Popular topics: Spam blocklist Abuse Contact ValidationPolicy blocklistWelcome listCombined blocklistDomain blocklistPotentially compromised accountsExploit blocklistRspamdWhat is XARF?

Policy blocklist

IP policy blocklist (dynamic.mail.abusix.zone)

Status: Production
Type: IPv4 only
Cloud DNS namespace: <key>.dynamic.mail.abusix.zone.
Rsync File: lists/dynamic.zone
Return Codes:,
Test Points:,,
Listing Duration: Indefinitely


This is our email "Policy” blocklist which aims to list all IP addresses that should not be connecting directly to external SMTP servers, but should instead be using their ISP or mail providers smarthost to relay messages using some form of SMTP authentication.

This list is designed to preemptively list any IP that does not appear to be suitable for use with an SMTP server, this is to catch newly compromised hosts, hijacked IP space etc. immediately without requiring trap hits for listings.

It is built by constantly scanning the entire IPv4 range and applying a policy that states:  

  • An IP address MUST have rDNS.
  • rDNS must not be 'templated' e.g. two or more octets of the IP address MUST NOT appear (this can be in hex, decimal etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp* etc.) and should reflect the hostname of the SMTP server.
  • Contiguous ranges of IP addresses MUST NOT have the same rDNS. is returned for hosts with generic rDNS. is returned for hosts with no rDNS.


This zone should only be used on border SMTP hosts, it should not be used on smarthosts or SMTP AUTH outbound servers as you could block your own customers.

This list should never be used for Received headers hops, or for anything other than checking IP addresses that hand-off to your mail server(s) as doing so will cause significant numbers of false-positives.


Anyone can request a delist from this zone and a semi-permanent exception will be created automatically.  Exceptions are only pruned when they are no longer necessary, but in the future we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.



We do not allow delists of CIDR ranges from the Policy list.   Only IPs that meet the policy requirements are delisted.

If you have updated your rDNS recently and would like us to re-scan it, then please contact us via our support channels and we will do this for you.

Note for rsync users

There is also a zone file called "policy.zone" which is now deprecated.  This was a stricter version of the Policy Blacklist which also included hosts which contained "static" within their rDNS labels.   Please check that you are using the correct zone file as "policy.zone" will be removed in the future to save bandwidth and confusion.

Example query:

$ host<key>.dynamic.mail.abusix.zone.<key>.dynamic.mail.abusix.zone has address<key>.dynamic.mail.abusix.zone has address

Was this article helpful?

Can’t find what you’re looking for?

Our award-winning customer care team is here for you.

Contact Support