If you're a sysadmin running a shared or VPS hosting environment on cPanel/WHM, few emergencies are as stressful as discovering your cPanel/WHM mail server IP is blacklisted. Bounce messages start piling up, clients call in a panic, and business-critical email fails for every account on the server. This guide gives you a complete, step-by-step process to diagnose the listing, kill the spam source in Exim, fix your authentication records, submit delisting requests to Spamhaus, Barracuda, and SORBS, and lock down your server so it never happens again.
How to Confirm Your cPanel Server IP Is Blacklisted (MXToolbox + WHM Tools)
Before you do anything else, confirm the listing and identify which blacklists you're on — they each have different delisting procedures.
Use MXToolbox
Go to mxtoolbox.com/blacklists.aspx and enter your server's sending IP address (not your domain name). MXToolbox checks against 100+ DNSBLs simultaneously and highlights any active listings in red. Note every list you're on — prioritise Spamhaus (SBL/XBL/PBL), Barracuda BRBL, and SpamCop.
The SMTP rejection message in the bounce usually names the blacklist explicitly:
550 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using
zen.spamhaus.org; https://www.spamhaus.org/query/ip/203.0.113.45
This tells you exactly which list to target first.
Use WHM's Email Delivery Tools
Navigate to WHM > Email > Email Delivery Report. Set the time range to the last 24–48 hours and sort by "Failed". This shows which domains and accounts are generating the most bounce traffic and which remote MX servers are rejecting your mail.
Use WHM > Email > Track Delivery to trace the path of a specific message and confirm whether the rejection is blacklist-related or a recipient-side policy block.
exim -bpc
A healthy server has fewer than 100 messages queued. Anything over 500 is a red flag. Over 5,000 means you have an active spam source right now.
exim -bp | head -100
Look at the sender addresses. If hundreds of messages share the same From: domain or are all destined for random external addresses (dictionary-attack pattern), that domain is almost certainly the source.
Navigate to WHM > Email > View Relayers. This shows which cPanel accounts have relayed the most mail in the last hour. The top offender is your compromised account.
grep "cwd=" /var/log/exim_mainlog | grep "/home/" | sort | uniq -c | sort -rn | head -20
This command extracts the working directory (cwd) from Exim log lines and counts how many messages each directory has sent. A path like /home/user/public_html/wp-content/uploads/ is a dead giveaway of a compromised upload directory used as a mailer drop.
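The same log lines can be rolled up per cPanel account, which is often easier to act on than a per-directory count. This is an added example, not part of the original guide; the sample log lines, account names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-account rollup of Exim "cwd=" log lines.

# Constructed sample in exim_mainlog format (accounts and paths are made up).
sample_log() {
    cat <<'EOF'
2025-03-01 02:14:07 cwd=/home/alice/public_html/wp-content/uploads/2024 3 args: /usr/sbin/sendmail -t -i
2025-03-01 02:14:08 cwd=/home/alice/public_html/wp-content/uploads/2024 3 args: /usr/sbin/sendmail -t -i
2025-03-01 02:14:09 cwd=/home/alice/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2025-03-01 02:15:30 cwd=/home/bob/public_html 4 args: /usr/sbin/sendmail -t -i -f bob@example.com
2025-03-01 02:16:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF
}

# Print "account total suspect" per cPanel account, busiest first.
# "suspect" counts mail submitted from uploads/ or tmp/ directories.
# Reads the files given as arguments, or stdin when there are none.
cwd_by_account() {
    awk '
    match($0, /cwd=\/home\/[^ ]+/) {
        dir = substr($0, RSTART + 4, RLENGTH - 4)   # strip the "cwd=" prefix
        split(dir, part, "/")                       # "", "home", account, ...
        total[part[3]]++
        if (dir ~ /\/(uploads|tmp)(\/|$)/) suspect[part[3]]++
    }
    END {
        for (acct in total)
            printf "%s %d %d\n", acct, total[acct], suspect[acct] + 0
    }' "$@" | sort -k2,2nr -k1,1
}
```

On a live server, run `cwd_by_account /var/log/exim_mainlog`; an account whose suspect count is close to its total is sending almost entirely from upload or temp directories.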
# Suspend the cPanel account
/scripts/suspendacct username "Suspected spam source — under investigation"
# Flush spam from the queue (careful: this deletes ALL queued messages)
exiqgrep -i | xargs exim -Mrm
If you only want to remove messages from the compromised account rather than the entire queue:
exiqgrep -f 'compromised@domain.com' -i | xargs exim -Mrm
find /home/username/public_html -name "*.php" -newer /home/username/public_html/wp-config.php -ls 2>/dev/null | head -30
Look for recently modified PHP files in uploads/, tmp/, or disguised as image files (image.php, thumb.php). Delete them and change all passwords (cPanel, FTP, database, WordPress admin).
SPF
Navigate to WHM > Email > Authentication. Ensure SPF is enabled for all domains. A typical cPanel server SPF record looks like:
v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all
Use ~all (softfail) rather than +all (pass all). For strict enforcement, switch to -all (hardfail) once you've confirmed all legitimate senders are covered.
DKIM
In WHM > Email > Authentication, confirm DKIM is enabled globally. For individual domains, check via:
dig TXT default._domainkey.yourdomain.com
If no TXT record is returned, regenerate the DKIM key for that domain in cPanel > Email > Email Deliverability. Use a 2048-bit key — 1024-bit keys are considered weak and some MTAs reject mail signed with them.
DMARC
DMARC ties SPF and DKIM together and tells receiving MTAs what to do when either check fails. Add this TXT record to your DNS:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
Start with p=quarantine rather than p=reject until you've monitored DMARC reports for 2–4 weeks and confirmed no legitimate mail is failing.
rDNS / PTR Record
The PTR (reverse DNS) record for your sending IP must resolve to your server's SMTP hostname, and that hostname must resolve back to the same IP (forward-confirmed rDNS, or FCrDNS). Set the PTR record via your hosting provider's control panel or VPS dashboard. Verify:
dig -x YOUR.SERVER.IP
dig +short YOUR.SERVER.HOSTNAME
The two lookups must agree: the first must return your server's hostname, and the second must return YOUR.SERVER.IP. Mismatched rDNS is one of the most common reasons IPs end up on the Spamhaus PBL.
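The two dig lookups can be combined into a single pass/fail FCrDNS check. This is an added example, not part of the original guide; the function names are illustrative, and the two resolver hooks are kept separate so they can be swapped out for testing.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS (FCrDNS) check.

# Resolver hooks. sed drops dig's ";; ..." diagnostic lines on failure.
lookup_ptr() { dig +short -x "$1" | sed '/^;/d'; }
lookup_a()   { dig +short A "$1" | sed '/^;/d'; }

# fcrdns_check IP [EXPECTED_HOSTNAME]
# Succeeds only if a PTR target of IP has an A record equal to IP and,
# when EXPECTED_HOSTNAME is given, that PTR target is that hostname.
fcrdns_check() (
    ip=$1; want=${2%.}
    ptrs=$(lookup_ptr "$ip")
    if [ -z "$ptrs" ]; then echo "FAIL: no PTR record for $ip"; exit 1; fi
    for host in $ptrs; do
        host=${host%.}      # dig prints PTR targets with a trailing dot
        if [ -n "$want" ] && [ "$host" != "$want" ]; then continue; fi
        for addr in $(lookup_a "$host"); do
            if [ "$addr" = "$ip" ]; then
                echo "OK: $ip -> $host -> $addr"; exit 0
            fi
        done
    done
    echo "FAIL: no PTR target of $ip${want:+ matching $want} resolves back to it"
    exit 1
)
```

Call it as `fcrdns_check YOUR.SERVER.IP YOUR.SERVER.HOSTNAME`; passing the hostname also catches a PTR that is forward-confirmed but points at a generic provider name instead of your SMTP hostname.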
Spamhaus
Query zen.spamhaus.org (the combined lookup) at check.spamhaus.org. Each sub-list has a different removal path:
- SBL (Spamhaus Block List) — manually reviewed spam sources. Removal requires fixing the issue and submitting via the SBL removal page. Typically takes 24–72 hours.
- XBL (Exploits Block List) — compromised/infected IPs. Fix the compromised account, then request removal. Usually automated; processes within 1–4 hours.
- PBL (Policy Block List) — dynamic/end-user IPs not meant to send mail directly. If your server IP is listed on PBL, set the PTR record and request removal at spamhaus.org/pbl. Automated removal, typically under an hour.
Removal URL: https://www.spamhaus.org/lookup/
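A ZEN check is a DNS A query for the IP with its octets reversed under zen.spamhaus.org, and the 127.0.0.x answer tells you which sub-list, and therefore which removal path, applies. This is an added example, not part of the original guide; the function names are illustrative and the code mapping follows Spamhaus's published ZEN return codes.

```shell
#!/bin/sh
# Added example: DNSBL query construction and Spamhaus ZEN answer decoding.

# Build the DNSBL query name: IPv4 octets reversed, then the zone.
dnsbl_qname() (
    ip=$1; zone=$2
    case $ip in ''|*[!0-9.]*) echo "invalid IPv4 address: $ip" >&2; exit 1 ;; esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || { echo "invalid IPv4 address: $ip" >&2; exit 1; }
    for o in "$@"; do
        case $o in ''|????*) o=999 ;; esac      # empty or over-long octet
        [ "$o" -le 255 ] || { echo "invalid IPv4 address: $ip" >&2; exit 1; }
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
)

# Map a ZEN answer to the sub-list it represents.
spamhaus_decode() {
    case $1 in
        127.0.0.2|127.0.0.3|127.0.0.9) echo SBL ;;
        127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7) echo XBL ;;
        127.0.0.10|127.0.0.11) echo PBL ;;
        127.255.255.*) echo QUERY-ERROR ;;   # query refused: not a listing
        *) echo UNKNOWN ;;
    esac
}

# Live lookup (needs dig and a resolver Spamhaus answers).
# Returns 0 when nothing comes back, 1 when any answer needs attention.
check_zen() {
    qname=$(dnsbl_qname "$1" zen.spamhaus.org) || return 2
    answers=$(dig +short A "$qname" | sed '/^;/d')
    [ -n "$answers" ] || { echo "$1: not listed on ZEN"; return 0; }
    for a in $answers; do
        echo "$1: $(spamhaus_decode "$a") ($a)"
    done
    return 1
}
```

Run `check_zen` from the mail server itself or through your own resolver: Spamhaus answers queries from large public resolvers with a 127.255.255.x code, which means the query was refused and says nothing about whether the IP is listed.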
Barracuda BRBL
Go to barracudacentral.org/rbl/removal-request. Fill in your mail server IP, your email address, and your phone number. Include a brief explanation of what caused the listing and what you've fixed. Barracuda typically processes requests within 12–24 hours. Note: Barracuda BRBL is widely used by corporate mail gateways — treat this as high priority even if Spamhaus is already clean.
SORBS
SORBS is effectively offline as of 2025–2026. The list is no longer actively maintained and removal requests go unprocessed. It still appears in multi-checkers (like MXToolbox) due to cached data, but very few receiving MTAs actively use SORBS for rejection. Focus your effort on Spamhaus and Barracuda first.
SpamCop
SpamCop listings expire automatically within 24 hours if no new spam reports arrive from your IP. You cannot manually request removal — just ensure the spam has stopped and the listing will clear on its own.
Navigate to WHM > Service Configuration > Exim Configuration Manager > Advanced Editor. In the RATELIMIT section, add per-domain sending limits:
# Limit each domain to 500 outbound messages per hour
ratelimit = 500 / 1h / strict / $sender_address_domain
This prevents a single compromised account from flooding thousands of messages before you notice. Adjust the threshold to match your expected legitimate volume — a typical small business domain rarely sends more than 200 emails per hour.
BoxTrapper
BoxTrapper is a challenge-response filter available in individual cPanel accounts. It stops inbound spam from triggering backscatter, which can itself get your IP listed. Enable it for any account receiving heavy inbound traffic: cPanel > Email > BoxTrapper.
SpamAssassin
Navigate to WHM > Email > Apache SpamAssassin Configuration. Recommended settings:
- Required Score: 5.0 (default) — lower to 4.0 for stricter filtering on shared servers
- Rewrite Subject: Enable, add ***SPAM*** prefix
- Auto-Delete Spam: Enable for scores over 10.0 to prevent inbox flooding
- Scan Outgoing Mail: Enable this — SpamAssassin can flag high-scoring outbound messages before Exim delivers them
Proactive Blacklist Monitoring
Don't wait for client complaints to discover a listing. Use a monitoring service that checks your IP against major DNSBLs daily and emails you on any new listing:
- MXToolbox Monitor (mxtoolbox.com) — free tier checks your IP every 24 hours against 100+ lists
- HetrixTools (hetrixtools.com) — more granular, checks every 30 minutes on paid tiers
- Postmaster Tools (postmaster.google.com) — add your domain to track your Gmail reputation score and spam rate directly with Google
Early detection means you can act before clients notice. A listing caught within an hour causes far less damage than one discovered after 12 hours of bounced mail.
Keep Exim and cPanel Updated
Navigate to WHM > Server Configuration > Update Preferences. Set cPanel/WHM to automatically install minor and security updates. Enable Automatic Daily Updates for Exim. Unpatched Exim versions have historically had remote code execution vulnerabilities (CVE-2019-10149, CVE-2020-28017) that attackers actively exploit to turn mail servers into spam relays.
Conclusion
A blacklisted cPanel/WHM server IP is a serious but fixable problem. The key is speed and order: stop the spam source first (Exim queue + compromised account), then fix your authentication records (SPF, DKIM, DMARC, rDNS), then submit delisting requests — never the other way around. Layer in WHM rate limits, SpamAssassin outbound scanning, and automated monitoring to make sure you're never caught off guard again.
