DNS Blocklist Monitoring
A blocklisted domain or sending IP can quietly destroy your email deliverability and traffic. ZoneWatcher continuously checks your zones against the major email-reputation, malware-filtering, and family-content blocklists, and alerts you the moment something changes.
Overview
Once enabled for your team, ZoneWatcher checks every monitored zone against 23 curated blocklists across 5 categories. Each result is recorded per zone, kept current on a daily cadence, and surfaced in the "Blocklists" tab on the zone view.
When a zone transitions from clean to listed (or vice versa), we send a notification through every channel you've configured for that zone — email, Slack, Microsoft Teams, Discord, webhooks, Jira, or GitHub Issues — including the listing reason and a direct link to the blocklist's delisting tool when one is available.
How we check
We use three different techniques depending on the type of blocklist:
IP-based DNSBLs
For email-reputation lists like Spamhaus and Barracuda, we take the apex A records already synced from your DNS provider, reverse the IPv4 octets, append the blocklist's lookup zone (e.g. 5.113.0.203.zen.spamhaus.org), and look up the resulting hostname. An answer in the 127.0.0.0/24 range means the IP is listed; the exact value tells us why.
Domain-based DNSBLs
For URI/domain reputation lists like Spamhaus DBL, SURBL, and URIBL, we append your zone's domain to the blocklist's lookup zone (e.g. example.com.dbl.spamhaus.org) and run the same lookup. The same 127.0.0.x answer scheme tells us the listing reason.
Filtering DNS resolvers
For services like Cloudflare 1.1.1.2, Quad9, and OpenDNS, we query the resolver directly and look at how it responds. A block can show up as NXDOMAIN, REFUSED, or a known sinkhole address (e.g. 0.0.0.0 from AdGuard, 146.112.61.x from OpenDNS). We always run a control query against an unfiltered resolver first, so we don't false-positive on domains that simply don't exist.
Email Reputation (IP)
Detects whether the zone's sending IP addresses are listed on email reputation blocklists used by mail receivers to reject inbound mail.
| Blocklist | Endpoint | Description | Delisting |
|---|---|---|---|
| Spamhaus ZEN |
zen.spamhaus.org
|
Combined Spamhaus list (SBL + XBL + PBL + CSS). The most widely consulted email reputation blocklist. | Lookup tool ↗ |
| Spamhaus SBL |
sbl.spamhaus.org
|
Spamhaus Block List — manually curated spam sources. | Lookup tool ↗ |
| Spamhaus XBL |
xbl.spamhaus.org
|
Spamhaus Exploits Block List — exploited hosts and open proxies. | Lookup tool ↗ |
| Spamhaus PBL |
pbl.spamhaus.org
|
Spamhaus Policy Block List — IP ranges that should not be sending mail directly. | Lookup tool ↗ |
| Barracuda Reputation |
b.barracudacentral.org
|
Barracuda Reputation Block List for inbound mail filtering. | Lookup tool ↗ |
| SpamCop |
bl.spamcop.net
|
SpamCop Blocking List — auto-expiring listings derived from user reports. | Lookup tool ↗ |
| SORBS Aggregate |
dnsbl.sorbs.net
|
SORBS aggregate DNSBL covering spam sources, exploited hosts, and dynamic IP space. | Lookup tool ↗ |
| UCEPROTECT Level 1 |
dnsbl-1.uceprotect.net
|
UCEPROTECT Level 1 — strict per-IP listing of confirmed spam sources. | Lookup tool ↗ |
Email Reputation (Domain)
Detects whether the zone's domain is listed on URI/domain reputation blocklists used to filter spam, phishing, and abusive content.
| Blocklist | Endpoint | Description | Delisting |
|---|---|---|---|
| Spamhaus DBL |
dbl.spamhaus.org
|
Spamhaus Domain Block List — spam, malware, and phishing domains. | Lookup tool ↗ |
| SURBL Multi |
multi.surbl.org
|
SURBL multi-zone — domains found in spam, malware, phishing, and abuse messages. | Lookup tool ↗ |
| URIBL Multi |
multi.uribl.com
|
URIBL multi-zone — black, grey, and red zones for spam URI domains. | Lookup tool ↗ |
Malware Filtering DNS
Detects whether the zone's domain is being blocked by public security-focused DNS resolvers as malware, phishing, or otherwise unsafe.
| Blocklist | Endpoint | Description | Delisting |
|---|---|---|---|
| Cloudflare Security (1.1.1.2) |
1.1.1.2
|
Cloudflare 1.1.1.2 resolver — blocks malware and phishing domains. | Lookup tool ↗ |
| Quad9 |
9.9.9.9
|
Quad9 9.9.9.9 resolver — blocks malicious domains via threat-intel partners. | Lookup tool ↗ |
| OpenDNS Umbrella |
208.67.222.222
|
OpenDNS / Cisco Umbrella — blocks phishing and malware domains. | Lookup tool ↗ |
| CleanBrowsing Security |
185.228.168.9
|
CleanBrowsing Security filter — blocks malicious domains. | Lookup tool ↗ |
| AdGuard DNS Default |
94.140.14.14
|
AdGuard DNS Default — blocks ads, trackers, and known malware. | Lookup tool ↗ |
| DNS0.eu |
193.110.81.0
|
DNS0.eu — EU-hosted resolver blocking malware and phishing. | Lookup tool ↗ |
Family Filtering DNS
Detects whether the zone's domain is being blocked by family-focused DNS resolvers as adult, gambling, or otherwise restricted content.
