Greylisting: Is It a Good Idea?
Greylisting is based on the idea that if the recipient server rejects an email with a "soft" rejection, only a legitimate sender will attempt to resend the email later. This whole scheme is based on the belief that spammers are not smart enough to reconfigure their software to resend a spam later after a "soft" rejection. Unfortunately for this anti-spam method, most spammers aren't that stupid, and while some spam may be rejected from spammers who haven't adapted yet, frequently good emails are also greylisted and rejected. If the greylisting in the recipient server is slightly mis-configured, the sending server may never retry, even if it is a legitimate server.
Good emails that are greylisted, i.e., rejected with the expectation they will be resent, are not always resent. They are sometimes returned to the sender for any number of reasons without ever being delivered to the intended recipient. Often times, servers may be configured to refer "soft" errors back to the sender, rather that automatically resend. So, while the email is not technically "lost," it may be practically lost in the case that the sender, or the sending server decides not to resend it. Potential new clients often assume that the vendor's site is broken, or that the vendor has no interest.
At best, under normal conditions, the email will be delayed by an amount of time configured into the sending server, and that might be anything from a few minutes to a full day.
Here are some posts by users who have experienced problems with greylisting:
"In my experience, greylisting does not offer enough benefit to justify the drawbacks. While I had greylisting set up on my server, it was annoying enough to have every (new) incoming email delayed. I also know for certain that some incoming email was getting lost.
Spammers were persistent enough (and I think even back then they were starting to automatically do retries) that their spam got through anyway. I turned greylisting off years ago and haven't looked back." [Greg Hewgill]
"I found grey listing as implemented in SmarterMail to block more legitimate email (I assume, senders giving up after being denied) than I was comfortable with. It was especially annoying when doing things like attempting to reset a password, etc. I turn it off on all my domains, which are more or less low-traffic, but still attacked by spammers." [jmsmcfrlnd]
"For example, if your organization mostly has internal mails and mails with a few longstanding business partners, the impact will be negligible [but] if you frequently exchange mail with new customers, it might well be painful. One situation in particular could be a problem: If you talk to someone on the phone and want to exchange documents relevant to the discussion via email (something I regularly do in support-type telephone calls), even a delay of a few minutes can be unacceptable." [sleske]
"Most of the emails I receive are to my basic, use every day email, which is my first name, followed by my domain. Most mail sent is from a brand new potential client, who was referred by another individual who gave them my 'every day' email address. If I never received a message which was not resent, and lost as a result of greylisting, I would never 'hear' from them, and therefore never know if I missed that email, and potential sale. They would assume that I had no interest in them, and just trashed their email. That would be a sale lost to competition."
"On a separate note, I sent a slew of test message through from my ISP's provided email to my [name hidden] email, and it took overnight to be received. I can see maybe a few hours of delay, but overnight, or 16+ hours? I understand that email is not an "instant" communication method, however sometimes time is of the essence. If I am expecting an email from somebody for the first time, why should I need to wait hours, if not days, to receive it. My business revolves around quick turnaround, and speedy service. I guess the answer from [name hidden] would be, "If you know you are expecting an email, then we would suggest whitelisting that individual's email address." How unprofessional. I would have to call them on the phone (long distance 90% of the time) and have them give me their email address so that I may whitelist it to receive a single email. [progravix]
Czar Mail note: While a new client was signing up for Dish TV, the client asked the rep, "from what email would I be receiving Dish emails?" The rep didn't know, and went to ask someone. Two email domains were given, and in the end, it turned out both were wrong. Sometimes the sender doesn't even know where the emails will come from in his company. Czar Mail keeps a list of rejected emails, in case you need to know.
"I'm using postfix and gld here, and have been for over a year. Today I set up my girlfriend with an account and we arranged for webforwarding from her yahoo and gmail accounts. It's been going for a couple of hours, and so far no emails sent from yahoo or gmail have got through. The reason, I've discovered, is that yahoo and google resend as instructed via the RFC but change the IP of their sender through (I assume) a class C network. This is essentially rejecting all email so far today. ... I'm now wondering if I get all emails from google or yahoo. Looking through the lists of email/IPs that haven't made it through the greylist reveals six thousand yahoo addresses that didn't make it through. That's of a total of 17000 records. Previously I'd have assumed it was spam, but now I'm not sure. This is also exacerbated by the greylisting only checking against a triplet of sender IP AND sender email AND sender address." [TinheadNed]
How does Czar Mail do it?
Czar Mail doesn't greylist. As poster Greg Hewgill said, "greylisting does not offer enough benefit to justify the drawbacks." In order to get around greylisting, spammers simply configure their email to retry rejected deliveries.
The real solution to spam is membership email.