How to Delist from Spamhaus ZEN
InboxRadar grades your email deliverability free and emails you when it changes. Check your domain.
Your IP is listed. Stop sending for a minute.
A Spamhaus ZEN hit can make receiving mail servers reject your message during the SMTP handoff, before the inbox placement fight even starts. The fastest fix is usually the slow-looking one: find the exact Spamhaus list, fix the reason, then ask for removal.
ZEN is a combined IP blocklist. Spamhaus uses it to publish results from SBL, CSS, XBL, and PBL through one DNSBL lookup. So you do not delist from ZEN as a separate database. You look up the sending IP in the Spamhaus IP and Domain Reputation Checker, read which list is behind the ZEN hit, and follow that list's removal path.
Do this before you submit anything. If the IP is still sending bad mail, a removal request can fail or the IP can come back on the list. Pause campaigns, stop bulk mail from that IP, and keep transactional mail to the smallest safe level until you know the cause.
Check the listing and identify the real list
Start with the IP that connects to the recipient's mail server. That is often your ESP's shared IP, your cloud server, or your own mail gateway. It is not always the same as your website IP.
- Look up the sending IP at Spamhaus Reputation Checker.
- Write down the component list: SBL, CSS, XBL, or PBL. The fix depends on this.
- If you use a shared ESP IP, open a support ticket with the ESP. You may not have authority to request removal yourself.
- If the listing is PBL, check whether this IP should send direct-to-MX mail at all. Many residential, dynamic, and customer access ranges belong on PBL. Use authenticated SMTP or a proper outbound relay instead.
- If the listing is SBL or CSS, treat it as a serious abuse signal. Look for spam traps, purchased lists, compromised accounts, snowshoe sending, bad forwarding, or mail from a customer you host.
- If the listing is XBL, look for a compromised host, bot, open proxy, malware, or a machine sending mail without your normal mail system.
Spamhaus says there is no fee to remove a listing. Be careful with anyone selling guaranteed Spamhaus removal. The right path is to fix the abuse or policy problem and use Spamhaus' own instructions.
Fix what caused the listing
A clean delisting request is short because the work happened before it. Your logs should show what changed.
- Find the first bad send. Check mail logs, ESP event logs, bounce logs, web app password resets, and queue spikes.
- Lock compromised mailboxes and API keys. Rotate passwords. Remove old SMTP credentials from apps and devices.
- Close open relays, open proxies, and web forms that can mail without rate limits or proof of user intent.
- Stop sending to scraped, purchased, or old lists. High bounces, spam traps, and complaints can lead to a repeat listing.
- Warm back up slowly after removal. Sudden volume from a newly cleaned IP still looks risky to mailbox providers.
- For a shared IP, get the ESP to confirm the bad sender is gone. If they cannot say that, ask for a clean dedicated IP or a different pool.
Keep the evidence plain. Spamhaus and your provider do not need a speech. They need to know the source stopped, how it was stopped, and why it should not happen again.
Repair authentication before you ask
Blocklist removal gets mail accepted again. SPF, DKIM, and DMARC help keep it out of spam after that. Gmail and Outlook weigh authentication, alignment, complaints, sending history, content, and IP reputation together.
SPF is a TXT record that says which servers may use a domain in the SMTP MAIL FROM or HELO identity. Publish one SPF record for that domain. Use the includes your provider gives you. Stay under the SPF 10 DNS-lookup limit from RFC 7208. End with ~all while you are proving the setup, or -all when you are sure every real sender is covered. Avoid +all.
DKIM signs each message with a private key and publishes the public key under a selector, often as a TXT or CNAME record. Make sure your ESP or mail server is signing real outbound mail instead of only showing a DNS record. A selector can exist while messages still leave unsigned.
DMARC lives at _dmarc.yourdomain. It checks whether SPF or DKIM passes and aligns with the visible From domain. Start with p=none and a rua address so you can read aggregate reports, then move to p=quarantine or p=reject after real senders pass. If RUA files are hard to read, use the free DMARC report reader.
