Status:  Production
IPv4 only

Cloud DNS:  <key>
Rsync File
:  lists/

Return Codes:,
Test Points

Listing duration:  Indefinitely


This is our email "Policy” blacklist which aims to list all IP addresses that should not be connecting directly to external SMTP servers, but should instead be using their ISP or mail providers smarthost to relay messages using some form of SMTP authentication.

It is built by constantly scanning the entire IPv4 range and applying a policy that states:  

  • An IP address MUST have rDNS.
  • rDNS must not be 'templated' e.g. two or more octets of the IP address MUST NOT appear (this can be in hex, decimal etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp* etc.) and should reflect the hostname of the SMTP server.
  • Contiguous ranges of IP addresses MUST NOT have the same rDNS. is returned for hosts with generic rDNS. is returned for hosts with no rDNS.

Anyone can request a delist from this zone and a semi-permanent exception will be created automatically.  Exceptions are only pruned when they are no longer necessary, but in the future we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

NOTE: This zone should only be used on border SMTP hosts, it should not be used on smarthosts or SMTP AUTH outbound servers as you could block your own customers.

NOTE: Do not use this list for Received headers hops, or for anything other than checking IP addresses that handoff to your mail server(s) as doing so will cause significant numbers of false-positives.

Example query:

$ host<key><key> has address<key> has address

Note for rsync users

There is also a zone file called "" which is now deprecated.  This was a stricter version of the Policy Blacklist which also included hosts which contained "static" within their rDNS labels.   Please check that you are using the correct zone file as "" will be removed in the future to save bandwidth and confusion.

Did this answer your question?