| Blocklist | Endpoint | Description | Delisting |
|---|---|---|---|
| Cloudflare Family (1.1.1.3) |
1.1.1.3
|
Cloudflare 1.1.1.3 resolver — blocks malware plus adult content. | Lookup tool ↗ |
| OpenDNS FamilyShield |
208.67.222.123
|
OpenDNS FamilyShield — blocks adult content plus malware. | Lookup tool ↗ |
| CleanBrowsing Family |
185.228.168.168
|
CleanBrowsing Family — strictest family filter, also forces SafeSearch. | Lookup tool ↗ |
| AdGuard DNS Family |
94.140.14.15
|
AdGuard DNS Family — blocks ads, trackers, malware, and adult content. | Lookup tool ↗ |
| DNS0.eu Kids |
193.110.81.1
|
DNS0.eu Kids — blocks adult content plus malware. | Lookup tool ↗ |
| Mullvad Family |
194.242.2.6
|
Mullvad DNS Family — privacy-focused resolver blocking adult content. | Lookup tool ↗ |
Decoding listing reasons
When a DNSBL flags your zone, the answer it returns (a 127.0.0.x address) encodes the reason. We decode those values into human-readable explanations on every result. Here's the full mapping for the lists where we know it:
Spamhaus ZEN
| Answer | Meaning |
|---|---|
127.0.0.2
|
SBL — confirmed spam source |
127.0.0.3
|
SBL CSS — snowshoe / compromised |
127.0.0.4
|
XBL — exploited host (CBL) |
127.0.0.9
|
SBL DROP / EDROP — hijacked or leased to spammers |
127.0.0.10
|
PBL — ISP-maintained, should not send mail directly |
127.0.0.11
|
PBL — Spamhaus-maintained, should not send mail directly |
Spamhaus SBL
| Answer | Meaning |
|---|---|
127.0.0.2
|
SBL — confirmed spam source |
127.0.0.3
|
CSS — snowshoe / compromised |
127.0.0.9
|
DROP / EDROP — hijacked or leased |
Spamhaus XBL
| Answer | Meaning |
|---|---|
127.0.0.4
|
XBL — exploited host |
Spamhaus PBL
| Answer | Meaning |
|---|---|
127.0.0.10
|
PBL — ISP-maintained |
127.0.0.11
|
PBL — Spamhaus-maintained |
Barracuda Reputation
| Answer | Meaning |
|---|---|
127.0.0.2
|
Listed on Barracuda Reputation Block List |
SpamCop
| Answer | Meaning |
|---|---|
127.0.0.2
|
Listed on SpamCop |
SORBS Aggregate
| Answer | Meaning |
|---|---|
127.0.0.2
|
HTTP / SOCKS / misc proxy |
127.0.0.3
|
Spam source |
127.0.0.4
|
Vulnerable formmail / smtp |
127.0.0.5
|
Open SMTP relay |
127.0.0.6
|
Spam-supporting service |
127.0.0.7
|
Web server with vulnerability |
127.0.0.8
|
Hijacked netblock |
127.0.0.9
|
Hijacked / SOCKS hijack |
127.0.0.10
|
Dynamic IP space |
127.0.0.11
|
Bad config / no rDNS |
127.0.0.12
|
Should not deliver mail |
127.0.0.14
|
Compromised / zombie host |
UCEPROTECT Level 1
| Answer | Meaning |
|---|---|
127.0.0.2
|
Listed on UCEPROTECT Level 1 |
Spamhaus DBL
| Answer | Meaning |
|---|---|
127.0.1.2
|
Spam domain |
127.0.1.4
|
Malware domain |
127.0.1.5
|
Phishing domain |
127.0.1.6
|
Botnet C&C domain |
127.0.1.102
|
Abused legit spam |
127.0.1.103
|
Abused spammed redirector |
127.0.1.104
|
Abused legit phish |
127.0.1.105
|
Abused legit malware |
127.0.1.106
|
Abused legit botnet C&C |
127.0.1.255
|
IP queries prohibited |
SURBL Multi
| Answer | Meaning |
|---|---|
127.0.0.8
|
Phishing |
127.0.0.16
|
Malware |
127.0.0.64
|
Abuse / cracked |
127.0.0.128
|
Spam |
URIBL Multi
| Answer | Meaning |
|---|---|
127.0.0.2
|
Black — confirmed spam URI |
127.0.0.4
|
Grey — likely spam URI |
127.0.0.8
|
Red — newly observed URI |
Notifications
The first time a zone shows up on a blocklist, we fire a Zone Listed on Blocklist notification through every channel you've configured for that zone. When the listing later clears, we fire a Zone Removed from Blocklist follow-up. Both events flow through the same notification subscriptions you already use for DNS changes, certificates, and WHOIS.
Each alert includes the blocklist's display name, category, the decoded listing reason, and a direct link to that blocklist's delisting / lookup tool when one is available.
Limitations and caveats
- IP-based checks use your synced apex A records. If your zone uses a CDN that only proxies through its own IPs, those IPs are what we'll check — not your origin server. A future release will let you supply an explicit origin IP override.
- Spamhaus rate-limits public resolvers. If a check returns inconclusive results because of upstream throttling, we'll mark the entry as an error and retry on the next run rather than reporting a false clean.
- Daily cadence by default. Most blocklists update on the order of hours-to-days, so re-checking more aggressively offers no real signal and risks getting our resolvers blocked.
- Apex records only, for now. We currently check the apex A records (not subdomains or MX targets). If you need MX-target reputation monitoring, get in touch — we'll prioritize it.