An overview
To stop its Public Mirror infrastructure from being abused, the Spamhaus Project will block queries if usage is outside their Fair Use Policy, e.g. if they come via a public/open resolver, or a user makes an excessive number of queries.
The Project is introducing two error codes to provide a clear signal that there is an issue to users. Users will experience problems if their email infrastructure isn’t set up correctly to parse error codes.
- Why are you suddenly having issues with your email infrastructure?
Spamhaus has introduced the following error codes; 127.255.255.254, and 127.255.255.255. Your MTA needs to be configured to correctly parse them.
- Why have these error codes been introduced?
To make sure that users of the Project's legacy blocklists, who are querying via a public resolver or making an excessive number of queries, know that their email stream isn't protected with Spamhaus' blocklist data.
- What can be done to resolve the issue?
Sign up for the Data Query Service. You get access to all the same blocklists, along with additional ones and the data is delivered in real time. Re-configuration will only take minutes.
If you’re using Spamhaus’ free legacy blocklists and suddenly experiencing problems with your email, start by answering the questions below and follow the step-by-step guidance.
Which email error code is affecting your mail stream?
Before troubleshooting, identify the error code that’s causing delivery issues:
Error Code 127.255.255.254– how to fix this error.
Error Code 127.255.255.255 – how to fix this error.
Error code 127.255.255.254 is causing problems for my email stream
Answer these two questions:
Are you using blocklists available via the Spamhaus Project’s free Public Mirrors?
Are you querying the blocklists via a public/open resolver, e.g., OVHCloud or Cloudflare? If the answer is “yes” to both, you are likely getting an error code because you are using a resolver with non-attributable DNS. Keep reading below to find out how to fix the problem.
If the answer is “no” to #2, then skip to Error code 127.255.255.255 is causing problems for my email stream.
Spamhaus doesn’t allow queries via public/open resolvers
The Project’s Public Mirrors exist to help small independent businesses, schools, and non-profit organizations safely filter their email at no cost. See their Fair Use Policy.
Unfortunately, some users take advantage of a public resolver’s anonymity and use the Public Mirrors for large-scale queries. As a result, queries made via a public/open server may be blocked, returning the result: “NXDOMAIN” (non-existent domain), i.e., no query you run via a public resolver returns a “listed” result.
For further information, read Successfully accessing Spamhaus’ free blocklists using a public DNS.
The reason for introducing error codes:
Many users are unaware their email stream isn’t protected when querying via a public/open resolver. To provide a clear signal of an issue, the Project is introducing the error code: 127.255.255.254.
If users don’t have their email infrastructure set up to parse error codes correctly, they will experience problems with their email stream.
How was this communicated?
The Spamhaus Project has been planning this for some time and has published several articles introducing these error codes.
- Spamhaus DNSBL return codes: technical update
- Using our public mirrors? Check your return codes now. The Project Team has been slowly rolling out the introduction of these error codes to ensure they can assist users who are struggling with their email configuration.
How to fix the problem:
You have two options:
If you want to continue querying using a public/open resolver, use the FREE Spamhaus Data Query Service (DQS).
If you want to continue querying the Public Mirrors and not move to the DQS, your queries must come from a dedicated IP with attributable reverse and forward DNS.
To understand how functionality compares between the different Spamhaus DNSBL offerings, take a look at this table.
How to move to the free Data Query Service:
- Ensure you can receive your welcome email once you’ve signed up for the DQS:
- Sign-up using an address that isn’t currently experiencing issues with receiving email, or
- Correctly configure your MTA to accept error codes with these Public - Mirror Config Guides for commonly used MTAs, or
- Remove the blocklist configuration from your MTA.
Sign-up using this form.
Follow the instructions in your ‘welcome’ email from Spamhaus; log into the Customer Portal and get your unique Data Query Service key.
Reconfigure your MTA using these DQS Config Guides. Reconfiguring should only take a matter of minutes.
How to keep using the Public Mirrors
Remember: To successfully query the Public Mirrors, your queries need to come from a dedicated IP with attributable reverse and forward DNS. Use these Config Guides for the Public Mirrors to configure your MTA to parse error codes correctly.
Error code 127.255.255.255 is causing problems for my email stream
Answer these two questions:
Are you using blocklists available via the Spamhaus Project’s free Public Mirrors? Are you regularly making a large number of queries to the Public Mirrors?
If the answer is “yes” to both, you are likely getting an error code because you are making an excessive number of queries to the Public Mirrors. Keep reading below to find out how to fix the problem.
If you don’t believe that either of these newly introduced error codes is why you are experiencing issues, contact the Spamhaus Project directly.
Spamhaus doesn’t allow large volumes of queries via the Public Mirrors.
The Project’s Public Mirrors exist to help small independent businesses, schools, and non-profit organizations safely filter their email at no cost. They are not suitable for commercial organizations or large query volumes.
Where users take advantage of this free service and are regularly outside the Fair Use Policy, the Spamhaus Project may return “NXDOMAIN” (non-existent domain), i.e., none of your queries will return “listed” result.
The reason for introducing error codes:
Many users are unaware their email stream isn’t protected when they’re outside the Fair Use Policy. To provide a clear signal of an issue, the Project is introducing the error code: 127.255.255.255.
If users don’t have their email infrastructure set up to parse error codes correctly, they will experience problems with their email stream.
How was this communicated?
The Spamhaus Project has been planning this for some time and has published several articles introducing these error codes.
The Project Team has been slowly rolling out the introduction of these error codes to ensure they can assist users who are struggling with their email configuration.
How to fix the problem:
You have two options:
If you want to continue querying at your current volumes, you can move to the commercial-grade Spamhaus Data Query Service (DQS).
If you want to continue querying the Public Mirrors, ensure you stay within the Spamhaus Project’s Fair Use Policy.
To understand how functionality compares between the different Spamhaus DNSBL offerings, take a look at this table.
How to move to the Data Query Service:
You can trial the blocklists for free for 30-days. You will get access to additional blocklists and all queries will be real time.
- Ensure you can receive your welcome email once you’ve signed up for the 30-day DQS trial:
- Sign-up using an address that isn’t currently experiencing issues with receiving email, or
- Correctly configure your MTA to accept error codes with these Public Mirror Config Guides for commonly used MTAs, or
- Remove the blocklist configuration from your MTA.
Sign-up using this form.
Follow the instructions in your ‘welcome’ email from Spamhaus; log into the Customer Portal and get your unique Data Query Service key.
Reconfigure your MTA using these DQS Config guides. Reconfiguring should only take a matter of minutes.
How to keep using the Public Mirrors
Remember: For continuous protection, stay within the Fair Use Policy and don’t make excessive queries.
Use these Config Guides for the Public Mirrors to configure your MTA to parse error codes correctly.