- November 2021
- Engineering Memo · External Release
Being listed on a DNS-based blocklist (DNSBL) is one of the most operationally disruptive events in email infrastructure management. Depending on which list has listed the IP or domain and which ISPs query that list, a listing can cause immediate delivery failure for anywhere from 5% to 100% of outgoing mail. Understanding how blacklist operators identify and list sending infrastructure — what signals trigger a listing, what investigation processes run before listing, and what evidence is required for successful delisting — is essential knowledge for anyone operating at volume.
This note documents the listing process for the major DNSBL operators — Spamhaus, Barracuda, SORBS, and SpamCop — the specific signals that trigger listing, how to diagnose which list is responsible for a delivery failure, and the delisting process for each. It is written from operational experience with the real-world listing and delisting process, not from the public documentation alone.
How Blacklist Operators Detect Spam: The Three Primary Methods
Blacklist operators use three primary detection methods to identify IPs for listing, which they combine in different ways depending on the operator's methodology and the type of listing.
Spam trap hits. Every major DNSBL operator maintains a network of spam trap addresses — email addresses that have never been legitimately given to anyone, or that were once valid but have been abandoned and repurposed as traps. Legitimate senders who use clean acquisition practices and maintain active bounce suppression should never send to these addresses. Senders who reach spam traps have either acquired addresses through scraping, purchased lists, or failed to suppress addresses that bounced at spam-trap-holding domains. A single spam trap hit from a "pristine" trap (an address never publicly used) triggers immediate listing at Spamhaus. Multiple hits from recycled traps (formerly valid addresses now repurposed) trigger listing after a lower hit count threshold.
Complaint-based listing. SpamCop aggregates reports from users who click "Report Spam" in supported email clients. When an IP receives a sufficient volume of complaints within a time window, SpamCop adds it to its blocklist. The threshold is not publicly specified but is rate-based — it is the complaint rate relative to total sending volume, not the absolute number of complaints. A high-volume sender with a 0.05% complaint rate receives far more absolute complaints than a low-volume sender, but a lower complaint rate, and is treated differently by SpamCop's algorithm accordingly.
Direct observation and reporting. Some blocklist operators — particularly Spamhaus — operate extensive monitoring infrastructure that directly observes spam campaigns, identifies the sending IPs, and lists them based on observed sending behavior rather than waiting for complaint reports. Spamhaus has long-standing relationships with ISP postmaster teams and law enforcement that provide additional intelligence about spam operations. This direct observation capability is why Spamhaus listings are considered more authoritative than complaint-based lists — they reflect observed spam-sending behavior, not just recipient reports which can include false positives.
Figure 1 — DNSBL Listing: Three Detection Pathways
The Major DNSBL Operators: What They List and Why
Spamhaus operates several distinct lists with different listing criteria. The SBL (Spamhaus Block List) lists IP addresses associated with spam operations — typically confirmed spam-sending infrastructure. An SBL listing indicates observed spam-sending behavior, not just a complaint threshold being crossed. The CBL (Composite Blocklist) lists IPs that show botnet-like behavior — sending patterns consistent with compromised machines or automated spam systems. The PBL (Policy Block List) lists dynamic IP ranges that should not be sending email directly — consumer ISP broadband ranges, not datacenter infrastructure. The XBL (Exploits Block List) combines CBL and third-party exploit-based lists. Spamhaus's ZEN list combines SBL, XBL, and PBL into a single query point, which is what most ISPs use in practice.
A Spamhaus SBL listing is the most severe common listing event. Gmail, Yahoo, Microsoft, and most major ISPs query Spamhaus as part of their connection filtering. An SBL-listed IP will be rejected at connection time by all querying ISPs — before any message content is evaluated. Recovery requires submitting a delist request with documentation of what caused the listing, what has been changed to prevent recurrence, and evidence that the sending infrastructure is under legitimate operational control. Spamhaus reviews delist requests manually for SBL listings, and rejection of requests is common if the documentation is insufficient.
Barracuda operates the Barracuda Reputation Block List (BRBL), which is used primarily by corporate email systems running Barracuda's filtering appliances. Barracuda listings are complaint-based — driven by reports from Barracuda appliance users marking email as spam. The BRBL is less broadly queried than Spamhaus but more relevant for B2B senders whose recipients use Barracuda appliances in corporate environments. Barracuda offers an automated delist process through their website, with listings typically removed within 24–48 hours of a successful delist request for senders who have addressed the underlying complaint source.
