All articles
DNS blacklists (RBL): what they are and how to check your domain reputation
Security Tips

DNS blacklists (RBL): what they are and how to check your domain reputation

DNS blacklists (RBL/DNSBL) decide whether the internet trusts mail from your IP addresses and your domain name - and a single listing can quietly send your messages straight to spam.

Your mail can be perfectly configured - clean SPF, valid DMARC, TLS everywhere - and still land in the spam folder. The culprit is usually reputation: the receiving server checked your sending IP address or domain name against a DNS blacklist and rejected it. Blacklist listings are among the most common and least visible causes of mail delivery failure.

What is a DNS blacklist?

A DNS blacklist (DNSBL), also called a real-time blocklist (RBL), is a published list of IP addresses with poor reputation - sources of spam, compromised hosts, open relays, or dynamic address space unsuitable for direct mail delivery. Mail servers query these lists in real time to decide whether to accept, filter, or reject incoming messages.

A second family, the RHSBL or domain blacklist (DBL), lists domain name reputation instead of IP reputation. A DBL entry means the domain itself - not just a sending host - has appeared in spam, malware, or phishing URLs.

Both operate over standard DNS. There is no special protocol or API to integrate. A receiving mail server simply asks a DNS question; the response indicates whether the address or name is listed. This simplicity lets the mechanism scale to billions of lookups daily.

How a DNSBL lookup works

The query format is defined in RFC 5782. To check an IPv4 address against a blacklist zone, you reverse the octets and prepend them to the zone name. Checking 192.0.2.10 against bl.example-dnsbl.net becomes a lookup for:

10.2.0.192.bl.example-dnsbl.net

The response is encoded as:

  • An A record in the 127.0.0.0/8 range means the address is listed. The specific value (such as 127.0.0.2) indicates the reason.
  • NXDOMAIN (name does not exist) means the address is not listed.

IPv6 works the same way but reverses the 32 nibbles of the fully expanded address. Domain blacklists are simpler still: the domain name is prepended to the zone without any reversal, so example.com against dbl.example-dnsbl.net becomes a lookup for example.com.dbl.example-dnsbl.net.

RFC 5782 also defines a self-test every conforming zone must pass: 127.0.0.2 must always be listed, and 127.0.0.1 must never be listed. This test lets clients verify a zone is answering correctly before relying on its verdicts.

Why blacklist reputation matters

A listing on a widely enforced blacklist has immediate, measurable impact: many receivers block or defer mail from the listed address, or drop it into spam. Unlike a broken DNS record, your systems won't report the failure - rejection happens at the receiver, and you notice only when recipients stop replying.

Reputation damage is often not your direct fault. You might inherit a bad IP address from a previous tenant, share a subnet with a spammer, or have a host briefly compromised and abused. Listings are fixable, though. Once you remediate the underlying cause, you can request delisting and reputation recovers.

Not every list carries equal weight, and reading a result correctly means knowing which kind you're looking at.

Common mistakes and misreadings

Treating every list as equal. A listing on a mainstream, carefully curated blacklist is a serious signal. A listing on an aggressive list that blocks entire subnets or autonomous systems by policy usually reflects your network's classification or a neighbor's behavior, not yours. Reacting the same to both wastes time.

Panicking at a policy listing. Some lists flag dynamic or end-user address space as policy - "this IP should not be sending mail directly" - rather than as evidence of abuse. If that address really is a legitimate mail server, the fix is proper reverse DNS and registration with the network operator, not a frantic cleanup.

Ignoring the domain name. People check their sending IP and stop there. But a parked domain with no mail service can still be listed on a domain blacklist if its name shows up in spam or phishing URLs. Domain reputation is separate from IP reputation and deserves its own look.

Misreading error responses as clean. Some major lists refuse queries from cloud and public resolvers, returning special error codes (Spamhaus uses the 127.255.255.0/24 range). Those codes signal a refused query, so reading them as "not listed" gives false confidence. A correct check filters them out rather than scoring them.

How SecRift checks DNS blacklists

SecRift runs the RBL check as a dedicated reputation assessment. It collects your domain's public IP addresses - the web addresses from your apex and www records, plus every MX host resolved to an IP - discards non-public addresses, then queries each against a large set of blacklist zones. Before trusting a zone, it runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) and drops zones that answer unreliably. This filters out rate-limit and cloud-block responses so they never become false listings.

IP scope reports which public IP addresses were collected and their source. It never scores; it determines whether the IP-based findings run. If the domain has no public addresses, the four IP findings are skipped, but the check itself always runs.

Mainstream blacklists carries the heaviest weight. It flags any public IP listed on widely enforced, low-false-positive lists like Spamhaus SBL/XBL/ZEN, SpamCop, or Barracuda. Spam or exploit listings here are high severity; policy listings on end-user or dynamic address ranges are medium, since policy doesn't prove abuse.

Secondary blacklists includes reputable but narrower-enforcement lists like Mailspike, PSBL, SpamRATS, and Blocklist.de. A listing warrants investigation but carries lighter weight than mainstream.

Aggressive blacklists includes policy-driven lists covering whole netblocks, residential ranges, or entire autonomous systems - UCEPROTECT Level 2/3 and similar. Weight is deliberately low; worst status is medium, because listings usually reflect your network's classification, not individual abuse.

Domain blacklist checks your domain name against RHSBL/DBL lists like Spamhaus DBL and SURBL. This finding always runs - it queries the name, not an IP - so domains with no public addresses are still checked. A listing is serious (high), because the domain name itself has been tied to spam, malware, or phishing.

Run a free scan

Blacklist reputation depends on your mail hygiene - a clean MX configuration and enforced SMTP TLS defend against the delivery damage a listing causes.

Run a free scan at secrift.com to check your IP and domain reputation in seconds.