diff --git a/lib/server.js b/lib/server.js
index 027e611..95b2885 100755
--- a/lib/server.js
+++ b/lib/server.js
@@ -205,10 +205,14 @@ module.exports = function createServer(config, log) {
       // a blocked ip should just be ignored completely
       // it's malicious, it shouldn't penalize emails or allow
       // (most) escape hatches. just abort!
-      return {
+      const result = {
         block: true,
         retryAfter: ipRecord.retryAfter()
       }
+
+      if (! allowWhitelisted(result, ip, email)) {
+        return result
+      }
     }
 
     var wantsUnblock = req.body.payload && req.body.payload.unblockCode
diff --git a/test/remote/check_tests.js b/test/remote/check_tests.js
index 4566897..07a4ab6 100644
--- a/test/remote/check_tests.js
+++ b/test/remote/check_tests.js
@@ -1,10 +1,13 @@
 /* Any copyright is dedicated to the Public Domain.
  * http://creativecommons.org/publicdomain/zero/1.0/ */
 
-var test = require('tap').test
-var restify = require('restify')
-var TestServer = require('../test_server')
-var mcHelper = require('../memcache-helper')
+'use strict'
+
+const mcHelper = require('../memcache-helper')
+const Promise = require('bluebird')
+const restify = require('restify')
+const test = require('tap').test
+const TestServer = require('../test_server')
 
 const ALLOWED_EMAIL = 'test@restmail.net'
 const TEST_EMAIL = 'test@example.com'
@@ -93,7 +96,7 @@ test(
 )
 
 test('allowed email addresses in /check do not block subsequent requests to /checkIpOnly', t => {
-  return client.post('/check', {
+  return client.postAsync('/check', {
     email: ALLOWED_EMAIL,
     ip: TEST_IP,
     action: 'recoveryEmailVerifyCode'
@@ -101,7 +104,7 @@ test('allowed email addresses in /check do not block subsequent requests to /che
   t.equal(res.statusCode, 200, '/check succeeded')
   t.equal(obj.block, false, 'request was not blocked')
 
-  return client.post('/check', {
+  return client.postAsync('/check', {
     email: ALLOWED_EMAIL,
     ip: TEST_IP,
     action: 'recoveryEmailVerifyCode'
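Review bot: The new whitelist bypass on the blocked-IP path passes `email` as well as `ip` to `allowWhitelisted`, so if that helper also honours the allowed-email list (the `ALLOWED_EMAIL` fixture in `test/remote/check_tests.js` suggests one exists), a request from a blocked IP can escape the block merely by putting an allow-listed email in the body — the very escape hatch the comment three lines above says a blocked IP must not get. The comment is also stale now, since the branch no longer "just aborts". Please confirm `allowWhitelisted` consults only the IP allowlist on this path (or pass just `ip` here), and reword the comment to something like `// a blocked ip is ignored completely unless the ip itself is allow-listed; an allow-listed email must not act as an escape hatch for a malicious ip`. Note too that when the whitelist check passes, `result` (including the `ipRecord.retryAfter()` it computed) is discarded and evaluation falls through to the rest of the check; the `if` that opens this branch and the enclosing `createServer` function both lie outside the hunk.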
@@ -111,7 +114,7 @@ test('allowed email addresses in /check do not block subsequent requests to /che
   t.equal(res.statusCode, 200, '/check succeeded')
   t.equal(obj.block, false, 'request was not blocked')
 
-  return client.post('/checkIpOnly', {
+  return client.postAsync('/checkIpOnly', {
     ip: TEST_IP,
     action: 'consumeSigninCode'
   })