Home / Blogs

Fine Grained Mail Filtering With IPv6

John Levine

One of the hottest topics in the email biz these days (insofar as any topic is hot) is how we will deal with mail on IPv6 networks. On existing IPv4 networks, one of the most effective anti-spam techniques is DNSBLs, blackists (or blocklists) that list IP addresses that send only or mostly spam, or whose owners have stated that they shouldn't be sending mail at all. DNSBLs are among the cheapest of anti-spam techniques since they can be applied to incoming mail connections without having to receive or filter spam. On my system about 85% of incoming IPv4 mail connections are handled by DNSBLS, and I gather that number is pretty typical.

On IPv6, DNSBLs can't work the same way.

The problem is that the IPv6 address space is much, much larger. The IPv4 address space has 232 (4 billion) addresses of which maybe half are in use. Two billion is a lot of data for people, but not a big deal these days for computers, so large mail systems track every IP address that sends mail and has an opinion (the jargon word is reputation) about what kind of mail each IP sends.

IPv6, on the other hand, has 128 bit addresses. Usually each individual network, such as a home LAN or a single customer at a hosting provider, is assigned a 64 bit prefix, which means that each LAN has 264 addresses, way too many to track individually on any plausible computers. On the assumption that all of the 264 addresses are under the same control, a common plan for DNSBL operators is to disregard the low 64 bits of an address and just filter on the high half. Unfortunately, that doesn't really help, for two reasons. One is that even the remaining addresses are way too big to track. Currently there is about 53 bits allocated IPv6 networks (disregarding the low bits), and 253 of anything is still way too big to track. The other is that some hosting providers have ignored the standard configuration advice, and have put multiple customers in the same 64-bit LAN, so the 64 bit rule will treat all those customers as one. (The providers claim their routers made them do it.)

The thinking is that since IPv4 mail will continue to work for a very long time, we can be pickier about IPv6 mail and only accept it if it has DKIM signatures or otherwise makes itself easy to recognize. While I expect I'll be doing that, it occurs to me that the vast IPv6 address space offers senders and receivers a lot more finegrained whitelist and blacklist opportunities than we had before.

If I were providing public mail server like Gmail or Yahoo or Hotmail, there's plenty of bits to give every user a unique IP in a single /64. A recipient can treat the whole /64 as a unit, or if they want, they can track individual addresses, maybe all of them, or maybe just ones that come to their attention via spam complaints or the like. Recipients can use IP addresses to block mail from senders with a bad history, or maybe slow it down, or send it to different servers.

For ESPs (bulk mail service bureaus), we can add an extra level and assign IP bits both to users and mail campaign per user, perhaps like this:


The high 64 bits is the network number, same as any other IPv6 address. The low half has 8 spare high order bits for future cleverness, 40 bits of user (a trillion users per provider should be enough), and 16 bits to identify the campaign. If you want to handle one campaign specially, block, delay, or reroute or whatever, it has a unique IP. If you want to handle all of the user's mail specially, just ignore the low 16 bits and do something with that user's block of IPs.

Maybe this particular bit setup isn't ideal, but it's definitely worth thinking about what to do with all those address bits, beyond ignoring most of them and recreating techniques from IPv4.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Email, IPv6, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


The cost of fragmenting IP addresses per campaign Alessandro Vesely  –  Jan 29, 2014 2:06 AM PST

It is worth recalling the underlaying cost of using several addresses.  It forces an ESP to set up a sending strategy that is compatible with the user/campaign classification.  TCP and TLS connections cannot be kept alive across an IP change, so the latter might be seen as an overkill with respect to an (authenticated) originator email address change.

Besides technicalities, marketing campaigns —differently from discussion lists— tend to be short lived operations for some specific purpose.  The 16 bit campaign code has to match a moving target.  The difficulty of treating such identifier is similar to that of managing subscriptions.  A prospect buyer cannot subscribe to a campaign for the launch of a product that did not exist before, and a generic new products label is too broad of a mail stream identifier to be useful.  Perhaps, it would make sense to use something like the Global Industry Classification Standard codes, which would be independent of the issuing ESP.

To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Non-English "IDN Email" Addresses Are Finally Working!

Dyn Adds Chris Griffiths As New VP of Labs

A Look Inside Dyn's 1.2 Billion Monthly Email Delivery Statistics

Dyn to Host Email Analytics Webinar With Ongage

Dyn Adds Claudia Santoro, Dave Connors and Andrew Sullivan to Technical Team

Dyn Receives $38M Investment from North Bridge

New Nixu Solution Slashes Cloud Application Delivery Times from Weeks to Milliseconds

Domain Name Registrations Pass 233 Million in the First Quarter Of 2012

Nominum selected as 2012 AlwaysOn Global 250 Top Private Company

Nominum Releases New Version of Carrier-Grade DHCP Software for Telecom Providers

Nominum Survey of World's Leading ISPs Shows Nearly 60% of ISPs Plan to Roll-Out IPv6 by End of 2012

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)

Nominum and Nixu Software to Deliver Centralized DNS and DHCP Management Solution

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

Nixu NameSurfer 7.2 Strikes Rich at Dojo

DotConnectAfrica Participates at ICANN 43 In Costa Rica, the "Rich Coast"

Sponsored Topics


DNS Security

Sponsored by


Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines


Sponsored by