Help

Registration

  • Go to the home page, enter the email address for the server you want to test, and click “Access Portal.”

  • We send a verification email to your registered email address.

  • The verification email contains a link to log in. You can use this link to access the portal as many times as you want.

  • If you aren’t receiving a verification email, we provide some diagnostics of the mail delivery attempt. To view these, click “View delivery details.”

Testing

  • Once you’ve accessed the test page, you can run tests on either the Data Query Service or the Public Mirrors.

  • Select which of the following tests you would like to complete: SMTP test emails, Content test emails, or both, and click on “Run Test.”

  • The DNS mail exchanger (MX) records identify the servers which accept mail for a domain. The BLT finds all MX hosts for the email address and repeats the same test sequence for each one.

  • The BLT will execute an MX Probe test. The probe sends the following SMTP commands but does not deliver an email: EHLO, MAIL FROM, RCPT TO, QUIT.

  • If the MX Probe can confirm that the host is responsive and accepting messages for the email address, the outcome is “good,” and BLT continues with a series of blocklist tests.

Reports

  • The “Blocklist test report” will take some time to complete. However, you can see each test email result update in real time.

  • Where you want further detail on a result, click on the icon, and this will take you to the “Test email” page, which outlines the SMTP exchange for that particular test.

The BLT is a tool for testing email servers to determine if they are correctly configured to use Spamhaus blocklists. To test a server, a user accesses the BLT using an email address on the server they want to test. The BLT sends a series of test emails to this address, and generates a report summarizing the results along with classifications (good, bad, inconclusive). If the server is correctly configured to use Spamhaus blocklists, BLT detects rejected test emails and shows a “good” result.

For information on configuring your mail servers to use blocklists, please see:

To access the BLT, enter an email address and click Access Portal on the main page. The BLT will send a verification email to this address, containing a link to enter the portal. You can save this email and use the same link to re-enter the portal later.

There are some domains we don’t allow testing for, for example gmail.com. If you try to test an email at one of these domains you’ll get an error saying it’s not allowed.

The verification email may take a few minutes to reach you. If you are wondering about the delivery status, you can click View delivery details to see diagnostic information about the delivery.

Once inside the BLT portal, you will see your email address in the upper right header. You can click the icon of the person to end the session, or delete the previous test history.

The BLT tries to deliver emails to your server, and supports both the Data Query Service (DQS) and Public Mirrors. Choose the type of service which matches the configuration of your mail server.

For example: if your mail server is configured to block mail based on DQS zones, choose a DQS Test. For SMTP tests, the BLT will then attempt to deliver mail to your server by connecting from IP addresses which are listed (blocked) by DQS. Your server should then reject these emails.

With either service, you can run either SMTP tests, Content tests, or both.

SMTP tests are designed to test SMTP-level filtering, where a malicious email will be rejected before it can be delivered.

Content tests are meant for filters such as SpamAssassin, which analyze the header and body contents after SMTP-level delivery is complete.

For an overview of the different Spamhaus blocklists and which parts of an email they can be applied to, see: Where to apply Spamhaus blocklists for effective email filtering.

When you are ready to run the tests, click the Run button corresponding to either DQS or Public Mirror. You will be taken to the Blocklist Testing Report showing a report of all individual test emails sent to the target address. This report might take some time to update as results are gathered. Tests may take anywhere from a few seconds to several minutes to fully complete.

The BLT performs tests for each Mail Exchanger (MX) found for your domain. As a result, you may receive duplicate test emails coming through each MX.

To see the results of earlier tests, click View test result history from the bottom of the test page. You will see a summary of all earlier tests since this email address was first used to access the portal.

This tests services at <DQS key>.<blocklist>.dq.spamhaus.net

If you are a DQS subscriber, you can enter your DQS Key and run DQS tests. BLT will only test the blocklists which you are currently subscribed to. The following tests are supported:

Test name       Description
pbl-dqs-ip      Sender’s IP is listed on pbl
sbl-dqs-ip      Sender’s IP is listed on sbl
xbl-dqs-ip      Sender’s IP is listed on xbl
dbl-dqs-ehlo    Sender gives an EHLO greeting using a domain listed on dbl
dbl-dqs-from    Sender gives a From envelope address containing a domain listed on dbl
zrd-dqs-ehlo    Sender gives an EHLO greeting using a domain listed on zrd
zrd-dqs-from    Sender gives a From envelope address containing a domain listed on zrd

If your server is configured to use ZEN, this includes PBL+SBL+XBL and you should see these three tests all succeed.

DBL and ZRD are domain listings that are only meaningful if you have configured your mail server to apply domain-based (or RHSBL) tests.

For more comprehensive coverage, consider subscribing to all of the below. These datasets are described in detail here.

  • IP address lists: PBL, SBL, XBL, AuthBL
  • Domain lists: DBL, ZRD
  • Hashes: HBL (content testing only)

The following tests are performed:

Test name       Description
pbl-pub-ip      Sender’s IP is listed on pbl.spamhaus.org
sbl-pub-ip      Sender’s IP is listed on sbl.spamhaus.org
xbl-pub-ip      Sender’s IP is listed on xbl.spamhaus.org
dbl-pub-ehlo    Sender gives an EHLO greeting using a domain listed on dbl.spamhaus.org
dbl-pub-from    Sender gives a From envelope address containing a domain listed on dbl.spamhaus.org

If your server is configured to use ZEN, this includes PBL+SBL+XBL and you should see these three tests all succeed. Note, however, that DBL is a domain-based list which must be configured separately.

Whether or not these tests are relevant to you depends on how you have configured your mail server. For example, if your mail server is only configured to reject mail using the SBL, then you can expect to see a successful SBL test, and failures for the rest of the tests.

Unlike the SMTP tests, which should result in messages being blocked before they can be delivered, content tests are meant to exercise a SpamAssassin or Rspamd installation to help you determine if certain rules are being triggered. These messages may not be blocked, but they should at least be flagged in the subject line or headers by a correctly configured system.

Content tests with Public services are:

Test name              Description
sbl-pub-body-ip        Body contains an IP listed on SBL
dbl-pub-body-domain    Body contains a domain listed on DBL

Content tests with DQS services are:

Test name                   Description
sbl-dqs-body-ip             Body contains an IP listed on SBL
dbl-dqs-body-domain         Body contains a domain listed on DBL
zrd-dqs-body-domain         Body contains a domain listed on ZRD
hbl-dqs-body-cc-wallet      Body contains crypto wallet address listed on HBL
hbl-dqs-body-email-addr     Body contains email address listed on HBL
hbl-dqs-eicar-attachment    Message contains attachment (EICAR test) listed on HBL
hbl-dqs-header-from         The From header contains an address listed on HBL
hbl-dqs-reply-to            The Reply-To header contains an address listed on HBL
hbl-dqs-smtp-from           The envelope From address is listed on HBL

For information about using content filtering, please see Best Practice: DNSBLs and email filtering and the plugins linked at the end of that article.

For details of HBL listings, please see the description of HBL content.

The BLT shows the Blocklist Testing Report to summarize all tests performed in one testing session. Each SMTP or Content test appears in a row, and each mail exchanger (MX) for the server appears in a column.

The sections of this report are:

  • Summary: A count of each test outcome status.

  • Service Tier: Whether this is a Public or DQS test.

  • Zones for DQS Key (DQS only): Shows the service zones you are able to query with your DQS subscription.

  • MX Probes: BLT probes each MX of your domain before starting blocklist testing. See the section on MX Probes.

  • SMTP Test Emails: a variety of SMTP-based tests performed for each MX host of the target domain. See the list of Public tests and DQS tests.

  • Content Test Emails: These tests are informational, to help you test your content filters. It is often not possible to determine success or failure. See the list of Content tests.

Each individual test is categorized by BLT and shows a status in the table of results. Clicking any status icon will show additional detail of this particular delivery test. The possible status outcomes are:

  • “Good”: we think your server is correctly configured for this test
  • “Bad”: we think your server failed this test; fix your configuration and run a new test
  • “Unexpected”: something went wrong; check your configuration and run a new test
  • “Inconclusive”: we can’t classify this test; check the classification for this test email on your end

For example: the pbl-pub-ip test (a Public Mirror test) attempts to connect to your server from an IP address which is blocked by the PBL. If the BLT is able to successfully deliver an email to one of your MX hosts, then this test is shown as “Bad” because the server did not reject the connection, and the message was delivered. Clicking on the status will show the details of how BLT connected and delivered mail to the MX host.

In addition to the results shown in this table, it is also strongly recommended that you open and read the test emails from the failed tests.

The DNS “mail exchanger” (MX) records identify the servers which accept mail for a domain. BLT finds all MX hosts for the email address, and repeats the same test sequence for each one.

Before starting the blocklist tests, BLT first tries an MX Probe test. If the MX Probe is able to confirm that the host is responsive and accepting messages for the email address, the outcome is “good” (shown in green). BLT requires a “good” probe before it can interpret the results of subsequent tests.

The MX Probe might show an “unexpected” status if the host is misconfigured. For example, if the host is denying all mail due to a configuration mistake, the MX Probe and all other tests will be denied. In this case, all results will show “unexpected” status because BLT cannot be confident that mail was rejected due to correct use of blocklists.

If the MX Probe was “good”, the BLT will also interpret an immediately dropped connection as successful mail rejection. Some mail servers will close connections from blocked IPs.

The probe sends the following SMTP commands, but does not deliver an email: EHLO, MAIL FROM, RCPT TO, QUIT
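The probe gating described above can be modelled as follows. This is an added example, not BLT's own code: the transcript format, the function names, the use of an accepted RCPT TO as the "good" probe criterion, and the mapping of temporary (4xx) failures to "inconclusive" are all assumptions made for illustration.

```python
# Constructed SMTP sessions, one reply per line as "<command> -> <code> <text>".
PROBE_OK = """CONNECT -> 220 mx.example.test ESMTP
EHLO -> 250 mx.example.test
MAIL FROM -> 250 2.1.0 Ok
RCPT TO -> 250 2.1.5 Ok
QUIT -> 221 2.0.0 Bye"""
PROBE_DENY_ALL = "CONNECT -> 554 5.7.1 Service unavailable"
REJECTED = """CONNECT -> 220 mx.example.test ESMTP
EHLO -> 250 mx.example.test
MAIL FROM -> 250 2.1.0 Ok
RCPT TO -> 554 5.7.1 Rejected (constructed reply)"""
DELIVERED = """CONNECT -> 220 mx.example.test ESMTP
EHLO -> 250 mx.example.test
MAIL FROM -> 250 2.1.0 Ok
RCPT TO -> 250 2.1.5 Ok
DATA -> 354 End data with <CR><LF>.<CR><LF>
DATA END -> 250 2.0.0 Queued"""
DROPPED = "<connection closed>"
TEMPFAIL = "CONNECT -> 220 mx.example.test ESMTP\nEHLO -> 250 ok\nMAIL FROM -> 451 4.7.1 Try later"

def parse_session(transcript):
    """Return ({command: reply_code}, dropped) for one session."""
    replies, dropped = {}, False
    for line in transcript.strip().splitlines():
        if line.strip() == "<connection closed>":
            dropped = True
            break
        command, _, reply = line.partition("->")
        if reply.split():
            replies[command.strip()] = int(reply.split()[0])
    return replies, dropped

def probe_status(probe):
    """'good' only when the host answered and accepted the recipient (assumed: 2xx to RCPT TO)."""
    replies, _ = parse_session(probe)
    return "good" if replies.get("RCPT TO", 0) // 100 == 2 else "unexpected"

def classify_smtp_test(probe, test):
    """Interpret one SMTP blocklist test for one MX, gated on that MX's probe."""
    if probe_status(probe) != "good":
        return "unexpected"  # a rejection cannot be attributed to blocklist use
    replies, dropped = parse_session(test)
    if replies.get("DATA END", 0) // 100 == 2:
        return "bad"  # the listed sender's message was accepted
    if dropped or any(code // 100 == 5 for code in replies.values()):
        return "good"  # rejected, or connection closed after a good probe
    return "inconclusive"  # assumption: temporary failures are not classified
```

The same rejected session is "good" after a good probe and "unexpected" after a probe that was itself refused, which is why a server that denies all mail never shows a passing result.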

The BLT test emails may appear in your inbox if they are not blocked. It is normal to see some test emails get through, since BLT tests a wide range of Spamhaus capabilities that your mail server might not be configured to use.

Each test email contains details that can help you diagnose the type of test performed. We recommend that you read each test email.

In the case of content tests, you should view the full headers of the test email to see what kind of spam scores were assigned by your filter. The headers of interest might be X-Spam-Flag, X-Spam-Score, and X-Spam-Status in the case of SpamAssassin, and X-Spam in the case of Rspamd.
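One way to read those headers out of a delivered content test email is sketched below. This is an added example, not part of the BLT or of either filter; the sample messages and rule names are constructed placeholders, and the `tests=` field layout of X-Spam-Status is assumed to follow SpamAssassin's usual format.

```python
import re
from email import message_from_string

# Constructed samples (not real BLT emails); rule names are placeholders.
SA_MAIL = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Score: 7.3\n"
    "X-Spam-Status: Yes, score=7.3 required=5.0 tests=EXAMPLE_DBL_BODY,\n"
    "\tEXAMPLE_SBL_BODY autolearn=no\n"
    "Subject: constructed content test\n"
    "\n"
    "constructed body\n"
)
RSPAMD_MAIL = "X-Spam: Yes\nSubject: constructed content test\n\nbody\n"
UNSCANNED_MAIL = "Subject: constructed content test\n\nbody\n"

HEADERS = ("X-Spam-Flag", "X-Spam-Score", "X-Spam-Status", "X-Spam")

def spam_verdict(raw):
    """Summarize what the content filter recorded in a delivered test email."""
    msg = message_from_string(raw)
    # Folded headers keep their line breaks: collapse the whitespace, then
    # rejoin a rule list that was folded after a comma.
    value = {h: " ".join((msg.get(h) or "").split()) for h in HEADERS}
    status = re.sub(r",\s+", ",", value["X-Spam-Status"])
    tests = re.search(r"\btests=(\S*)", status)
    rules = [r for r in tests.group(1).split(",") if r and r != "none"] if tests else []
    number = re.search(r"-?\d+(?:\.\d+)?", value["X-Spam-Score"])
    flagged = any(value[h].lower().startswith("yes")
                  for h in ("X-Spam-Flag", "X-Spam-Status", "X-Spam"))
    return {
        "scanned": any(h in msg for h in HEADERS),  # False: filter never saw it
        "flagged": flagged,
        "score": float(number.group()) if number else None,
        "rules": rules,
    }

if __name__ == "__main__":
    for name, raw in (("spamassassin", SA_MAIL), ("rspamd", RSPAMD_MAIL),
                      ("unscanned", UNSCANNED_MAIL)):
        print(name, spam_verdict(raw))
```

A result with `scanned` set to False means the message reached the mailbox without passing through the filter at all, which is a different problem from a rule that did not fire.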

BLT stores previous test results for users, allowing you to look back at old test results associated with an email address. If you would like to delete all previous test results:

  • First access the portal using your email address
  • Click the person icon at the right side of the header
  • Click Delete email and testing history