Spamhaus is a non-profit organization operating the most consequential family of email blocklists (DNSBLs) in production. Its data is consumed by Apple iCloud, Microsoft (Outlook.com / Hotmail / Microsoft 365), Yahoo, Proofpoint, Rackspace, and Cloudmark — roughly the non-Gmail half of major mailbox providers. A Spamhaus listing functions as an effective email kill switch for any sender whose audience is predominantly non-Gmail. Removal from any Spamhaus blocklist is always free; any service charging for delisting is a scam.
Most published material about Spamhaus reads as either generic listicles ("the top 10 email blacklists you should know about") or vendor blog posts trying to sell deliverability services. Operators who have actually had to delist a production IP know that Spamhaus is not a single list — it's a family of specialized blocklists with different listing criteria, different delisting mechanisms, and different return codes that mean very different operational things. Treating "Spamhaus" as a monolithic concept is the first mistake; the second is confusing the 127.255.255.x error-code range with real listings, which causes mail servers to wrongly reject legitimate mail. This entry documents the family, the workflow, and the operational reality at production scale.
The Spamhaus Project was founded in 1998 by Steve Linford as a UK-based response to the early-2000s spam epidemic; it now operates as Spamhaus Project SLU, a non-profit headquartered in Andorra. Its 2006-era data already protected 650 million email users — including the European Parliament, US Army, the White House, and Microsoft — from billions of spam emails per day. Twenty-eight years later, the organization is still the editorial backbone of email reputation infrastructure for Microsoft, Apple, Yahoo, and most non-Gmail mailbox providers.
Spamhaus Project (non-profit) vs Spamhaus Technology (commercial)
The structural distinction between the two entities matters operationally because it explains why Spamhaus listings are taken seriously by major mailbox providers — and why no amount of paid lobbying gets a domain or IP delisted faster.
Spamhaus Project SLU is the non-profit, Andorra-based, founded in 1998. It is responsible for the editorial decisions about what gets listed: the OSINT (Open Source Intelligence) research team that investigates SBL candidates, the dedicated investigators and forensics specialists who maintain the active 30,000-40,000-listing SBL dataset, and the policy criteria that determine when an IP or domain is added to or removed from any Spamhaus zone. The Project retains editorial independence from any commercial relationship — a principle Spamhaus emphasizes explicitly.
Spamhaus Technology is the authorized commercial vendor. While small-volume users can query the public DNSBL mirrors for free (with the deprecation discussed below), high-volume senders, ISPs, and security companies must access the data via commercial Data Query Service (DQS) subscriptions which use rsync or BGP rather than public DNS. Pricing for commercial DQS typically runs hundreds to low-thousands USD per year depending on query volume.
The Spamhaus zone family: 8 datasets decomposed
Spamhaus operates eight distinct blocklist zones, each targeting a specific abuse pattern with its own listing criteria, operational use case, and delisting mechanism. Most operators interact with three or four; understanding all eight clarifies architectural decisions.
Spamhaus Blocklist — the manually-maintained core list. IPs of verified spammers, spam gangs, spam support services, snowshoe configurations, bulletproof hosting, spamware sales, botnet C&C, and malware/phishing/ransomware hosts.
Exploits Blocklist — automated, includes Composite Blocking List (CBL) data. Open proxies (HTTP/SOCKS/Wingate), botnet-infected machines, worms with spam engines. Self-service removal once issue is patched, otherwise auto-relists.
Policy Blocklist — IP space that should NOT send mail directly to internet (residential dial-up, dynamic ranges, web servers). Use only at SMTP transaction connecting IP. SMTP Auth-exempt.
Domain Blocklist — RHSBL (Right-Hand Side Block List) for domain reputation. Used at content-stage filtering after SMTP accepts (URL checks, sender domain checks). Free for any use.
Composite SnowShoe (SBLCSS) — automated subset of SBL targeting snowshoe and high-volume spam patterns. Detects volume distribution patterns, frequent IP rotation, fresh-domain registration patterns.
