Query the legacy DNSBLs via Microsoft? Move to Spamhaus Technology’s free Data Query Service

The headlines for those in a hurry

The fair use policy states that users cannot query via DNS resolvers or servers where there is no attributable reverse DNS; this includes Microsoft (we'll explain why later in this article). To provide a clear signal to users that these blocklists are not protecting their email, Spamhaus will return an error code; 127.255.255.254. If you haven't set up your email servers to accept this error code, all emails could be rejected and bounced back to their sender. To prevent any issues with your email stream, stop accessing the free blocklists via the Public Mirrors and start accessing the blocklists via Spamhaus Technology’s free Data Query Service (DQS), which you can sign up for here.

Once you've verified your email address, you will get access to a "DQS key" to include in your configuration. These config changes take only minutes; see the technical docs for more detail.

Why can’t Microsoft users query the public blocklists?

The blocklists that are made freely available via the Public Mirrors are for small-scale, non-commercial use. To ensure these users have a good quality of service, usage is monitored and measured against the fair use policy. Microsoft’s default reverse DNS masks organizations' unique identities to the Public Mirrors, so the team can’t attribute usage to individual entities. They have no way of establishing the number of queries a single organization is making.

To provide transparency, these free blocklists can be accessed via Spamhaus Technology's free DQS.

How is the free DQS different from the free Public Mirrors?

• Usage transparency - users register to access the free DQS and are provided with a key that records query volumes.
• Increased performance - blocklists are updated in real time.
• Additional protection - access to more blocklists, including Zero Reputation Domain Blocklist, Domain Blocklist with Hostnames, and Auth Blocklist.

How to access Spamhaus Technology's free DQS

1. Remove all legacy DNS Blocklist configurations in advance of signing up for an account with Spamhaus Technology. If you don't do this you may not be able to receive the account verification email.
2. Sign up for an account.
3. Verify your email address.
4. Log in to your account and access your DQS key.
5. Update your email configuration. We have config guides for mainstream MTAs.

How will Microsoft users be prevented from querying the free DNSBLs?

To ensure the fair use policy is adhered to, queries from IP addresses outside the policy will be blocked, and an error code will be returned. In the case of querying via an open/public resolver, i.e.,Microsoft, the error code is 127.255.255.254.If your MTA can't correctly parse these error codes, serious issues can occur, including bouncing all emails back to their senders and your emails not being queried against the blocklists. Here’s how to properly configure your MTA to process these error codes, if you continue to use the free Public Mirrors.

When will the error code for Microsoft DNSBL users be introduced?

The error code will be slowly implemented across Microsoft’s IP space, commencing from Wednesday, April 9th 2025.

Please don’t delay - take action now and move to the free DQS.

What if I don’t want to use Spamhaus Technology's free DQS?

1. Use DNS resolvers with attributable DNS to continue being protected by Spamhaus's IP and domain reputation.
2. If you no longer wish for your mail stream to be protected for free by the blocklists, remove all associated configurations from your email infrastructure.

Further details

Additional information for DNSBLs users having issues due to error codes is detailed here. Previous communications that were sent in relation to these changes can be found here:

• Spamhaus DNSBL return codes: technical update
• Using our public mirrors? Check your return codes now.

Any questions?

Not a problem – reach out to us via Twitter @spamhaus, LinkedIn @TheSpamhausProject or our contact form.