🚫

Your domain's on a blocklist. Which ones actually matter?

"A blacklist checker lit up red and you're panicking. Most of those listings never touch your mail. Here's which blocklists actually gate delivery, and how to get delisted."

You ran a blocklist check, and it came back with a wall of red. Eight, ten, fifteen lists you've never heard of, all flagging your domain or your sending IP. Your stomach drops. You start googling delist forms for every one of them.

Stop. Most of that red is noise. There are dozens of DNS blocklists (some people count over a hundred), and the number that meaningfully decide whether your mail reaches an inbox is closer to three. Being on a list nobody consults is not a problem. Being on one specific list is an emergency. Which blacklists actually matter is the only question worth asking, and a red row on a checker doesn't answer it on its own.

Short answer: if you're listed on Spamhaus, drop what you're doing and fix it. If you're listed on some list you had to look up to identify, and Spamhaus is clean, you can almost certainly ignore it. The rest of this post is how to tell those two situations apart, and what to actually do about the first one.

Why are you on a blocklist you've never heard of?

Because anyone can run a DNS blocklist, and plenty of them list aggressively to stay relevant.

The classic example is UCEPROTECT. Their Level 1 list is fair enough, it names the specific IP that misbehaved. Level 2 escalates to the whole /24 the IP sits in, all 256 addresses, and Level 3 escalates again to the entire ASN, which can be thousands or millions of IPs, because a fraction of them sent spam. Rent a VPS from a big provider and you can land on UCEPROTECT Level 3 on day one, having sent nothing, purely because you share an ASN with someone who did. Then they offer a paid express-delisting option. Serious mailbox providers stopped consulting those lists years ago, precisely because a list that flags you for your neighbour's behaviour is useless for filtering decisions.

That's the pattern to recognise. A list that lights up red but that Gmail, Outlook and the big filters don't actually query has no effect on your delivery. It just makes a checker look alarming.

Our take: the number of blocklists you're on is a meaningless metric. One listing on a list receivers trust outweighs a dozen on lists they ignore. Count the reputation of the lists, not the lists.

Which blocklists actually gate delivery?

A short list. The blocklists that gate real delivery are Spamhaus (via its combined Zen list), Barracuda's BRBL, and Invaluement. Monitor those and you've covered the ones that move mail. Everything else is largely background noise.

Spamhaus is the one that matters most, by a wide margin. It runs several lists that big receivers query on nearly every inbound message:

  • Spamhaus SBL (Block List): IP addresses Spamhaus has identified as spam sources.
  • Spamhaus CSS: an automated list, published in the same zone as the SBL, that catches snowshoe senders and compromised or low-reputation IPs. This is the one people get quietly caught by, because it lists on sending behaviour rather than a manual report, and you often don't know why.
  • Spamhaus XBL: infected machines, open proxies and exploited hosts.
  • Spamhaus PBL (Policy Block List): IP ranges that shouldn't be sending mail directly at all, like residential and dynamic address space. Being on the PBL is normal for a home connection. It only bites if you're trying to send mail straight from an IP that was never meant to.
  • Spamhaus DBL (Domain Block List): the domain one. This lists domains, not IPs, and it's the reason a domain with a spotless sending IP can still get filtered.

Zen is Spamhaus's combined IP list (SBL, CSS, XBL and PBL in one query), and it's what most mail servers actually check. Beyond Spamhaus, a couple of lists carry real weight with specific receivers: Barracuda's BRBL is consulted by Barracuda gateways, and Invaluement is a paid list used by some enterprise filters.

Worth saying plainly: SORBS, which used to appear on every checker, was shut down by its owner Proofpoint in June 2024 and no longer lists anything. If a tool still shows you a SORBS result, the tool is out of date, not your domain.

How does a domain end up listed, not just an IP?

This is the part that catches self-hosters and lab setups off guard, and it's the live pain on Reddit right now: "my lab domain got added to a DNS blocklist and broke my whole setup."

Most blocklists list IP addresses. The Spamhaus DBL lists domain names, and it does it based on where the domain shows up, not where it sends from. If your domain appears as a link inside spam messages, or it's a brand-new registration behaving like a throwaway spam domain, or its nameservers and hosting pattern match known-bad infrastructure, it can land on the DBL without ever having sent a single email itself.

For a self-hosted or lab domain the usual triggers are: it's freshly registered (new domains carry a "prove yourself" penalty everywhere), it's hosted on an IP range with a bad neighbourhood, or a URL on it got scraped into a spam run somewhere. The DBL has "abused-legit" sub-categories exactly for domains that aren't malicious but are being treated with suspicion.

