What Is a DNSBL (DNS Blocklist)?
A DNSBL, short for DNS-based blocklist, is a list of IP addresses or domains tied to spam and abuse that mail servers can query over regular DNS. When a message arrives, the receiving server checks the sender against one or more of these lists in a fraction of a second. If the sender is listed, the mail can be rejected outright or dropped into a spam folder before a human ever sees it. Reputation lists like these are one of the oldest and most widely used defenses against junk mail, and they sit at the center of domain reputation.
The reason DNSBLs exist is volume. A busy mail server cannot afford a slow lookup for every connection, and DNS is already fast, cached, and distributed worldwide. By piggybacking on the DNS infrastructure that every server already uses, a blocklist operator can answer millions of queries cheaply. That efficiency is also why blocklist status feeds so directly into domain reputation: a single listing can quietly suppress an entire domain's email deliverability.
How a DNSBL query actually works
The mechanics are defined in RFC 5782, which documents the de facto standard that operators follow. For an IP-based list, the server takes the sending IPv4 address, reverses the order of its four octets, and appends the blocklist's zone name. An address of 192.0.2.5 checked against a zone called example-bl.org becomes the query name 5.2.0.192.example-bl.org.
The server then asks for an A record under that name. The answer is the verdict:
| Query result | Meaning |
|---|---|
| A record returned (in 127.0.0.0/8) | The address is listed |
| NXDOMAIN (no record) | The address is not listed |
| 127.0.0.2 (common code) | Listed for spam, the typical "hit" code |
| 127.0.0.x variations | Coded sub-categories, defined per operator |
| TXT record present | Human-readable reason or a link to details |
The returned 127.0.0.x address is not a real host; it is a coded answer. Operators use the final octet to signal why the entry was added, so 127.0.0.2 might mean direct spam while another value flags an open proxy or a compromised host. RFC 5782 also describes how a separate TXT query returns a plain-text explanation, which is what mail logs and bounce messages often quote back to a sender.
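The query construction and answer handling described above, as an added Python example that is not from the original article. It also covers IPv6, which RFC 5782 handles with nibble-reversed labels; the function names, the constructed sample replies, and the policy of reporting answers outside 127.0.0.0/8 as invalid are assumptions of this example.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reversed address labels followed by the blocklist zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer gives '5.2.0.192.in-addr.arpa' (IPv4) or 32 reversed
    # nibbles + '.ip6.arpa' (IPv6); drop the arpa suffix, keep the labels.
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    labels = addr.reverse_pointer[: -len(suffix)]
    return f"{labels}.{zone.strip('.')}"

def interpret_answer(a_records):
    """Turn the A records of a reply into (verdict, final-octet codes).

    An empty list stands for NXDOMAIN. Any address outside 127.0.0.0/8 is
    not a coded answer (for example a resolver rewriting NXDOMAIN), so the
    reply is reported as invalid instead of as a listing.
    """
    if not a_records:
        return ("not_listed", [])
    addrs = [ipaddress.ip_address(a) for a in a_records]
    if any(a not in LOOPBACK for a in addrs):
        return ("invalid", [])
    # The meaning of each code is defined per operator.
    return ("listed", sorted(int(a) & 0xFF for a in addrs))

def lookup(ip, zone):
    """Live A-record query through the system resolver."""
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:   # name does not exist
            return interpret_answer([])
        return ("error", [])                 # timeout, SERVFAIL, ...
    return interpret_answer([info[4][0] for info in infos])

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.5", "example-bl.org"))
    # Constructed sample replies: NXDOMAIN, a coded hit, a rewritten answer.
    for reply in ([], ["127.0.0.2"], ["203.0.113.10"]):
        print(reply, interpret_answer(reply))
```

Keeping a lookup failure separate from NXDOMAIN matters in practice: a timed-out query says nothing about whether the sender is listed.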
IP-based lists, domain-based lists, and allowlists
Not every blocklist works on IP addresses. A domain-based list, often called a DBL, checks the domains found inside a message: the sender domain, links in the body, and similar identifiers. Spamhaus, one of the better-known operators, runs both styles and publishes guidance on each through its site. Domain lists are useful because spammers rotate IPs quickly but tend to reuse the cheap throwaway domains they advertise.
The mirror image of a blocklist is a DNSWL, a DNS-based allowlist (sometimes called a whitelist). It uses the identical reversed-IP query format, but a hit means "this sender is known and trusted," nudging a message toward the inbox rather than the junk pile. Receiving servers often weigh allowlist and blocklist results together rather than treating either as an absolute yes or no.
What a listing causes, and the false-positive problem
Being listed has real consequences. Depending on the receiver's policy, your mail may be rejected at the SMTP connection with a 5xx error, accepted but filed as spam, or silently delayed. Because most major providers consult several lists, one listing on a widely trusted zone can cut deliverability sharply.
False positives are the unavoidable cost of any blocklist. A shared hosting IP can be listed because of a noisy neighbor; a newly assigned address may inherit a prior tenant's bad history; an aggressive automated rule can catch a legitimate sender. Reputable operators publish clear delisting paths and avoid listing broad ranges without cause, but no list is perfect, which is why senders should monitor their own status rather than wait for complaints.
To dig deeper into one major operator, read Spamhaus explained. When you are ready to test your own address, see how to check if your domain or IP is blacklisted.
Frequently asked questions
What is a DNSBL?
A DNSBL is a DNS-based blocklist of IP addresses or domains associated with spam or abuse. Mail servers query it over ordinary DNS to decide whether to accept, reject, or flag a message.
How does a DNSBL work?
A mail server reverses the sending IP, appends the blocklist zone, and makes a DNS A-record query. An answer (typically in the 127.0.0.0/8 range) means the address is listed; NXDOMAIN means it is not.
What is the difference between a DNSBL and a DNSWL?
A DNSBL is a blocklist that flags bad senders, while a DNSWL is an allowlist (whitelist) that vouches for known-good senders. Both use the same DNS query mechanism but carry opposite meaning.