Forums/Documentation/Configuring and using your email channel

Using the whitelist and blacklist to control access to your Zendesk

Anton de Young
posted this on October 17, 2011 11:11

You can control access to your Zendesk based on your end-users' email addresses; either accepting or rejecting their attempts to register as a user in your Zendesk or to submit support requests. You do this using the whitelist and blacklist. The whitelist can be used to allow access to everyone or just specific email addresses and domains. The blacklist, used with the whitelist, prevents access to either all end-users who have not been added to the whitelist or specific email addresses and domains.

Email received from blacklisted domains and email addresses can be immediately routed into the suspended email queue or completely rejected, preventing tickets from being created.

The whitelist and blacklist are end-user settings.

In this example, the whitelist contains the MondoCam corporate domain. All email originating from this domain (including subdomains) are accepted. The blacklist is then used to declare that all other email is not allowed. This is done by adding an asterisk (*), which is a wildcard that blacklists (suspends) everything. All email not received from the mondocamcorp.com domain is sent to the suspended tickets queue.

You can however also reject email, meaning that it will not be added to the suspended tickets queue. There will be no record of the email in your Zendesk.

If you've configured your Zendesk to accept support requests from anyone, you can use the blacklist to filter out specific unwelcome email domains and addresses such as spam.

Email that has been suspended as a result of having been blacklisted is added to the suspended ticket queue and flagged as blacklisted.

To edit your whitelist and blacklist settings

  1. Click the Admin icon () in the sidebar, then select Settings > Customers.
    Zendesk Classic: Select the Settings menu, then select End-users.
  2. Enter your whitelist and blacklist settings (see examples below).
  3. Click Save tab.

Whitelist and blacklist usage examples

The whitelist and blacklist are used together to create rules for accepting, suspending, and rejecting email. Aside from the asterisk (*), which suspends email, you can use the following two keywords to build your rules:

  • suspend- The suspend keyword explicitly declares that a specific domain or email address will be sent to the suspended tickets queue. This is identical to blacklisting the domain or email address without a keyword.
  • reject- The reject keyword completely rejects the email, which means that it's not added to the suspended tickets queue.

All three keywords can be used together to define your rules.

Approve a domain, suspend all others

This example whitelists one domain and suspends all others.

whitelist: mondocamcorp.com
blacklist: *

You can also add more than one domain or email address to the whitelist. Separate each with a space.

whitelist: mondocamcorp.com mondocam.com mondostore.com
blacklist: *

Approve a domain, but suspend specific email addresses within it

In this example, an entire domain is approved in the whitelist, all other email is suspended by using an asterisk in the blacklist, and then a specific email address within the approved domain is suspended using the suspend keyword.
whitelist: gmail.com
blacklist: * suspend:randomspammer@gmail.com

Using this method, you can suspend specific email addresses from a domain that you have approved in the whitelist.

Approve a domain, but reject specific email addresses and domains within it

Similar to the previous example, a domain is approved in the whitelist and then exceptions to that approval are made in the blacklist. Instead of suspending a specific email address, it is instead rejected.
whitelist: gmail.com
blacklist: * reject:randomspammer@gmail.com

This example also shows that you can add multiple email addresses and domains to the blacklist.

Approve all, but reject specific email addresses and domains

You can also leave the whitelist empty, meaning that all email is accepted, and then make exceptions for specific email addresses and domains.

whitelist: 
blacklist: reject:randomspammer@gmail.com reject:megaspam.com

Marking tickets as spam and suspending users

If email somehow makes it through the spam filter and your blacklist and tickets and new user accounts are created, you have two options for purging your Zendesk of both.

One of the ticket update options is Mark as spam and suspend user, which deletes the ticket and suspends the ticket requester. You can also select a user's account and suspend their access. For more information, see Suspending a user in the Zendesk Agent Guide.

A note about blacklisting people who have been CC'd on tickets

If you blacklist an email address that has already been added to tickets as a CC, please note that blacklisting the email address will not remove it from those existing tickets. Also be aware that it is possible for agents to add blacklisted email addresses as CCs to new tickets.

 

Comments

User photo
Norman Chan

Hello,

I don't see the option to Mark as spam and suspend user in the ticket options. Was this feature taken off?  I only see Copy to forum, Create as macro, Merge into another ticket, and Delete.  Perhaps I am not the owner or I need special permission granted?

Please advise and thanks!

Norman

January 18, 2013 14:52
User photo
Jennifer Rowe
Zendesk

Hi Norman,

That feature has not made it into the new Zendesk yet (it's still in the Classic version though). It will be coming to new Zendesk soon, so don't worry! Sorry for the inconvenience!

January 18, 2013 15:06
User photo
Norman Chan

Thank you for the quick response!

January 18, 2013 15:06
User photo
Alex Worth

Hi 

I need to stop the suspension of bounce backs for emails sent to clients with their invoices.  Can you filter them by subject heading? I can only see by email address currently.

Thanks

April 02, 2013 10:04
User photo
Amy Au-Yeung
Zendesk

Hi Alex,

I believe you can try adding the following to your whitelist:

    subject:"some subject filter"

Cheers! 

