Greylisting
What is Greylisting?
Greylisting: An anti-spam technique that initially returns a temporary SMTP rejection for unknown sender triplets and only accepts the message on a later, properly retried delivery attempt.
Greylisting, popularized by Evan Harris in 2003 and described in RFC 6647 in the broader context of SMTP anti-spam, exploits the fact that compliant Mail Transfer Agents queue and retry messages after a 4xx temporary error, while many spam senders do not. The receiver records a triplet of (sending IP, MAIL FROM, RCPT TO); on first sight it responds with 451 4.7.1, then accepts the message once a retry arrives after a configurable delay. Once a triplet is trusted, future messages bypass the delay. Modern deployments narrow scope with reputation feedback, exempt known senders, integrate with DNSBLs, and consider trade-offs because legitimate cloud platforms may use short-lived IPs that complicate retry alignment.
● Examples
- 01. A Postfix policy server returns 451 on the first attempt and accepts the message on a retry five minutes later.
- 02. An MTA whitelisting Google Workspace and Microsoft 365 outbound ranges to avoid delaying business-critical mail.
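The triplet logic from the definition and both examples above, as an added sketch (not code from this page, Postfix, or any greylisting product). The class and field names, the 4-hour retry window, the option to key on a /24 instead of the exact IP, and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

DEFER = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.0.0 OK"

@dataclass
class Greylist:
    min_delay: int = 300           # seconds before a retry is accepted (five minutes)
    retry_window: int = 4 * 3600   # assumption: unconfirmed triplets expire after 4 h
    v4_prefix: int = 32            # 32 = exact sending IP; 24 = key on the /24 (assumption)
    v6_prefix: int = 128
    exempt_nets: tuple = ()        # CIDR strings for known senders (constructed ranges)
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    trusted: set = field(default_factory=set)       # triplets that retried correctly

    def _sender_key(self, ip):
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one RCPT TO, given `now` in seconds."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.exempt_nets):
            return ACCEPT                      # exempt known sender, no delay
        triplet = (self._sender_key(ip), mail_from.lower(), rcpt_to.lower())
        if triplet in self.trusted:
            return ACCEPT                      # trusted triplet bypasses the delay
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.retry_window:
            self.first_seen[triplet] = now     # first sight (or stale record): start clock
            return DEFER
        if now - seen < self.min_delay:
            return DEFER                       # retried too soon; clock keeps running
        del self.first_seen[triplet]
        self.trusted.add(triplet)              # proper retry: accept and remember
        return ACCEPT

if __name__ == "__main__":
    gl = Greylist(exempt_nets=("192.0.2.0/24",))   # constructed exempt range
    msg = ("alice@example.org", "bob@example.net")
    for ip, t in [("198.51.100.7", 0), ("198.51.100.7", 60), ("198.51.100.7", 300),
                  ("198.51.100.8", 400), ("192.0.2.10", 400)]:
        print(t, ip, gl.check(ip, *msg, now=t))
```

With the default exact-IP key, the retry from 198.51.100.8 is treated as a new triplet and deferred again, which is the retry-alignment problem with rotating sender IPs; setting `v4_prefix=24` lets a retry from a neighbouring address in the same /24 match the original attempt.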
● Frequently asked questions
What is Greylisting?
An anti-spam technique that initially returns a temporary SMTP rejection for unknown sender triplets and only accepts the message on a later, properly retried delivery attempt. It belongs to the Network Security category of cybersecurity.
How do you defend against Greylisting?
Defences for Greylisting typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Greylisting?
Common alternative names include: Grey Listing, Tempfail Greylisting.
● Related terms
- DNS Blocklist (DNSBL) (network-security, № 336): A DNS-based mechanism described in RFC 5782 that lets mail systems query a list of IP addresses or domains known to send spam or malware and apply blocking, scoring, or routing decisions.
- Secure Email Gateway (network-security, № 984): A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
- SPF (Sender Policy Framework) (network-security, № 1076): An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM.
- DKIM (network-security, № 330): An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
- DMARC (network-security, № 333): An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM and aligned domain checks.
- Email Spoofing (attacks, № 375): Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.