As IT budgets and resources are squeezed we understand you may have to shop around. Be it for hardware, software, or threat intelligence data, for that matter. But beware...not all email blocklists (DNSBLs) are equal.

False economy

Recently I was introduced to by a colleague – it’s simplicity and comedic value is genius, check-it out. Upon browsing through the archive, I happened upon this little gem:

Cheap GPS

This got me to thinking about a phrase my mother drilled into me as a child “Buy cheap, buy twice.” It turns out my mother was right (again), and despite knowing this, sometimes I still can’t resist a bargain. Recently I purchased a ‘reconditioned Apple BlueTooth keyboard’ at a fraction of the cost of a new one. However, over the past few months, I’ve watched the letters rapidly fade off the keys. It’s a good thing that I can touch type; otherwise, this article would have looked like ‘thod’ [sic].

But it’s not only cheap keyboards that are a false economy. If you’re currently reading this and considering a more ‘economical’ blocklist (DNSBL), make sure you’re comparing apples with apples; otherwise, you’ll soon have forgotten the ‘mark-down’ price, in light of the problems the poor quality of data, or service, is causing you.

Here are some questions you should be asking your blocklist provider to ensure you’re getting quality for less:

1. How many mailboxes do your blocklists protect?

A simple way to check how trusted the provider’s data sets are is to ask how many mailboxes their current blocklists/DNSBLs are protecting. As a benchmark, Spamhaus currently protects 3 billion mailboxes every day, 365 days a year.

2. What is your catch rate?

Find out the amount of email-borne threats that are blocked by the data sets you’re considering purchasing. Ensure an independent source verifies this figure; for example,  Virus Bulletin.*

3. How reliable is your service?

There’s no point in purchasing quality data if you’re going to have latency issues. Spamhaus has 80+ commercial mirrors distributed around the globe, ensuring our data is always available at low latency, no matter where in the world you are located.

4. What is your false-positive rate?

False positives create issues for your customer/user base. The knock-on effect is an increase in the amount of inbound traffic your help desk has to deal with. Ultimately this creates additional ‘noise’ for your team and pushes up your resource costs.

5. How are false positives remediated?

Establish what the process is for remediating a false positive, as and when it does occur. Does the process comply with the Internet Research Task Force’s (IRTF) best current practices, as detailed here. Is the cost borne by the block list provider or you?

6. How will I receive the blocklist data?

There are several ways data can be transferred from your provider to you. Ensure you will be receiving the updates in as near to real-time as possible.

7. How broad is the data from which the blocklists are compiled?  

Data sets should be based on a broad range of data from independent sources. These should include numerous sectors ranging from Internet Service Providers (ISPs) to Enterprise businesses, in addition to in-house spam traps and honey pots.

8. How is your data produced?

The threat landscape changes at an incredible speed, so one approach/system does not cut it. Your provider must have multiple engines backed up by a team of dedicated and experienced spam researchers. Techniques including machine learning, alongside heuristics and manual investigations should be utilized.

Remember; it’s quite easy to produce a blocklist. However, to do so for decades with consistently high catch rates and low false positives requires commitment, processes and people.

9. Are you going to be asked to purchase additional hardware or software leading to capital expenditure?

Some providers focus solely on supplying threat intelligence data. This data is plugged directly into your existing infrastructure, with no extra costs. However, others may require you to purchase additional hardware or software leading to capital expenditure.

10. Will the data be tailored to the specific campaigns targeting my company and customers/users? 

Ask your potential provider how they can make the data you receive from them more relevant to the threats you are being subjected to.

Happy shopping!


SpamAssassin and the Spamhaus Data Query Service (DQS) blocked 99+% email-borne threats in VB Tests.


Related Products

Data Query Service (DQS)

Spamhaus’ Data Query Service (DQS) is an affordable and effective solution to protect your email infrastructure and users.

Using your existing email protection solution, you will be able to block spam and other related threats including malware, ransomware, and phishing emails.

The service has never failed and utilizes the longest established DNSBLs in the industry.

  • Proactive & preventative
  • Save on email infrastructure & management costs
  • Actionable


Three months free data access for Cyren customers – no strings attached

3 February 2023


To take immediate pressure off affected Cyren customers and provide the gift of time to make informed decisions, our data will be offered for free, for 3 months. No strings attached.

Working together with FIRST for the good of the internet

23 May 2022


We’re thrilled to announce that Spamhaus is now an official member of the Forum of Incident Responders and Security Teams (FIRST). Find out about the importance of the membership and what's coming next.

Constant Contact keeps outbound email safe with Spamhaus’ domain data

12 May 2022

Case Study

Email software provider, Constant Contact, has a duty of care to their customers and email recipients alike to prevent malicious behavior via outbound email. See how they’re using our domain data to tackle this.