Email Blocklists Explained: DNSBL, RBL, and How They Protect Inboxes
Understand how email blocklists work, the difference between DNSBL and RBL, major blocklist providers, and how blocklists affect your email deliverability.
Last updated: 2026-02-06
Every email you send passes through blocklist checks before it reaches an inbox. If your IP or domain appears on a blocklist, your message gets rejected or filtered. Understanding how blocklists work at a technical level helps you prevent listings and fix them fast when they happen.
What is a Blocklist?
A blocklist is a database of IP addresses, domains, or URIs associated with spam, malware, or abuse. Mail servers query these databases in real time to decide whether to accept, filter, or reject incoming messages.
You will see several terms used for the same concept:
- Blocklist -- the modern, preferred term
- Blacklist -- the legacy term, still widely used
- DNSBL -- DNS-based Blocklist (or DNS Block List), the technical name for any blocklist queried via DNS
- RBL -- Real-time Blackhole List, originally a specific MAPS product, now used generically
The shift from "blacklist" to "blocklist" started in the early 2020s as the tech industry moved toward more inclusive language. The IETF, Spamhaus, and major providers now prefer "blocklist." The underlying technology is identical. Only the terminology changed.
Terminology note
This article uses "blocklist" as the primary term. Older documentation, RFCs, and some providers still use "blacklist." They mean the same thing. Our what is email blacklisting guide covers the broader concept.
How DNSBL Works at a Technical Level
A DNSBL uses the Domain Name System -- the same infrastructure that resolves domain names to IP addresses -- to serve blocklist data. This is the key design choice that made blocklists practical at scale. Mail servers already know how to make DNS queries. No special protocol or software is needed.
Here is exactly what happens when a mail server checks an IP against a DNSBL.
The DNS Query Process
Suppose a mail server receives a connection from IP address 198.51.100.42 and wants to check it against a DNSBL at dnsbl.example.org.
Step 1: Reverse the IP octets. The IP 198.51.100.42 becomes 42.100.51.198.
Step 2: Append the DNSBL zone. The query becomes 42.100.51.198.dnsbl.example.org.
Step 3: Perform an A record lookup. The mail server sends a standard DNS A query for that hostname.
Step 4: Interpret the response.
- NXDOMAIN -- the IP is not listed. The mail server continues processing normally.
- 127.0.0.x -- the IP is listed. The specific address in the 127.0.0.0/8 range indicates the listing reason.
The entire lookup takes milliseconds. A single mail server can check dozens of blocklists per incoming connection without meaningful delay.
DNSBL Return Codes
Each DNSBL defines its own return codes within the 127.0.0.0/8 range. These codes tell the receiving server why the IP is listed.
For example, Spamhaus ZEN returns:
127.0.0.2-- SBL (direct spam source)127.0.0.3-- SBL CSS (snowshoe spam)127.0.0.4through127.0.0.7-- XBL (exploited systems)127.0.0.10through127.0.0.11-- PBL (policy block)
Most DNSBLs also publish a TXT record at the same query name. This TXT record contains a human-readable explanation or a URL pointing to details about the listing. Mail servers can include this text in bounce messages, making it easier for senders to understand why their mail was rejected.
Zone File Structure
Internally, a DNSBL is a DNS zone file. Each listed IP gets a record:
42.100.51.198 A 127.0.0.2
42.100.51.198 TXT "Listed for spam. See https://example.org/lookup?ip=198.51.100.42"
Large blocklists contain millions of records. Operators use specialized DNS servers optimized for high query volumes and rapid updates.
Types of Blocklists
Not all blocklists work the same way. Different types target different threat vectors.
| Blocklist Type | What It Lists | Query Method | Example Providers |
|---|---|---|---|
| IP-based DNSBL | Sending IP addresses | Reversed IP + zone lookup | Spamhaus SBL/XBL, Barracuda, SpamCop |
| Domain-based DNSBL | Sending domains (RHSBL) | Domain + zone lookup | Spamhaus DBL, SURBL |
| URI DNSBL | URLs/domains in message body | Extracted domain + zone lookup | SURBL, Spamhaus DBL, URIBL |
| Hash-based blocklist | Message content hashes | Hash + zone lookup | Razor, Pyzor, DCC |
IP-Based Blocklists
The most common type. They list IP addresses observed sending spam or associated with abuse. Your mail server's IP is checked during the SMTP handshake, before the message body is even transmitted. This makes IP-based blocklists extremely efficient at stopping spam at the connection level.
