavow guide confirms, uploading a new list completely replaces your existing one, so always include every domain you want disavowed, not just new additions.

Common mistakes that make things worse

Before you upload, check your file against these failure modes that Bluehost's disavow guide flags as most common:

  • Accidental good link disavows: Bulk-exporting without reviewing individual domains catches legitimate links in the net
  • Wrong file format: Uploading a Word or Excel file instead of plain .txt (Google rejects these immediately)
  • Protocol confusion: Mixing http and https versions without domain: prefix only disavows one variant
  • Self-harm: Including your own domain by mistake during copy-paste operations
  • Incomplete history: Forgetting to include previously disavowed domains when uploading a new file, effectively reinstating them

The upload process

  1. Go to the Google Search Console Disavow Tool
  2. Select the correct property from the dropdown
  3. Click the upload button and select your .txt file
  4. If errors exist, Google shows them immediately and your old list remains unchanged
  5. Correct the errors and re-upload

A critical property note: The Google disavow documentation confirms that the disavow tool does not support Domain properties. You must use a URL-prefix property (like https://www.example.com). If your site has both http and https properties verified separately, upload your list to each one. As Neil Patel's disavow guide notes, www.example.com and example.com are technically different URLs in GSC, so check which property contains your traffic data before uploading.

Recovery timelines: manual actions vs. algorithmic penalties

The recovery process and expected timeline differ significantly depending on what type of penalty you're dealing with. Most teams treat them as the same problem, which leads to incorrect next steps and unrealistic expectations when reporting upward.

Manual actions: human reviewer, reconsideration required

A manual action means a human at Google reviewed your site and determined it violated the link spam guidelines. You'll see it clearly in GSC under Security & Manual Actions > Manual Actions. Recovery requires you to fix the violations (remove and disavow toxic links) and then submit a formal Reconsideration Request explaining what you found, what you did to fix it, and what you've changed to prevent recurrence.

According to the penalty recovery timeline guide from Black Swan Media, manual penalties often resolve within 10-30 days after a successful reconsideration request. The manual vs. algorithmic penalty breakdown from Bespoke Digital confirms that manual actions have more predictable timelines, typically 2 weeks to 3 months, compared to algorithmic devaluations. The key variable is the quality of your reconsideration request documentation.

Algorithmic penalties: no notification, no clear end date

Algorithmic devaluations from Google's Spam Updates come with no notification. Google's link spam detection has been fully integrated into its core ranking systems since 2016, so there is no longer a separate "Penguin penalty" to recover from as a distinct event. You notice a ranking drop in analytics and GSC shows no manual action. The fix is the same (remove, disavow), but there's no reconsideration request to submit. You clean the profile and wait for Google to recrawl, reprocess, and apply the updated signals.

According to Search Engine Land's Google penalty guide, algorithmic penalties can take anywhere from 6 months to over 2 years for full recovery, and Google-Penalty.com's recovery timeframe research notes that some sites never fully regain their previous rankings. Where you land in that range depends on several factors: how many toxic links you have, how long they've been active, how frequently Google crawls your domain, how competitive your niche is, and whether a relevant update cycle has run after you submitted your disavow file. Sites with a small number of recently acquired toxic links from a single campaign tend to recover faster. Sites with years of accumulated spam across hundreds of referring domains sit at the longer end of that window. This is exactly why catching problems early through quarterly audits matters far more than executing a perfect recovery after the fact.

The disavow file itself processes within a few weeks according to Google's own documentation, but Koanthic confirms that you may not see ranking improvements for 3-6 months after processing, and full recovery can take up to 12 months for extensive campaigns, depending on crawl frequency and update cycles.

Set expectations clearly when reporting upward. Traffic recovery from a disavow is measured in quarters, not weeks. If your CMO expects a rebound in 30 days, align on realistic milestones early.

Future-proofing: building authority that AI answer engines trust

Surviving one penalty doesn't make you immune to the next one. And here's the bigger picture: the practices that caused this problem, buying links, building PBNs, hiring cheap agencies that "guarantee" placements, are directly opposed to the kind of authority that earns AI citations.

Traditional SEO treated every link as a vote. The more votes, the higher the rank. AI answer engines don't work that way. These systems evaluate source credibility through domain mentions, citations, and overall trustworthiness. A purchased link from a domain with no thematic relevance to your product doesn't just fail to help with AI citations. It actively introduces noise into the entity signals that AI answer engines use to understand what your brand does and who vouches for it.

Our guide to answer engine optimization covers this shift in detail. The operating model for AI visibility is earning citations through content and credibility, not buying links through vendors.

