Mail server spam blacklists

Fri, 2008-10-10 23:30 by admin

I have tuned my email server and have taken the opportunity to find and check the available DNS blacklists (DNSBL) by reading statistics and opinions. The result is that I currently use these blacklists to block mail without any scoring or further conditions:

  1. zen.spamhaus.org
  2. bl.spamcop.net
  3. ix.dnsbl.manitu.net
  4. dul.dnsbl.sorbs.net
  5. karmasphere.email-sender.dnsbl.karmasphere.com
  6. dnsbl-1.uceprotect.net
  7. dnsbl-2.uceprotect.net
  8. virbl.dnsbl.bit.nl
  9. bhnc.njabl.org
  10. bogons.cymru.com

The lists are ordered such that the upper ones are most likely to catch a bogus mail; since the server stops at the first hit, this order keeps the number of DNS lookups per message low.

Together these blacklists block roughly 90% of all incoming spam on my server, which is a really nice result.

Notes:

  1. The uceprotect lists, particularly dnsbl-2.uceprotect.net, are allegedly somewhat aggressive, but the statistics I have found didn't bear that out. If you are very risk-averse, don't use the dnsbl-2 list, or use neither of the two.
  2. The karmasphere list requires free registration and notification of the mail server's IP address or address range.
  3. The spamcop blacklist used to be over-aggressive, but this has changed recently. This list is now eminently usable even in conservative settings.
  4. At least two of the blacklists contain dynamic IP addresses like dial-in ports and DSL addresses. If your mail server checks mail coming from authenticated users against the blacklists (which it shouldn't do, but some do), then you cannot use these lists. Try to make all your mail users use port 587, the mail submission port, for SMTP instead of port 25, because some mail servers do check mail coming in through port 25 against the blacklists even if the user has authenticated himself, while incoming mail on port 587 can only be delivered by authenticated users and should never be checked against any blacklist.
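The following is an added example, not code from the original post or from any of the listed blacklist operators. It shows the mechanics behind the list above and note 4: a DNSBL is queried by reversing the client's IPv4 octets and appending the list zone, a listing is signalled by an A record inside 127.0.0.0/8, the lists are consulted in the page's order and the check stops at the first hit, and sessions on the submission port or from authenticated users are never checked at all. The `check_sender`, `Verdict` and `fake_resolver` names, the fake DNS answers and the sample addresses are constructed for this example; the real DNS lookup path is provided but not used by default, so the block runs offline.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Same order as on the page: lists most likely to hit come first, so a
# server that stops at the first hit usually needs only one or two lookups.
BLACKLISTS = [
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "ix.dnsbl.manitu.net",
    "dul.dnsbl.sorbs.net",
    "karmasphere.email-sender.dnsbl.karmasphere.com",
    "dnsbl-1.uceprotect.net",
    "dnsbl-2.uceprotect.net",
    "virbl.dnsbl.bit.nl",
    "bhnc.njabl.org",
    "bogons.cymru.com",
]

SUBMISSION_PORT = 587  # mail submission port from note 4


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.

    192.0.2.10 checked against zen.spamhaus.org becomes
    10.2.0.192.zen.spamhaus.org
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer: Optional[str]) -> bool:
    """A DNSBL signals a listing with an A record inside 127.0.0.0/8.

    No record (NXDOMAIN) means 'not listed'. An answer outside 127/8, for
    example a wildcard injected by a misbehaving resolver, is also treated
    as 'not listed' rather than rejecting mail on a bogus answer.
    """
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS stub resolver; NXDOMAIN -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


@dataclass
class Verdict:
    action: str  # "accept", "reject" or "skip"
    reason: str


def check_sender(client_ip: str, local_port: int, authenticated: bool,
                 resolve: Resolver, lists: Iterable[str] = BLACKLISTS) -> Verdict:
    """Decide whether a connecting client is blocked by any blacklist."""
    # Submission-port or authenticated sessions are never checked: the lists
    # deliberately include dial-in and DSL ranges where legitimate users sit.
    if local_port == SUBMISSION_PORT or authenticated:
        return Verdict("skip", "submission/authenticated session, no DNSBL check")
    for zone in lists:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if is_listed_answer(answer):
            return Verdict("reject", f"listed in {zone} ({answer})")  # first hit wins
    return Verdict("accept", "not listed on any blacklist")


# Constructed fake DNS answers so the example runs offline; 127.0.0.2 is
# used here simply as a sample in-range return code.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "20.2.0.192.dnsbl-2.uceprotect.net": "127.0.0.2",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip, port, auth in [("192.0.2.10", 25, False), ("192.0.2.20", 25, False),
                           ("192.0.2.30", 25, False), ("192.0.2.10", 587, False)]:
        print(ip, port, auth, check_sender(ip, port, auth, fake_resolver))
```

Swapping `fake_resolver` for `system_resolver` turns this into a live check; in that case the resolver the server uses should be a local caching one, both for latency and because some list operators rate-limit or block queries arriving through large public resolvers.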

I am grateful for comments.
