When you perform a health check of your custom from address (CFA), you may have noticed that some popular tools, such as MXToolbox, will indicate that there's an apparent issue with a couple of specific IP addresses.
These IP addresses are associated with all of our accounts. They're used by our inbound SMTP servers and are hosted in Microsoft Azure, our cloud-based service partner. They'll get flagged as being listed on Spamhaus' PBL (Policy Block List).
However, please don't be concerned. This doesn't negatively impact the sending of your email.
About Spamhaus' PBL
The Spamhaus PBL is an anti-spam measure maintained by the Spamhaus Project in conjunction with many ISPs, and it's used by network owners to enforce inbound email policies.
The PBL database lists end user IP address ranges that shouldn't be delivering unauthenticated email to any mail server except those provided specifically for that customer's use.
The PBL only lists IP addresses (not domains or individual email addresses). All of Microsoft's Azure IP spaces are listed in the Spamhaus PBL.
Why do these IP addresses get listed?
Firstly, it helps to understand the way in which we organise our outbound email flows in comparison to our inbound email flows.
Why is there 'inbound email'?
This is for our bounce and reply handling, which is the reason why our smtp-in IP addresses accept email. These smtp-in IP addresses have nothing to do with our transactional email service, by the way, which uses a different set of IP addresses.
By design, our outbound and inbound flows are separated. A key reason for separating them is for your protection - it means we keep our sending gateways under our control, with IP addresses which we 'own'.
- Outbound email goes through our sending gateways, which are located in several different countries. We have regionalised outbound mail for two reasons:
- it helps improve delivery times
- it also allows us to meet compliance and legislative requirements
- Inbound email is centralised and, as mentioned, Microsoft's Azure infrastructure is used to provide this service.
Due to the flexibility of public cloud service IPs and the potential for abuse, it's strictly prohibited to send any outbound email directly from servers hosted in Azure compute services.
For this reason, the Azure compute IP address blocks are added to public block lists (such as the Spamhaus PBL) in order to prevent abuse and stop them being used as email servers. Our SMTP inbound IP addresses are therefore deliberately placed on the Spamhaus PBL, to be sure no outbound email can be sent from them.
So I don't need to worry?
No, rest easy. These PBL listings don't in any way adversely affect the sending of your email. These listings are for our inbound-only services, and this is completely separate from our outbound email services.
For additional information, please see the following Spamhaus and Microsoft resources:
- Spamhaus' explanation of the PBL - https://www.spamhaus.org/pbl/
Microsoft's Support Team blog on sending email from Azure to external domains - https://blogs.msdn.microsoft.com/mast/2016/04/04/sending-e-mail-from-azure-compute-resource-to-external-domains/