DNS Blocklists (DNSBL): How They Work

Understand how DNS-based blocklists identify spam sources, how to check your IP reputation, and how to get delisted.

How DNSBL reverse-IP lookups work

A DNS-based blocklist (DNSBL, also called RBL or DNSRBL) is a database of IP addresses published via DNS. Mail servers query the blocklist in real time during the SMTP transaction to decide whether to accept, reject, or flag a message based on the sending IP's reputation.

The lookup mechanism uses a reversed IP address appended to the blocklist's zone. To check whether IP 198.51.100.42 is listed on a blocklist at bl.example.com:

Reverse the IP octets: 198.51.100.42 becomes 42.100.51.198.
Append the blocklist zone: 42.100.51.198.bl.example.com.
Query for an A record at that name.
If the query returns a result (typically 127.0.0.x), the IP is listed. If it returns NXDOMAIN, the IP is not listed.

The specific 127.0.0.x return code indicates the listing category. For example, Spamhaus uses 127.0.0.2 for SBL (direct spam sources), 127.0.0.4 for XBL (exploited hosts), and 127.0.0.10 for PBL (policy block list -- dynamic/residential IPs that should not be sending mail directly).

Many blocklists also publish a TXT record at the same name, containing a human-readable reason for the listing and a URL for more information.

IPv6 DNSBL lookups

IPv6 addresses follow the same reverse pattern but use nibble format. The address 2001:db8::1 is expanded to its full 32-nibble form and reversed, with each nibble separated by dots:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.bl.example.com

Not all blocklists support IPv6 lookups yet, but coverage is increasing as IPv6 adoption grows.

Major blocklists

Spamhaus ZEN

Spamhaus is the most widely used blocklist provider. Their ZEN zone (zen.spamhaus.org) combines four lists into a single lookup:

SBL (Spamhaus Block List) -- known spam sources, verified spam operations, and snowshoe spam ranges.
XBL (Exploits Block List) -- IPs of compromised machines: open proxies, botnets, malware-infected hosts. Sourced from CBL (Composite Blocking List) data.
PBL (Policy Block List) -- IP ranges that should not be sending mail directly. Includes residential ISP ranges and dynamic-IP blocks. Being listed on PBL is not an accusation of spam -- it means the IP is not a legitimate mail server.
CSS (Spamhaus CSS) -- IPs involved in low-reputation activities but not confirmed as spam sources.

Spamhaus requires a Data Query Service (DQS) key for high-volume use. Free queries are rate-limited and intended for testing only.

Barracuda (b.barracudacentral.org)

Barracuda maintains a blocklist based on spam trap data and customer-reported spam. It is widely used by organizations running Barracuda email security appliances, but also queried by other mail servers. Listings are typically based on direct spam activity from the IP. Barracuda offers a self-service lookup and removal request tool.

SpamCop (bl.spamcop.net)

SpamCop is a user-driven blocklist. Users submit spam reports, and SpamCop traces the message back to the sending IP. Listings are automatic based on report volume and decay over time if reports stop. SpamCop listings typically expire within 24-48 hours if the spam stops. This makes it a responsive but sometimes aggressive list -- legitimate senders with temporarily compromised accounts may get listed briefly.

Other notable lists

SORBS (dnsbl.sorbs.net) -- multiple zones for different categories (spam, open relays, dynamic IPs). Widely used but has been criticized for slow delisting.
UCEPROTECT -- three levels from individual IPs (Level 1) to entire ASNs (Level 3). Level 2 and 3 listings are controversial because they block entire networks based on aggregate behavior.
Spamhaus DBL (dbl.spamhaus.org) -- a domain blocklist rather than IP blocklist. Checks the domain in the message body and headers against known spam domains.

Checking IP reputation manually

You can check any IP against a DNSBL using dig. Reverse the IP octets and query the blocklist zone:

# Check 198.51.100.42 against Spamhaus ZEN
dig +short 42.100.51.198.zen.spamhaus.org A
# No output = not listed
# 127.0.0.2 = SBL listing
# 127.0.0.4 = XBL listing
# 127.0.0.10 = PBL listing

# Get the reason for listing (if listed)
dig +short 42.100.51.198.zen.spamhaus.org TXT

To check against multiple blocklists at once, you can script it:

#!/bin/sh
IP="198.51.100.42"
REVERSED=$(echo "$IP" | awk -F. '{print $4"."$3"."$2"."$1}')

for BL in zen.spamhaus.org b.barracudacentral.org bl.spamcop.net dnsbl.sorbs.net; do
  RESULT=$(dig +short "$REVERSED.$BL" A)
  if [ -n "$RESULT" ]; then
    echo "LISTED on $BL: $RESULT"
  else
    echo "CLEAN on $BL"
  fi
done

Check your MX server IPs

To check the reputation of your own mail servers, first find their IPs:

# Find MX records
dig +short MX example.com
# 10 mail.example.com.
# 20 mail2.example.com.

# Resolve MX to IP
dig +short A mail.example.com
# 203.0.113.10

# Check that IP against blocklists
dig +short 10.113.0.203.zen.spamhaus.org A

Delisting process and timeline

Getting listed on a blocklist is usually automatic; getting delisted requires action. The process varies by blocklist:

Before requesting delisting

Fix the underlying problem -- if your IP was listed because of spam, compromised accounts, or an open relay, fix that first. Requesting delisting without fixing the cause will result in immediate re-listing.
Check all your MX IPs -- you may have multiple mail servers, and some may be listed while others are not.
Verify authentication -- ensure SPF, DKIM, and DMARC are correctly configured. Blocklists consider the overall hygiene of your mail setup.

Delisting by provider

Spamhaus SBL/XBL -- use the Spamhaus Blocklist Removal Center. SBL removals require demonstrating that the spam source has been remediated. XBL removals require showing the compromised host has been cleaned. Timeline: 24 hours to several days depending on severity and history.
Spamhaus PBL -- PBL listings are policy-based (dynamic IPs). If you run a legitimate mail server on a PBL-listed IP, you can request removal through the PBL portal. Your ISP may also need to update their PBL delegation.
Barracuda -- self-service removal at their lookup tool. Typically processed within 12-24 hours. Repeat listings extend the cooling-off period.
SpamCop -- listings expire automatically within 24-48 hours after reports stop. There is no manual removal process. If you are persistently listed, the issue is ongoing spam reports.
SORBS -- offers self-service delisting for some zones. Historically slow; expect days to weeks for some categories.

Preventing re-listing

Monitor your IP reputation regularly -- do not wait for delivery failures to discover a listing.
Implement rate limiting on outbound mail to contain compromised-account damage.
Use dedicated IPs for transactional mail vs. marketing mail so a marketing issue does not affect transactional delivery.
Set up FCrDNS (Forward-Confirmed Reverse DNS) for all mail server IPs -- the PTR record should resolve back to the IP. Missing or mismatched rDNS is a red flag for many blocklists and spam filters.

Using beacon for automated multi-blocklist checks

The netray.info beacon tool automates DNSBL checking as part of a comprehensive email security audit. When you check a domain with beacon, it:

Resolves your MX records to find all mail server hostnames.
Resolves each MX hostname to its IP addresses (both A and AAAA).
Checks each IP against multiple major blocklists in parallel.
Reports which IPs are listed, on which blocklists, and the listing category.

This is significantly faster than manual dig queries, especially when you have multiple MX servers with multiple IPs across several blocklists.

Beacon also checks FCrDNS (Forward-Confirmed Reverse DNS) for each MX IP, which is a common factor in blocklist evaluation and spam filtering decisions.