The Spamhaus Project

If you query the legacy DNSBLs via Amazon Web Services' DNS, move to Spamhaus Technology's free Data Query Service

Are you currently using Spamhaus’ free DNS Blocklists (DNSBLs), and do you use Amazon Web Services' DNS? If you've answered "yes" to both of these questions, you need to make some changes to your email infrastructure.

by The Spamhaus Team | September 22, 2022 | 4 minutes reading time

Introduction

Are you currently using Spamhaus’ free DNS Blocklists (DNSBLs)? Do you access them via the Public Mirrors, for example, query “sbl.spamhaus.org”? Do you use Amazon Web Services’ (AWS) DNS? If you’ve answered “yes” to all three of those questions, you need to make some changes to your email infrastructure. These changes are quick and easy to make, but if you fail to make them, you could find that at some point soon, all or none of your email is blocked!

The headlines for those in a hurry

Our Terms of Use state that we do not allow users to query via DNS resolvers where there is no attributable reverse DNS; this includes AWS (we’ll explain why later in this article).

To provide a clear signal to these users that these blocklists are not protecting their email, we will return an error code: 127.255.255.254. If you haven’t set up your email servers to handle this error code, all emails could be rejected and bounced back to their sender.

To prevent any issues with your email stream, stop accessing the free blocklists via the Public Mirrors and start accessing the blocklists via Spamhaus Technology's free Data Query Service (DQS), which you can sign up for here.

Once you’ve verified your email address, you will get access to a “DQS key” to include in your configuration. These config changes take only minutes; see our technical docs for more detail.

Why isn't Spamhaus allowing AWS users to query the public blocklists?

The blocklists that we make freely available via our Public Mirrors are for small-scale, non-commercial use. To ensure these users have a good quality of service, usage is monitored and measured against the Project’s Terms of Use.

AWS masks organizations’ queries to the Public Mirrors, so the team can’t attribute usage to individual entities. We have no way of establishing the number of queries a single organization is making.

To provide transparency, these free blocklists can be accessed via Spamhaus Technology's free DQS.

How is the free DQS different from the free Public Mirrors?

How to access Spamhaus Technology's free DQS

  1. Sign up for an account
  2. Verify your email address
  3. Log in to your account and access your DQS key
  4. Update your email configuration. We have config guides for mainstream MTAs.

How will AWS users be prevented from querying Spamhaus’ free DNSBLs?

To ensure our Terms of Use are adhered to, we will block queries from a specific IP address outside the policy. We also return an error code. In the case of querying via an open/public resolver, i.e., AWS, the error code is 127.255.255.254.

If your MTA can’t correctly parse these error codes, serious issues can occur, including bouncing all emails back to their senders and your emails not being queried against the blocklists. Here’s how to properly configure your MTA to process these error codes, if you continue to use the free DNSBLs.
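The failure mode described above, as an added example that is not Spamhaus' or any MTA's own code: a lookup handler that treats any DNSBL answer as a listing rejects every message once 127.255.255.254 starts coming back, while one that separates error codes from listings keeps mail flowing and flags the problem. The function names, the 127.0.0.2 sample listing answer, the choice to treat all of 127.255.255.0/24 as errors, and the accept-and-alert policy are assumptions of this example.

```python
import ipaddress

# 127.255.255.254 is the error code named in this article. Treating the rest of
# 127.255.255.0/24 as "error, not a listing" is an assumption of this example.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
PUBLIC_RESOLVER_ERROR = ipaddress.ip_address("127.255.255.254")

def query_name(client_ip, zone="sbl.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def naive_is_listed(answers):
    """Flawed logic: any A record at all is taken as a listing."""
    return len(answers) > 0

def classify(answers):
    """Return (verdict, detail); verdict is 'listed', 'error' or 'not_listed'."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    errors = [a for a in addrs if a in ERROR_NET]
    if errors:  # an error code outranks anything else in the answer set
        if PUBLIC_RESOLVER_ERROR in errors:
            return "error", "query via open/public resolver (127.255.255.254)"
        return "error", "DNSBL error code " + str(errors[0])
    hits = [a for a in addrs if a in LISTING_NET]
    if hits:
        return "listed", ", ".join(str(a) for a in hits)
    return "not_listed", "NXDOMAIN or no 127.0.0.0/8 answer"

def smtp_action(answers):
    """Reject only on a real listing; on an error, accept and alert the operator."""
    verdict, _detail = classify(answers)
    if verdict == "listed":
        return "reject"
    if verdict == "error":
        return "accept+alert"  # the blocklist is not protecting this mail stream
    return "accept"

if __name__ == "__main__":
    # Constructed sample answers keyed by constructed client IPs, not real lookups.
    samples = {"192.0.2.10": ["127.0.0.2"],
               "192.0.2.11": ["127.255.255.254"],
               "192.0.2.12": []}
    for ip, answers in samples.items():
        print(query_name(ip), "naive_listed=%s" % naive_is_listed(answers),
              smtp_action(answers), classify(answers)[1])
```

The `accept+alert` result is the signal to act on: it means the blocklist lookups are returning errors rather than reputation data, so the resolver or the query method needs changing.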

When will the error code for AWS DNSBL users be introduced?

This year, we will slowly implement the error code across AWS’ IP space, commencing from Tuesday, Oct 18th, 2022.

Please don’t delay – take action now and move to the free DQS.

What if I don’t want to use Spamhaus Technology's free DQS?

  1. Use DNS resolvers with attributable DNS to continue being protected by Spamhaus’ IP and domain reputation.
  2. If you no longer wish for your mail stream to be protected for free by Spamhaus’ blocklists, remove all associated configurations from your email infrastructure.

Further details

Additional information for free DNSBLs users having issues due to error codes is detailed here.

Previous communications sent in relation to these changes can be found here:

Any questions?

Not a problem – reach out to us via Twitter @spamhaus and we'll get back to you with a response.
