What are Email Blacklists? If I’m on one, how do I get off of it?
What are Email Blacklists and What Do They Do?
Email blacklists are critical tools in the fight against spam and malicious email content. In layman’s terms, they are long lists of IP addresses and domains that have been reported to be sending spam or other bad content out to people. Many mail services, such as Office 365 and Google, as well as numerous private mail servers, will subscribe to these lists in order to “know” whose mail should get dropped as soon as a report is made, thus protecting the mail recipients they serve.
Note: Blacklists are occasionally referred to as “blocklists”. Both terms refer to the same cybersecurity measure: databases that track suspicious senders so their mail can be blocked from delivery.
In this guide, we’ll present an overview of what blacklists are, their impact, and how to remediate being blacklisted.
First, some basic definitions:
Blacklisting
Email blacklists are databases containing IP addresses or domains that have been flagged for sending spam or unwanted content. These lists serve as reference points for mail servers to determine the trustworthiness of incoming emails.
When an email is sent, the recipient’s server checks the sender’s IP address against multiple DNS blacklists. If a match is found, the message may be blocked or filtered, never reaching the intended recipient’s inbox. For this reason, it’s important for organizations to avoid being accidentally placed on blacklists.
Whitelisting
Whitelisting, also known as “allowlisting”, is a restrictive approach that some organizations employ. When an organization uses whitelisting, only pre-approved senders are allowed to send messages to a recipient. Entities not on the whitelist will be denied access by default.
Organizations that mandate a strong cybersecurity posture, such as financial institutions and government agencies, may employ whitelisting.
Graylisting
Graylisting is an intermediary approach between blacklisting and whitelisting. Under a graylisting framework, unknown entities are temporarily blocked or restricted until they can be verified.
When an email server receives a message from an unfamiliar source, it will respond with a temporary rejection error. Legitimate email senders will typically retry sending the message after a short delay, and will then be granted access.
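A minimal sketch of that retry logic, added here as an illustration and not taken from any particular mail server: the receiver remembers each (client IP, sender, recipient) triplet, answers the first attempt with a temporary failure, and accepts a retry that arrives after a minimum delay. The delay values, the reply texts and the addresses are constructed assumptions.

```python
import time

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"   # constructed 4xx reply text
OK = "250 2.1.5 OK"

class Greylist:
    """Greylisting policy keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, min_delay=300, max_age=86400, clock=time.time):
        self.min_delay = min_delay   # seconds an unknown sender must wait before a retry counts
        self.max_age = max_age       # a first attempt older than this is forgotten
        self.clock = clock           # injectable so the policy can be tested without sleeping
        self.first_seen = {}         # triplet -> time of first attempt
        self.passed = set()          # triplets that have retried correctly

    def check(self, client_ip, mail_from, rcpt_to):
        """Return (accepted, smtp_reply) for one delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.passed:
            return True, OK
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_age:
            self.first_seen[key] = now          # unknown sender: start the timer
            return False, TEMPFAIL
        if now - seen < self.min_delay:
            return False, TEMPFAIL              # retried too quickly, keep waiting
        self.passed.add(key)                    # legitimate retry: remember it
        del self.first_seen[key]
        return True, OK

def simulate():
    """Replay one sender's attempts at t = 0, 30, 400 and 500 seconds."""
    now = [0]
    policy = Greylist(min_delay=300, clock=lambda: now[0])
    triplet = ("192.0.2.10", "sender@example.org", "user@example.com")
    results = []
    for ts in (0, 30, 400, 500):
        now[0] = ts
        results.append(policy.check(*triplet)[0])
    return results
```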
Public vs Private Blacklists
Now that we know what the different list types are, let’s talk about who runs them.
Email blacklists can be categorized into two main types: Public and Private.
Public Blacklists
Public blacklists are non-commercial databases that anyone can check and subscribe their mail filters to.
These lists are used by various Internet Service Providers (ISPs), email service providers, and anti-spam vendors to filter incoming emails. Well-known public blacklists include SORBS, 0Spam (ZeroSpam), NordSpam and Spamhaus.
Private Blacklists
Private blacklists are created and maintained by a single organization, such as Google or Microsoft.
These lists are not accessible to the general public, and outside individuals cannot directly check if they are blacklisted. Often, individuals won’t know they are blacklisted until they begin receiving bounces or notice deliverability errors when sending mail to the organization.
What Happens when an IP Address or Domain is Added to a Blacklist?
Being blacklisted can have severe consequences for email communications.
Reduced Deliverability: Emails may be blocked entirely or directed to spam folders, significantly decreasing the chances of reaching the intended recipients’ inboxes.
Increased Sender Complaints: Recipients are more likely to mark emails as spam, further damaging sender reputation.
Loss of Credibility: Getting blacklisted can erode trust within an organization’s audience or customer base, since it’s a pretty obvious suggestion that the company has been doing something wrong. This can cause long-term damage to valuable business relationships.
Impact on Business Operations: For businesses relying on email for marketing, sales, or customer support, blacklisting can disrupt critical operations and lead to lost revenue.
Obviously, avoiding getting blacklisted, and if it has already occurred, getting off those blacklists, is imperative!
Why are Addresses Blacklisted?
IP addresses or domains can be added to a blacklist for a multitude of reasons. One of the most devastating can be a Business Email Compromise (BEC) or impersonation attack.
Business Email Compromise (BEC) Attacks
When Business Email Compromise (BEC) occurs, a user account is compromised and an attacker uses the account to blast out phishing links and spam. These emails appear to be sent from a verified sender, but may contain malicious content.
As an example of a common BEC attack:
ACME Company falls victim to a BEC attack. The attacker uses the CEO’s email account to send emails to ACME’s most trusted vendors, requesting an invoiced payment immediately. Because the email looks like it is coming directly from the CEO, several vendors complete the payment transaction.
Once ACME realizes what has happened, the damage is already done: vendors have lost tens of thousands of dollars, and relationships with these business partners have soured.
These impersonation attacks can lead to immediate blacklisting, through no fault of the account owner. Organizations that fail to set up properly configured SPF, DKIM, and DMARC protocols are particularly at risk for BEC attacks.
Other Blacklisting Causes
Other reasons that an IP address or domain may be added to a blacklist include:
High Spam Complaints: If recipients frequently mark an organization’s emails as spam, it signals to Internet Service Providers that the content is unwanted.
Using a Shared IP address: Shared IP addresses are used by multiple users or websites simultaneously, especially mass marketing platforms like SendGrid, Constant Contact and MailChimp. If one user from the IP address is identified as a spammer, all users may be subject to the same blacklisting measures.
Poor Email List Hygiene or Using Purchased Email Lists: Failing to clean email lists regularly can lead to sending messages to non-existent or inactive addresses, increasing bounce rates. High bounce rates flag email activity as spam.
Overusing Spam Words: Emails with overly promotional language, irrelevant content, or spam trigger words can activate email filters.
Sudden Increase in Email Volume: A dramatic spike in the number of emails sent can be seen as suspicious behavior suggesting a compromised account, and the messages may subsequently be filtered by recipient mail services.
Technical Issues: Server misconfigurations, especially around Transport Layer Security (TLS) standards or security certificates, or sharing an IP address with known spammers, can negatively impact your email deliverability.
How to Identify if an IP Address has been Blacklisted?
Check Public Blacklists: Well-known public blacklist checkers, like MXToolbox, are free to access and review. Check these resources to search for a specific IP address or domain.
Monitor Email Deliverability: If email marketing managers detect a sudden drop in engagement, this can be the “canary in the coal mine” indicating possible blacklisting. Many email marketing providers provide dashboards to track email health and deliverability. Use these resources to monitor any downward trends.
Keep an eye out for:
Decreased deliverability
Decreased click rates
Rejected or bounced emails
Increased bounce rates
Pay Attention to Warnings: Stay informed of notifications or warnings from email service providers and ISPs regarding deliverability errors. Receiving “abuse” notifications is a serious advisory of trouble and often requires immediate rectification to prevent an ISP from temporarily halting services to your organization.
How to Remove Your Mail Server’s IP Address from a Blacklist
Once on a blacklist, here are the recommended steps that organizations can take to repair their email reputation.
Try to Identify the Source: Use tools like online lists or an email service provider dashboard to determine which blacklist the IP address/domain has been added to.
Understand the Root Cause: Identify why the IP address/domain was blacklisted in the first place. Common reasons include high spam complaints, sudden spikes in email volume, poor email list practices, and more.
Make Necessary Adjustments: Address the root cause of the blacklisting. This may include cleaning email lists, improving content, or adjusting sending practices.
Complete the Delisting Process: Contact the blacklist operator and follow their delisting process. Often, email security providers will help perform the delisting process. It can typically take 1-2 weeks to be successfully “delisted” from a blacklist. Avoid paying a blacklist operator for delisting: reputable operators do not charge for it, and paying for a delisting without resolving the root cause simply means being added back shortly thereafter, with the payment effectively thrown away.
Monitor Deliverability: Post-removal, closely track email performance to ensure the sender reputation remains in good standing.
How to Protect Against Blacklisting in the Future
It’s always easier to prevent a problem than to solve it.
Taking preventative measures to protect against blacklisting is a critical part of any organization’s communication strategy.
Key strategies for preventing blacklisting include:
Implement Email Authentication Protocols: Ensure that authentication protocols like DMARC, SPF, and DKIM are properly configured. These protocols help establish trust with email providers, reducing the risk of being flagged as spam.
Maintain Good Email Practices: Regularly clean email lists, avoid “spammy” words, and include a visible “unsubscribe” link in each email. Be sure to only email recipients who have “opted in” to receive communications.
Use a Dedicated IP Address: Unlike a shared IP address, a dedicated IP address provides extra control over an organization’s sender reputation.
Regularly Monitor Sender Reputation: When a decrease in engagement or deliveries occurs, take swift action to identify and resolve the cause.
If you’re looking for ways to enhance your email security, outbound email filtering can help detect BEC situations and DMARC implementation can go a long way to improving deliverability. Tangent can help with these, and more; just let us know.