← All articles
Monitor types · 7 min read

How to Monitor Email Blacklist Status (Spamhaus, SORBS, and Others)

A pile of letters and envelopes stacked on a wooden desk.

Landing on an email blacklist is one of the most invisible operational failures in the industry. Your outbound emails stop reaching inboxes, your customers do not get password resets or notifications, your support team starts fielding tickets from people who claim they never got the email, and nothing in your own logs explains why. The mail leaves your server. The recipient never sees it. This guide covers how to monitor for blacklist listings, which lists actually matter, and what to do when one fires.

Why blacklist listings are silent failures

When a recipient mail server rejects your email because of a blacklist listing, it returns a 5xx code that names the blacklist. Your sending infrastructure records the failure. Your application code never sees it. The customer never receives the email and never knows.

The result is a slow-moving incident that can run for days before someone notices. The first signal is usually a single customer support ticket, then a pattern of password-reset complaints, then someone in marketing notices that open rates have collapsed. By the time the issue is recognised, reputation damage is real and recovery takes weeks.

The blacklists that actually matter in 2026

There are hundreds of DNSBL lists. Most receive minimal traffic from real mail servers. Five lists do the bulk of the rejection work and are worth monitoring.

  • Spamhaus ZEN (zen.spamhaus.org). The most widely-consulted blacklist by major providers. A listing here cuts deliverability by a large margin.
  • SpamCop (bl.spamcop.net). Volunteer-driven but consulted by many mail servers.
  • Barracuda Reputation Block List (b.barracudacentral.org). Used by Barracuda's products and by some independent mail servers.
  • SORBS (dnsbl.sorbs.net). Older, slower to delist, but still consulted by enterprise mail servers.
  • SURBL (multi.surbl.org). Focuses on URLs in email bodies. Listings here mean the link destinations are flagged, not the sending IP.

How a blacklist monitor works

A blacklist monitor performs a DNS lookup. For each list, the monitor reverses your sending IP, prepends it to the list's domain, and looks up the resulting hostname. If the lookup returns an A record, your IP is listed. If it returns NXDOMAIN, your IP is clean.

Example: to check whether 192.0.2.1 is on Spamhaus ZEN, the monitor looks up 1.2.0.192.zen.spamhaus.org. A returned A record means listed. A NXDOMAIN means clean. The lookup is fast and cheap. Run it hourly per IP per list and alert on the first listed result.

Which of your IPs to monitor

Monitor every IP that sends mail on your behalf. Forgetting one is the common mistake.

  • Your transactional sender (Postmark, Postal, SendGrid, etc.). Most have shared pools; if you have a dedicated IP, monitor it.
  • Your marketing sender (Mailchimp, Customer.io, etc.). Same logic: dedicated IPs need monitoring; shared pools are the provider's responsibility.
  • Your own mail server if you operate one. The most likely candidate for accidental listing.
  • Any cron-driven sender that writes directly to SMTP from your application. Easy to forget; common source of listings from spammy retry behaviour.

What to do when an alert fires

A listing is recoverable, but only if you act on it within hours, not days. Three steps cover the common case.

First, identify what changed. Was there a recent campaign with high complaint rates? A spike in bounces? A configuration change that disabled SPF or DKIM? The cause determines the fix. Second, follow the blacklist's delisting process. Most provide a self-service form. Be honest about the cause; deception extends the listing. Third, throttle outbound mail to recover sending reputation gradually. Burning hard after a delisting often causes re-listing within hours.

Habits that keep you off blacklists

Three habits prevent most listings. Authenticate every outgoing email with SPF, DKIM, and DMARC; missing or broken auth is the most common trigger for spam classification. Keep complaint rates below 0.1%; most providers will list you above 0.3%. Watch bounce rates; a spike of hard bounces signals stale list usage and triggers automatic listing on several DNSBLs. Together, those three habits plus hourly blacklist monitoring catch and prevent the slow-moving listing incident before it eats your deliverability.

Try MonitorAH free

Three monitors, alerts in under a minute, no credit card. Cover one website and one cron job in the time it takes to read this paragraph.

Start monitoring

Related articles

A glowing padlock icon overlaying a stream of network data.
Monitor types · 8 min read

SSL Certificate Monitoring: a Practical Guide for 2026

How to monitor SSL certificate expiry, what to alert on, and the operational habits that stop browser warnings in their tracks.

A wall of analog clocks at slightly different times in a modern office.
Monitor types · 8 min read

Cron Job Monitoring with Heartbeats: a Practical Tutorial

How heartbeat monitoring catches the cron jobs that fail silently, with concrete examples in bash, Python, and Node.

A code editor showing API request and response in a dark theme.
Monitor types · 8 min read

How to Monitor a REST API for Uptime and Response Time

What to check in a REST API monitor, the right thresholds, and how to catch the silent failures that ping checks miss.