Using dnschecker among other tools, the IP addresses used by our Cloudflare setup:
104.21.86.25
172.67.214.59
have apparently been blacklisted by spfbl. This client I do work for has experience in the networking side of computers and tells me that this blacklist can prevent people from visiting our website.
I know we have SPF and DKIM records set in place for emails. But I was not aware that any service provider would restrict access to a website due to being on a blacklist. He claims this is very much true although there is basically no public information on how ISPs might restrict access to a website so I can’t really say for sure.
I’ve contacted Cloudflare support to request them to contact spfbl and remove the IP address from their blacklist. I have not gotten a response back and the automated messages keep telling me to just post something here.
Forgot to mention. I saw plenty of posts related to spamhaus which is another DNS blacklist. The general consensus was that “it doesn’t matter” which this client will not accept for an answer.
It’d be the first time I’ve ever heard of it - and probably the same for a lot of people. SPFBL is, as the SPF part of the name implies, for email.
There’s plenty of blacklists that wrongly add the IP address of a website associated with a domain onto a blocklist - especially since they will have never received the email from a Cloudflare IP address since Cloudflare doesn’t have any products that allow you to send emails.
Unless the client has something they can refer you to as an example of a provider actually blocking your website as a result of a blocklist then I don’t see what exactly can be done. Cloudflare’s IP addresses are publicly listed and there’s no guarantee which ones you’ll get, as well as being shared by other customers.
That’s what I originally was thinking and told him as well. He says that ISPs have no problem with sourcing blacklists from all around including Spamhaus, SPFBL, etc. So even if those are databases of email spammers, apparently ISPs also use them to blacklist websites entirely. My thought was that in this day-and-age of reverse proxy and CDN usage, this would be crazy but he reiterated that this happens all the time.
There is basically no information I can provide to him that would prove otherwise. Of course we’re speaking in generalizations across hundreds of ISPs that might all have different procedures. But in general, being on a blacklist vs. not being on one, the prior is definitely more desirable.
Anyone using a spam blacklist like this to block websites is doing everything so profoundly wrong that there’s not going to be much you can do about it. Blacklists like SPFBL routinely list addresses that have no mail service at all, just because they shouldn’t have mail servers on them–like entire address blocks that residential users connect to the internet from, or blocks like, say, Cloudflare’s proxies, that should never be sending email.
It’s not because of Cloudflare and it’s not even because of the blacklist operator. Anyone using a blacklist in that way is so clueless that you probably can’t even communicate to them that they have broken their network, in any way that they will ever understand.
I don’t disagree that using a spam list in such a way would be a terrible idea. However, this client is convinced that it’s a widespread practice. Telling him that “it’s not our fault” is not really a solution for his perceived problem of people not being able to access the site. Has Cloudflare ever officially released a statement on these kinds of situations? It would be so much better if I could point him to an official Cloudflare post where they discuss the ramifications of being on a blacklist and explain why it may not be a big deal.
This client has networking experience with governmental agencies so his experience with spam filters might be one from an ultra security-conscious perspective. Residential ISPs may not really engage in this behavior but it could be a different story with ISPs for government entities. I do not have experience in that area so I can’t say how true that might be.