-amy

April 09, 2013 22:11
User photo
Colby
weidner

I have white listed all of my company email domains, but I'm still noticing that their tickets are getting held up in the suspended tickets section... Am I misunderstanding how this should work? I was thinking that if I white listed my company domains then they could complete the web form and they would not need to verified that they are the email owner... Also, I have recently started setting up some work flow approval and am running into the same issue. For example, I have a field associate that submits a ticket via the web form. I've designated that the ticket options they've chosen require approval from a senior operations leader without access to ZD. I've set that leader up as an email target and created a trigger that will place the ticket on "pending" status, email the ticket to the leader requesting work flow approval, and instructing them to reply with either "approved" or "declined" at which point my team would either process the ticket or push it back to the associate with the leaders response. Unfortunately what happens every time is the leaders reply to the ticket gets caught up in the suspended tickets section which has, at times, significantly impacted response times... any suggestions or help would be greatly appreciated.

April 10, 2013 09:22
User photo
Brandon K.
Zendesk

Hello Colby,

There are a few instances where the whitelist will suspend an email even if the domain or email is whitelisted. These situations usually involve potential security issues or mail loop situations. I believe the reason that your emails are being suspended in this situation is because you are sending out your notification as an email target. Zendesk does not authenticate targets to be able to respond, so when the email is sent back without an authentication token our system believes that it may be a spoofing attempt and suspends the ticket. If you need to have an end user put their input on a ticket I would recommend adding them as a CC to the ticket. If they are added as a CC, their email will contain the authentication token and allow the response to be added to the ticket. Using email targets is usually a great resource, but when you need the target to respond the CC functionality is much better suited.

April 22, 2013 17:01
User photo
Jim Stratton
plumchoice

We have "anybody can submit tickets" disabled, so I don't see the"whitelist" option.  When I check "anybody can submit tickets", I then see the "whitelist" option.  There is a domain listed there, but Zendesk is still determining (incorrectly) that some messages from that domain are spam and creating suspended tickets.

Thus,I assume the whitelist filter is not in effect when "anybody can submit tickets" is disabled.  How do I leave that disabled and still whitelist a domain?

 

May 01, 2013 12:16
User photo
Brandon K.
Zendesk

Hello Jim,

The whitelist option is not given when "anybody can submit tickets" is disabled because it is up to the customer what end users to add in that use case (effectively whitelisting the users themselves). Anybody can submit tickets has to be enabled to see this option.

May 15, 2013 16:45
User photo
Todd Watson

What are the mechanics of the blacklist when you have a rejected email, is it just ignored or is there any notice or response that goes back to that originating email?  We have triggered notifications that are going to customers via Amazon SES and some out of office and auto replies come back to our email address that comes into Zendesk and show up in suspended as coming from Amazon SES.  So if we blacklist the Amazon SES email address is it going to send any reject messages back to Amazon?  Or will this create an effective filter?  We want to receive actual responses to the notices which is why the reply email address comes to Zendesk but just trying to figure out filtering at least some of the known auto replies.  Thanks!

May 23, 2013 12:04
User photo
Brandon K.
Zendesk

Hello Todd,

When an address is added to the blacklist all incoming emails are directed to the suspended ticket queue. This is the red view that you can see at the bottom of your list of views. Triggers will not check their conditions against a ticket in the suspended ticket queue so no response email will be sent back to them. If you go in to the suspended tickets queue and recover these tickets, then the triggers will be checked against them and emails will be sent out.

In the use case you described, I believe blacklisting the Amazon SES address would effectively prevent automatic responses from being sent back to Amazon. As long as you do not receive any incoming emails from this address that you need to respond to, only these out of office messages, there should be no issues that arise.

May 28, 2013 14:24
User photo
Jose Ortiz
tcicollege

I have added  * to the blacklist but I am getting emails from outside our whitelist any ways

it seems they are sending the email to helpdesk@tcicollge.zendesk.com and it creates tickets

strange

May 29, 2013 09:19
User photo
Brandon K.
Zendesk

Hey Jose,

Do you think you could give me some ticket numbers or the email address that is making it through the blacklist? I'd love to take a look and see what's happening but I need to know where to start first.

May 30, 2013 17:46
User photo
Jose Ortiz
tcicollege

ticket # 11660,11666,11667,11669,11671,11673

wallmart.com

cfp@hightany.com

info@news-talk.net

mailer-daemon@deferred06.pod1.ord.zdsys.com

May 31, 2013 09:08
User photo
Laura D.
Zendesk

Hi Jose, 

Sorry for the long delay, and thanks for the details. I looked at your suspended tickets queue and I see a few emails from addresses outside the domains you've whitelisted - this is the expected behavior when you use the '*' to blacklist all domains apart from those whitelisted. 

It's possible someone recovered several suspended tickets by mistake; I looked up the ticket numbers you listed but they've already been deleted so I can't say for certain. 

if you don't want these specific addresses to even create suspended tickets you'll want to add a "reject" condition to the blacklist - this will prevent suspended tickets from being made. You could have your blacklist look like this:

blacklist: * reject:info@news-talk.net reject:cfp@hightany.com

For the "mailer-daemon@deferred06.pod1.ord.zdsys.com" address - I would not reject messages that come from that server - those messages should automatically be suspended anyway and you may actually want to look at them. Messages from that address can be helpful because they contain information about email addresses to which your messages could not be delivered, for example, when someone spells their email address incorrectly. In that case you might be able to correct the address and then send out a new message that you know will reach them. 

