Spamhaus DNSBL Rejections and Spamhaus DQS (Data Query Service) Support in Kerio Connect

Overview

Starting in early 2025, Spamhaus began enforcing their fair-use policy by blocking DNS-based blacklist (DNSBL) queries originating from certain hosting providers, including Hetzner. Servers hosted on these providers can no longer query the public Spamhaus zones (e.g., zen.spamhaus.org) via standard DNS lookups.

As a result, Kerio Connect's spam filtering may fail to identify spam correctly, and in some cases legitimate email may be flagged or rejected based on stale or incorrect blacklist data.

This is not a defect in Kerio Connect. The change is due to Spamhaus's updated access policy. Spamhaus's recommended solution is to use their Data Query Service (DQS), which requires a registered authentication key and queries a different hostname (<key>.zen.spamhaus.org or <key>.zen.dq.spamhaus.net).

Symptoms

  • Legitimate messages are rejected with a reason citing the Spamhaus SBL, XBL, or Zen blacklists
  • Spam filtering no longer functions as expected on servers hosted by Hetzner or similar providers
  • Spamhaus lookups time out or return no results in Kerio Connect logs
  • The issue began around early 2025 without any changes to the Kerio Connect configuration

Root Cause

Spamhaus publishes their blocklists through two access methods:

  1. Public DNS (free, fair-use) — queries go to zen.spamhaus.org directly. Spamhaus is now blocking queries from hosting providers that historically generated excessive lookup volumes.
  2. Data Query Service (DQS) — a registered service that routes queries through a personal authentication key (e.g., <your-key>.zen.spamhaus.org). This method is not blocked and supports additional datasets.

Kerio Connect's built-in DNSBL integration is designed around the public access method. It does not currently have native support for DQS-style authenticated queries.
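The following Python script is an added example, not code from the article, from Spamhaus, or from Kerio Connect. It shows what the two access methods above look like at the DNS level: how a DNSBL query name is built from an IP address for the public zone and for the DQS form of the hostname given in the article, and how the A-record answer is turned into a verdict. The error addresses (127.255.255.252, 127.255.255.254, 127.255.255.255) and the listing addresses are the ones Spamhaus documents for the Zen zone; 127.0.0.2 is the standard DNSBL test address. The key EXAMPLEKEY, the addresses 192.0.2.10 and 198.51.100.7, and the answers in SAMPLE_ANSWERS are constructed so the logic runs offline. The zone is a parameter, so the same helper works for the alternative DNSBLs mentioned later in this article.

```python
"""Build DNSBL query names and decode Spamhaus Zen answers.

Added example (not part of the article or of Kerio Connect). Running
lookup() without an injected resolver performs a real DNS query from the
host it runs on, which is an out-of-band check of whether the public zone
answers from your provider; it is not a Kerio Connect configuration change.
"""
import ipaddress
import socket

PUBLIC_ZONE = "zen.spamhaus.org"
# DQS hostname form as given in the article; the key itself is a placeholder.
DQS_ZONE_TEMPLATE = "{key}.zen.dq.spamhaus.net"
TEST_ADDRESS = "127.0.0.2"  # standard DNSBL test address: always listed

# Answer addresses Spamhaus documents for the Zen zone.
LISTING_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS (snowshoe/compromised senders)",
    "127.0.0.4": "XBL (exploited or compromised host)",
    "127.0.0.5": "XBL (exploited or compromised host)",
    "127.0.0.6": "XBL (exploited or compromised host)",
    "127.0.0.7": "XBL (exploited or compromised host)",
    "127.0.0.10": "PBL (end-user/dynamic address space)",
    "127.0.0.11": "PBL (end-user/dynamic address space)",
}
# Error addresses: the query was refused rather than answered.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver and was refused",
    "127.255.255.255": "query volume exceeded fair-use limits (host or provider blocked)",
}


def query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone.

    192.0.2.10 in zen.spamhaus.org becomes 10.2.0.192.zen.spamhaus.org.
    """
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this helper handles IPv4 addresses only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dqs_zone(key: str) -> str:
    """Zone name for an authenticated DQS query with the given key."""
    return DQS_ZONE_TEMPLATE.format(key=key)


def classify(answers):
    """Turn the list of answer addresses into a verdict dictionary."""
    if not answers:
        return {"status": "not_listed", "details": []}
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        return {"status": "error", "details": errors}
    return {"status": "listed",
            "details": [LISTING_CODES.get(a, f"unknown code {a}") for a in answers]}


def _system_resolve(name):
    """Resolve with the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise


def lookup(ip, zone, resolve=_system_resolve):
    """Query `ip` against `zone` and classify the answer.

    `resolve` maps a DNS name to a list of A-record strings; it is
    injectable so the logic can be exercised with constructed data.
    """
    return classify(resolve(query_name(ip, zone)))


def zone_usable(zone, resolve=_system_resolve):
    """True when the zone answers a test-address query with a real listing.

    A blocked host sees an error code (or nothing) instead of a listing.
    """
    return lookup(TEST_ADDRESS, zone, resolve)["status"] == "listed"


# Constructed answers mirroring the situation the article describes: from a
# blocked provider the public zone returns the "excessive queries" code,
# while the same addresses queried through DQS get real answers.
DQS = dqs_zone("EXAMPLEKEY")
SAMPLE_ANSWERS = {
    query_name(TEST_ADDRESS, PUBLIC_ZONE): ["127.255.255.255"],
    query_name("192.0.2.10", PUBLIC_ZONE): ["127.255.255.255"],
    query_name(TEST_ADDRESS, DQS): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    query_name("192.0.2.10", DQS): ["127.0.0.4"],
    query_name("198.51.100.7", DQS): [],
}


def fake_resolve(name):
    """Offline stand-in for the system resolver using SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name, [])


def demo():
    """Run the constructed scenario and return the verdicts by (ip, zone)."""
    checks = [("192.0.2.10", PUBLIC_ZONE), ("192.0.2.10", DQS), ("198.51.100.7", DQS)]
    return {(ip, zone): lookup(ip, zone, fake_resolve) for ip, zone in checks}


if __name__ == "__main__":
    print("public zone usable:", zone_usable(PUBLIC_ZONE, fake_resolve))
    print("DQS zone usable:   ", zone_usable(DQS, fake_resolve))
    for key, verdict in demo().items():
        print(key, "->", verdict["status"], verdict["details"])
```

The practical point is the distinction between an empty answer (NXDOMAIN, the sender is simply not listed) and a 127.255.255.x answer (the query was refused). A filter that treats a refusal as "no result" silently loses its Spamhaus coverage, which is the symptom this article describes; treating the refusal as a listing would reject legitimate mail instead.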

Current Status

This limitation has been escalated to the GFI - Kerio Connect product team as a feature enhancement request. The development team is evaluating adding native DQS support to Kerio Connect so that administrators can supply a DQS authentication key in the mail server configuration.

Until DQS support is added to the product, the options below may help mitigate the impact.

Workarounds

Option 1: Verify and Correct Spamhaus Scoring

If Spamhaus rules are configured with a score of 0, they will have no effect on spam filtering even when lookups succeed. Verify and correct the scoring:

  1. In Kerio Connect, go to Configuration → Content Filter → Spam Filter
  2. Locate the Spamhaus-related scoring entries
  3. Ensure the score is set to at least 2.5 (as recommended by Spamhaus documentation)
  4. The default tagging threshold is typically 5 and blocking threshold is 9.5 — adjust these in line with your organization's tolerance

Option 2: Use an Alternative DNSBL Provider

Consider supplementing or replacing Spamhaus with an alternative DNSBL service that does not restrict queries from hosting providers. Common alternatives include:

  • Barracuda Reputation Block List (BRBL)
  • Spamcop (bl.spamcop.net)
  • SORBS (dnsbl.sorbs.net)

These can be added in Configuration → Content Filter → Spam Filter → Blacklists. Consult each provider's documentation for their query hostnames and acceptable use terms.

Additional Information

For background on Spamhaus's fair-use policy change for Hetzner-hosted servers, see Spamhaus's own explanation: Why can't Hetzner users query the public blocklists?

For details on migrating to DQS, refer to the Spamhaus DQS migration guide: Migrating to DQS

This article will be updated when native DQS support is added to GFI - Kerio Connect.

FAQ

Q1: Is this a bug in Kerio Connect?
A1: No. This is the result of a policy change by Spamhaus, not a defect in Kerio Connect. The product functions correctly, but the public Spamhaus service is no longer accessible from certain hosting providers. A feature enhancement to support DQS natively has been submitted to the product team.

Q2: Will moving my server to a different hosting provider fix the problem?
A2: Possibly. The issue is specific to providers that Spamhaus has blocked from their public DNSBL service. Moving to a provider not affected by these restrictions would restore public DNSBL functionality. However, the DQS approach is a more reliable long-term solution regardless of provider.

Q3: Can I manually configure Kerio Connect to use the DQS hostname as a workaround?
A3: No. This approach was investigated and confirmed not to work. Kerio Connect's spam filter cannot authenticate DQS queries by simply substituting the hostname in the blacklist configuration — the product requires a code-level update to properly support the DQS authentication mechanism. This update has been requested from the product team.

Posted by Ciprian Nastase