Domain-Based Blocklists (RHSBL)
RHSBL stands for Right-Hand Side Blackhole List. Instead of reversing an IP, the receiving server queries the sender's domain directly. For example, checking spamdomain.com against dbl.spamhaus.org produces the query spamdomain.com.dbl.spamhaus.org.
Domain-based blocklists catch spammers who rotate through IP addresses but keep using the same domains.
URI Blocklists
URI blocklists (also called SURBLs) scan the body of the email for URLs. Every domain found in a link gets checked. This catches messages that come from clean IPs but link to known spam or phishing domains. URI blocklists are particularly effective against phishing attacks where the sending infrastructure is disposable but the payload URL persists.
Hash-Based Blocklists
Hash-based systems like Razor and DCC compute a fingerprint of the message content. If many identical or near-identical messages are reported, the hash gets listed. This catches bulk spam regardless of sender IP or domain. The query mechanism varies -- some use DNS, others use custom protocols.
Monitor your blocklist status
Get alerted the moment your domain or IP appears on a major blocklist.
Major Blocklist Providers and Their Differences
Each provider has different listing criteria, data sources, and removal policies. Knowing the differences matters because a listing on one provider may be far more damaging than a listing on another.
Spamhaus is the most influential operator. Their ZEN combined list (SBL + XBL + PBL) protects an estimated 3 billion mailboxes. A Spamhaus listing has the broadest impact on deliverability. See our detailed Spamhaus guide for more.
Barracuda (BRBL) is heavily used by business email systems. Many organizations run Barracuda appliances that check this list by default. A BRBL listing can cut you off from corporate recipients.
SpamCop relies on user-submitted spam reports. Listings are automated and expire within 24-48 hours after complaints stop. It is reactive rather than proactive.
SORBS maintains separate lists for open relays, dynamic IPs, spam sources, and HTTP proxies. It casts a wide net but is less universally adopted than Spamhaus.
UCEProtect operates three escalating tiers: individual IPs (Level 1), IP ranges (Level 2), and entire ASNs (Level 3). Level 2 and 3 listings can affect innocent senders who share infrastructure with bad actors.
URIBL and SURBL focus exclusively on domains found in message bodies. They do not list sending IPs at all.
How Mail Servers Query Blocklists
In practice, mail servers combine multiple blocklist results to make filtering decisions. There are three common approaches.
Hard reject. The server checks one or more blocklists during the SMTP transaction. If the sender is listed, it returns a 5xx rejection code immediately. Simple and effective, but a false positive means lost mail.
Spam scoring. Filters like SpamAssassin assign points for each blocklist hit. A Spamhaus SBL listing might add 4 points. A minor list might add 0.5. The message is only blocked if the total score exceeds a threshold. This approach tolerates false positives better.
Weighted policy. Some systems combine blocklist results with other signals -- SPF authentication, DKIM signatures, DMARC alignment, sender reputation scores. A blocklist hit by itself might not trigger a block, but combined with a failed SPF check, it does.
Most production mail systems use a combination of these methods. The specific configuration varies by organization.
Impact of Blocklists on Your Deliverability
A listing on a major blocklist can drop your inbox placement rate to near zero for affected recipients. The severity depends on three factors:
Which blocklist. A Spamhaus listing is catastrophic. A listing on an obscure, poorly-maintained blocklist might not affect anyone.
How recipients use it. Some organizations hard-reject on any blocklist hit. Others only use blocklists as one input to spam scoring.
How quickly you respond. Catching a listing within hours and resolving it limits the damage. Discovering it weeks later means you have lost messages you cannot recover.
Blocklist damage compounds over time
Beyond direct rejection, a blocklist listing erodes your sender reputation across the entire email ecosystem. Even after delisting, mailbox providers like Gmail and Outlook may treat your messages with suspicion for weeks. Early detection is critical.
Proactive monitoring is the most effective defense. Automated daily checks against major blocklists give you early warning before a listing causes widespread delivery failures. Pair monitoring with proper email authentication and list hygiene to minimize the risk of getting listed in the first place.
Stay Off the Block Lists
Blocklists exist to protect inboxes. They are not going away. Your job is to ensure you never appear on one -- and to detect it fast if you do.
Authenticate your email with SPF, DKIM, and DMARC. Keep your sending lists clean. Secure your infrastructure against compromise. And monitor your blocklist status continuously.
Related Articles
Boring Tools builds simple, focused deliverability tools for teams that depend on email.
Never miss a blocklist listing
Monitor your domain and IP against major blocklists. Get alerts before deliverability suffers.
Start Monitoring