SpamCop (now operated by Cisco) produces listings based on user complaint reports submitted through SpamCop's reporting interface. SpamCop listings are among the most volatile — they expire relatively quickly (24–48 hours without new complaints) and are applied based on complaint rate within a time window. Many large legitimate senders periodically appear on SpamCop due to complaints from recipients who use SpamCop's reporting system, particularly from cold email campaigns or re-engagement campaigns to segments with elevated complaint rates. SpamCop is queried less broadly than Spamhaus by major ISPs but is still used by some ISPs and many corporate environments.
Table 1 — Major DNSBL operators: listing criteria and delisting process
| DNSBL | Primary listing trigger | ISP adoption | Delist process | Typical delist time |
|---|---|---|---|---|
| Spamhaus SBL | Observed spam sending; spam trap hits | Critical | Manual review; requires documentation | 1–5 business days |
| Spamhaus CBL/XBL | Botnet/exploit behavior; automated spam patterns | Critical | Automated; address root cause first | Hours to 24h |
| Barracuda BRBL | Complaint reports from Barracuda users | High (corporate) | Online form; automated approval | 24–48 hours |
| SpamCop BL | Rate of user complaint reports | Medium | Automatic expiry (48h without new reports) | 48h (self-expiring) |
| SORBS | Spam trap hits; spam reports | Low (declining) | Manual or automated depending on list zone | Variable |
Diagnosing a Blacklisting Event
The first step in responding to a suspected DNSBL listing is confirming which list has listed which IP. This sounds straightforward but is complicated by the fact that multiple IPs may be in use simultaneously (across different virtual MTAs and IP pools), and multiple lists may have listed the same IP for different reasons.
The diagnostic process: check each sending IP against Spamhaus, Barracuda, SpamCop, and SORBS directly using their lookup tools or a multi-DNSBL checker. Do not rely solely on third-party aggregator services that may show stale data — check the authoritative list directly for each suspected listing. Cross-reference confirmed listings against the accounting log for the period before the listing: which IPs were sending what traffic, at what volumes, to what destinations, with what deferral rates? The listing date combined with the pre-listing accounting log data typically reveals the likely cause.
The SMTP response codes that indicate a DNSBL-related rejection: 554 5.7.1 with message text referencing "blacklisted" or a specific DNSBL URL. Most ISPs include the DNSBL name or lookup URL in the rejection message, allowing specific identification of which list triggered the rejection. For example, a Gmail rejection referencing Spamhaus will include text like "IPs are blocked because they appear on the Spamhaus ZEN list." Reading the full smtp-response text from the accounting log — not just the response code — provides the diagnostic information needed to identify the specific list.
The Delisting Process: What Works and What Doesn't
Successful delisting requires three things in sequence: (1) identifying and fixing the root cause of the listing, (2) submitting a delist request with documentation of the root cause and the fix, and (3) demonstrating that the problem will not recur. Skipping step 1 and proceeding directly to step 2 produces delist request rejections and, if the listing recurs shortly after a successful delist, significantly more difficult future delisting because the blacklist operator has now observed the problem recurring.
For spam trap hits — the most common cause of Spamhaus SBL listings for otherwise legitimate senders — the root cause investigation must identify how the spam trap address entered the list. Candidates include: a list import from a third-party source that contained the trap, a sign-up form that was not validated (allowing trap addresses to sign up), or an old list segment that was reactivated after the addresses had been converted to traps. The fix must address the source: remove the import, add validation to the sign-up form, or permanently suppress the old segment. Documentation for the delist request should describe which specific segment contained the trap, how it was acquired, and what process change prevents recurrence.
For complaint-based listings (Barracuda, SpamCop), the root cause is elevated complaint rates from a specific campaign or list segment. The fix is to suppress the complaining segment and implement FBL complaint processing if not already in place. For SpamCop, which self-expires in 48 hours without new complaints, the most important action is ensuring no additional campaigns send to the complaining segment until the complaint rate has stabilized — if the listing expires and then immediately recurs from a new campaign to the same problematic segment, it indicates the root cause has not been addressed.
