A critical look at the reputation layer that quietly decides which mail gets through. By Evgeni Vatenfall.
An email blocklist (also called a DNSBL, RBL or "blacklist") is a database of IP addresses or domains with a bad reputation, published over DNS so any mail server can query it in milliseconds. The mechanism is a small standard, RFC 5782: reverse the octets of the sender's IP, append the blocklist's zone, and do an ordinary DNS lookup. So checking 198.51.100.7 against zen.spamhaus.org means querying 7.100.51.198.zen.spamhaus.org. An answer of 127.0.0.2 means "listed"; the last octet encodes which sub list and why, and a companion text record spells out the reason and a removal link. No answer at all means "not listed". The returned value is a flag, never a real address.
Listings come from spam traps (addresses that should never receive mail, so anything hitting them is spam), honeypots, automated heuristics, and human complaints. Removal is where the models diverge sharply: some lists expire a listing automatically once the bad behaviour stops, some let you remove yourself for free, and some ask for money.
The landscape is smaller than it looks. A handful of operators carry almost all the weight, and they are a mix of a non profit, several private companies, and at least one outfit whose business model is openly contested.
| Blocklist | Who runs it | Delisting |
| Spamhaus (SBL, XBL, PBL, CSS, DBL, ZEN) | The Spamhaus Project (non profit, Andorra) plus Spamhaus Technology Ltd (commercial, UK) | Free, self service. Always. |
| UCEPROTECT (Levels 1, 2, 3) | Private, run out of Germany | Auto expire in days, or pay 89 to 449 CHF to leave now |
| Barracuda (BRBL) | Barracuda Networks (owned by KKR since 2022) | Free request form |
| SpamCop (SCBL) | Cisco | Auto expire (about 24h) |
| Invaluement, SURBL, URIBL | Independent (subscription and free tiers) | Free removal; pay for the feed |
| SORBS | Was Proofpoint, shut down June 2024 | Gone (a reminder that these are mortal) |
Note that the two biggest gatekeepers, Google and Microsoft, publish no public blocklist at all. They score reputation internally (SmartScreen, Postmaster Tools, SNDS) and filter inside the mailbox. That is a hint about where this is heading.
Blocklists are not charities, even the one run by a non profit. There are three honest ways to monetise reputation data, and one contested one.
Sell the feed, not the listing. Spamhaus is the reference here. The data comes from a non profit, The Spamhaus Project, and the commercial arm, Spamhaus Technology Ltd, sells access to it. Casual DNS lookups are free, but production mail systems and vendors pay for a rate limited Data Query Service or an rsync data feed. You pay for reliable access to the data. Crucially, getting removed is always free. Spamhaus states it plainly: "There is never any charge or fee associated with removing any Spamhaus listing," and "Any offer from anyone to remove any Spamhaus listing for a fee is a scam." The incentive is to be accurate, because customers pay for a feed they can trust, not for the power to trap someone.
Sell certification and placement. Validity, which absorbed Return Path, publishes a free Sender Score but sells a paid certification programme that helps accredited senders reach the inbox. Return Path's last public price sheet ran from about 1,275 euros a year for a small sender to over 76,000 euros a year at the top tier. Here the reputation data is the funnel into a premium service.
Bundle it into an appliance. Barracuda and Cisco give their blocklists away because the real product is the security gateway, the filtering appliance, the subscription. The list is a feature, not the revenue.
And then, sell the way out. This is the model that gives the whole industry a bad name.
Some operators list aggressively and then offer to remove you faster, or exempt you entirely, for a fee. UCEPROTECT is the textbook case. Its Level 1 lists a single misbehaving IP, which is defensible and clears itself for free in about a week. But Level 2 escalates to the sender's entire network allocation, and Level 3, which it openly calls "Draconic," escalates to the whole autonomous system. In UCEPROTECT's own words, Level 3 "has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users." One spammer on a shared network can drag millions of neighbouring IPs onto that list.
