What is Greylisting?
Greylisting is a simple, effective anti-spam technique that temporarily rejects email from unknown senders with a temporary failure (4xx SMTP status code), usually 451 4.3.0 Greylisted – try again later.
Most real mail servers (legitimate ones used by Gmail, Microsoft 365, Zoho, your ISP, etc.) will automatically retry sending the email after a short delay (typically 5–30 minutes). When they retry, the email is accepted normally.
Spammers and spam bots, on the other hand, almost never retry — they move on to the next victim immediately. This simple delay eliminates the vast majority of junk email at almost zero cost.
How Greylisting Works (Step-by-Step)
- A remote server tries to deliver an email to your server.
- Your mail server looks at the combination of three pieces of information (the “triplet”):
  - Sender IP address
  - Sender email address (envelope MAIL FROM)
  - Recipient email address (envelope RCPT TO)
- If this exact triplet has never been seen before → return temporary failure (451).
- The legitimate server waits and tries again later → your server remembers the triplet → accepts the email on the second attempt.
- Future emails from the same triplet are accepted immediately (usually forever, or for a configurable period).
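The steps above, worked through as an added, self-contained illustration (this is not the code of Postgrey, Rspamd or any other real greylisting daemon). A triplet table keyed on client IP, MAIL FROM and RCPT TO decides between a 451 deferral and acceptance; the 5-minute delay, the 4-hour window in which a retry must arrive, and the 35-day memory for senders that passed are assumed defaults chosen for the example:

```python
"""Triplet greylisting as described in the step-by-step list.

Added example, not the code of any real greylisting daemon. The delay,
retry window and remember-for period are assumed defaults for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope MAIL FROM, envelope RCPT TO)

# SMTP replies handed back to the connecting server.
DEFER_REPLY = "451 4.3.0 Greylisted - try again later"
ACCEPT_REPLY = "250 2.0.0 OK"


@dataclass
class Entry:
    first_seen: float       # time of the first attempt for this triplet
    last_seen: float        # time of the most recent attempt or delivery
    passed: bool = False    # True once a retry after the delay was accepted


@dataclass
class Greylister:
    delay: float = 300.0                 # new triplets must wait 5 minutes
    retry_window: float = 4 * 3600.0     # unretried triplets are forgotten after 4 h
    remember_for: float = 35 * 86400.0   # passed triplets stay accepted for ~35 days
    table: Dict[Triplet, Entry] = field(default_factory=dict)

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return the SMTP reply for one delivery attempt at time `now` (epoch seconds)."""
        # Lower-case the addresses so "Alice@" and "alice@" do not become two triplets.
        key: Triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        entry = self.table.get(key)

        if entry is not None and entry.passed:
            if now - entry.last_seen <= self.remember_for:
                entry.last_seen = now
                return ACCEPT_REPLY          # known good triplet: accept immediately
            entry = None                     # silent for too long: start over

        if entry is not None and now - entry.first_seen > self.retry_window:
            entry = None                     # first attempt was never followed up in time

        if entry is None:
            # Never seen (or forgotten): record the triplet and ask the sender to retry.
            self.table[key] = Entry(first_seen=now, last_seen=now)
            return DEFER_REPLY

        entry.last_seen = now
        if now - entry.first_seen < self.delay:
            return DEFER_REPLY               # retried too early: keep deferring

        entry.passed = True                  # a real MTA waited and came back
        return ACCEPT_REPLY

    def purge(self, now: float) -> int:
        """Drop stale rows and return how many were removed; run periodically."""
        stale = [
            k for k, e in self.table.items()
            if (e.passed and now - e.last_seen > self.remember_for)
            or (not e.passed and now - e.first_seen > self.retry_window)
        ]
        for k in stale:
            del self.table[k]
        return len(stale)


if __name__ == "__main__":
    # Constructed attempts: a legitimate MTA that retries, and a bot that never does.
    g = Greylister()
    mta = ("203.0.113.5", "alice@example.org", "bob@example.net")
    bot = ("198.51.100.77", "win@spam.example", "bob@example.net")
    print("mta first try :", g.check(*mta, now=0.0))      # deferred
    print("bot first try :", g.check(*bot, now=0.0))      # deferred, never comes back
    print("mta retry 10m :", g.check(*mta, now=600.0))    # accepted
    print("mta next mail :", g.check(*mta, now=900.0))    # accepted at once
    print("purged rows   :", g.purge(now=5 * 3600.0))     # the bot's row ages out
```

The two timers do the real work: a row that is never retried within `retry_window` is dropped, which is what makes fire-and-forget spam disappear, while a row that passed is kept for `remember_for` so a regular correspondent is only ever delayed once.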
Why Greylisting Is So Effective
- Blocks ~90–98% of spam with almost no false positives on legitimate mail.
- Extremely low resource usage compared to content filtering (SpamAssassin, Rspamd, etc.).
- Very hard for spammers to bypass — they would need to implement real retry logic and wait, which destroys their scale and economics.
- Works especially well against dictionary attacks, joe-jobbing, and low-quality botnets.
Real-World Benefits
- Reduces incoming spam dramatically before it even reaches your content filters → less CPU/disk usage for Rspamd, ClamAV, etc.
- Cleaner mailboxes for end-users.
- Very few legitimate senders are affected (only a tiny fraction are delayed by more than 30 minutes).
Common Issues & Complaints (and How to Handle Them)
Greylisting is not perfect — here are the situations users most often complain about, and what to do:
1. Password Reset Emails Are Delayed
This is the most common legitimate complaint.
Many password-reset systems (WHMCS, WordPress, Microsoft, Google, banks, etc.) send the reset email only once and do not retry on temporary failure.
Solutions (choose one or combine):
- Whitelist the sender domain. Most greylisting implementations let you whitelist entire domains or specific IPs. Common domains to whitelist:

```text
no-reply@yourdomain.com
noreply@whmcs.com
no-reply@wordpress.org
*.google.com
*.microsoft.com
*.amazonaws.com
*.sendgrid.net
*.mailgun.org
*.mandrillapp.com
*.sparkpostmail.com
```

- Whitelist by IP (if you know the sending IPs). For example, if your WHMCS is hosted externally, whitelist its outbound SMTP IP.
- Disable greylisting for certain recipients. Create a special mailbox (e.g., reset@yourdomain.com) that bypasses greylisting, and redirect important reset emails there.
- Use a shorter greylisting delay (5–15 minutes instead of 30–60). Many legitimate senders retry within 5–15 minutes.
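The three whitelist options above combined into one pre-check, as an added example (not the configuration syntax of any real greylisting daemon): a delivery attempt skips greylisting when the recipient is a bypass mailbox, when the client IP falls in a trusted network, or when the sender address or its domain matches a pattern. The sender patterns are taken from the list above; the network 198.51.100.0/24 (a documentation range standing in for an externally hosted WHMCS) and the `reset@yourdomain.com` mailbox are constructed values.

```python
"""Whitelist pre-check: decide whether a delivery attempt skips greylisting.

Added example, not the configuration format of any real greylisting daemon.
Sender patterns follow the article; the IP range and bypass mailbox are
constructed placeholders.
"""
import fnmatch
import ipaddress
from typing import Iterable, Tuple

# Sender addresses or domains; "*.example.com" covers the domain and all its subdomains.
WHITELIST_SENDERS = [
    "no-reply@yourdomain.com",
    "noreply@whmcs.com",
    "*.google.com",
    "*.sendgrid.net",
]
# Outbound SMTP networks of trusted senders (constructed: an externally hosted WHMCS).
WHITELIST_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Recipients that are never greylisted, e.g. a mailbox that collects reset links.
BYPASS_RECIPIENTS = {"reset@yourdomain.com"}


def domain_matches(domain: str, pattern: str) -> bool:
    """'*.google.com' matches google.com and every host below it; other patterns are globs."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return fnmatch.fnmatchcase(domain, pattern)


def sender_whitelisted(mail_from: str, patterns: Iterable[str]) -> str:
    """Return the matching pattern, or '' if none matches."""
    addr = mail_from.strip("<>").lower()
    if "@" not in addr:
        return ""  # null sender (bounces) or malformed address: no pattern applies
    domain = addr.rsplit("@", 1)[1]
    for p in patterns:
        if addr == p.lower() or domain_matches(domain, p):
            return p
    return ""


def client_whitelisted(client_ip: str, networks) -> str:
    """Return the matching network as text, or '' if the IP is outside all of them."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return ""  # unparsable address: fall through to greylisting
    for net in networks:
        if ip in net:   # a v6 address is simply not contained in a v4 network
            return str(net)
    return ""


def should_greylist(client_ip: str, mail_from: str, rcpt_to: str) -> Tuple[bool, str]:
    """(True, reason) when greylisting should run; (False, reason) when it is skipped."""
    if rcpt_to.lower() in BYPASS_RECIPIENTS:
        return False, f"recipient {rcpt_to.lower()} bypasses greylisting"
    net = client_whitelisted(client_ip, WHITELIST_NETWORKS)
    if net:
        return False, f"client {client_ip} in whitelisted network {net}"
    pat = sender_whitelisted(mail_from, WHITELIST_SENDERS)
    if pat:
        return False, f"sender matches {pat}"
    return True, "no whitelist match"


if __name__ == "__main__":
    # Constructed attempts showing each rule firing and the default case.
    for attempt in [
        ("203.0.113.9", "bob@mail.google.com", "user@yourdomain.com"),
        ("198.51.100.20", "billing@whmcs.example", "user@yourdomain.com"),
        ("203.0.113.9", "anyone@example.org", "reset@yourdomain.com"),
        ("203.0.113.9", "anyone@example.org", "user@yourdomain.com"),
    ]:
        print(attempt, "->", should_greylist(*attempt))
```

Note that the IP rule is checked before the sender rule: an envelope sender is trivially forged, so a match on MAIL FROM alone is the weakest of the three exemptions, which is why the article suggests whitelisting by IP where the sending hosts are known.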
2. Other Delayed Emails
- Newsletters (Mailchimp, SendGrid, etc.) usually retry and are fine after the first delay.
- Some older corporate mail servers or misconfigured systems may give up → whitelist them if users report issues.
3. Forwarded Email Issues
Forwarders (e.g., catch-all forwarding) can cause double greylisting (sender → forwarder → your server). Solution: Whitelist the forwarder’s IP or disable greylisting on the forwarding account.
Summary
Greylisting is one of the simplest and most effective ways to block 90–98% of spam with almost zero false positives on legitimate mail.
Main drawback: Occasional delay (5–30 minutes) on the first email from a new sender — most noticeable with password resets and some automated notifications.
Best practice:
- Use greylisting + strong SPF/DKIM/DMARC + Rspamd/SpamAssassin
- Whitelist known senders of time-sensitive emails (reset links, alerts, newsletters)
- Educate users: “If you don’t receive a reset email, wait 15–30 minutes and try again.”