IP Blacklist Check
Check an IPv4 address against SpamCop and a curated set of commercial-OK blocklists. Listed results link straight to the operator's delisting page where one is published.
Last reviewed: June 2026
What is an IP blacklist?
A DNS-based Blocklist (DNSBL, or RBL — Realtime Blackhole List) is a published list of IP addresses flagged as sources of spam, abuse, or other unwanted traffic. Mail servers consult these lists at SMTP time to decide whether to accept, defer, or reject an incoming connection. A Tier 1 listing can get your outbound mail deferred or rejected by the mail servers that consult it.
This tool queries SpamCop and a curated set of commercial-OK lists, and adds refinements many DNSBL checkers skip:
- Honest list selection — only blocklists that permit this use and answer reliably over a shared public resolver. Lists with non-commercial-only terms, resolver-registration requirements, or public-resolver blocks are left out rather than queried and silently failing.
- Delisting links — a listing on a list that publishes a removal or lookup page links straight to it (for example, the SpamCop lookup).
- Self-healing list set — every DNSBL is health-checked per RFC 5782 (a working list must resolve 127.0.0.2 and must not resolve 127.0.0.1). Lists that fail the test are excluded from your results so a dead zone never causes a false timeout or false clean.
How an RBL lookup works
The mechanism predates modern DNS-over-HTTPS by about three decades: reverse the IP's octets, append the list's domain, and ask for an A record. To check 192.0.2.50 against bl.spamcop.net, the query is 50.2.0.192.bl.spamcop.net. The answer:
- NXDOMAIN — not listed. Clean.
- 127.0.0.2 through 127.0.0.x — listed. The exact octet encodes which sub-category the list assigned the IP.
- 127.255.255.254 — a rate-limit / over-quota signal (e.g. a public mirror refusing or throttling public-resolver queries); this is not a listing.
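The lookup and answer handling above, combined with the RFC 5782 health check from the feature list, as an added example (not this tool's own code). The function names, the zones under example.test and the resolver data are constructed for illustration; treating answers outside 127.0.0.0/8 as "unexpected" is an assumption of the example.

```python
import ipaddress

RATE_LIMIT = "127.255.255.254"   # over-quota signal described above, not a listing

def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map the A records of one lookup to a verdict; [] stands for NXDOMAIN."""
    if not answers:
        return "not listed"
    if RATE_LIMIT in answers:
        return "rate limited"
    if all(a.startswith("127.") for a in answers):
        return "listed " + ",".join(sorted(answers))
    return "unexpected answer"   # assumption: non-127/8 data means a parked zone

def healthy(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    return bool(resolve(dnsbl_name("127.0.0.2", zone))) and \
        not resolve(dnsbl_name("127.0.0.1", zone))

def check(ip, zones, resolve):
    """Query only zones that pass the health check; report the rest as excluded."""
    return {z: classify(resolve(dnsbl_name(ip, z))) if healthy(z, resolve)
            else "excluded" for z in zones}

# Constructed resolver data (hypothetical zones), so the example runs offline.
RECORDS = {
    "2.0.0.127.bl.example.test": ["127.0.0.2"],
    "50.2.0.192.bl.example.test": ["127.0.0.2"],
    "2.0.0.127.quota.example.test": ["127.0.0.2"],
    "50.2.0.192.quota.example.test": [RATE_LIMIT],
}

def fake_resolve(name):
    """Stand-in resolver: list of A records, [] for NXDOMAIN."""
    if name.endswith(".wild.example.test"):   # dead zone answering every name
        return ["127.0.0.2"]
    return RECORDS.get(name, [])

ZONES = ["bl.example.test", "quota.example.test",
         "wild.example.test", "gone.example.test"]

if __name__ == "__main__":
    for zone, verdict in check("192.0.2.50", ZONES, fake_resolve).items():
        print(zone, "->", verdict)
```

A live resolver passed as `resolve` should raise on timeouts and SERVFAIL rather than return an empty list, otherwise a failed query is indistinguishable from NXDOMAIN and reads as clean.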
The deep-dive blog post walks through the original 1997 design — clever, hostile to authoritative servers, and still in use today because nothing simpler has emerged.
Why your IP might be listed
Most listings have nothing to do with you sending spam directly. The common causes:
- Compromised device on your network — a router, IoT camera, or workstation running malware that proxies spam through your IP. The most common cause for residential listings.
- Shared hosting reputation — if you share an IP with other tenants and one of them sends bulk mail, the whole IP gets listed.
- Previous owner — IP addresses are recycled. A range that was used by a known spammer six months ago can still be carrying a listing today.
- ASN-level listings — some lists flag entire ASNs or subnets when single-IP listings cluster, which can be unfair to individual users on a shared network.
What to do if you're listed
Three steps, in order. Don't skip step one.
1. Find the cause first. Run a port scan on yourself, check for malware, audit which devices on your network can reach the SMTP port outbound. If you don't fix the source, the listing will return within hours of any delisting request, and most lists make repeated delisting progressively harder.
2. Request delisting through the list's process. Each list runs its own form. Larger operators tend to have well-documented self-service paths; smaller lists can be slow, undocumented, or essentially abandoned.
3. Wait. Many lists auto-expire entries after 24 hours to 30 days of clean behaviour. If you've fixed the underlying issue and the list's delisting process is glacial, patience often beats persistence.
Not all blacklists are equal
This is the most important thing to understand about RBL checkers. Many aggregator sites treat every hit the same — a hit on a list the big providers consult and a hit on a one-person volunteer list both look like “listed”. That's misleading. The list that matters is the one your recipient's mail server actually consults.
Tier 1 — SpamCop. A widely consulted real-time blocklist; among the lists this tool can query under commercial-OK terms, a listing here is the one most likely to cause a real deliverability problem.
Tier 2 — PSBL, DroneBL, GBUdb Truncate, SpamEatingMonkey, Interserver, and JustSpam. Supporting signal, occasionally consulted by smaller mail servers, useful for triage but rarely the reason a big mailbox provider is bouncing your mail.
Why some well-known lists are absent. A blacklist checker is only honest if it can query its lists under terms that fit this site. Several widely-cited DNSBLs are deliberately not included: their public-mirror terms restrict free use to non-commercial sites, require registering the querying resolver, or block large public DNS resolvers outright — none of which works for a free, ad-supported tool querying through a shared resolver. Spamhaus is among them — its free Data Query Service is licensed for non-commercial use only — so we query only feeds that permit this use. The data sources page has the per-list reasoning.
Lists that have shut down
Several once-prominent DNSBLs went offline in 2024 and 2025. If you see a checker still flagging hits from these, it's reading stale or zero-data zones:
- SORBS (all *.sorbs.net zones) — Proofpoint shut down the service on June 5, 2024. The zones still return DNS but no longer reflect current data.
- NiX Spam (ix.dnsbl.manitu.net) — Heise Online shut it down January 16, 2025.
This tool removed both entirely rather than show stale results.