RFC 5782: DNS-Based Blacklists and Whitelists
Why This Exists
Spam filtering requires real-time reputation data about sending IP addresses and domains. Before DNSBLs, each organization had to maintain its own blocklist. This does not scale — there are billions of IP addresses and thousands of mail servers that need the same information.
DNS-based lists solve this by publishing reputation data as DNS records. Any mail server can query them during an SMTP transaction with near-zero latency, using the same DNS infrastructure it already relies on. RFC 5782 documents how these lists work, covering:
- The DNS query format for looking up IP addresses and domains
- How return codes encode listing reasons
- The difference between blacklists (DNSBLs) and whitelists (DNSWLs)
- Operational expectations for list operators
How It Works
To query a DNSBL, the receiving mail server reverses the octets of the sender's IP address and appends the list's zone name, then performs a DNS A record lookup.
IP Address Lookup
To check whether 203.0.113.42 is listed on zen.spamhaus.org:
Query: 42.113.0.203.zen.spamhaus.org A
Answer: 127.0.0.2
The octets are reversed (just like in-addr.arpa PTR records). A response in the 127.0.0.0/8 range means the IP is listed. The specific return value encodes the listing reason. An NXDOMAIN response means the IP is not listed.
Return Code Meanings (Spamhaus Example)
| Return Code | Spamhaus List | Meaning |
|---|---|---|
| 127.0.0.2 | SBL | Direct spam source, verified |
| 127.0.0.3 | SBL CSS | Spam source identified by automated systems |
| 127.0.0.4 | XBL (CBL) | Exploited host (malware, botnet, open proxy) |
| 127.0.0.10 | PBL | End-user IP range, should not send mail directly |
TXT Record for Details
A corresponding TXT lookup returns a human-readable explanation and often a URL for delisting:
Query: 42.113.0.203.zen.spamhaus.org TXT
Answer: "Listed at https://www.spamhaus.org/query/ip/203.0.113.42"
Domain-Based Lookups
Some lists (like Spamhaus DBL or SURBL) list domain names rather than IPs. The domain is prepended directly to the list zone:
Query: baddomain.example.dbl.spamhaus.org A
Answer: 127.0.1.2 (spam domain)
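The query-name construction and return-code decoding described in the IP Address Lookup, Return Code, and Domain-Based Lookups sections above, as an added Python example (not code from RFC 5782 or from Spamhaus). The return-code table is copied from the Spamhaus example above; the function names are this example's own. The same query name is used for the TXT lookup that fetches the listing explanation.

```python
import ipaddress

# Return codes for Spamhaus ZEN as given in the table above; the tuple is
# (list name, meaning). Other lists publish their own code tables.
ZEN_RETURN_CODES = {
    "127.0.0.2": ("SBL", "Direct spam source, verified"),
    "127.0.0.3": ("SBL CSS", "Spam source identified by automated systems"),
    "127.0.0.4": ("XBL (CBL)", "Exploited host (malware, botnet, open proxy)"),
    "127.0.0.10": ("PBL", "End-user IP range, should not send mail directly"),
}

# Per RFC 5782, a listing is signalled by an answer inside this range.
DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def ipv4_query_name(ip: str, zone: str) -> str:
    """Build the A-record name to look up: reversed octets plus the list zone.

    203.0.113.42 on zen.spamhaus.org -> 42.113.0.203.zen.spamhaus.org
    """
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def domain_query_name(domain: str, zone: str) -> str:
    """Domain lists (DBL, SURBL): the domain is prepended unchanged to the zone."""
    name = domain.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed domain name: {domain!r}")
    return f"{name}.{zone}"


def decode_return_code(answer: str, codes=ZEN_RETURN_CODES):
    """Translate an A-record answer into (list name, meaning).

    Any answer inside 127.0.0.0/8 means the name is listed, even when the
    exact code is not in our table. An answer outside that range is not a
    DNSBL result at all (for instance a wildcard record from a zone that no
    longer operates as a list) and is rejected rather than treated as a listing.
    """
    addr = ipaddress.IPv4Address(answer)
    if addr not in DNSBL_ANSWER_RANGE:
        raise ValueError(f"answer {answer} is outside 127.0.0.0/8; not a DNSBL listing")
    return codes.get(answer, ("unknown", f"listed with undocumented code {answer}"))


if __name__ == "__main__":
    print(ipv4_query_name("203.0.113.42", "zen.spamhaus.org"))
    print(domain_query_name("baddomain.example", "dbl.spamhaus.org"))
    for code in ("127.0.0.2", "127.0.0.4", "127.0.0.10", "127.0.0.99"):
        print(code, "->", decode_return_code(code))
```

Validating the input with `ipaddress.IPv4Address` before reversing it matters in a mail filter: the client address comes from the connection, but anything taken from headers or configuration could otherwise turn into an arbitrary DNS label.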
Key Technical Details
Major DNSBLs Used in Email
| List | Type | What It Lists |
|---|---|---|
| Spamhaus ZEN | IP blocklist | Combined SBL + XBL + PBL (most widely used) |
| Spamhaus DBL | Domain blocklist | Domains found in spam content and headers |
| Barracuda BRBL | IP blocklist | IPs sending spam to Barracuda honeypots |
| SpamCop | IP blocklist | IPs reported by SpamCop users (auto-expires) |
| SURBL | URI blocklist | Domains found in spam message bodies |
| dnswl.org | IP whitelist | Verified legitimate mail senders (DNSWL) |
Query Mechanics
- Response in 127.0.0.0/8 — IP is listed. The specific address encodes the reason.
- NXDOMAIN — IP is not listed. This is the expected response for clean IPs.
- SERVFAIL / timeout — List is unreachable. Must be treated as "not listed" to avoid blocking all mail during outages.
- 127.255.255.254 — Some lists return this for test queries to confirm your DNS is working.
IPv6 Support
IPv6 addresses are expanded to full 32-nibble form, reversed nibble-by-nibble, and appended to the zone. For example, 2001:db8::1 becomes:
Query: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.zen.spamhaus.org A
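The IPv6 nibble expansion above, as an added Python example that is not part of RFC 5782. It goes beyond the single address in the text: compressed `::` runs, IPv4-mapped addresses and a `%scope` suffix (stripped before parsing, an assumption for this example) are all handled, and an inverse function recovers the address from a query name, which is useful when reading DNSBL queries back out of resolver logs.

```python
import ipaddress


def ipv6_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv6 address.

    The address is expanded to its full 32 hex nibbles (compressed "::" runs and
    leading zeros restored), each nibble becomes one label, the labels are
    reversed and the zone appended. This mirrors ip6.arpa reverse naming.
    """
    # A scope id such as fe80::1%eth0 is not part of the address on the wire;
    # strip it before parsing (assumption made by this example).
    addr = ipaddress.IPv6Address(ip.split("%", 1)[0])
    nibbles = addr.exploded.replace(":", "")   # e.g. "20010db8000000000000000000000001"
    if len(nibbles) != 32:
        raise ValueError(f"expected 32 nibbles, got {len(nibbles)} for {ip!r}")
    return ".".join(reversed(nibbles)) + "." + zone


def ipv6_from_query_name(name: str, zone: str) -> str:
    """Inverse operation: recover the compressed address from a query name."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{name!r} is not under zone {zone!r}")
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 32 or any(len(label) != 1 for label in labels):
        raise ValueError(f"{name!r} does not carry 32 nibble labels")
    nibbles = "".join(reversed(labels))
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.IPv6Address(":".join(groups)))   # canonical compressed form


if __name__ == "__main__":
    for ip in ("2001:db8::1", "::ffff:192.0.2.1", "fe80::1%eth0"):
        name = ipv6_query_name(ip, "zen.spamhaus.org")
        print(ip, "->", name)
        print("   back:", ipv6_from_query_name(name, "zen.spamhaus.org"))
```

Going through `ipaddress` rather than splitting on colons by hand is the point: a hand-rolled expander that mishandles `::` produces a query name with the wrong number of labels, which the list answers with NXDOMAIN, so a listed IPv6 sender quietly looks clean.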
Common Mistakes
- Blocking mail on DNS failure. If a DNSBL query times out or returns SERVFAIL, the correct action is to treat the IP as not listed. Blocking mail because the list is unreachable will cause massive false positives during list outages.
- Not checking your own IPs proactively. If your sending IP lands on Spamhaus or Barracuda, you will not get a notification. Monitor your IPs regularly with automated checks.
- Ignoring PBL listings. The Spamhaus PBL lists IP ranges designated for end-user access (residential broadband, mobile). Being on the PBL does not mean you are a spammer — it means you should be sending via an authorized mail relay, not directly.
- Using too many DNSBLs simultaneously. Each list has different policies, accuracy, and false-positive rates. Using obscure or poorly maintained lists increases false positives. Stick to well-established lists.
- Not requesting delisting after resolving the issue. Most DNSBLs require you to submit a delisting request after fixing the underlying problem. Some (like SpamCop) auto-expire, but others (like Spamhaus SBL) require manual action.
Deliverability Impact
- DNSBL listings are deliverability emergencies. A Spamhaus SBL listing will cause immediate rejection at most major mailbox providers and enterprise gateways. A listing on a major DNSBL is the single most impactful negative event for your sending infrastructure.
- Multiple lists compound the effect. Many spam filters use a scoring system: listed on one DNSBL adds points, listed on two or three may push you over the spam threshold even if one listing alone would not block you.
- DNSWLs provide positive reputation. Being listed on dnswl.org or similar whitelists gives you a positive reputation signal. Some receiving systems use these to fast-track delivery for known good senders.
- Shared IPs amplify risk. If you send from shared IP addresses, another sender's bad behavior can get the IP listed, affecting your deliverability. This is a key advantage of dedicated sending IPs for high-volume senders.
- Monitoring is non-negotiable. Check your sending IPs against major DNSBLs daily. Many deliverability monitoring services automate this. Catching a listing early — within hours — limits the damage.