Composite zone — combines SBL + CSS + XBL + PBL into a single DNS query. One query returns multiple distinct answers (one per dataset where IP is listed). Recommended for SMTP-time blocking.
Don't Route Or Peer — JSON files with CIDR blocks + ASNs for hijacked netblocks. Designed for BGP route filtering, not SMTP. eDROP merged into DROP April 10, 2024 (now single unified list). Free for any use.
BCL (released June 2012) lists IPs operating botnet C&C infrastructure. ROKSO (Register of Known Spam Operations) historically tracked the ~100 organizations responsible for ~80% of world's spam — no longer publicly available since after 2023, law-enforcement-only access. New attribution mechanism in development per Spamhaus FAQ.
Why ZEN is the recommended SMTP query
Spamhaus explicitly recommends NOT querying the SBL, XBL, PBL, and CSS subzones separately when ZEN covers them. The reasoning is mechanical: a single DNS query to zen.spamhaus.org returns multiple distinct answers within the same DNS response packet — one per dataset where the IP is listed, with different return codes for each — using less infrastructure than four separate queries.
# Single query to ZEN returns combined results $ dig +short 2.0.0.127.zen.spamhaus.org 127.0.0.2 # Listed in SBL (verified spam source) 127.0.0.4 # ALSO listed in XBL (exploit/botnet) 127.0.0.10 # ALSO listed in PBL (should not send direct) # Equivalent to four separate queries: # dig 2.0.0.127.sbl.spamhaus.org # dig 2.0.0.127.xbl.spamhaus.org # dig 2.0.0.127.pbl.spamhaus.org # dig 2.0.0.127.css.spamhaus.org # — but with one round-trip instead of four.
The IP is reversed in the query: 192.168.1.5 becomes 5.1.168.192.zen.spamhaus.org. The mail server interprets each return code and decides whether to reject the SMTP connection, defer it, or accept and route to spam folder.
Return code reference (including the error range nobody covers)
Every Spamhaus DNSBL query returns an IPv4 address in the 127.x.x.x range. The mail server parses this code to decide what to do. Most published guides cover the reputation codes; almost none cover the 127.255.255.x error range — which is one of the most common production confusions.
| Return code | Meaning | Source | Operator action |
|---|---|---|---|
127.0.0.2 | SBL listing — verified spam source | Manual SBL listing | Reject SMTP |
127.0.0.3 | SBL CSS — composite snowshoe | Automated CSS | Reject SMTP |
127.0.0.4 | XBL — CBL data, exploits/botnets/proxies | Automated CBL | Reject SMTP |
127.0.0.9 | DROP — hijacked netblock | BGP-layer dataset | Block at firewall (not SMTP) |
127.0.0.10 | PBL — ISP-managed, should not send direct | ISP portal | Reject SMTP unless authenticated |
127.0.0.11 | PBL — Spamhaus-managed range | Spamhaus PBL | Reject SMTP unless authenticated |
| ⚠ Error range — NOT reputation issues | |||
127.255.255.252 | Quota exceeded | Query infrastructure | Reduce query rate / upgrade to DQS |
127.255.255.254 | Querying through public/open resolver — Spamhaus can't attribute | Query infrastructure | Switch to private resolver or DQS key |
127.255.255.255 | Bad/malformed query | Query infrastructure | Fix query syntax |
Who actually uses Spamhaus data (and who doesn't)
This is where the operational impact of a Spamhaus listing varies dramatically by audience. The receivers that consume Spamhaus data:
Apple iCloud Microsoft (Outlook.com / Hotmail / Microsoft 365) Yahoo Proofpoint Rackspace Cloudmark Most enterprise mail filters Most ISP mail systems globally
The receivers that do NOT consume Spamhaus data for delivery decisions:
Gmail (uses internal reputation systems)
How an IP gets listed: the SBL workflow
Understanding the listing process is the foundation for understanding the delisting process. Here's what happens when a new spam pattern is detected against an IP:
SBL listing workflow (manual investigation track)
127.0.0.2 for that IP.For automated zones (XBL, CSS), the listing flow is faster — sensors observe a problem signature and list the IP automatically without human review. For DROP, the listing requires evidence of netblock hijacking or wholesale criminal control and is rare but persistent.
