Spam Resource Newsletter

Spamhaus is not blocking Gmail


A friend warned me of a scenario that could have the potential to freak people out, if misunderstood. It looks like this:

  1. This person is using Spamhaus to filter inbound mail.
  2. They seem to be rejecting mail from Gmail due to a Spamhaus listing.
  3. The Spamhaus website DOES suggest there might be an SBL entry (a blocklisting) for Gmail.

So...Spamhaus is blocking Gmail? NO, no no. Gmail is not blocklisted by Spamhaus. Promise. Here's what's actually happening.

  1. Using Spamhaus is good, but querying Spamhaus using open/public DNS resolvers is bad. Spamhaus is actually rejecting those queries -- they're not blocking mail from Gmail. The person running into this problem needs to switch over to using the Spamhaus DQS (Data Query Service), and that ought to just flat out fix things.
  2. As noted above, the rejections are actually because the email administrator of the mailbox provider or mail server in question has configured Spamhaus in a way that is no longer allowed -- you simply can't use Spamhaus with open or public DNS servers any longer.
  3. Gmail does have SBL entries on the Spamhaus website (here's an example). BUT, open the "more information" part of the entry and you'll see that it says this, clear as day: "This SBL record is informational ONLY. The listing is not active, and will not result in any email being blocked. We are publishing this as an alert to the owner of the network." Informational SBL records are well known to those of us in deliverability-land. They're a warning that Spamhaus is indeed seeing spam from that IP address or network range, but they're holding back on blocking -- very much because they don't want to block legitimate mail carelessly.

Thus, no, Spamhaus has not blocklisted Gmail.

How to tell? Query an SBL "test entry" directly against DNS. Type "host 2.0.0.127.zen.spamhaus.org" in your Linux command line from that mail server. Or better yet, append the IP address of your DNS server to the end of it. (If you were using Cloudflare public DNS, that would be 1.1.1.1.) So, type "host 2.0.0.127.zen.spamhaus.org 1.1.1.1" and see what the results are.

  • A result of "2.0.0.127.zen.spamhaus.org has address 127.255.255.254" then your queries are being blocked because you're using an open or public DNS server.
  • A result with multiple responses, usually "127.0.0.2, 127.0.0.4, 127.0.0.10" means the query actually worked properly.
  • A result with "not found" or "NXDOMAIN" likely means something else is wrong and you might need to investigate further.

If/when you configure your mail server to query Spamhaus using their DQS (Data Query Service), your queries will actually look like "2.0.0.127.(code).zen.dq.spamhaus.net" where (code) is a unique code assigned to you.

And for what it's worth, I use Spamhaus to block inbound mail from IPs listed on their blocklists, and I am receiving mail from Gmail users just fine.

If you're having trouble with all of this and need assistance, here's where to go to ask for help.

This isn't actually that new; Spamhaus has been warning of blocking these types of queries for more than a year now, and Spamhaus made a particular point of warning about querying their blocklists from AWS or via Cloudflare.

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.

Previous Post Next Post