Prevention: Infrastructure Practices That Reduce Listing Risk
The most effective prevention for DNSBL listings is not faster delisting — it is reducing the probability of listing in the first place. The specific practices that reduce listing risk most effectively:
Real-time bounce suppression. Hard bounces from addresses at DNSBL-operating domains (or domains owned by blacklist-affiliate organizations) are a signal to suppress the specific address before any future sends. Bounce processing that operates in real-time (within minutes of a bounce) is significantly more protective than batch processing (which allows additional sends to the bouncing address before suppression takes effect).
List validation at acquisition. Validating email addresses at the point of sign-up — confirming domain existence via MX record lookup, validating email format, implementing double opt-in — eliminates the category of invalid addresses that include spam traps. Spam trap addresses cannot complete a confirmed opt-in process, because the confirmation email is sent to the trap address which does not have a human operator to click the confirmation link.
FBL registration and real-time processing. Registering for feedback loops at Yahoo, Microsoft, and other FBL-supporting providers ensures that complaint signals arrive before they accumulate to listing thresholds. FBL processing that suppresses complainants within seconds of complaint receipt prevents the accumulation of complaints from the same recipients across multiple campaigns.
DNSBL monitoring before every campaign. Checking each sending IP against the major DNSBLs before each campaign send — not just reactively after delivery problems appear — allows listings to be detected and addressed before they affect a campaign in progress. A listing that is present when the campaign starts affects delivery for the duration of the campaign. A listing detected in a pre-send check can be addressed before the campaign begins.
Re-listing: Why Some IPs Get Listed Repeatedly
Some sending IPs experience repeated DNSBL listings — delisted, then relisted within days or weeks. This pattern indicates that the root cause of the listing was not addressed before delisting, or that the sending programme has a structural issue that continuously generates the conditions that trigger listings.
The most common structural cause of repeated listings: list acquisition practices that continuously introduce new addresses from problematic sources. If a sender imports lists from the same third-party source monthly, and that source consistently contains spam traps, delisting after each individual trap hit will not prevent the next listing — because the next import will contain new trap addresses. The fix is upstream (the import source), not downstream (the delisting process). A sending programme that treats delisting as a routine operational task rather than an incident requiring root cause elimination is on a treadmill that will not stop until the acquisition practice changes.
A second common cause: re-engagement campaigns sent to very old address segments. List segments that are more than 2–3 years old without engagement from those specific addresses may contain recycled spam traps — addresses that were once valid but have since been repurposed by the original ISP into trap addresses. Sending to these segments triggers trap hits even though the addresses were acquired through legitimate means and were valid at the time of acquisition. The fix: never re-engage segments older than 18 months without first running them through a list validation service that specifically checks for known trap addresses. If the segment cannot be validated, suppress it entirely rather than risking the trap hits.
A third cause of repeated listings: cold email sending from shared IP pools. Cold email consistently generates higher complaint rates than opted-in marketing, and if cold email traffic shares IPs with promotional or transactional traffic, the complaint accumulation from cold email contributes to complaint-based listings (Barracuda, SpamCop) that affect all traffic on those IPs. The fix is the architecture fix: cold email in its own isolated IP pool with separate domain, so listings from cold email activity are contained to that pool and do not affect the promotional or transactional pool.
ISP-Specific DNSBL Queries: What Each Provider Checks
ISPs do not all query the same set of DNSBLs. Understanding which lists each major ISP queries helps prioritize listing response: a Barracuda BRBL listing is more urgent if the sending programme's list is predominantly corporate/B2B addresses (where Barracuda appliances are common) than if it is predominantly consumer ISP addresses (where Barracuda is rarely used). A SpamCop listing is more urgent if the programme sends to large communities of technically sophisticated users who use SpamCop's reporting tools.
Gmail queries Spamhaus ZEN (combining SBL, XBL, PBL) and its own internal IP reputation database. A Spamhaus listing that causes Gmail rejections is identifiable in the accounting log from the specific SMTP response text Gmail returns. Microsoft queries Spamhaus and its own internal reputation system (SmartScreen). Yahoo queries Spamhaus and maintains its own internal list. Most corporate mail systems with Barracuda appliances query BRBL alongside Spamhaus. SpamCop is queried by some ISPs and many corporate spam filtering systems, but adoption has declined since Cisco's acquisition and integration into their broader security portfolio.
