Blog , 13 Dec 2022

Abusix Mail Intelligence:  Billing demystified

Steve Freegard,

Sr. Product Owner Abusix Intelligence

Abusix Mail Intelligence and Queries

Abusix Mail Intelligence is charged based on usage: the number of queries/lookups made into our service. We chose this approach as this is what we can directly measure from your systems using your API/query key.

How do you know how many queries you will make? 

We’ll explain the process:

You can use Abusix Mail Intelligence to look up many different items: IP addresses, domain names, email addresses, short URLs, drive URLs, cryptocurrency wallet addresses, etc.

These different lookup items will have very different signal-to-noise ratios, e.g., the spread of how many lookups will yield a positive (spam result) versus the total number of lookups made. 

Additionally, some mail systems will only be able to utilize IP lookups because they don’t support the other lookup types.

IP Addresses

IP addresses will have the best signal-to-noise ratio (and the highest overall effectiveness).  

These lookups are done once for each connection made to the email server. So, as a rule of thumb, if you get 10,000 connections to your email server daily, you’ll make more or less 10,000 queries per day for every DNSBL list you query.

Domain Lookups

Domains lookups will have a considerably smaller signal-to-noise ratio because a single email message can contain multiple domains.

You’ll find them, for example, in the email addresses, message headers (e.g., DKIM-Signature, Message-ID, etc.), and in every URL within the message. 

Every message could require lots of lookups. 

The number of these lookups for “bad” domains is much smaller.

However, the overall effectiveness of domain lookups for things like Phishing and Malware remains high, which is why these lookups are worthwhile.

There are also some implementation-specific things:

Most vendors will have a hard limit on the number of domain lookups per message to limit the possibility of someone stuffing the message with thousands of domains to overload it or to try and avoid detection.

The other Lookup Items

The other list types we offer, like email addresses, short and drive URLs, and cryptocurrency wallets, have a signal-to-noise ratio somewhere between IPs and domains, as queries only happen if one of these is detected in a message.

And a simple diagram showing a typical conversation with an email server and where each lookup is done:

DNS Lookups by SMTP State
DNS Lookups by SMTP State

Because many variables are at play, we suggest doing a 14-day trial of Abusix Mail Intelligence to determine how many daily queries you make. 


For very large providers, we also offer per-mailbox pricing instead.

We only do this for bigger accounts that receive our data via rsync because we cannot measure usage in this setup.

Unfortunately, we cannot monitor mailbox counts. This has to be self-reported each year.

So what do we mean by mailbox?

A single mailbox could have multiple email addresses (e.g., aliases). 

These addresses could use different domains, but they all go to the same mailbox, which might be shared with one or more users.

Mailboxes and email addresses
Mailboxes and email addresses
Linkedin Icon Twitter Icon Facebook Icon E-mal Icon
Two computer monitors showing AbuseHQ

What’s next?

Go for a 14-day trial of Abusix Mail Intelligence and determine how many daily queries you make!

Sign up for free here!

Products & Tools



Get in touch

Talk to us

Do you want to remove your IP/domain from one of our blocklists?
Please use our lookup-service and follow the instructions there in order to get that resolved.