Delisting workflow per zone (operational gap most guides miss)
The delisting mechanism varies by zone, and conflating them leads to wasted effort. The four operational patterns:
Open ticket via SBL Team
The SBL Team will not process a removal request if the spam issue that caused the listing is still active. Fix the problem first. If contested, escalate to the European Review Team. This team handles cases where the initial process did not resolve to the sender's satisfaction. Removal is always free; paid delisting services are scams.
Automated removal at check.spamhaus.org
Self-service removal works if the security breach is patched (open proxy closed, malware removed, botnet infection cleaned). If the underlying issue is still active, automated sensors will relist within minutes. Do NOT request removal until the root cause is fixed.
Self-service form at check.spamhaus.org
Submit the self-service removal request. Allow time for DNS propagation. CSS targets snowshoe-style sending patterns (volume distribution, fresh-domain registrations) — fix the underlying pattern before requesting removal or you'll be relisted automatically.
Through your ISP's PBL portal
PBL listings are managed by ISPs. If your IP is in a residential range and your mail program needs to send via SMTP Auth, configure SMTP Authentication correctly — the listing remains but your authenticated mail flows. For static business IPs in PBL ranges, contact the ISP to remove the range from their PBL listing.
ISP/network operator must contact Spamhaus
Individual senders cannot delist DROP entries. The network operator (ISP or owner of the listed netblock) must contact Spamhaus with evidence the netblock is no longer under malicious control. If you're a victim of being in a DROP-listed netblock, contact your hosting provider or ISP first, not Spamhaus.
Demonstrated remediation history
ROKSO listings (now law-enforcement-only post-2023) historically required 6+ months of demonstrated non-spam activity before delisting was considered. Removal is the slowest of any Spamhaus zone, reflecting the seriousness of operating-level spam attribution.
Real-world delisting timing
Published guides typically state delisting "takes minutes to 24 hours" — true for clean cases, misleading for shared infrastructure. The actual production reality:
The shared-infrastructure trap is the most common surprise. If your IP is in a shared hosting range or VPS provider's pool, and other tenants on the same range continue spamming, your IP can keep being relisted for weeks or months even after your own remediation is complete. The fix is operational: move to dedicated IPs (which is what production deliverability requires anyway) or migrate to a hosting provider with cleaner range hygiene.
DQS migration: the public mirrors are deprecating
Spamhaus is gradually deprecating the old public DNSBL mirror approach in favor of the free Data Query Service (DQS). The transition affects every operator running their own mail infrastructure.
| Aspect | Public mirrors (legacy) | DQS (current) |
|---|---|---|
| Authentication | None — free anonymous queries | DQS key per operator |
| Open-resolver detection | Triggers 127.255.255.254 errors | Solved by DQS key authentication |
| Cost (free tier) | Free, low-volume only | Free for qualifying users; SBL/XBL/CSS/DROP/DBL/PBL/ZRD/AuthBL |
| Cost (commercial) | N/A — required upgrade for high-volume | Hundreds to low-thousands USD/year, includes support + extra datasets |
| Technical support | None | Free tier: none. Paid tier: yes |
| Plugin availability | SpamAssassin, Rspamd plugins | Same plugins, DQS-keyed |
| 2026 status | Still works, deprecating | Recommended for new deployments |
Spamhaus monitoring in Cloud Server for Email infrastructure
Customer-specific Spamhaus integration on managed PowerMTA + MailWizz infrastructure includes:
- Pre-delivery DNSBL checks against ZEN at the SMTP transaction layer. Inbound connections are filtered against Spamhaus reputation before message acceptance, reducing spam load and improving downstream filtering accuracy.
- Outbound IP monitoring against all Spamhaus zones (SBL, XBL, CSS, PBL, DBL, DROP, ZRD). Continuous polling detects new listings within minutes of their publication, triggering automated alerts before customers experience meaningful deliverability impact.
