How blacklists work behind the scenes

Every now and then we get an email from a user who wants to know why our Blacklist tool shows them as being on a blacklist when the check tool on the blacklist’s own web page shows them as clear, or vice versa. A little background on how DNSRBLs work explains why this happens, and I hope you find it helpful when troubleshooting blacklist problems.

Blacklist Results

Blacklist operators generate lists of IP addresses or domain names that they would like to share with the world. DNS is a great way to publish IP addresses and hostnames in a very lightweight, fast, distributed way. The operator creates a domain zone and publishes records on their DNS server. So let’s say we create a blacklist called Example. We announce it to the world and let everybody know we are going to publish it at rbl.example.com. For every IP address that we want to add to our list, we publish an A record in our zone. Mail servers then attempt to resolve the IP in our zone, and if an A record is returned they know that the IP in question is “on the blacklist”. Domain-based lists work similarly.

Just like with all other DNS records, you do not always need to ask the DNS server that actually hosts the zone for an answer. In fact, most DNS queries are made against nearby DNS servers. Most people first query their ISP’s DNS servers. Many business networks are set up with a local DNS server for security as well as performance reasons. This way, once one person gets an answer for the IP address of google.com, additional queries are answered very quickly without having to traverse the internet. How long these cached results are stored is determined by the time to live (TTL) settings that are configured by the owner of the zone. This means that in addition to determining who they want to put on their list, blacklist operators determine how long you remain listed even after they remove you from the zone. They could do this for policy reasons or for the performance of their DNS servers. But what it means is that everyone who finds out that you are on the list will consider you “listed” until that TTL expires.

So I think you can see now how you could get a different answer from our tool than from the blacklist’s own check tool. Either we got a negative answer recently and are caching that, showing you as not listed when you in fact are, or we have a legitimate listing record on our server that hasn’t expired yet, and we will show you as listed even after you have been taken off at the source. It is important to realize that we report these cached results because this is what other email servers in the wild will see. If you get a positive result on our tool, once you request delisting you should check with the provider’s own check tool to see if you have been removed. Then you can see from our tool how long your TTL is before you will appear clean again to the email servers of the world.
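
The caching behaviour described in the last two paragraphs, as an added example that is not part of the original article: it builds the name a mail server looks up for an IP in the rbl.example.com zone and replays a listing, a delisting and a relisting through a caching resolver, so both kinds of disagreement with the operator's own check tool appear. The reversed-label query name and the 127.0.0.2 answer follow the usual DNSBL convention (RFC 5782); the class names, TTL values, sample IP and timeline are assumptions constructed for the illustration.

```python
import ipaddress

def dnsbl_qname(ip, zone="rbl.example.com"):
    """Query name for an IP: its labels reversed, prepended to the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:  # IPv6: one label per hex nibble
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(labels[::-1] + [zone])

class Zone:
    """Operator's authoritative zone: what the blacklist's own check tool sees."""
    def __init__(self, ttl, negative_ttl):
        self.ttl, self.negative_ttl, self.listed = ttl, negative_ttl, set()
    def query(self, qname):
        if qname in self.listed:
            return "127.0.0.2", self.ttl      # conventional "listed" A record
        return None, self.negative_ttl        # no record; also cacheable

class CachingResolver:
    """Nearby resolver: what a lookup tool or mail server sees."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}
    def query(self, qname, now):
        answer, expires = self.cache.get(qname, (None, 0))
        if expires <= now:                    # missing or expired: ask the source
            answer, ttl = self.upstream.query(qname)
            expires = now + ttl
            self.cache[qname] = (answer, expires)
        return answer, expires - now          # answer plus seconds left in cache

def replay():
    """Constructed timeline; returns (t, listed at source, listed in cache, ttl left)."""
    zone = Zone(ttl=3600, negative_ttl=300)   # constructed TTL values
    resolver = CachingResolver(zone)
    name = dnsbl_qname("192.0.2.25")          # documentation-range sample IP
    events = {0: zone.listed.add, 600: zone.listed.discard, 3700: zone.listed.add}
    rows = []
    for t in (0, 900, 3600, 3750, 3900):
        for when in sorted(events):           # apply operator changes due by time t
            if when <= t:
                events.pop(when)(name)
        cached, left = resolver.query(name, t)
        rows.append((t, zone.query(name)[0] is not None, cached is not None, left))
    return rows

if __name__ == "__main__":
    for row in replay():
        print(row)
```

At t=900 the source is clear while the cache still answers "listed" for another 2700 seconds; at t=3750 the source lists the IP again while the cached negative answer hides it for another 150 seconds.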