To whitelist, or not to whitelist?

One of our customer support reps emailed today, saying that a business partner was getting email bounces (NDRs) when they tried to email us. The exact bounce was:

554 The IP Address of the sender (999.999.999.999) was found in a DNS blacklist database and was therefore refused.

I responded with a brief email explaining what the message meant, and that the company needed to have their tech staff look into why they had been added to a spam blacklist.

The company’s immediate response was to ask if we could just whitelist them.

This presented an interesting quandary. While we’d like to ensure that our partners can reach us, what are the technical implications of whitelisting? It turns out that in our case, whitelisting is harder than it first seems.

Like many companies, we’ve gone to a layered anti-spam solution. Our border firewall does anti-spam. We’ve got a third-party anti-spam application running on the email server. The email service itself does anti-spam. Occasionally, when spam levels peak, we filter all emails through a spamassassin anti-spam daemon. And, of course, each employee’s Outlook has its own anti-spam filters.

To effectively whitelist someone, we’d have to whitelist them in each and every one of those layers. Sure, we could just whitelist them in the layer that is rejecting them today, but that wouldn’t prevent them from being rejected by a different layer tomorrow.

The long-term implications are murky, too. If it’s an IP block that needs to be whitelisted, how long do we whitelist it? Do we really want to commit ourselves to periodic reviews of our whitelists? If we start whitelisting, then haven’t we implicitly agreed to try to troubleshoot problems with the whitelists? How quickly could you find a sticking point among a 5-layer anti-spam solution that is intentionally diverse?

In the end, we realized that it was just too much for us to commit to:

[OUR COMPANY] has decided not to maintain an email white list at this time. [OUR COMPANY] employs a multi-layered anti-spam solution which would require not just one, but several white lists. White listing would also commit [OUR COMPANY] to long-term complications involving future (ab)uses from that email domain or hosting service. If the company does not have the technical resources to research and correct their spam list problems, [OUR COMPANY] recommends that they send email from a well-known third-party service, such as GMail, Hotmail, or Yahoo. [OUR COMPANY] cannot provide technical support for this issue.

We’re not happy about it, but we’re less so about the alternatives. Whitelisting for email was good for a time, but we may have moved beyond it.