The exit conveniently costs money. Express delisting runs 89 CHF for a single IP, 249 CHF for a netblock, and 449 CHF for a whole autonomous system. Or you can buy an annual "whitelisting" subscription, roughly 25 to 90 CHF per IP, that pre exempts you from the collateral Level 2 and Level 3 listings before they ever happen. Two details make the model hard to defend: the free automatic expiry means you are often paying to escape a listing that would clear itself in days, and the mailbox providers that actually decide inbox placement, Gmail, Outlook and Yahoo, do not use Level 2 or Level 3 at all. So the payment frequently buys removal from a list that was not affecting real delivery in the first place. Industry guidance from MXToolbox to InMotion is uniform: never pay.
This is not a fringe opinion. The internet standards body itself drew the line. RFC 6471 warns that charging a listed party to be delisted "steers perilously close to notions of extortion, blackmail, or a 'protection racket'", says such blocklists must not charge for delisting, and recommends they simply not be used. The key distinction is clean: charging the people who query your data is a business; charging the people you listed to make you stop is something else.
Here is the part that rarely gets said out loud. A blocklist works at the gate. When it fires, the receiving server rejects the message before accepting it, and whatever the sender is told, the intended recipient never sees the mail at all. A legitimate invoice, password reset or reply is simply gone. Even a genuinely infected IP sends real mail too; the standards body notes that "even an entry demonstrably infected with email spam or virus emitting malware may emit non abusive email." That good mail dies with the bad.
With range and autonomous system level listings, the victim is usually not even the spammer. UCEPROTECT once listed roughly 2.4 million IP addresses of a single large host over a claim of about 937 spam messages in a week. The person who actually pays is the small business a few addresses away, sharing a subnet, who did nothing wrong and has no idea why half their mail stopped arriving. They carry the cost for someone else, and the only fast fix on offer may be a payment to a list they never agreed to be judged by.
Contrast that with filtering at the mailbox. There, the mail is accepted and then sorted. A false positive lands in the spam folder, not the void. The recipient can still find it, mark it "not spam", and train the system. The cost of a mistake is an annoyance, not a silent loss, and the person who bears it is the one who can actually fix it. That difference, gate versus mailbox, binary versus probabilistic, is the whole argument.
There is a quieter version of this debate happening at the network layer, and OVH sits on the interesting side of it. Almost every large cloud provider blocks outbound port 25 by default, so their customers cannot send mail directly at all unless they ask and qualify. AWS blocks it and makes you file a request with root credentials, per region. Google Cloud blocks it to any external destination and an allow rule will not override it. Azure blocks it on most subscription types with no unblock offered. DigitalOcean, Oracle Cloud and Vultr all block it by default too. Every one of them gives the same reason: prevent spam and protect the shared reputation of their IP ranges. It is pre emptive blocking, and everyone is treated as a potential spammer until proven otherwise.
OVH takes the opposite stance. It does not pre block: port 25 stays open, and OVH acts only when its systems actually detect spam leaving your IP, at which point it blocks that IP, tells you why, and lets you unblock yourself once you have fixed the problem. The cost lands on the actual offender, not on every customer in advance. It is the same principle that separates a good blocklist from a bad one: respond to proven bad behaviour, do not punish an entire population on the assumption that some fraction of them are guilty. It is a minority position among the big hosts, and it is the right one.
Blocklists will not disappear, and they should not. But they are a coarse, first generation tool, and the mail world has quietly moved past treating them as the main defence. The modern stack looks like this.
Prove identity instead of guessing reputation. SPF, DKIM and DMARC, standardised as RFC 7208, 6376 and 7489, let a sender cryptographically prove who they are, and let a receiver reject forgeries with precision instead of blunt IP reputation. BIMI and ARC extend the same idea. Authentication answers "is this really you", which is a better question than "has your neighbourhood been trouble lately". After Google and Yahoo made authentication mandatory for bulk senders in 2024, Google reported the number of unauthenticated messages its users receive fell by 75 percent.
