What is Greylisting?
Greylisting is a spam-filtering technique that temporarily rejects email from unknown senders, forcing legitimate mail servers to retry delivery while filtering out spammers that do not retry.
Greylisting is an anti-spam method used by mail transfer agents (MTAs) to defer incoming email whose sender-recipient-IP triple (the envelope sender, the recipient, and the sending server's IP address) has not been seen before. When a message arrives from an unknown combination, the receiving MTA returns a temporary failure response (typically a 4xx SMTP code, such as "450 4.7.1 Greylisted, try again later"). The sending server is expected to queue the message and retry delivery after a delay, usually a few minutes to a few hours.
Legitimate mail servers, following the SMTP specification (RFC 5321), will retry delivery automatically. Many bulk spammers, however, use lightweight scripts that send and forget, never retrying a failed attempt. By deferring on the first attempt, greylisting stops a significant portion of low-effort spam without needing to inspect message content. Once a triple has been seen and successfully delivered after retry, the receiving MTA adds it to a whitelist, allowing future messages from that sender to that recipient from that IP to pass immediately.
Greylisting is often deployed as a first-layer filter before more resource-intensive checks like content scanning or DNS-based blackhole lists. It works well against volume-based spam, but the trade-off is that it can delay delivery. Administrators typically set a retry window (for example, 300 seconds) and a whitelist expiration (for example, 30 days). The technique does not require constant updates like signature-based filters and places minimal computational load on the receiving server.
Key facts
- Relies on SMTP 4xx temporary failure codes to defer first-time deliveries.
- Legitimate mail servers retry automatically; many spammers do not.
- Whitelists known sender-recipient-IP triples after successful retry.
- Causes short delivery delays, typically a few minutes to hours.
- Minimal CPU and network overhead compared to content-based filters.
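The decision an MTA makes for each delivery attempt can be written down in a few lines. The following is an added example, not code from this page or from any particular MTA; it uses the 300-second retry window and 30-day whitelist expiration mentioned above. The names Greylist, check and demo, the PENDING_TTL value, the accept reply text, the refresh-on-use behaviour and the sample addresses are assumptions made for illustration.

```python
import time

RETRY_WINDOW = 300            # seconds before a retry is accepted (page's example value)
WHITELIST_TTL = 30 * 86400    # whitelist expiration in seconds (page's example value)
PENDING_TTL = 4 * 3600        # assumption: forget triples that never retried after 4 hours
DEFER = "450 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.0.0 OK"       # assumption: reply text used here for an accepted attempt


class Greylist:
    """In-memory greylist keyed on the (client IP, sender, recipient) triple."""
    def __init__(self):
        self.pending = {}      # triple -> time of the first deferred attempt
        self.whitelist = {}    # triple -> time at which the whitelist entry expires

    def check(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply for one delivery attempt."""
        now = time.time() if now is None else now
        triple = (client_ip, sender, recipient)
        expiry = self.whitelist.get(triple)
        if expiry is not None and now < expiry:
            self.whitelist[triple] = now + WHITELIST_TTL   # assumption: refresh on use
            return ACCEPT
        self.whitelist.pop(triple, None)                   # drop an expired entry, if any
        first_seen = self.pending.get(triple)
        if first_seen is None or now - first_seen > PENDING_TTL:
            self.pending[triple] = now     # first attempt, or a stale record: start over
            return DEFER
        if now - first_seen < RETRY_WINDOW:
            return DEFER                   # retried too soon; the original timestamp stays
        del self.pending[triple]           # a proper retry: promote the triple
        self.whitelist[triple] = now + WHITELIST_TTL
        return ACCEPT


def demo():
    """Replay a constructed sequence of attempts (times in seconds)."""
    g = Greylist()
    t = ("192.0.2.10", "alice@example.org", "bob@example.net")  # constructed sample
    return [
        g.check(*t, now=0),      # unknown triple: deferred
        g.check(*t, now=60),     # retry inside the window: still deferred
        g.check(*t, now=400),    # retry after 300 s: accepted and whitelisted
        g.check(*t, now=500),    # later mail on the same triple: accepted at once
        g.check("198.51.100.7", t[1], t[2], now=500),  # same sender, new IP: deferred
    ]
```

The last case in demo() shows why senders that retry from a pool of different IP addresses can see longer delays: each new IP forms a new triple and starts its own retry window.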