- Per-zone delisting playbooks. When a customer IP is listed, our deliverability team executes the appropriate workflow — SBL manual ticket, XBL self-service after root-cause fix, CSS form submission — based on the specific zone and the listing context. Detailed remediation procedures are documented in the operations library.
- DQS-based query infrastructure. Our PowerMTA and SMTP filtering layers use DQS keys, avoiding the open-resolver attribution problem and the 127.255.255.254 false-listing risk. Customers never experience phantom rejections from misconfigured query infrastructure.
- Snowshoe-pattern detection at the architecture level. Per-vMTA traffic isolation and per-domain throttling profiles in PowerMTA make accidental snowshoe patterns (which trigger CSS listings) very difficult to produce — clean per-IP volume distribution and explicit virtual MTA assignment defeat the heuristics CSS uses to flag distributed spam patterns.
For customers running their own mail infrastructure, we provide Spamhaus deployment consulting — DQS key acquisition, mail server DNSBL plugin configuration, and per-zone delisting workflow training as part of operational engagement.
Auditing your Spamhaus status
Standard verification commands and tools:
# 1. Manual DNS query against ZEN (single-query check across SBL/XBL/CSS/PBL) # Reverse the IP: 192.0.2.5 → 5.2.0.192 dig +short 5.2.0.192.zen.spamhaus.org # 2. Check specific zone (rare — usually use ZEN instead) dig +short 5.2.0.192.sbl.spamhaus.org dig +short 5.2.0.192.xbl.spamhaus.org # 3. Domain check against DBL dig +short example.com.dbl.spamhaus.org # 4. Online official tool (recommended for end users) # https://check.spamhaus.org # Shows specific listing reasons + delisting links # 5. Test for the 127.255.255.x error range # If you see this, your DNS resolver is the problem, not the sender dig +short 1.0.0.127.zen.spamhaus.org # Expected: 127.0.0.2 (test address always listed) # If: 127.255.255.254 — fix your resolver, then retry
The official tool at check.spamhaus.org is the canonical source for end-user lookups — it shows the specific listing reasons, links to delisting forms where applicable, and explains the listing context in operator-friendly language.
Related glossary concepts
- Sender Reputation — Spamhaus listings are one of the major reputation signals. Most receivers use Spamhaus data alongside their own internal reputation models.
- IP Warming — accidentally triggering CSS (snowshoe) listings during warming is a common operational mistake. Per-IP volume distribution patterns matter.
- SPF, DKIM, DMARC — authentication standards. Spamhaus listings are independent from authentication failures, but failing authentication frequently correlates with patterns that lead to Spamhaus listings.
- PowerMTA — the MTA's per-domain throttling and virtual MTA isolation are the architectural defenses against accidentally producing the patterns CSS uses to flag spam.
- Blacklist removal guide — operational walkthrough including Spamhaus + 14 other major DNSBLs.
Frequently asked questions
Can I pay to be delisted from Spamhaus faster?
No. Removal from any Spamhaus blocklist is always free, and any service charging for delisting is operating outside the legitimate Spamhaus ecosystem. Spamhaus is explicit that no third party can expedite or guarantee removal. Deliverability consultants do not have special access to the SBL Team or any back-channel for fast-track delisting. The actual fast-track is fixing the root cause cleanly the first time and submitting an accurate, technical, evidence-based delisting request — that combination produces the fastest review.
If my IP is on a Spamhaus list, will Gmail still deliver my mail?
Probably yes, with caveats. Gmail does not consume Spamhaus data directly, so a Spamhaus listing has no automatic effect on Gmail delivery. However, the patterns that produce Spamhaus listings (spam complaints, hitting spam traps, sending to dead lists) are also independently detected by Gmail's internal reputation systems — so by the time you're listed at Spamhaus, you're often also showing reputation degradation at Gmail. Treat a Spamhaus listing as a warning signal that Gmail-side metrics may also be deteriorating, even if the immediate Gmail delivery isn't affected.
What's the difference between SBL and SBLCSS?
