Email blacklists: what they are and how to check yours
Hundreds of shared registers quietly grade your domain’s reputation, and the world’s mail servers consult them millions of times a second. Here is how blacklisting happens, what it does to your email, and how to find out - for free - whether you are listed.
Among the systems silently deciding whether your email arrives, blacklists are the bluntest. A spam filter weighs dozens of signals and reaches a nuanced verdict; a blacklist is a register - your domain or your sending server’s address is on it or it is not - and for many receiving servers, “on it” simply ends the conversation.
Most businesses on a blacklist have no idea. Nobody writes to inform you; mail just starts bouncing or vanishing into junk folders, customer by customer, until someone joins the dots. Here is how the system works, how businesses end up listed, and how to check your status in one pass.
What blacklists are
Blacklists - also called blocklists or DNSBLs (Domain Name System blocklists) - are shared databases of IP addresses and domains associated with sending spam or malicious mail. Dozens of significant ones exist, operated by independent organisations: some venerable and widely trusted (Spamhaus chief among them), some niche, some aggressive to the point of eccentricity.
Receiving mail servers consult them in real time. When a message arrives, the receiver checks the sending server’s address - and often the sender’s domain - against one or more lists. A hit, depending on the receiver’s configuration, means outright rejection, junk-folder placement, or a heavy negative mark in the wider filtering decision covered in Why your emails are going to spam.
The crucial nuance for a small business: lists track sending infrastructure as well as domains. Your mail typically leaves through servers you share - your mail provider’s, your newsletter platform’s, your web host’s. Reputation is communal property on shared infrastructure, which cuts both ways, as we are about to see.
How domains and senders get listed
The common routes, in rough order of frequency for UK small businesses:
A compromised mailbox. A criminal obtains a password, quietly sends thousands of spam messages through the genuine account, and the spam traps and complaint systems that feed blacklists do their job. The business discovers the compromise via the listing - often the first symptom.
A compromised website. An out-of-date plugin lets an attacker turn the web server into a spam cannon. Since many small-business websites send legitimate mail (contact forms, order confirmations), the listing catches that too.
Marketing missteps. Sending to bought lists, to old lists full of dead addresses, or without working unsubscribe mechanisms generates the bounce rates and spam complaints that listings are made of. Enthusiasm plus a spreadsheet of “contacts” from 2017 has blacklisted many an innocent firm.
Bad neighbours. On shared hosting, another customer of the same server misbehaves and the shared IP address is listed - your mail suffers for someone else’s spam. You did nothing; you carry the consequence until the host resolves it or you move your sending elsewhere.
What it costs you, and how delisting works
The damage is silent and uneven: some recipients get your mail, some do not, depending on which lists each receiving server consults. Invoices unpaid because they never arrived, quotes that “must have gone to spam”, candidates who never got the offer - blacklisting presents as a string of small unexplained failures rather than one loud one.
Delisting follows a standard shape, with varying friction. First, fix the cause - delisting without remediation is a revolving door, and the major lists treat repeat offenders harshly. Then, request removal via the list’s own process: the reputable lists provide lookup and removal request pages, and respond in hours to days once the underlying problem is genuinely resolved. Some minor lists expire entries automatically; a few operate slowly or idiosyncratically. Beware of third parties selling “express delisting” - the legitimate processes are free, and no paid intermediary can shortcut Spamhaus.
One scope note, honestly stated: identifying the cause and fixing it - cleaning a compromised mailbox or website, changing sending practices - is remediation work for you or your IT supplier. SealedMail’s role is detection and explanation: telling you that you are listed, where, and what that means, in plain English.
Checking your status - and why once is not enough
Checking any single blacklist is straightforward; the catch is the plural. Meaningful coverage means querying your domain and sending infrastructure against the set of lists that receivers actually consult - and doing it regularly, because listings happen at any time and the silence afterwards is total.
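The lookup that receiving servers perform, and that a status check repeats across lists, is an ordinary DNS query: reverse the address, append the list's zone, and read the answer. The sketch below is an added example, not SealedMail's code; the two Spamhaus zones and all function names are assumptions chosen for illustration.

```python
import ipaddress
import socket

# Zones chosen for illustration (assumption): the page names only Spamhaus.
IP_ZONES = ["zen.spamhaus.org"]
DOMAIN_ZONES = ["dbl.spamhaus.org"]


def query_name(target, zone):
    """Build the DNS name a receiver looks up for an IP address or a domain."""
    try:
        ptr = ipaddress.ip_address(target).reverse_pointer
    except ValueError:
        # Not an IP: domain lists take the name as-is, prefixed to the zone.
        return f"{target.rstrip('.').lower()}.{zone}"
    # Keep the reversed octets (IPv4) or nibbles (IPv6); drop the .arpa suffix.
    return f"{ptr.rsplit('.', 2)[0]}.{zone}"


def system_resolver(name):
    """Return the A record for name, or None when the name does not resolve.

    Caveat: this simple resolver cannot tell NXDOMAIN from a DNS failure.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(answer):
    """Turn a raw DNS answer into a verdict."""
    if answer is None:
        return "not listed"          # no record: no entry on this list
    if not answer.startswith("127."):
        return "invalid"             # real lists answer inside 127.0.0.0/8
    if answer.startswith("127.255.255."):
        return "error"               # Spamhaus convention: query refused, not a listing
    return "listed"


def check(target, zones, resolve=system_resolver):
    """Check one IP or domain against several zones; resolve is injectable."""
    return {zone: classify(resolve(query_name(target, zone))) for zone in zones}


if __name__ == "__main__":
    # 127.0.0.2 is the standard test entry for IPv4 lists (RFC 5782).
    print(check("127.0.0.2", IP_ZONES))
    print(check("example.com", DOMAIN_ZONES))
```

An "error" verdict means the list declined to answer (Spamhaus does this for queries arriving via large public resolvers), so it says nothing about whether the target is listed; rerun the check through your own resolver before drawing a conclusion.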
Blacklist status is one of the seven checks in SealedMail’s Free Domain Health Check: your domain is screened against the major registers alongside SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI, with the results scored and explained in a plain-English certificate, by email, free, no sign-up. For subscribers, the same screening runs as part of every weekly report - so a new listing surfaces within days, with an explanation of what it is and what it implies, rather than months later via a customer’s puzzled phone call. (Authentication and reputation travel together: a domain with broken SPF is both more spoofable and more listable, which is why the checks come as a set - see What is SPF?.)