How It Works
1. IP Address Collection
DMARCeye collects all unique IP addresses that appear in your DMARC reports as sending sources. These are the actual IP addresses that connected to recipient mail servers and delivered (or attempted to deliver) email on behalf of your domain.2. Blacklist Lookup
Each discovered IP is checked against a comprehensive set of public DNSBL databases. These range from well-known lists such as the Spamhaus Block List (SBL) and DNSBL.dronebl.org to specialised feeds tracking spam networks, botnets, and open proxies — covering everything from the “Bad Guys List” to the “Internet’s Most Wanted.” The lookup is performed via DNS queries — a fast, standardised protocol used by virtually all DNSBL providers. For each IP, a reversed-octet query is sent to the DNSBL zone. A positive response (any DNS answer) indicates the IP is listed on that blacklist.3. Results Display
After checking all IPs, DMARCeye presents one of two outcomes:Scenario A — IPs Found on Blacklists
If one or more sending IPs are blacklisted, a results table is shown with the following columns:| Sender | IP | E-mails seen | Last seen | Blacklisted at |
|---|---|---|---|---|
| sparkpostmail.com | 156.70.4.153 | 241 | 27/11/2025, 08:49:14 | truncate.gbudb.net |
| hubspotemail.net | 158.247.28.6 | 51 | 22/03/2026, 15:10:39 | dnsbl.dronebl.org. |
- Sender — the domain or service used as the email-sending infrastructure (e.g. sparkpostmail.com, hubspotemail.net).
- IP — the specific IP address that has been blacklisted.
- E-mails seen — number of email messages observed from this IP in your DMARC data.
- Last seen — timestamp of the most recent email delivery attempt recorded from this IP.
- Blacklisted at — the name of the DNSBL registry where the IP is currently listed.
Scenario B — All IPs Clean
If none of your sending IPs appear on any blacklist, DMARCeye displays a confirmation screen with a green checkmark:✔ All of your IP’s are clean. Good job! — We’ve checked 88 IPs used addresses against all the blacklists out there, from the “Bad Guys List” to the “Internet’s Most Wanted.” And guess what? They’re all clean!
- Reject the message outright with a 5xx SMTP error.
- Tag the message as spam and route it to the junk folder.
- Silently discard the message (“silent drop”).
Supported Blacklist Sources
DMARCeye checks IPs against multiple industry-standard DNSBL providers simultaneously. Examples of sources queried include:- Spamhaus (SBL, XBL, PBL)
- DNSBL.dronebl.org — tracking DDoS drones, botnets, and compromised hosts
- Truncate / GBUdb — statistical spam IP scoring
- Barracuda Reputation Block List (BRBL)
- SpamCop Blocking List (SCBL)
- And many more specialist feeds
When Are Checks Performed?
Blacklist checks run automatically as part of DMARCeye’s regular data processing pipeline. Each time new DMARC aggregate reports are ingested and sending IPs are identified, those IPs are queued for blacklist verification. The results shown in the Blacklists section always reflect the most current data available based on your DMARC reporting window.Recommended Actions When a Blacklisting Is Detected
- Identify the sending service — use the Sender column to determine which ESP or infrastructure is responsible.
- Check the blacklist entry — visit the DNSBL website listed in the “Blacklisted at” column to understand the reason for listing and the delisting procedure.
- Contact your ESP — if the IP belongs to a third-party sending service, report the issue to their abuse/deliverability team.
- Request delisting — follow the DNSBL’s official delisting process. Most major blacklists provide a self-service lookup and removal form.
- Monitor for recurrence — after delisting, continue to watch the Blacklists section in DMARCeye for any re-listing events.