You set up your email server. SMTP works. SPF, DKIM, DMARC — all configured. Test emails arrive in your inbox. Everything looks perfect.
Two weeks later, your sales team asks why prospects aren't responding. Your support team wonders why customers claim they never received replies. Your marketing campaign has a 2% open rate.
Your email server is working. Your emails are being sent. They're just not arriving.
Welcome to the world of IP reputation, where your perfectly configured server means nothing if the IP address it's sending from has a bad history.
The Invisible Scorecard
Every IP address on the internet has a reputation. It's not posted anywhere. You can't look it up in a single place. But it exists — distributed across dozens of blacklists, reputation services, and the internal scoring systems of every major email provider.
When your server sends an email, the receiving server doesn't just check if your DKIM signature is valid. It asks a more fundamental question: should I trust this IP address?
Gmail checks it. Microsoft 365 checks it. Yahoo checks it. Your prospect's corporate email server checks it.
If your IP is on a blacklist — any blacklist — the answer might be no.
How IPs Get Blacklisted
Here's the uncomfortable truth: your IP can be blacklisted through no fault of your own.
Shared hosting. If you're on a VPS or shared server, you share an IP range with other customers. One of them sends spam, the whole range gets flagged. You wake up blacklisted because someone you've never met made bad decisions.
Previous tenants. Cloud IPs get recycled. You spin up a new server, get assigned an IP address, and inherit the reputation of whoever had it before. Maybe they were legitimate. Maybe they ran a botnet.
Compromised accounts. A single compromised email account sending spam can get your entire mail server blacklisted within hours. The spammer moves on; you're left with the cleanup.
Overzealous filters. Some blacklists are aggressive. Send too many emails too fast? Flagged. Send to too many invalid addresses? Flagged. Have recipients mark you as spam instead of unsubscribing? Flagged.
Network-level blocking. Some blocklists target entire IP ranges from certain providers or countries. Fair? No. But it happens.
The frustrating part: you often don't know it happened until the damage is done.
The Deliverability Death Spiral
Blacklisting creates a feedback loop that's hard to escape.
It starts small. A few emails bounce. Maybe 5% of your sends don't arrive. You don't notice because most emails are working.
But email providers are watching. When your emails bounce, it signals low quality. When recipients don't open your emails (because they're in spam), engagement drops. Low engagement signals spam. More emails go to spam. Fewer opens. Lower reputation. More spam filtering.
By the time you realize there's a problem, you might be on multiple blacklists, your domain reputation is damaged, and digging out takes weeks.
I've seen companies lose months of customer communication before someone thought to check their IP reputation.
The Blacklist Ecosystem
There isn't one blacklist. There are dozens, each with different criteria and influence.
Spamhaus is the big one. Their SBL (Spamhaus Block List) and XBL (Exploits Block List) are used by most major email providers. Getting listed here is serious. Getting delisted requires proving you've fixed the problem.
Barracuda maintains their own list, widely used by corporate email systems. If your B2B emails aren't arriving, check here.
SORBS, SpamCop, UCEPROTECT — each has their own criteria and removal processes. Some are automated; some require manual appeals.
Then there are the private lists. Gmail doesn't publish their blacklist. Neither does Microsoft. They use the public lists as signals, combined with their own proprietary reputation scoring.
Being clean on public blacklists doesn't guarantee inbox delivery. But being on public blacklists almost guarantees spam folder or outright rejection.
Checking Your IP Reputation
Here's the code to check if your mail server IP is blacklisted:
async function checkMailServerIP(ip) {
const response = await fetch(
`https://api.apiverve.com/v1/ipblacklistlookup?ip=${ip}`,
{ headers: { 'x-api-key': 'YOUR_API_KEY' } }
);
const { data } = await response.json();
if (data.inbound) {
console.log('WARNING: IP is on inbound threat lists');
console.log('Email deliverability will be affected');
} else {
console.log('IP is clean on major blacklists');
}
return data;
}
The inbound flag indicates whether your IP appears on lists used for incoming threat filtering — exactly what email providers check when receiving your mail.
Run this check regularly. Daily, if you're sending significant volume. The earlier you catch a listing, the less damage it does.
The Proactive Monitoring Approach
Reactive monitoring means finding out about blacklisting when emails stop arriving. Proactive monitoring means catching it before your users notice.
Set up automated checks:
import requests
from datetime import datetime
def monitor_mail_ips(mail_server_ips):
alerts = []
for ip in mail_server_ips:
response = requests.get(
'https://api.apiverve.com/v1/ipblacklistlookup',
params={'ip': ip},
headers={'x-api-key': 'YOUR_API_KEY'}
)
data = response.json()['data']
if data['inbound']:
alerts.append({
'ip': ip,
'timestamp': datetime.now().isoformat(),
'severity': 'critical'
})
if alerts:
send_ops_alert(alerts)
return alerts
# Run every hour via cron
# 0 * * * * python monitor_mail_ips.py
The goal is simple: know about blacklisting before it affects your business.
