How to avoid the Spamhaus’ blacklist to maintain email deliverability

I get a lot of questions about Spamhaus. I mean a lot. Seriously.

But it's cool. Spamhaus seems shrouded in mystery, and our Return Path service team wants to be sure that they are giving the best advice to clients to ensure they are following best practices and not mistaken for spammers.

In fact, everyone in deliverability needs to understand how Spamhaus and other important "spamtrap" honeypot networks work. As such, the leaders in the anti-abuse industry talk to Spamhaus, collect what facts they can, compare those facts against what they are seeing from their networks and their clients, and fill in the blanks. It's the "fill in the blanks" part that causes me some heartburn, because extrapolations and assumptions are often presented as fact, which is not always in the best interest of the email sender. When it comes to Spamhaus, one thing is for certain – there is a lot of misinformation out there.

Today I want to address one piece of information that I keep seeing on various mailing lists and forums – that simply removing inactive recipients will keep you from being listed on the Spamhaus Spam Block List (SBL). I have seen this stated several different ways, but in the end, the message is clear – remove "inactives" within 12 months and you will not have traps on your list because Spamhaus conditions traps for one year.

Like many proffered "facts" in this world, this is partly true, but doesn't tell the whole story and sets you up for failure if you rely too heavily on it. What you need to remember is this: To avoid sending mail to people that don't want it, you need both consent and engagement.

Removing inactives is a form of engagement management. Managing engagement is one way of ensuring that you stop emailing users who no longer want your mail. A side effect of removing users who are no longer engaging with your mail is you also remove addresses from your list that may have become traps.

Whenever the topic of engagement comes up, I inevitably receive this comment: "But I heard spamtrap administrators sometimes engage with email, so even if I'm removing inactives, they are sabotaging my efforts." It is true that from time to time, Spamhaus and other spamtrap administrators will engage (opens/clicks) with an email in the course of their research. However, this is very unusual and would not cause a sender to get blacklisted.

Spamhaus won't list you based on one trap hit. As someone from Spamhaus told me, "Spamhaus knows that everybody leaks, and the SBL makes allowances for minor leakage." And again, this type of engagement (an open or click) is not the same as consent.

In other words, engagement management is only part of the story -- it doesn't prevent you from acquiring bad addresses. Email address acquisition is the method by which you collect and confirm email addresses, and thereby establish consent. If you collect addresses poorly or do not confirm that the owner of that address is the one that asked for the mail, you do not truly have consent from the recipient to send your mail, and you are at risk of acquiring spamtraps. If you have a strong engagement management policy, you can reduce your risk, but even with a strict engagement policy, consent is still king.

So the statement that removing inactives will keep you from getting listed on the SBL is simply not true. I've seen many cases where senders with poor acquisition practices (such as point of sale acquisition without confirming the address, or requiring an address to enter a website, thereby encouraging people to enter false information) are hitting traps and getting listed on a DNS-based Blackhole List (DNSBL). These senders often have aggressive engagement management practices to try to keep spamtraps off their list, but the root of their issue is at the point of collection, and that's the process that needs to be addressed.

Whenever I hear a sender say something like, "I remove inactives at 30 days, so I don't understand why I'm hitting so many traps", it's immediately clear to me that there is something very broken with the acquisition process. If you're not getting true consent to send your email, a strict engagement policy won't be enough to give you a good list.