Home / Blogs

The Spamhaus Whitelist

John Levine

For several months I have been working with the Spamhaus project on a whitelist, which we announced to the public this week. While this is hardly the first mail whitelist, our goals are somewhat different from other whitelists. Think of e-mail as ranging from inky black to pearly white, like this:

Spamhaus' SBL and its other current lists identify mail from the inky black end, sources of mail so consistently unwanted that recipients can reject or discard it without even looking at it. The goal of the Spamhaus whitelist is to identify mail at the other end of the spectrum, sources of mail so consistently wanted that recipients can deliver it without looking at it. This leaves a large grey area in between of mail sources which are neither consistently wanted nor unwanted; this isn't a magic bullet, and recipients will still have have to use other techniques to filter that.

Two categories of mail qualify for the Whitelist:

  • What we call mail from staff, mail sent by individuals who have are employees of or otherwise have a relationship with the operator of the mail system beyond being customers.
  • Transactions, mail directly related to a specific action by the recipient, or reporting the status of an account set up by the recipient. Typical examples would be order acknowledgements, and bank account statements.

There's a lot of other wanted mail that doesn't qualify. Mail sent for third parties, such as mail from ISPs' customers doesn't qualify, nor does any sort of mailing list or bulk mail, no matter how wonderfully opt-in.

The reason for these limits is quite practical — the risk of unwanted mail of these other kinds is significantly greater than for staff mail or transactions, and as anyone familiar with the e-mail business can confirm, it is impossible to tell by looking at mailing list mail whether the recipient asked for the mail, and frequently difficult to tell even with access to logs and business records. So we're sticking to the kinds of mail that are highly wanted and easy to recognize.

For now, as we ramp up, anyone can use the whitelist (details here), but listings are by invitation only.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Email, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


No matter how wonderfully opt-in Alessandro Vesely  –  Oct 16, 2010 8:59 AM PST

Unfortunately, it seems not so straightforward to automatically determine whether a message is a transaction or from the staff.  Does a local part of postmaster or info in the "From" header indicate that?

On the other hand, opt-in procedures could be strengthened quite easily by engaging some third party, such as the subscriber's mailbox provider or a reputation tracker.  Given that DKIM can provide a workable definition of message stream, complaints about unsolicited mail could be solved in a breeze.  Whitelisting those who play correctly would reward and dignify their activity, consolidate the tools, and improve delivery.  Would such white shine less?

Does a local part of postmaster or John Levine  –  Oct 16, 2010 11:08 AM PST

Does a local part of postmaster or info in the "From" header indicate that?

No, of course not. If you could tell staff mail or transactions from spam with a mechanical test, you wouldn't need a whitelist, you could just do perfect filtering.

We're building a network of spamtraps and feedback loops to check compliance.

To post comments, please login or create an account.

Related Blogs

End-to-End Email Encryption - This Time For Sure?

Coordinating Attack Response at Internet Scale

Who Is Sending Email As Your Company?

When DNSBLs Go Bad

Email Vendors: Time to Build in DMARC

Related News


Industry Updates – Sponsored Posts

Non-English "IDN Email" Addresses Are Finally Working!

A Look Inside Dyn's 1.2 Billion Monthly Email Delivery Statistics

Dyn to Host Email Analytics Webinar With Ongage

Dyn Adds Claudia Santoro, Dave Connors and Andrew Sullivan to Technical Team

Dyn Receives $38M Investment from North Bridge

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

MarkMonitor Fraud Intelligence Report, Q4 2011

MarkMonitor Fraud Intelligence Report Released for Q2 2011

Dyn Releases New Powerhouse in Enterprise Class Email Delivery

The Botnet-Counterfeit Drugs Connection

Global Company Leads the Pack as One of the First Microsoft Partners to Offer Exchange 2010

Dyn Inc. Acquires Email Delivery Provider SendLabs

Afilias and .JO Registry Bring Native Language E-mail to Arabic Internet Users

New Monthly Fraud Intelligence Report Now Available

MarkMonitor to Highlight Importance of Cross-Functional Approach to Brand Protection

Preventing Your DNS Account from Being Hacked

Paid Search Ads Can Lead to Fake Goods

Sponsored Topics



Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines

DNS Security

Sponsored by


Sponsored by