Anti-Spam DNSBL

Spam filtering by DNS Blacklist
Spam filtering by DNS Blacklist

Email Anti-Spam filtering and DNSBL

All modern mail servers have a “DNSBL” feature (sometimes called “RBL Servers” or “Blacklist”). A DNSBL is a “Domain Name System Block List”: A list of IP address ranges or other information compiled and presented as a DNS zone. Information in DNS format is easy to query and transport, and its small answers are very “light” on bandwidth overhead. Which DNSBL to choose depends on what the desired outcome is, and whether it is for small-volume or professional use. 

What is a DNSBL?

Domain Name System Blacklists, also known as DNSBL’s or DNS Blacklists, are spam blocking lists that allow a website administrator to block messages from specific systems that have a history of sending spam. As their name implies, the lists are based on the Internet’s Domain Name System, which converts complicated, numerical IP address such as into domain names like, making the lists much easier to read, use, and search. If the maintainer of a DNS Blacklist has in the past received spam of any kind from a specific domain name, that server would be “blacklisted” and all messages sent from it would be either flagged or rejected from all sites that use that specific list.

Why use DNSBL?

Doing a DNSBL lookup on an email message during the SMTP connection is cheap in hardware cycles and system time. If the MTA already knows the incoming message is spam it can deny a spam message before having to take additional action; The DNS server may even have the results cached from previous attempts!

System costs:

  • Passing it to a mail-scanner (medium cost);
  • Using a Bayesian filter (medium)
  • Running it through a virus scanner (medium to expensive)
  • Doing SpamAssassin network tests that check blocklists, DCC, pyzor, razor, etc. (medium to expensive)

Mail rejected by a DNSBL during delivery is not silently discarded. A realtime DNSBL rejection creates a delivery status notification (DSN) to the sender identifying the cause of the rejection, allowing troubleshooting on the sender’s end.

Realtime rejection avoids the backscatter problem of some spam filters which accept delivery, close the connection, and then try to return the mail after it is determined to be spam.

Most spam and all viruses have forged sender addresses, and so the bounce would be sent to an innocent third party (if it is deliverable at all). This can be extremely disruptive to the third party!

Picking the right kind of Blacklist and Wisely the DNSBL provider, or a combined group (recommended), rejects a large amount of spam and virus mail with very low “false positive” rejections of legitimate mail.

Is a private DNS server required?

It is not necessary, but it is worth considering.

There can be issues with using some consumer oriented ISPs and many “open” or “public” DNS services. Some of them use NXDOMAIN hijacking to monetize null DNS answers. Other public DNS servers are blocked from querying DNSBL. Some public DNS providers provide non-hijacked responses for known DNSBL zones, but such servers can be risky to use to answer DNSBL queries.

To avoid this, it is recommended to use DNS servers that query directly the internet ROOT DNS servers like having your own DNS servers properly configurated. Otherwise, most ISPs, hosting and DNS service providers are very careful about providing highly accurate DNS results. As long as legitimate DNS servers are used, DNSBL zones will provide accurate answers and mail filtering will work correctly.

How DNSBL works?

DNSBL data can be accessed and used through the global Domain Name System (DNS). DNS traffic itself carries the questions and answers regarding the (DNSBL listed/not-listed status) of IP addresses and domains;

Normally one or more DNS servers (typically two) are configured in an operating system.
Those are the IP addresses of the servers that will negotiate all the DNS requests made by your applications, and therefore those DNS servers will be the vehicle for your DNSBL requests, too.

There are several ways to access DNSBL data:
For many small, low-volume users’ mail servers, DNSBL providers data are available free of charge. These low-volume mail servers issue a DNS query via the locally specified DNS server. That DNS server could be operated locally on the same computer, on the same network as the mail server, operated by a hosting ISP or other outsourced DNS provider, or it could be an “open” or “public” DNS server that answers anyone who queries it. Typical volume for free DNSBL provider (as of june 2021) are around 5,000 DNS request a day. For higher-volume clients which exceed a query volume threshold, open account and fees may apply. In some case, commercial DNSBL may authorize your own DNS server to transfer their DNS ZONE locally to your DNS servers.

Query and return code from DNSBL

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.