Skip to main content
Explainer · operations

IP reputation and blocklists

Every IP carries a rolling reputation that mail servers, CDNs, and firewalls use to decide whether to trust it. If something on the internet is silently refusing your traffic, this is usually why — and here is how to find out for sure and recover.

What "reputation" actually is

Reputation isn't a number stored centrally; it's a collection of opinions held by different operators about a given address. Spamhaus has one opinion. Microsoft's mail servers have another. Cloudflare has a third. AbuseIPDB has a fourth. Each one is built from different signals, used for different decisions, and updated on a different timeline.

When something on the internet silently refuses your traffic — your email going to spam, a website challenging you with CAPTCHAs every page, a financial service declining to load — the most common explanation is one of these reputation systems, not a routing or DNS problem. The IP is reachable. It's just not trusted.

How reputation gets built

Different scorers use different signals, but a few inputs show up in almost every system:

The blocklists that actually matter

How to check whether you're listed

For an IP you control, run all the checks in parallel rather than one at a time — half the lists agree, the other half don't, and you want the whole picture.

Getting delisted — the right order to do things

  1. Fix the underlying cause first. A botnet-style listing means a machine on your network is compromised. Delisting before cleaning means relisting within hours. For mail, a "you're sending too much spam" listing means your mailing list has a stale or purchased subscriber problem.
  2. Confirm sender authentication. Run our email auth checker on your domain. Without SPF, DKIM, and DMARC properly configured, modern mail providers treat your mail as suspicious regardless of the IP's reputation. SPF alone is no longer enough.
  3. Submit the delisting request. Each blocklist has its own form. Spamhaus' is a same-day automated process for many listings; manual ones take 1–3 business days. CBL is fully automated. SORBS can take weeks. AbuseIPDB entries decay automatically (90-day TTL) but you can also request expedited removal with evidence.
  4. Warm up the IP carefully. A new sender (fresh VPS, new mail domain) starts with no reputation, which big providers treat as suspicious. Don't blast a 10,000-recipient newsletter on day one. Send small volumes (50–200/day) to engaged subscribers for the first 1–2 weeks, then ramp.
  5. Monitor DMARC reports. Once DMARC is set with rua=mailto:dmarc@yourdomain.com, you'll start receiving aggregate reports from receivers telling you who is accepting and who is rejecting. This is how you know the reputation is recovering before the blocklist site catches up.

The "should I just move?" question

Sometimes the cleanest fix isn't delisting — it's moving. A poisoned residential IP from a consumer ISP is essentially unusable for sending mail no matter what you do, because Spamhaus PBL will keep listing it for as long as the ISP says "this range is residential." A datacenter IP with a long history of bad neighbors will struggle forever. In both cases, the cheapest path is moving the relevant workload to a reputation-aware service:

Checking IP reputation with IPFerret

IPFerret surfaces a few reputation-adjacent signals on the home page when the geo-IP provider supplies them — the "privacy" flags from upstream cover VPN, proxy, Tor exit, hosting datacenter, and known relay status. For deeper investigation:

Related reading