Are you currently using the Spamhaus Project's DNS Blocklists (DNSBLs)? Do you access them via the Public Mirrors, for example, by querying "sbl.spamhaus.org"? Do you use Cloudflare's DNS? If you've answered "yes" to all three of those questions, you need to make some changes to your email infrastructure. These changes are quick and easy to make, but if you fail to make them, you could find that at some point in 2022, all or none of your email is blocked!

The headlines for those in a hurry

The Spamhaus Project’s Terms of Use state that it doesn’t allow users to query via DNS resolvers where there is no attributable reverse DNS; this includes Cloudflare (we’ll explain why later in this article).

To provide a clear signal to these users that these blocklists are not protecting their email, Spamhaus will return an error code: 127.255.255.254. If you haven’t set up your email servers to accept this error code, all emails could be rejected and bounced back to their sender.

To prevent any issues with your email stream, stop accessing Spamhaus’ free blocklists via the Public Mirrors and start accessing the blocklists via our free Data Query Service (DQS), which you can sign up for here.

Once you’ve verified your email address, you will get access to a “DQS key” to include in your configuration. These config changes take only minutes; see our technical docs for more detail.

Why isn’t the Spamhaus Project allowing Cloudflare users to query its public blocklists?

The blocklists that the Spamhaus Project makes freely available via its Public Mirrors are for small-scale, non-commercial use. To ensure these users have a good quality of service, usage is monitored and measured against the Project’s Terms of Use.

Cloudflare masks organizations’ queries to the Project’s Public Mirrors, so the team can’t attribute usage to individual entities. They have no way of establishing the number of queries a single organization is making.

To provide transparency, these free blocklists can be accessed via the free DQS.

How is the free DQS different from the free Public Mirrors?

How to access the free DQS

  1. Sign up for an account
  2. Verify your email address
  3. Log in to your account and access your DQS key
  4. Update your email configuration. We have config guides for mainstream MTAs.

How will Cloudflare users be prevented from querying Spamhaus’ free DNSBLs?

To ensure its Terms of Use are adhered to, the Spamhaus Project will block queries from any IP address that falls outside the policy, and it will return an error code. When the query arrives via an open/public resolver such as Cloudflare, the error code is 127.255.255.254.

If your MTA can’t correctly parse these error codes, serious issues can occur, including bouncing all emails back to their senders and your emails not being queried against the blocklists. Here’s how to properly configure your MTA to process these error codes, if you continue to use the Spamhaus Project’s DNSBLs.
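The return-code handling described above, as an added example (not Spamhaus' or any MTA's own code): it contrasts the "any answer means listed" logic that bounces all mail with a classifier that separates listings from error codes. The function names, the treatment of the whole 127.255.255.0/24 range as errors, and the accept-and-alert policy are assumptions made for illustration.

```python
import ipaddress

# Code named on this page: query arrived via a public/open resolver.
PUBLIC_RESOLVER_ERROR = ipaddress.ip_address("127.255.255.254")
# Assumption: everything in 127.255.255.0/24 is an error signal, not a listing.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")
# Assumption: genuine listing codes are loopback addresses below that range.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone="sbl.spamhaus.org"):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def naive_is_listed(answers):
    """Broken logic: any A record at all is taken to mean 'listed'."""
    return bool(answers)


def classify(answers):
    """Map the A records of a DNSBL lookup to (verdict, detail)."""
    if not answers:  # NXDOMAIN: the address is not on the list
        return ("not_listed", "no A record")
    addrs = [ipaddress.ip_address(a) for a in answers]
    errors = [a for a in addrs if a in ERROR_RANGE]
    if PUBLIC_RESOLVER_ERROR in errors:
        return ("error", "query came through a public/open resolver")
    if errors:
        return ("error", f"DNSBL error code {errors[0]}")
    if all(a in LOOPBACK for a in addrs):
        return ("listed", ", ".join(str(a) for a in addrs))
    # Non-loopback answer: resolver rewriting or wildcard DNS, not a listing.
    return ("error", "unexpected answer outside 127.0.0.0/8")


def smtp_action(verdict):
    """Reject on real listings only; errors deliver mail but raise an alert."""
    return {"listed": "reject", "not_listed": "accept",
            "error": "accept_and_alert"}[verdict]
```

The alert on the error path matters as much as avoiding the bounce: while the error code is being returned, no message is actually being checked against the blocklist.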

When will the Spamhaus error code for Cloudflare DNSBL users be introduced?

This year, the Spamhaus Project will slowly implement the error code across Cloudflare IP space, commencing from Tuesday, February 15th, 2022.

Please don’t delay – take action now and move to the free DQS.

What if I don’t want to use the free DQS?

  1. Use DNS resolvers with attributable DNS to continue being protected by Spamhaus’s IP and domain reputation.
  2. If you no longer wish for your mail stream to be protected for free by Spamhaus’ blocklists, remove all associated configurations from your email infrastructure.

Further details

Additional information for Spamhaus Project’s DNSBLs users having issues due to error codes is detailed here.

Previous communications that were sent in relation to these changes can be found here:

Any questions?

Not a problem – reach out to us via Twitter @spamhaustech or our contact form, and we’ll try to answer any question you have or, failing that, we’ll pass it on to the Spamhaus Project for a response.