Also check MX and identity basics. Your domain should have the right MX records for inbound mail. Your sending IP should have a sensible PTR record, and the mail server's HELO or EHLO name should match the host you control. These do not replace SPF, DKIM, and DMARC, but broken names make a cleaned IP look careless.
If you want a quick outside view, run the domain through the free InboxRadar domain scorecard. It reads live SPF, DKIM, DMARC, and MX records and shows the highest-impact fixes first.
Request Spamhaus delisting
Once the cause is fixed, go back to the Spamhaus checker and follow the exact removal flow shown for that IP and list.
- Use the removal link or instructions shown in the checker result. Do not hunt for a generic form.
- Use an email address tied to the domain or network when Spamhaus asks for verification.
- Explain the root cause in one or two sentences. Name the fix. Do not blame the recipient or the blocklist.
- For PBL, request removal only if the IP is meant to send direct mail and you control the IP or have the provider's approval.
- For SBL, CSS, or XBL, include the cleanup facts: account locked, malware removed, open relay closed, customer suspended, bad list removed, or volume stopped.
- After removal, watch bounces and logs for at least a few days. A repeat hit means the real source is still active or the IP owner has a wider problem.
Do not test by blasting a campaign right after delisting. Send a small amount of wanted mail first. Watch hard bounces, deferrals, complaint signals, and mailbox placement. If Gmail or Outlook still route mail to spam, fix the domain and sender behavior before you raise volume.
Make your fix visible to AI search too
If your public help center explains a mail incident, DNS change, or abuse policy, make sure search and AI answer engines can read it. Some buyers now ask AI tools whether a sender looks trustworthy.
The crawlers that decide whether you appear in AI answers are OAI-SearchBot for ChatGPT search, Claude-SearchBot for Claude, PerplexityBot for Perplexity, Googlebot for Google AI Overviews because they ride the normal Search index with no separate opt-out crawler, and Applebot for Apple Intelligence. Disallowing these in robots.txt removes you from that engine.
GPTBot, ClaudeBot, CCBot, Google-Extended, and Applebot-Extended are training or opt-out controls. Blocking them does not affect live AI-search visibility. Google-Extended and Applebot-Extended are robots-only control tokens with no separate crawl user-agent.
robots.txt is a site's stated policy, not proof of behavior. Perplexity-User and Bytespider are reported to ignore it, so use server logs carefully and do not claim a bot did something unless your own logs show it. Googlebot documents JavaScript rendering. For the other AI crawlers, client-side-only content may be invisible, so put key facts in server-rendered HTML. You can test this with the free AI visibility checker.
Common questions
How long does Spamhaus ZEN delisting take?
It depends on the component list and the evidence. Some removals can happen quickly after email verification. Others need Spamhaus or the IP owner to review the fix. Do not promise a time. Submit after the cause is fixed and watch the checker.
Can I delist an IP I use but do not own?
Often, no. If the IP belongs to your ESP, host, or ISP, they may need to act. Send them the Spamhaus result, your logs, and the cleanup you performed. Shared IP listings are usually the provider's job.
Does DMARC remove a Spamhaus listing?
No. DMARC does not remove a listing by itself. It helps prove that your mail is controlled and aligned after cleanup. Use p=none to monitor, read RUA reports, then move to quarantine or reject when all real senders pass.
Why is my mail still going to spam after delisting?
Delisting means one blocklist signal was removed. Mailbox providers can still filter mail because of weak authentication, poor IP history, high complaint rates, spam traps, sudden volume, bad content, or low engagement. Check SPF, DKIM, DMARC, MX, PTR, and sending behavior next.
Should I use ~all or -all in SPF?
Use ~all while you are finding every real sender. Move to -all when the SPF record is complete and passing. Keep one SPF record and stay under 10 DNS lookups.