Greylisting Used to Work.
What Happened?

For years, greylisting was one of the best tools a mail admin had. Then MFA became standard, email got time-sensitive, and spammers learned to retry.

The idea behind greylisting was simple and brilliant: temporarily reject every email from an unknown sender, then wait for the retry. Legitimate mail servers will retry several times after a delay. Spam bots, built for volume over reliability, usually didn't bother. For a while, it worked remarkably well. Greylisting could block the majority of spam without any content analysis at all.

But the email landscape changed in ways that made greylisting a liability.

MFA Codes Can't Wait

Multi-factor authentication is everywhere now. When a user triggers an MFA code, they need it in seconds, not minutes. Greylisting delays that delivery by design. A five-minute greylist window means a five-minute wait for a code that might expire in ten. Users get locked out. Helpdesk tickets pile up. Administrators end up whitelisting the very senders greylisting was supposed to evaluate.

Time-Sensitive Email Is the Norm

It's not just MFA. Password resets, order confirmations, shipping updates, appointment reminders, verification links with short expiration windows. A growing share of legitimate email is time-sensitive. Greylisting treats all unknown senders the same, which means transactional emails from new services get delayed right when the recipient is actively waiting for them.

Spammers Learned to Retry

The original effectiveness of greylisting depended on spammers not bothering to retry. That assumption no longer holds. Modern spam infrastructure uses legitimate-looking mail servers that handle retries properly. Botnets have evolved to mimic standard SMTP behavior. The technique that once separated spam bots from real servers no longer draws a reliable line.

Large Providers Rotate IPs

Major email providers like Google, Microsoft, and Amazon send from large pools of IP addresses. A greylisted message might be retried from a different IP entirely, which the greylist sees as a new unknown sender. The retry never matches the original, and the delay extends further or the message gets lost in the loop.

What Replaces Greylisting?

The gap greylisting leaves behind can't be filled by another single technique. It needs to be replaced by classification that's fast enough to not delay delivery and smart enough to catch what greylisting used to catch.

SpamFoo analyzes important signals in email and makes classification decisions locally on your mail server, with no delay and no reliance on retry behavior. Emails are classified as they arrive, including the sender reputation analysis that greylisting was trying to approximate with its wait-and-see approach.

When a new sender shows up, SpamFoo doesn't stall the message. It evaluates the sender's domain age, authentication records, IP reputation, content patterns, and many other email signals in real time. Legitimate senders get through immediately, and spam gets caught without making anyone wait.

Learn More About SpamFoo

Ready to move past greylisting?

SpamFoo is coming soon. Get notified when it's ready.