DNS / RBL Zone
Query the ReportedIP community blacklist as a DNS blocklist (DNSBL / RBL) directly from your mail server or firewall. Each subscription provisions a private, token-authenticated zone string that you add to Postfix, Rspamd, a BIND RPZ, or any RBL-capable software.
Your zone string
After subscribing, your dashboard shows a token. Your zone string is:
<your-token>.bl.reportedip.de
A mail server prepends the reversed client IP. For example, checking 1.2.3.4 queries
4.3.2.1.<your-token>.bl.reportedip.de and reads the answer.
IPv6 is supported the same way, using the reversed nibble form (as in ip6.arpa): the 32 hex nibbles of the fully expanded address, least-significant first, followed by .<your-token>.bl.reportedip.de. Most mail servers build this automatically.
Return codes
| A record | Meaning | Suggested action |
|---|---|---|
| 127.0.0.2 | Listed — high confidence (≥ 90) | Reject |
| 127.0.0.3 | Listed — medium confidence (75–89) | Reject or score |
| NXDOMAIN | Clean (or not in the requested category) | Accept |
| 127.255.255.251 | Daily query quota reached | Add another token / upgrade |
| 127.255.255.252 | Token invalid / subscription inactive | Check token & billing |
Test point (per RFC 5782): looking up 127.0.0.2 — i.e. querying the reversed form 2.0.0.127.<your-token>.bl.reportedip.de — always returns 127.0.0.2, so you can verify your setup without a real listed address. The same test address over IPv6 is its mapped form ::FFFF:7F00:2 (queried as reversed nibbles), which also returns 127.0.0.2. The test point is exempt from the daily quota and rate limit.
Beyond these A-record answers, a query that exceeds the per-token rate limit is answered with REFUSED rather than an address (see the Limits and caching section below).
Add it to your mail server
554 reply the sending server receives) and into your mail log. That exposes the token to every blocked sender and to anyone with log access. Always override the reject text with a static message that does not contain the zone string, as shown below. If your token is ever exposed, rotate it from your dashboard.
Postfix
Add the zone to your restrictions as a plain entry — do not append the reject text
inline (Postfix would read it as another restriction and fail with
unknown smtpd restriction: "554"). The custom reply belongs in a separate directive.
The single reject_rbl_client directive covers both IPv4 and IPv6 senders — Postfix builds the reversed query for either family automatically (no separate config). IPv6 DNSBL lookups require Postfix 2.6 or newer, i.e. every currently supported release.
# main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client <your-token>.bl.reportedip.de=127.0.0.[2..3],
    ...
Recommended — per-zone reply. Most servers query more than one blocklist, so use
rbl_reply_maps: it overrides the text for this zone only and keeps your token out of
the bounce and the log, while Spamhaus & co. keep their own default replies.
# main.cf
rbl_reply_maps = texthash:/etc/postfix/rbl_reply
# /etc/postfix/rbl_reply (texthash: needs no postmap)
<your-token>.bl.reportedip.de 554 5.7.1 Blocked - your IP is listed at reportedip.de
Reload with postfix reload. The sender (and your log) then show only
554 5.7.1 Blocked - your IP is listed at reportedip.de — the token never appears.
Only blocklist? If ReportedIP is the only DNSBL you query, the global one-liner
default_rbl_reply = 554 5.7.1 Blocked - your IP is listed at reportedip.de does the same job.
Avoid it when you run several blocklists — it would give them all this same reply.
Rspamd
# local.d/rbl.conf
rbls {
  reportedip {
    rbl = "<your-token>.bl.reportedip.de";
    ipv4 = true;
    ipv6 = true;
    returncodes {
      REPORTEDIP_HIGH = "127.0.0.2";
      REPORTEDIP_MEDIUM = "127.0.0.3";
    }
  }
}
Rspamd only adds a symbol (e.g. REPORTEDIP_HIGH) to the score, so the token is not sent to
the sender. Keep it out of your own records too: avoid logging the resolved RBL hostname at debug level and
do not expose it in custom X-Spam-* headers.
Category sub-zones
Filter by threat type by inserting a category slug before the zone:
<reversed-ip>.<your-token>.<slug>.bl.reportedip.de
Slugs: spam, brute-force, cms-login, web-attacks,
malware, ddos, fraud, infrastructure, apt.
A hit is returned only if the IP is listed in that category.
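For software that has to build the lookup itself, the query-name layout and return codes described above can be expressed as follows. This is an added example, not ReportedIP's own code: the function names are hypothetical, the token passed in is a constructed placeholder, and the answer string is assumed to come from whatever resolver library you use.

```python
import ipaddress

ZONE = "bl.reportedip.de"
SLUGS = {"spam", "brute-force", "cms-login", "web-attacks", "malware",
         "ddos", "fraud", "infrastructure", "apt"}
# Answer -> (meaning, is_listing), taken from the return-code table.
CODES = {
    "127.0.0.2": ("listed, high confidence", True),
    "127.0.0.3": ("listed, medium confidence", True),
    "NXDOMAIN": ("clean or not in requested category", False),
    "127.255.255.251": ("daily query quota reached", False),
    "127.255.255.252": ("token invalid or subscription inactive", False),
    "REFUSED": ("per-token rate limit exceeded", False),
}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # reserved for error codes


def reversed_labels(ip):
    """Reversed octets for IPv4, reversed nibbles (ip6.arpa style) for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(str(octet) for octet in reversed(addr.packed))
    return ".".join(reversed(addr.packed.hex()))


def query_name(ip, token, slug=None):
    """Build <reversed-ip>.<token>[.<slug>].bl.reportedip.de."""
    if slug is not None and slug not in SLUGS:
        raise ValueError(f"unknown category slug: {slug!r}")
    labels = [reversed_labels(ip), token]
    if slug:
        labels.append(slug)
    return ".".join(labels + [ZONE])


def classify(answer):
    """Map a resolver result to (meaning, is_listing).

    `answer` is an A-record string, or the rcode name "NXDOMAIN"/"REFUSED".
    Unknown answers and the error range are never treated as listings.
    """
    if answer in CODES:
        return CODES[answer]
    try:
        if ipaddress.ip_address(answer) in ERROR_NET:
            return ("unrecognised error code", False)
    except ValueError:
        pass
    return ("unexpected answer", False)
```

`is_listing` is true only for 127.0.0.2 and 127.0.0.3, mirroring the `=127.0.0.[2..3]` filter in the Postfix entry, so a quota or token error never turns into a rejected message.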
Limits and caching
Each token includes 100,000 DNS queries per day (resets at 00:00 UTC). When the limit
is reached the token returns 127.255.255.251 and stops resolving until the next reset, so
subscribe to an additional token if you need more capacity for more mail servers.
A per-token rate limit of about 50 queries per second guards against bursts; sustained
spikes above it are answered with REFUSED. In normal operation you will not hit either limit,
because your resolver caches answers: a listed result is cached for 30 minutes (TTL 1800) and an
NXDOMAIN for 5 minutes (TTL 300), so most repeat lookups never leave your network.
The zone is refreshed from the community blacklist every few minutes, so newly listed IPs start being blocked without any action on your side.
Standards & compatibility
The zone follows RFC 5782, the DNSBL/DNSWL standard: IPv4 is queried as reversed octets, IPv6 as reversed ip6.arpa nibbles, the test point 127.0.0.2 is always listed, and the 127.255.255.0/24 range is reserved for error codes (never a real listing). The token-in-query layout (<reversed-ip>.<your-token>.bl.reportedip.de) matches the keyed-DNSBL convention used by established services such as Spamhaus' Data Query Service, so any RBL-capable software — Postfix, Rspamd, a BIND RPZ — works out of the box with no custom code.
Unlike most free and legacy blocklists, which are IPv4-only, this zone covers IPv4 and IPv6 equally.