The practical triage order for a listing investigation: Spamhaus first (broadest impact, most ISPs query it, most authoritative), then Barracuda if B2B volume is significant, then SpamCop if the programme sends to technically sophisticated audiences, then SORBS and smaller lists last. This priority order ensures that the listings with the largest delivery impact are addressed before the listings with more limited scope.
Domain-Level Blacklisting vs. IP-Level Blacklisting
DNSBL listings can apply at the IP level (the standard case) or at the domain level. Domain-level blacklisting occurs when the sending domain — or a domain appearing in URLs within the message body — is listed on a URI-based blacklist (URIBL or SURBL). These domain blocklists specifically target the domains that appear in spam messages' URLs, which remain constant even as IP addresses rotate.
URIBL and SURBL listings affect delivery differently from IP-level DNSBL listings. An IP DNSBL listing blocks the connection before message content is evaluated. A URIBL listing is applied after the message is received, during content analysis. The delivery impact: the message is accepted at the SMTP layer (because the IP is not listed) but is then filtered to spam or blocked during content analysis because a URL in the message body points to a listed domain.
From a diagnostic perspective, URIBL-related delivery problems are harder to identify because the SMTP acceptance (250 OK) is logged normally — the filtering decision happens inside the receiving server after acceptance, and the sender may not receive any delivery failure notification. The only visible signal is a reduction in engagement rates from recipients at ISPs that use URIBL data in their content filtering. Checking the domain of every URL in campaign messages against URIBL and SURBL before sending is the prevention practice — some marketers use URL checkers or email testing services that include URIBL checks as part of pre-send validation.
Operational Protocol for Listing Events
A DNSBL listing event should trigger a defined operational protocol rather than an improvised response. The response quality and timing consistently determines how long the listing affects delivery — operators who follow a clear protocol resolve listings faster and with better root cause documentation than those who improvise under pressure.
The protocol: (1) Receive alert from monitoring system (DNSBL check, delivery rate drop, or accounting log 5xx spike). (2) Confirm the listing by querying the specific DNSBL directly. (3) Pause sends from the listed IP immediately — not the entire pool, just the affected IP. (4) Identify the timeframe of the listing and cross-reference with accounting log data from the 48 hours before listing. (5) Identify the likely cause (spam trap segment, complaint spike, authentication failure). (6) Remediate the cause (suppress the segment, fix authentication, process pending FBL complaints). (7) Document the cause and fix in writing. (8) Submit the delist request with the documentation. (9) Resume the affected IP only after delisting is confirmed. (10) Document the incident in the operational incident log with full timeline and corrective actions.
Step 10 — the incident log — is often omitted in time-pressure situations but is essential for two reasons: it provides the evidence base for future delist requests if the IP is listed again (demonstrating that prior incidents were properly addressed), and it provides the data for a quarterly review of listing patterns that may reveal structural list quality or acquisition problems that are generating repeated incidents. Without an incident log, patterns of repeated listings are invisible until they become severe operational problems.
A well-managed sending infrastructure that implements real-time DNSBL monitoring, pre-send IP checks, FBL complaint processing, real-time bounce suppression, and list validation at acquisition will experience far fewer listings than infrastructure that relies on reactive delisting as the primary response to listing events. The investment difference between these two approaches is modest in engineering time — perhaps 20–40 hours of initial setup and 2–4 hours per month of maintenance. The operational cost difference, measured in delivery disruption, postmaster time, and customer experience impact from listing events, consistently makes the prevention-first approach the better investment for any sender above 100,000 monthly messages.
Monitoring is not a substitute for good sending practice — it is the detection system that confirms that good practice is working and alerts when it is not. Together, they form the complete operational posture for DNSBL management: prevent where possible, detect immediately where prevention falls short, remediate systematically with documented root cause analysis, and review patterns quarterly to identify structural improvements that prevent recurrence at scale.
Infrastructure and DNSBL Monitoring
Our managed infrastructure includes real-time DNSBL monitoring for all sending IPs, immediate alerting on listings, pre-send DNSBL checks, and managed delisting assistance. FBL registration, bounce processing, and list validation support are included as standard services. Request assessment →