The Other Side: Validating Recipients
Blacklists are about your sending reputation. But deliverability has another dimension: who you're sending to.
Send to invalid addresses, and bounces hurt your reputation. Send to spam traps, and you're almost certainly getting blacklisted. Send to disposable email addresses, and your engagement metrics tank.
The solution: validate email addresses before they enter your system.
async function validateEmailAtSignup(email) {
const response = await fetch(
`https://api.apiverve.com/v1/emailvalidator?email=${encodeURIComponent(email)}`,
{ headers: { 'x-api-key': 'YOUR_API_KEY' } }
);
const { data } = await response.json();
if (!data.isValid) {
return { accepted: false, reason: 'Invalid email address' };
}
if (data.isDisposable) {
return { accepted: false, reason: 'Disposable emails not accepted' };
}
if (data.isRoleAccount) {
// info@, support@, etc. - higher bounce risk
return { accepted: true, warning: 'Role account - may have lower engagement' };
}
return { accepted: true };
}
Every invalid email you reject at signup is a bounce you prevent later. Every spam trap you avoid is a blacklisting you prevent.
The Warm-Up Problem
New IPs have no reputation. That's not the same as good reputation — it's no reputation, which email providers treat with suspicion.
If you spin up a new mail server and immediately send 10,000 emails, you're going to have a bad time. Email providers see sudden high volume from an unknown IP and assume the worst.
IP warm-up is the practice of gradually increasing send volume over weeks. Start with 50 emails per day. Increase to 100. Then 200. Then 500. Each successful delivery builds reputation.
During warm-up:
- Send to your most engaged recipients first (people who open and click)
- Avoid sending to old or inactive addresses
- Monitor bounces and complaints closely
- Check blacklists daily
The warm-up period is when you're most vulnerable. One mistake — a spam complaint spike, a batch of invalid addresses — can set you back to zero.
When You're Already Blacklisted
It happens. Maybe you inherited a bad IP. Maybe an account got compromised. Maybe you're reading this article because your emails are already going to spam.
Here's the recovery playbook:
Step 1: Identify which lists you're on. Use our IP Blacklist API to check against major blacklists. You need to know the scope of the problem.
Step 2: Find and fix the root cause. Blacklists don't care about promises; they care about behavior. Are you sending to invalid addresses? Stop. Is there a compromised account? Secure it. Are you on shared hosting with bad neighbors? Move.
Step 3: Request delisting. Each blacklist has its own removal process. Spamhaus has a web form. Barracuda has theirs. Some automatically delist after the offending behavior stops; others require manual appeals.
Step 4: Wait. Reputation takes time to rebuild. Private blacklists at Gmail and Microsoft don't have removal forms — they adjust based on observed behavior over time. This can take weeks.
Step 5: Monitor continuously. Once you're off the lists, stay off. Implement the proactive monitoring described above.
The Architecture of Email Reliability
Building reliable email delivery isn't just about avoiding blacklists. It's about architecting your systems to maintain good reputation automatically.
Separate transactional and marketing email. Your password reset emails shouldn't be affected by a marketing campaign that gets spam complaints. Use different IPs or different providers.
Implement feedback loops. Major ISPs offer feedback loops that notify you when recipients mark your email as spam. Subscribe to all of them. When complaints come in, stop sending to those addresses immediately.
Use dedicated IPs for volume sending. Shared IPs from email services are convenient but risky. For serious email operations, dedicated IPs give you control over your reputation.
Monitor everything. Bounce rates, complaint rates, open rates, blacklist status. If any metric moves in the wrong direction, investigate before it becomes a crisis.
The Cost of Ignoring This
Let's do some math.
Your sales team sends 100 emails per day. If 20% land in spam due to poor IP reputation, that's 20 missed opportunities daily. Over a month, 600 prospects never saw your message.
If even 1% would have converted, that's 6 lost deals per month. Multiply by your average deal value.
Now add support emails that customers never receive. Password resets that fail. Invoices that bounce. Order confirmations marked as spam.
The cost of poor email deliverability isn't measured in bounce rates. It's measured in lost revenue, frustrated customers, and damaged relationships.
Meanwhile, checking your IP reputation costs essentially nothing. A few API calls per day. A few lines of monitoring code.
The Bottom Line
Your email server configuration is table stakes. SPF, DKIM, DMARC — necessary but not sufficient. The emails that actually reach inboxes are sent from IPs with good reputation to valid addresses with engaged recipients.
Most developers treat email as solved infrastructure. Set it up once, forget about it. That works until it doesn't, and when it fails, the failure is silent. No error messages. No stack traces. Just emails disappearing into the void.
Email deliverability requires ongoing attention. Monitor your IP reputation. Validate recipient addresses. Respond to issues before they become crises.
Your server is sending the emails. Make sure they're arriving.
Ready to check your email infrastructure? IP Blacklist Lookup API tells you if your sending IPs are on major blocklists. Email Validator API catches invalid addresses before they hurt your reputation. Start monitoring before your next campaign goes to spam.
Originally published at APIVerve Blog
Top comments (0)