Greylist­ing is a reliable technique for reducing spam emails. It functions directly on the recipient’s mail server and requires no con­fig­u­ra­tion from either the sender or the recipient.

Where is greylist­ing used?

In contrast to con­ven­tion­al spam filters, greylist­ing is aimed at blocking the delivery of clear-cut spam. Since it works through a straight­for­ward mechanism, it is resource-efficient and fits seam­less­ly into modern security models such as Zero Trust or Defense in Depth. Greylist­ing is mainly used to stop the il­le­git­i­mate mass dis­tri­b­u­tion of spam emails. This type of spam, known as Un­so­licit­ed Bulk Email (UBE), refers to non-per­son­al­ized messages sent in large volumes, often using lists of purchased or stolen email addresses.

These campaigns typically originate from com­pro­mised computers that form part of remote-con­trolled botnets, which are then exploited to send spam in bulk. Spoofed sender addresses are also commonly used in these spam waves to disguise the true source.

Greylisting is not suitable for tackling Unsolicited Commercial Email (UCE). This type of spam often consists of individually sent, personalized messages from seemingly legitimate businesses or individuals. To counter UCE, content-based filters and blacklisting are used instead.


How does greylist­ing work?

The idea of greylist­ing is based on sorting out potential spam emails during the delivery process. Let’s take a look at how the email sending process works.

Email trans­mis­sion sim­pli­fied

To send an email, the Simple Mail Transfer Protocol (SMTP) is used. Es­sen­tial­ly, an email sent over the internet follows this path:

  1. The sender writes an email using their Mail User Agent (MUA). This can be a locally installed mail program or a webmail interface.

  2. To send the email, the Mail User Agent es­tab­lish­es an SMTP con­nec­tion to the sender’s Mail Transfer Agent (MTA). This is software on the SMTP server that receives and forwards emails.

  3. The sender’s Mail Transfer Agent forwards the email to the recipient’s Mail Transfer Agent. If this agent accepts the email, it is deposited in the recipient’s inbox.

  4. When the recipient syn­chro­nizes their local inbox via IMAP or POP3, the email appears as a new message.

When greylist­ing in­ter­venes

Greylist­ing takes effect during the third step of email delivery — when the recipient’s Mail Transfer Agent (MTA) receives the message. At this stage, the receiving MTA already knows three key pieces of in­for­ma­tion before accepting the full email:

  • The IP address of the sending mail server
  • The sender’s email address, obtained via the SMTP MAIL FROM command
  • The recipient’s email address(es), obtained via the SMTP RCPT TO command

Because these details are trans­mit­ted before the message body itself, they are referred to as envelope data. The Mail Transfer Agent logs the envelope data of each incoming email in a list known as the greylist. Here’s an example of a greylist entry:

| IP Address | Sender | Recipient |
| --- | --- | --- |
| 192.0.2.3 | anne@example.com | fred@example.net |

First and second delivery attempt

If a com­bi­na­tion of envelope data appears for the first time, the Mail Transfer Agent (MTA) initially rejects the email. It returns a fault code in­di­cat­ing a temporary technical issue. The sending MTA is then prompted to retry delivery after a specified waiting period.

A le­git­i­mate, standards-compliant Mail Transfer Agent will follow this request and attempt to resend the email later. During the second delivery attempt, the envelope data is already stored in the greylist, allowing the message to be accepted and delivered.

By contrast, il­le­git­i­mate MTAs used by spammers typically don’t retry. This is where the strength of greylist­ing lies: because no second attempt is made, the spam email is never delivered. The recipient remains unaware of this process, making greylist­ing a discreet and highly effective method of filtering out unwanted messages.

The greylist­ing process in detail

Image: How greylisting works
Greylist­ing works through multiple com­mu­ni­ca­tion steps between the sender and receiver.

(a) The Mail User Agent (MUA) hands over an email to the sender’s mail server (P).

(b) The sender’s mail server (P) forwards the email to the recipient’s mail server (Q). At this stage, server Q checks the email’s envelope data: the IP address of the sending server and the as­so­ci­at­ed email addresses. If this com­bi­na­tion is un­fa­mil­iar, server Q tem­porar­i­ly rejects the email with a technical error and records the envelope data in a table. The message is now “greylist­ed.”

(c) If the email is le­git­i­mate, the sender’s mail server (P) retries delivery after a short delay. Since the envelope data is now rec­og­nized, the recipient’s server (Q) accepts and delivers the message. Op­tion­al­ly, the envelope data may be added to the whitelist to ensure future emails with the same data are delivered without delay.

(d) If the email is il­le­git­i­mate, the sending system usually does not attempt re­de­liv­ery. In this case, greylist­ing succeeds as a spam pro­tec­tion method, and the fraud­u­lent email is never delivered.

Greylist­ing as part of com­pre­hen­sive spam pro­tec­tion

Greylist­ing is often used in com­bi­na­tion with other anti-spam tech­nolo­gies. Mech­a­nisms such as the Sender Policy Framework (SPF), Do­mainKeys Iden­ti­fied Mail (DKIM), and Domain-based Message Au­then­ti­ca­tion, Reporting, and Con­for­mance (DMARC) help secure email traffic and protect against common forms of abuse.

Com­bi­na­tion of greylist­ing and other methods

Greylist­ing works par­tic­u­lar­ly well in con­junc­tion with related tech­niques like whitelist­ing and black­list­ing. Let’s take a look at an example of the timeline of delivery attempts on the receiving mail server:

Image: Greylisting example with whitelist and blacklist
Example with greylist, blacklist, and whitelist.

e1 An email from a sender not yet listed on the greylist (“Listed? No.”) arrives. The Mail Transfer Agent (MTA) rejects the email with a temporary error and logs the envelope data in the greylist.

e2 Later, another email from the same sender to the same recipient arrives. Since the envelope data is now in the greylist, the message is delivered. The envelope data is also added to the whitelist.

e3 After the last cor­re­spon­dence between Anne and Fred, the IP address of Anne’s SMTP server changes from 192.0.2.3 to 192.0.2.34. Because this is a new com­bi­na­tion, Anne is treated as an unknown sender and placed on the greylist.

e4 Anne writes to Fred again, this time via the original SMTP server 192.0.2.3. Since this envelope data already exists in the whitelist, the email is delivered im­me­di­ate­ly without delay.

e5 A delivery attempt is made from server 192.0.2.66. As this server is flagged as malicious in the blacklist, the email is rejected outright. This suggests that the sender address anne@example.com was spoofed.
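The decision logic behind the greylisting process and the e1 to e5 timeline above, as an added Python example (not code from the original page or from any mail server). The SMTP reply codes (451 for the temporary error, 554 for the outright rejection), the 300-second waiting period, the expiry time for pending entries, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300       # assumed waiting period (seconds) before a retry is accepted
GREY_TTL = 4 * 3600   # assumed lifetime of a pending entry that is never retried

@dataclass
class Greylister:
    blacklist: set = field(default_factory=set)   # sending IPs flagged as malicious
    whitelist: set = field(default_factory=set)   # triplets that already passed
    greylist: dict = field(default_factory=dict)  # triplet -> time first seen

    def check(self, ip, mail_from, rcpt_to, now):
        """Return (SMTP reply code, reason) from envelope data alone."""
        if ip in self.blacklist:
            return 554, "blacklisted"              # permanent rejection
        triplet = (ip, mail_from, rcpt_to)
        if triplet in self.whitelist:
            return 250, "whitelisted"              # delivered without delay
        first_seen = self.greylist.get(triplet)
        if first_seen is None or now - first_seen > GREY_TTL:
            self.greylist[triplet] = now           # first sighting (or expired entry)
            return 451, "greylisted"               # temporary error: try again later
        if now - first_seen < MIN_DELAY:
            return 451, "retried too soon"
        del self.greylist[triplet]                 # genuine retry: promote the triplet
        self.whitelist.add(triplet)
        return 250, "accepted on retry"

def replay_timeline():
    """Replay e1..e5 with constructed timestamps; returns the reply codes."""
    g = Greylister(blacklist={"192.0.2.66"})
    anne, fred = "anne@example.com", "fred@example.net"
    events = [(0, "192.0.2.3"),      # e1: unknown triplet
              (900, "192.0.2.3"),    # e2: retry after the waiting period
              (5000, "192.0.2.34"),  # e3: same sender, new server IP
              (5100, "192.0.2.3"),   # e4: original server, whitelisted
              (5200, "192.0.2.66")]  # e5: blacklisted server
    return [g.check(ip, anne, fred, t)[0] for t, ip in events]

if __name__ == "__main__":
    print(replay_timeline())
```

A sender that never retries leaves its triplet in `greylist` until it expires, so nothing from it is ever accepted.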

What are the ad­van­tages and dis­ad­van­tages of greylist­ing?

| Advantage | Disadvantage |
| --- | --- |
| ✓ No configuration required by the user | ✗ Users may not be aware that greylisting is active |
| ✓ Normally does not lead to loss of emails | ✗ In rare cases, legitimate emails may be lost |
| ✓ Delay in acceptance can help blacklist malicious senders | ✗ Delay may cause users to question the functionality of the mail server: “Sometimes emails don’t arrive.” |
| ✓ Delay can protect against new, not yet identified malware | ✗ May be too slow for time-sensitive emails such as password reset links |
| ✓ Resource-efficient compared to most spam filters | |
| ✓ Highly effective technique, providing major relief for mail servers worldwide | |

What are the potential problems with greylist­ing?

Although greylist­ing offers clear ad­van­tages, the technique also comes with certain drawbacks:

  • De­pen­dence on a stable IP address: If the sending SMTP server’s IP address changes, the recipient’s server treats the email as unknown and places it on the greylist.
  • Possible delivery failures due to con­fig­u­ra­tion issues: If the sender’s Mail Transfer Agent does not follow the request to retry delivery, the message will never be delivered.
  • Potential to be bypassed with enough resources: In theory, spammers could resend emails multiple times to cir­cum­vent greylist­ing. However, the effort required is currently so high that it’s rarely attempted.
  • Delays can disrupt time-sensitive messages: Emails such as password reset links or login codes may expire if they are delayed by greylist­ing. By the time the resend occurs, the content may no longer be valid.
  • Limited trans­paren­cy in cloud-based solutions: In many modern cloud email services, greylist­ing is in­te­grat­ed by default, without direct access for ad­min­is­tra­tors or users. This can lead to un­ex­plained delivery delays.