
The Spamhaus Whitelist

John Levine

For several months I have been working with the Spamhaus project on a whitelist, which we announced to the public this week. While this is hardly the first mail whitelist, our goals are somewhat different from other whitelists. Think of e-mail as ranging from inky black to pearly white, like this:

Spamhaus' SBL and its other current lists identify mail from the inky black end, sources of mail so consistently unwanted that recipients can reject or discard it without even looking at it. The goal of the Spamhaus whitelist is to identify mail at the other end of the spectrum, sources of mail so consistently wanted that recipients can deliver it without looking at it. This leaves a large grey area in between, of mail sources which are neither consistently wanted nor unwanted; this isn't a magic bullet, and recipients will still have to use other techniques to filter that.

Two categories of mail qualify for the Whitelist:

  • What we call mail from staff, mail sent by individuals who are employees of or otherwise have a relationship with the operator of the mail system beyond being customers.
  • Transactions, mail directly related to a specific action by the recipient, or reporting the status of an account set up by the recipient. Typical examples would be order acknowledgements and bank account statements.

There's a lot of other wanted mail that doesn't qualify. Mail sent for third parties, such as mail from ISPs' customers, doesn't qualify, nor does any sort of mailing list or bulk mail, no matter how wonderfully opt-in.

The reason for these limits is quite practical — the risk of unwanted mail of these other kinds is significantly greater than for staff mail or transactions, and as anyone familiar with the e-mail business can confirm, it is impossible to tell by looking at mailing list mail whether the recipient asked for the mail, and frequently difficult to tell even with access to logs and business records. So we're sticking to the kinds of mail that are highly wanted and easy to recognize.

For now, as we ramp up, anyone can use the whitelist (details here), but listings are by invitation only.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Email, Spam




No matter how wonderfully opt-in Alessandro Vesely  –  Oct 16, 2010 9:59 AM PDT

Unfortunately, it seems not so straightforward to automatically determine whether a message is a transaction or from the staff.  Does a local part of postmaster or info in the "From" header indicate that?

On the other hand, opt-in procedures could be strengthened quite easily by engaging some third party, such as the subscriber's mailbox provider or a reputation tracker.  Given that DKIM can provide a workable definition of message stream, complaints about unsolicited mail could be solved in a breeze.  Whitelisting those who play correctly would reward and dignify their activity, consolidate the tools, and improve delivery.  Would such white shine less?

Does a local part of postmaster or John Levine  –  Oct 16, 2010 12:08 PM PDT

Does a local part of postmaster or info in the "From" header indicate that?

No, of course not. If you could tell staff mail or transactions from spam with a mechanical test, you wouldn't need a whitelist, you could just do perfect filtering.

We're building a network of spamtraps and feedback loops to check compliance.