The CITABLE framework and third-party validation

At Discovered Labs, we look at link health through the lens of entity trust. Our CITABLE framework has seven components that together shape how AI answer engines and search engines evaluate your brand:

  • C - Clear entity & structure: A 2-3 sentence BLUF (bottom line up front) opening that establishes exactly what your brand is and does
  • I - Intent architecture: Answering both the main question and adjacent questions your buyers are likely asking
  • T - Third-party validation: Reviews, user-generated content, community mentions, and earned citations from authoritative sources
  • A - Answer grounding: Verifiable facts backed by sources, so AI answer engines can confirm your claims
  • B - Block-structured for RAG: Content organized in 200-400 word sections with tables, FAQs, and ordered lists for retrieval
  • L - Latest & consistent: Timestamps and unified facts across every platform and property you own
  • E - Entity graph & schema: Explicit relationships in copy and structured data, so AI systems understand who you are in context

The T component, third-party validation, is where link recovery directly intersects with AI visibility strategy. In practice, this means:

  • Reviews on G2, Capterra, and Trustpilot from real users with verified accounts
  • Reddit threads and forum discussions where your product is mentioned in context, not promoted
  • Earned press mentions in publications that AI answer engines actively index and trust
  • Partner and integration mentions on credible, topically aligned domains

This is the antithesis of link spam. Where spam buys manufactured votes from unrelated domains, third-party validation earns genuine recognition from sources that AI answer engines already trust. Every toxic link you remove and replace with a legitimate earned mention improves both your Google authority and your AI citation rate. For more on how this plays out technically, our competitive technical SEO audit guide connects entity health to AI infrastructure gaps in concrete terms.

Quarterly audits prevent the next crisis

A clean link profile degrades over time. Competitors can run negative SEO campaigns pointing spam links at your domain, old link building campaigns resurface as domains revive under new owners, and your audit schedule determines whether you catch these problems before they compound.

Recommended audit cadence:

  1. Monthly: Review new links added via GSC "New links" export
  2. Quarterly: Full backlink audit against your toxicity classification criteria
  3. After any major Google update: Pull a fresh export and check for newly flagged domains

Recovering from bad link building takes months, not weeks, but the process is methodical. Audit your full profile, attempt manual removal, disavow only what you can't remove, and rebuild authority through earned citations. Each step improves your Google rankings while restoring the entity trust AI answer engines need to cite your brand.

Once your link profile is clean, use our 15 AEO best practices guide to build a citation-ready content strategy, and explore how AI citation tracking works to measure your progress.

Ready to see where your link profile and entity health stand today? Our team benchmarks your visibility against your top three competitors across the queries your buyers actually ask AI answer engines. Book a visibility audit and we'll show you exactly how we work, and be honest whether we're a good fit.

How long does a disavow take to work?

Processing the file takes a few weeks according to Google's documentation, but ranking recovery takes longer. Manual action penalties typically resolve in 2-4 weeks post-reconsideration approval, while algorithmic recoveries take 3-12 months or more, depending on crawl frequency and when the next relevant update runs.

Can I undo a disavow file upload?

Yes. Uploading a new list replaces the existing one entirely, as Google's disavow documentation confirms. To undo a disavow, upload a new file that excludes the domains you want reinstated. Note that Google needs to recrawl and re-evaluate reinstated links, which takes additional weeks.

Do broken links (404s) need to be disavowed?

Generally no. As Lumar's disavow FAQ explains, 404 pages don't receive or pass link value because Google reads the link as not connecting to anything. Focus your disavow efforts on active toxic links. The one exception is when a URL was live and toxic before going 404, since Google may retain memory of previously indexed pages for several months.

Should I disavow low-DA domains that aren't spam?

No. Low Domain Authority (a Moz metric, not a Google metric) alone is not a toxicity signal. A small niche blog with low DA that covers your industry and mentions your product naturally is completely fine. Only disavow links with clear manipulation signals, not just links from small sites.

What if I can't find contact details for the linking site?

Document the attempt. Screenshot the domain's contact page (or lack thereof), note the date, and move the domain to your disavow list. Google's reconsideration process accounts for cases where webmaster contact is genuinely impossible, as long as you show evidence of the attempt.

Key terminology

Manual action: A penalty applied by a human Google reviewer who determined your site violated the link spam guidelines. You'll find it in Google Search Console under Security & Manual Actions. It requires a formal Reconsideration Request after you complete the fixes.

Algorithmic penalty: A ranking demotion that Google's algorithm applies automatically through its integrated spam detection and core ranking systems, with no notification in GSC. Recovery requires fixing the underlying issue and waiting for the next crawl and algorithm cycle.

Toxic backlink: A link that attempts to manipulate search rankings rather than being earned through genuine content value, including links from PBNs, link farms, comment spam, irrelevant directories, and paid link schemes.

Domain Authority (DA): A third-party metric Moz created on a 1-100 scale to estimate how likely a domain is to rank. It is not a Google metric and should not be your sole indicator of link quality.

Disavow file: A plain .txt file you upload to Google Search Console to instruct Google to ignore specific URLs or entire domains when calculating your site's authority. Use this advanced feature only as a last resort after manual removal attempts fail.

Private Blog Network (PBN): A group of websites built solely to pass PageRank to target domains by linking between them. PBNs violate Google's Search Central guidelines and provide no genuine user value.

Get a free AEO audit

See how your content performs in AI search engines.

Continue Reading

Discover more insights on AI search optimization

Jan 23, 2026

How Google AI Overviews works

Google AI Overviews does not use top-ranking organic results. Our analysis reveals a completely separate retrieval system that extracts individual passages, scores them for relevance & decides whether to cite them.

Read article
Jan 23, 2026

How Google AI Mode works

Google AI Mode is not simply a UI layer on top of traditional search. It is a completely different rendering pipeline. Google AI Mode runs 816 active experiments simultaneously, routes queries through five distinct backend services, and takes 6.5 seconds on average to generate a response.

Read article