The point is that domain reputation and IP reputation are two separate ledgers. You can pass every blocklist check on your IP and still be filtered because your domain is listed, and a lot of people burn a day looking at the wrong ledger.

I'm on Spamhaus. How do I actually get off?

Fix the cause first, request removal second. Do it in that order or you'll be back on within a day.

A Spamhaus listing is a symptom. Something on your side sent spam, got compromised, or looked enough like a spammer to trip an automated list. If you request delisting without finding and fixing that, Spamhaus relists you, and repeated listings dig the hole deeper because the pattern itself becomes the reason.

  • SBL / CSS (your IP): find what sent the spam. A compromised account, an open relay, a script blasting a stale list, a forwarded stream carrying spam through you. Shut it down, confirm it's actually stopped, then use the removal form at check.spamhaus.org. CSS often auto-delists once your sending pattern cleans up, but you can request a review to speed it.
  • PBL (your IP): this one's usually not a problem to solve, it's a signal you're sending from the wrong place. If it's a static IP you legitimately control and want to send from, Spamhaus has a self-service removal. But the better answer is often to relay through a proper smarthost instead of sending direct from an IP the internet expects to stay quiet.
  • DBL (your domain): stop whatever got the domain listed, which usually means removing the spammy content or securing whatever was abused, then request removal through the same Spamhaus portal. A newly-registered domain sometimes just needs to age out of the suspicion window.

The delisting itself is free and fast on Spamhaus. It never charges for removal, so anyone selling you "guaranteed Spamhaus delisting" for a fee is either lying or charging you for something Spamhaus does for nothing. (A deliverability consultant billing for the work of finding and fixing the root cause is a different thing, and can be worth it. Paying for the delisting click is not.) That's a useful line between the list that matters and the ones that monetise the panic.

How do I tell a real listing from noise?

Read which lists flagged you, not how many.

Run your domain and your sending IP through TamingDNS's blacklist checker (the /rbl route is the same tool). It checks both against the lists that actually gate delivery and tells you which specific list hit, so you can see at a glance whether Spamhaus is in the red or whether it's just a scatter of vanity lists. A clean Spamhaus result with three obscure lists lit up is a good day dressed up to look like a bad one.

If your IP is the problem, two more checks tell you why. The reverse-DNS lookup confirms your sending IP has a valid PTR record with matching forward and reverse DNS, which is the single most common reason a legitimate self-hosted server gets treated as suspicious. And IP info shows you the network and ASN your IP sits in, so you can see whether you've rented space in a bad neighbourhood before you invest a week warming it up.

A hundred blocklists exist and about three decide your mail's fate. The skill isn't checking more lists, it's knowing which red actually costs you delivery.

So what do I actually do about it?

When a checker lights up red, work it in this order:

  • Check Spamhaus specifically, on both your domain and your sending IP. This is the yes/no that matters. Everything else is secondary.
  • If Spamhaus is clean and only obscure lists are red, note it and move on. You don't have a delivery problem, you have an alarming-looking checker.
  • If Spamhaus is red on your IP, find what sent the spam, shut it down, confirm it stopped, then submit the free removal at check.spamhaus.org.
  • If Spamhaus is red on your domain (DBL) but your IP is clean, you're looking at the wrong ledger, fix the domain-side cause and delist the domain.
  • Check your PTR / reverse DNS if you self-host. A missing or mismatched PTR gets you filtered with every blocklist green, and it's a five-minute fix with your host.
  • Never pay to delist. The lists that matter remove you for free. The ones that charge are the ones you can ignore.

Being on a blocklist feels like an emergency because the tools present every listing with the same red. It isn't. Read the names, check Spamhaus, and most of that wall of red turns out to be nothing that was ever going to touch your mail.

Try it: see which lists actually flag you, not just how many. Run a free blocklist check on your domain and IP, confirm your reverse DNS is clean if you self-host, and check the network your IP sits in. No login, no sales call.

If the red turns out to be real and mail is landing in spam even with Spamhaus clean, the problem is reputation rather than a listing, and our piece on why mail passes every check and still lands in spam is the next place to look. And if you're running your own mail server, the reverse-DNS and IP-neighbourhood traps above are only the start of the deliverability gauntlet, which is a post of its own, coming shortly.

Run a free blocklist check on your domain.

← Back to all articles