The document discusses how organizations can get de-listed from email blacklists. It outlines the different severity levels for being blacklisted and provides a checklist of steps to take to get de-listed, including implementing due diligence practices. The document also notes that blacklist providers operate as a "black box" with limited transparency into their internal processes.
De list your organization from a blacklist - my e-mail appears as spam - part 16 of 17
Eyal Doron o365info.com
AGENDA
• The great drama: My organization appears as “blacklisted”!
• The possible “blacklisted” scenarios and their level of severity.
• What do I need to do to get “de-listed” from a blacklist?
• “De-list” checklist, from a blacklist
• Implement your due diligence
• Blacklist providers as a Black box
Let’s start with a dramatic sentence: my organization appears as “blacklisted”!
Q1: What is the meaning of “my organization appears as blacklisted”?
Q2: What should I do in a scenario of “my organization appears as blacklisted”?
Q3: Is there a specific character to the scenario “my organization appears as blacklisted” in an Office 365 and Exchange Online environment?
The meaning of “my organization appears as blacklisted”
The term “my organization” could be translated into one of the four following options:
1. Public domain name
A scenario in which your organization’s public domain name appears as blacklisted.
2. Mail server IP address
A scenario in which your mail server IP address appears as blacklisted.
As mentioned before, in an Office 365 and Exchange Online environment, the scenario in which your “formal Exchange Online IP address” appears as blacklisted is very rare. The most common scenario is one in which the IP address that appears as “blacklisted” belongs to the “special Exchange Online servers” that are classified as the “Higher Risk Delivery Pool”.
3. Specific E-mail message content
A scenario in which a specific E-mail message is blocked because of the content of the E-mail message. In this case, it’s not clear whether the “spam filter” also decides to block the recipient who sent out the E-mail, the specific mail server that sent out the E-mail, or the complete domain name that is part of the recipient E-mail address.
4. E-mail address of a specific recipient organization
The scenario in which the “issue” relates to a specific organization E-mail address is less common. In this scenario, a specific organization’s recipient is blacklisted.
A scenario in which mail that was sent by one of our organization users is identified as spam mail and, for this reason, is blocked by the destination mail server or sent to the junk mail folder of the destination external recipient, is not a desirable scenario.
The main question in this scenario is not whether the scenario is desirable, but instead: what is the “factor” that the destination mail infrastructure uses for identifying the E-mail that was sent by one of our organization users as spam\junk mail?
Option 1: the organization domain name is blacklisted.
The “less preferred scenario” is the scenario in which our domain name appears as blacklisted.
This type of scenario is described as “less preferred” because, in this case, the “guilt” is upon the organization domain name. In this scenario, all of the organization users are affected, not only a specific organization user.
The problem in which the mail that is sent from our organization is identified as spam\junk mail is not related only to a specific “event” or a specific mail item that includes specific content but, instead, to all the “outbound mail flow” of our organization users.
In the following diagram, we can see an example of this concept.
The cause of the problem is the Office 365 recipient domain name (the “right part” of the E-mail address). The destination mail server “refuses” to accept the E-mail message not because there is a problem with the E-mail message content, but because the E-mail message was sent from a domain name that appears as blacklisted.
In this type of scenario, in which our organization domain name appears on a blacklist, we will need to contact the “blacklist provider” and ask to have our domain name removed from the blacklist.
Option 2: mail server IP address is blacklisted.
The severity of this scenario depends on the specific mail infrastructure that we use.
Non-Office 365 and Exchange Online mail infrastructure
If your mail infrastructure is not based on the Office 365 and Exchange Online mail infrastructure, a scenario in which your mail server appears as blacklisted is also considered a critical scenario.
The level of “criticality” depends on the structure of your mail infrastructure. If your organization has only one mail server, the “critical level” is very high because all the organization mail is sent via that specific mail server; if this mail server is blacklisted, this is a major problem.
If the organization mail infrastructure is based on more than one mail server, the “critical level” is less severe because there is an option to route all the rest of the organizational E-mail messages via the additional organization mail servers until the problem with the specific mail server is resolved.
Office 365 and Exchange Online mail infrastructure
In Office 365 and Exchange Online, the organization is represented by the Exchange Online server. In a very specific scenario, in which an E-mail message that was sent by an Office 365 user is identified as spam\junk mail by EOP (Exchange Online Protection), the specific E-mail message will be routed via the Exchange Online High Risk Delivery Pool.
The scenario in which the “formal Exchange Online” IP address that represents the organization appears as blacklisted is very rare.
The more likely scenario is that, when the E-mail message was sent via the Exchange Online High Risk Delivery Pool, the destination mail server will reject the E-mail message and notify us that “our mail server” is blacklisted.
In this scenario, the “guilt” is placed upon the Exchange Online Higher Risk Delivery Pool. The Office 365 spam filters recognize that the Office 365 user is trying to send out an E-mail message that is considered “problematic”.
To avoid a scenario in which all the organizations will be “stamped” as “problematic”, the specific E-mail message is routed via the mail server that was created for this type of E-mail message: the Exchange Online Higher Risk Delivery Pool.
The basic assumption is that some of the IP addresses that are used by the Exchange Online High Risk Delivery Pool are already listed in some blacklists.
Conclusion
In an Office 365 and Exchange Online environment, the scenario which we describe as “my mail server appears as blacklisted” does not lead to the conclusion that the problem is related to the “Office 365 mail server”. Instead, the problem is related to a specific Office 365 user and to specific E-mail message content, which was sent by the Office 365 user, identified as spam by EOP and routed via the Exchange Online High Risk Delivery Pool.
The cause of the problem is specific E-mail content that “leads” to a scenario in which the E-mail message is sent via the Exchange Online Higher Risk Delivery Pool.
The “other side” classifies the E-mail message as spam\junk mail, but this “classification” relates only to the specific session and only to the specific E-mail message.
If the Office 365 recipient sends a new E-mail message that doesn’t contain problematic content, the E-mail message will most likely be sent successfully to the destination external recipient.
Option 3: a specific E-mail address (organization user) is blacklisted.
This scenario can occur; however, it is less common. In some cases, the spam filter lists a very specific E-mail address and does not relate to the “whole domain part”.
Technically speaking, there are two ways in which your organization will be removed from a specific blacklist:
1. Self-service removal
A process in which an organization representative fills in a request form, in which he asks to be de-listed from the blacklist and lists the reasons or explanations for his request. In simple words: the organization representative should explain why his organization was recognized by mistake as an “element” that distributes spam mail.
2. Time-Based Removal
Some blacklist providers implement an automatic mechanism in which the domain name or the IP address that was registered in the blacklist is removed automatically after a specific time period. In simple words: if the organization does not cause any additional problems and acts as a “good boy”, the reward is that its details will be removed from the blacklist. The problem is that we, as an organization, have no control over the process.
Yes, I know that this heading sounds a bit funny.
Verify that you understand the following parts and can answer the following questions:
The problem scope
Q: Is your organization blacklisted by a specific blacklist or by a couple of blacklist providers?
A: The first and most important step is to verify the scope of the problem: does your organization appear as blacklisted in one very specific blacklist or in a couple of blacklists?
You can get a quick answer to this question by using online services that will help you to check multiple blacklist providers from one place.
You can read more detailed information in the article: My E-mail appears as spam | Troubleshooting – Mail server | Part 15#17
Your organization mail infrastructure details
Q: When we say “our organization is blacklisted”, do you fully understand the meaning?
Q: Is your domain name blacklisted?
Q: Is your mail server blacklisted?
Q: If you have more than one mail server, do you have a list of all the existing mail servers that represent your organization?
Q: When you check for information about a scenario in which your mail server is blacklisted, and you have more than one mail server, did you check whether the additional mail servers’ IP addresses appear as blacklisted?
A: Before you start the “de-list procedure” verify that you have all the required information in front of you.
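The scope questions above (which blacklists, and which of your mail servers) can also be answered directly over DNS for DNS-based blacklists (DNSBLs, RFC 5782): reverse the IPv4 octets, append the blacklist zone and look up the A record; an answer in 127.0.0.0/8 means "listed". The following Python code is an added example, not part of the original presentation; the zone names, server addresses and DNS answers are constructed placeholders, and it covers IPv4 mail server addresses only.

```python
import ipaddress
import socket

# Constructed placeholder zones; substitute the blacklist zones you care about.
ZONES = ["dnsbl.example.org", "bl.example.net"]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 return codes

def dnsbl_name(ip, zone):
    """Build the query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name; [] only on a definite 'no such name'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeout or server failure: check() reports 'unknown'

def check(ip, zone, resolve=system_resolver):
    """Return 'listed', 'clean' or 'unknown' for one IP in one zone."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except OSError:
        return "unknown"  # a DNS failure is not proof of being clean
    if not answers:
        return "clean"
    if all(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
        return "listed"
    return "unknown"  # answer outside 127/8, e.g. a resolver rewriting NXDOMAIN

def scope(ips, zones, resolve=system_resolver):
    """Per mail server IP: zones that list it and zones that gave no verdict."""
    report = {}
    for ip in ips:
        verdicts = {zone: check(ip, zone, resolve) for zone in zones}
        report[ip] = {v: [z for z in zones if verdicts[z] == v]
                      for v in ("listed", "unknown")}
    return report

# Constructed DNS answers (documentation addresses) so the example runs offline.
FAKE_DNS = {"10.2.0.192.dnsbl.example.org": ["127.0.0.2"],
            "10.2.0.192.bl.example.net": ["127.0.0.4"],
            "11.2.0.192.bl.example.net": ["203.0.113.80"]}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])
```

Call scope(servers, ZONES, fake_resolver) to see the report for the constructed data; omit the third argument to query through the system resolver. Zones that come back as "unknown" need a re-check before you conclude that a server is clean.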
The reasons that lead us to the scenario.
Q: Can you speculate regarding the reasons that lead us to the scenario in which your organization appears as blacklisted?
Q: Do you think that the “root cause” of the problem is related to bulk mail? To specific E-mail message content? To a specific user?
A: There is no point in investing all efforts and energy in the “de-list” process and hoping to get “de-listed” if the “element” that causes this problem continues the specific behavior.
You find out that your organization appears as blacklisted in a specific blacklist. You feel bitterness, and the question that appears is: why did you do such a thing?
Before we point our finger at the “element that blacklisted” our organization and causes us grief, let’s take a moment and verify whether this is a classic scenario of a false positive, meaning that our legitimate E-mail was recognized as spam\junk mail by mistake, or… maybe there is a reason that leads to the unwanted scenario in which our organization appears as blacklisted.
The reason for implementing this “due diligence” is that, in a scenario in which we indeed have a problem because we use commercial mail that violates a common standard, we will continue to have problems not only with a specific blacklist provider but with many others.
It is “easy” to get on a blacklist, but the process of “getting out” of a blacklist is not easy.
An additional issue is our “integrity”. Before we send the request to be “removed from the blacklist” and commit that the process in which our mail infrastructure was classified as “problematic” is a mistake (false positive), I think it is fair to carry out a little investigation and try to verify whether our organization “did something” that led us to a scenario in which “others” identified E-mail messages sent from our organization as spam\junk mail.
Ask to be removed (de-list) from a blacklist
In a scenario in which our organization mail infrastructure appears as blacklisted by “well-known blacklist providers”, it’s obvious that the only thing we want is to be immediately removed from the blacklist, because the outcome is a serious disruption of our business activity.
In a perfect world, we would say specific magic words and… the problem would disappear in two (or maybe 4) seconds.
In the real world, the process is not so easy!
I relate to the subject of blacklist providers as a “Black box” because of the “vague nature” of the blacklist providers.
The main excuse for this “ambiguity” is perhaps the “security argument”, which is used to explain why there is no option for providing detailed information about the reason that a specific domain name or specific mail server IP address was added to a blacklist.
My opinion is that the “security argument” is not strong enough to answer additional questions and requirements, such as the ability to get a formal response from the blacklist provider. For example: confirmation that the provider got our request, an update notification that informs us whether the de-list request was completed successfully or not, etc.
I know that this could be considered a “generalization”, and I am sure that there are significant differences between the different “blacklist providers”, but, from my experience, the contrast between the business need to urgently solve a problem in which the organization domain name appears in a blacklist versus the difficulty of getting a response from “blacklist providers” can be very frustrating.
4 reasons for relating to “blacklist providers” as a Black box
In a scenario in which your organization appears as blacklisted, there are a couple of “parts” that are responsible for the “uncertainty” of the process.
1. The reason for adding your domain name\mail server IP address
The inability to get information about the specific reason(s) that lead to the outcome in which our organization is blacklisted. The reason for the ambiguity is that each of the “blacklist providers” keeps secret the algorithm and the methods that it uses for identifying a specific E-mail item or specific organization as an “entity” that sends spam\junk mail.
2. The formal way to implement a “de-list process”
Some of the “blacklist providers” provide a very clear guide about how to implement the process of “asking to be removed from a blacklist” and some do not. I have also seen scenarios in which a specific “blacklist provider” requests money for implementing the “de-list” process.
3. A contact person
Most of the “blacklist providers” will not provide a phone number or an E-mail address of a contact person.
The logic that is implemented by most of the “blacklist providers” is:
Fill in the request form, in which you ask to remove your organization name from the blacklist.
We will read your request.
Perform different checks
If we decide that you are “entitled” to be removed from the blacklist, we will remove the information about your organization from the blacklist.
4. Formal response
This section builds on the concept of “section 3”. Most of the “blacklist providers” will not send an “update or a notification E-mail” if they decide to remove your organization from the blacklist. The responsibility for checking and verifying that your de-list request was “approved” is yours! You will need to access the “blacklist provider” website and re-check the information about your status.
Conclusions
Implement all the best practices and preventive actions that will help you avoid future scenarios in which your organization appears as blacklisted.
Try to get all the available information about the process or the procedure of de-listing your organization from the specific blacklist provider.
Take a deep breath, carry your eyes to the sky and hope for the best!
After you complete the de-list process, access the website of the “blacklist provider” and verify if your organization still appears as blacklisted.
Let’s assume that there was a reason for adding your organization to a blacklist, and let’s assume that the “blacklist provider” was kind enough to remove your organization from the blacklist. Verify that you “fix” all the issues that led to the problem in the first place. Don’t make the same mistake again because, if the “next time” occurs, the blacklist providers will be less forgiving.
Additional reading
Request that a user, domain, or IP address be removed from a block list after sending outbound spam
Getting delisted by Microsoft delist@messaging.microsoft.com
How to Check Microsoft’s Blacklist
Request a delisting from a blacklist
blocked using Blocklist 1; To request removal from this list please forward this message to delist@messaging.microsoft.com
Help and support for EOP