554 5.7.1 Client Host Blocked Using Spamhaus

What’s actually happening

Connections to many different recipient domains get rejected at the SMTP handshake or RCPT stage with 554 5.7.1 naming a Spamhaus zone. The bounce text usually includes a lookup URL with your own IP in it. Because Spamhaus feeds a huge number of mail servers, a single listing can block most of your outbound traffic at once. A subset of self-hosted senders also see an 'Error: open resolver' variant, which is a configuration problem on the receiver side, not an actual spam listing.

Common causes

• Your IP sent spam or was detected emitting it — the SBL or CSS list flags IPs with poor sending behavior.
• A machine behind the IP is infected and part of a botnet, landing you on the XBL exploit list.
• You are sending mail directly from a residential or dynamic IP range that Spamhaus lists on the PBL by policy.
• A shared hosting or cloud IP got listed because of another customer's spam, and the listing covers the whole netblock.
• DNS misconfiguration on the receiving side ('open resolver' / 'no IP queries') returns a false 554 — your IP is not actually listed.

How to fix it

1. Look up the exact listing and reasonGo to https://check.spamhaus.org and enter the sending IP from the NDR. It tells you which zone (SBL, CSS, XBL, PBL) listed you and why. The zone dictates the fix — PBL means 'do not send direct, relay through your provider'; XBL means 'you are infected, clean the host'; CSS/SBL mean 'your sending behavior is bad.'
2. Fix the underlying problemFor XBL, find and remove the malware or compromised account behind the IP. For SBL/CSS, stop the spam source — a hacked CMS, an open form, a hijacked mailbox, a bad mailing list. Tighten authentication (SPF/DKIM/DMARC) and disable open relay. Delisting without fixing the cause gets you relisted within hours.
3. Request removal at the Spamhaus removal centerOnce clean, go to https://check.spamhaus.org, look up the IP, and follow the Remove link to the removal form. Only the IP owner can delist. PBL self-removal is usually instant; SBL/CSS may require explaining what you fixed.
4. If it is a shared or netblock listing, escalate to the ownerIf the listing covers a range you do not control (cloud provider, shared host), you cannot self-delist. Open a ticket with your hosting provider and have them work with Spamhaus, or move to a dedicated IP with clean history.
5. Rule out the open-resolver false positiveIf the bounce says 'Error: open resolver' or 'no IP queries permitted', your IP is not listed — the receiving mail server is querying Spamhaus through a public DNS resolver that Spamhaus rate-limits. That is the recipient's problem to fix by using a local resolver or a Spamhaus Data Query Service key.