Filter at the mailbox, with or without AI. This is where the real work happens now. Open source engines like SpamAssassin and rspamd score each message on hundreds of signals against a threshold, and in rspamd's own words the outcome "is a recommendation to your MTA", not a hard gate. The large providers go much further with machine learning. Google says it blocks more than 99.9 percent of spam, phishing and malware, and stops nearly 15 billion unwanted messages a day. In late 2024 it added a large language model that, on its own, blocks 20 percent more spam than before. None of this rejects mail for everyone at the door. It decides, per person, whether a message lands in the inbox or the spam folder, and learns from what each user marks.
Score, do not just block. Google Postmaster Tools and Microsoft SNDS give senders a reputation gradient and a feedback loop rather than a binary verdict with no appeal. Microsoft's filter even stamps every message with a spam confidence level and sorts accordingly, inbox or junk, instead of refusing it outright. Reputation as a dial, not a wall.
The direction is clear. Move the decision from the gate, where it is binary, invisible and monetisable, to the mailbox, where it is contextual, reversible and owned by the person it affects.
Both, and it is worth being precise about which is which. Start with why any of this exists: spam still makes up close to half of all email, around 47 percent of global traffic in 2024. Without a shared reputation layer the inbox would be unusable, so the core function is not just legitimate, it is necessary.
The law has repeatedly sided with the lists. When the marketer e360insight sued Spamhaus, a procedural default first produced an eye watering 11.7 million dollar judgment. It was then cut to 27,002 dollars, and on final appeal in 2011 reduced to 3 dollars, one nominal dollar per claim, because the plaintiff could not show real damages. Spamhaus was never ordered to delist anyone, and e360 went out of business. US courts have also shielded the filterers downstream: under the Communications Decency Act's Good Samaritan clause, providers acting in good faith to block unwanted mail have been held immune. A reputation listing is treated as protected opinion.
So selling reliable access to well curated data, the Spamhaus model, is a clean and legally durable business. Bundling it into security products is ordinary commerce. What is borderline is the narrow but loud practice of listing broadly, including the innocent, and then charging for the exit. That is not spam fighting. That is a toll booth built on a road you were forced onto.
Querying most public blocklists is free for low volume, but the serious operators sell access. Spamhaus, for example, gives away casual DNS lookups yet routes commercial and high volume users to a paid Data Query Service. The list is free to consult; the reliable, rate limited feed is a product.
It depends on the list. Reputable ones like Spamhaus never charge to delist and remove you for free once the problem stops. Others, most notoriously UCEPROTECT, run a paid express delisting and a paid whitelisting subscription, which is exactly the model critics call a delisting racket.
Yes. Courts have generally treated a blocklist as protected opinion about who to accept mail from. In the landmark Spamhaus v. e360insight case, an 11.7 million dollar default judgment was ultimately reduced to 3 dollars on final appeal, and Spamhaus was never ordered to delist anyone. Downstream providers who filter in good faith are also shielded by law. Running a list is legal; charging aggressively to escape a listing is where the ethics get debated.
A blocklist blocks mail at the front gate, before it is accepted, based on the sender IP or domain reputation. A spam filter accepts the mail and then decides where it lands, usually the inbox or the spam folder, based on its content and signals. The gate is binary and gives the recipient no say; the filter is probabilistic and keeps the recipient in control.
No. Unlike most large cloud providers, which block outbound SMTP by default and make you request an exception, OVH leaves port 25 open and acts on actual abuse reports instead. It is a deliberate stance: punish proven abuse, not everyone in advance.
A layered approach: authenticate senders with SPF, DKIM and DMARC so identity is provable, then filter at the mailbox with content and machine learning models that sort per recipient rather than blocking for everyone. And verify addresses before you send, so you never trip a reputation system in the first place.
Related: Blocklist Checker · Authentication Checker · Deliverability Test · Email verifier · Email Infrastructure Index.