SBL is the manually-maintained core list of verified spam sources, with listings made by Spamhaus's OSINT research team after investigation. SBLCSS (also called CSS) is a separate automated sub-list specifically targeting snowshoe and high-volume spam patterns — the difference is mechanism: SBL is humans deciding, SBLCSS is sensors detecting. The delisting flow differs accordingly: SBL requires a manual ticket via the SBL Team (24+ hours), SBLCSS has a self-service form at check.spamhaus.org (30 min - few hours). It's important to confirm which sub-list you're on before attempting removal. Both sub-lists are part of the ZEN composite zone.
How do I know if I'm being affected by the 127.255.255.x error range?
Test your DNS resolver against a known-listed test address. Spamhaus reserves 127.0.0.1 and similar test IPs that should always return a known listing for diagnostic purposes. Run dig +short 1.0.0.127.zen.spamhaus.org from your mail server. The expected response is 127.0.0.2 (a real test listing). If you see 127.255.255.254 instead, your DNS resolver is a public/open resolver (8.8.8.8, 1.1.1.1, etc.) and Spamhaus can't attribute your queries — fix this by using a private recursive resolver (your own bind, unbound, or PowerDNS recursive) or migrating to DQS with a key. Never reject mail when you see 127.255.255.x — those codes mean YOUR query infrastructure has a problem, not that the sender is listed.
Can I be on multiple Spamhaus lists simultaneously?
Yes — and the multi-listing scenario is what ZEN's multi-answer DNS response is designed to surface. A single IP can be in SBL (verified spammer), XBL (also running an exploited proxy), and PBL (in a residential range that shouldn't send direct) simultaneously. A query to ZEN returns all three return codes in one response. The delisting workflow must address each separately: fix the spam issue and submit an SBL ticket, patch the security breach and self-service the XBL, configure SMTP Auth to bypass PBL. Until all are resolved, the IP is effectively unusable for direct mail.
What was ROKSO and why is it no longer public?
ROKSO (Register of Known Spam Operations) was a database of spammers and spam operations that had been terminated from three or more ISPs due to spamming. It tracked roughly 100 organizations responsible for ~80% of the world's spam, with publicly-sourced information about their domains, addresses, and aliases. Per Spamhaus, it stopped being publicly available "at some point after 2023" — a special version remains available to law enforcement agencies, containing data on hundreds of spam gangs with evidence and logs of illegal activities. Spamhaus has stated that a new attribution mechanism is under development that will serve a similar purpose to ROKSO but won't be a direct replacement. ROKSO data still informs SBL listings internally; what changed is public visibility, not internal use.
Why did the e360 Insight LLC lawsuit matter for Spamhaus?
In September 2006, David Linhardt, owner of US bulk-emailing company e360 Insight LLC, filed a lawsuit in Illinois US against Spamhaus in the UK for blacklisting his bulk mailings. Spamhaus, being British with no ties to Illinois, asked for the case to be dismissed for lack of jurisdiction. Judge Charles Kocoras ignored the dismissal request and proceeded — prompting British MP Derek Wyatt to call for the judge to be suspended. Spamhaus refused to participate in what it considered an illegitimate proceeding. The case is operationally relevant because it established the precedent that Spamhaus does not capitulate to legal pressure regarding listings. This editorial independence is part of why mailbox providers trust Spamhaus data — there's no leverage that gets a real spammer delisted.
What's the relationship between Spamhaus and Postmaster Tools?
None directly. Google Postmaster Tools is Gmail's own reputation feedback system — IP reputation, domain reputation, spam complaint rates, authentication failure rates, all measured by Gmail's internal systems. Spamhaus is an independent non-profit operating its own DNSBL infrastructure consumed by other receivers (Microsoft, Apple, Yahoo, Proofpoint). Both are reputation signals operators must monitor, but they're separate systems with different methodologies and different audiences. A clean Postmaster Tools reputation does not protect against Spamhaus listings, and vice versa. Production senders monitor both.
Last updated: May 2026 · Sources: Spamhaus SBL official documentation, ZEN documentation, PBL documentation, DROP documentation, Spamhaus DNSBL Usage FAQ, Wikipedia: The Spamhaus Project, Prospeo 2026 Spamhaus guide, Warmy 2026 SBL/DROP delisting research.