Cleanbox
Features Helpdesk Blog Pricing Contact
Sign in Start free trial
Helpdesk General

How DNS blacklists (DNSBL) work

DNS-based Blackhole Lists (DNSBL, also called RBL - Real-time Blackhole Lists) are databases of IP addresses known to send spam. Email servers query these lists in real time to decide whether to accept or reject incoming email.

How DNSBL works technically

When an email arrives, the receiving server takes the sending server's IP address and performs a DNS lookup against the blacklist provider. For example, to check IP 192.0.2.1 against Spamhaus:

  1. Reverse the IP octets: 1.2.0.192
  2. Append the DNSBL domain: 1.2.0.192.zen.spamhaus.org
  3. Perform a DNS A record lookup
  4. If a result is returned (e.g., 127.0.0.2), the IP is listed. The specific return code indicates the type of listing.
  5. If NXDOMAIN (no result), the IP is clean.

This entire process takes milliseconds and requires no special software — it uses standard DNS infrastructure.

Why IP addresses get blacklisted

  • Sending spam — The most common reason. The IP was observed sending unsolicited bulk email.
  • Open relay — The mail server accepts and forwards email from anyone, a configuration exploited by spammers.
  • Compromised server — Malware on the server is sending spam without the owner's knowledge.
  • Shared IP reputation — On shared hosting, one spammer can get the entire IP range blacklisted, affecting all users on that server.
  • Spam traps — The IP sent email to a known spam trap address (an address that should never receive legitimate email).

Major DNSBL providers

ProviderFocusUsed by
Spamhaus ZENComprehensive: spam sources, exploits, policy blocksMost major email providers
Barracuda BRBLIP addresses sending spam to Barracuda's networkBarracuda appliances, third-party services
SpamCopUser-reported spam sources with automatic expiryMany ISPs and email services

Cleanbox supports checking against these providers for both alias addresses and relay addresses.

False listings

Legitimate senders can end up on blacklists. Common scenarios:

  • A shared hosting IP was used by a spammer before the current user
  • A brief compromise was resolved but the listing was not removed
  • An automated system sent email to an old spam trap address

If a legitimate sender is being blocked

  • Whitelist the contact in Cleanbox — whitelisted contacts bypass IP blacklist checks
  • Check the sender's IP on MXToolbox to see which lists they appear on
  • The sender can request delisting from the blacklist provider (each provider has a removal process)

If your own IP is blacklisted

If you run your own mail server and your IP is on a blacklist:

  1. Identify and stop the source of spam (compromised account, vulnerable script, open relay)
  2. Check your listing on MXToolbox
  3. Follow the delisting procedure for each provider:
    • Spamhaus: check.spamhaus.org — self-service removal after resolving the issue
    • Barracuda: barracudacentral.org — request removal
    • SpamCop: Listings expire automatically after 24 hours if no new reports are received

Using Cleanbox Relay in front of your mail server means Cleanbox's IP addresses are what the internet sees, not yours. This protects your server from direct blacklisting while Cleanbox handles the IP reputation management.