Hope this helps, please let me know if you have more questions!

August 05, 2013 09:48
User photo
Jose Ortiz
tcicollege

Thanks for the help on this I will try these solutions

 

August 06, 2013 06:54
User photo
Ray Light
gooddata

Hi Guys,

Is it possible to blacklist a domain that contains some string? For example, we are getting a lot of spam from users registering from xxxxxxblogs.com

Can I blacklist a domain like this:

*blogs.com

Thanks!

August 14, 2013 18:32
User photo
Laura D.
Zendesk

Hi Ray, 

I see you have a ticket with us - we'll update you through there very soon. I'm sorry to report there isn't a way to blacklist domains that way with various strings at the front. I think we have some other options for you on this though, we'll be in touch soon through the ticket! 

 

August 15, 2013 13:56
User photo
Andrey Stryukov

can i use in blacklist * reject:* ?

I have no way of noing specific email addresses spam going to cam from. And I really want to reject everything outside of my whitelist.

October 01, 2013 21:31
User photo
Brian Bruffey
Take-Two Interactive

Thanks for the article; this is exactly the info I needed. Very helpful

October 04, 2013 05:42
User photo
Sean Cusick
Zendesk

Hi Andrey,

Perhaps a better way to accomplish the same goal would be to turn off "Anybody Can Submit Tickets" in Settings>>Customers. Then, the  only people who could submit tickets are those people that you already have in your Zendesk User profiles, you wouldn't have to add all of them to your whitelist. Would that work?

October 08, 2013 13:56
User photo
Marshall LigaForex
ligaforex

Hi Support,

I have a request that may concern blacklists - I'm sure you can help me clear it up.

My ZD currently receives wall posts from FB - which we like ;)

However, when I post company info on FB (as company) these appear in ZD as tickets and are clogging up the joint.

What is the best solution you would recommend?

Thank you!

Marshall

PS. FB end-users don't have emails listed so I'm not sure how to blacklist it if that's the advice, also I'm leery of blacklisting any email that has the company domain in it (sounds like a recipe for bad pudding ;)

October 10, 2013 02:39
User photo
Jose Ortiz
tcicollege
you can create an automation and have the unwanted post put to a group and have them deleted
October 10, 2013 09:25
User photo
Jose Ortiz
tcicollege
there should.be a facebook email associated to.the.account
here is.an article on it sovif you want to use it for blacklisting thqt might be an option
https://m.facebook.com/help/www/224049364288051
October 10, 2013 09:59
User photo
Laura D.
Zendesk

Hi Marshall, 

I would not recommend blacklisting the email address, I think that could get very confusing and I'm not sure it would work well. 

One option you do have is to turn off the "include post made by author" setting (Admin > Channels > Facebook > edit). This means if you make a post on the page as the auther, Zendesk will ignore it and not make a ticket out of it:

Screen_Shot_2013-10-10_at_11.47.23_AM.png

One note about turning that setting off, if an end-user comments on a post you make as the author of the page, it too will not be made into a ticket. 

If that isn't something you want to do I would suggest finding a workflow similar to what Jose mentioned - maybe tagging these tickets and then have a trigger that automatically closes these types of tickets. Hope this helps, let me know if you have more questions!

October 10, 2013 11:58
User photo
Andrey Stryukov

can i use in blacklist * reject:* ?

I have no way of noing specific email addresses spam going to cam from. And I really want to reject everything outside of my whitelist.

October 10, 2013 13:14
User photo
Marshall LigaForex
ligaforex

Thanks Jose and Laura!

I think this will do the trick for now.

"[not] Include Wall posts authored by the Page"

Cheers!

October 10, 2013 18:59
User photo
Trisha Patel
Zendesk

@Andrey You can add t an asterisk (*) to blacklist everything except the domains added to the whitelist (Without the Reject) 

October 29, 2013 04:47
User photo
Andrey Stryukov

@ Trisha Patel, is the sintacks looks good?

t*

or I need a space like:

t *

?

 

October 29, 2013 07:07
User photo
Jose Ortiz
tcicollege

t* would be correct

t * would look for t with a space

October 29, 2013 08:21
User photo
Emily
Zendesk

Hi Andrey and Jose, 

It looks like the "t" in Trisha's previous comment was just a typo. If you enter just an asterisk (*) by itself (no "t") in the blacklist box, it will blacklist every email address except those added to your white list. You can read more about this in the above article. 

October 29, 2013 09:53
User photo
Daniel King

If I blacklist domains, does that also stop them from registering an account on our Zendesk customer web portal site? If so do they get some sort of notification that they are not allowed to register? Or better yet are we able to customize the message they see?

For example we are a B2B solution and we require people to sign up using their work email address so will blacklist yahoo.com, gmail.com, hotmail.com, etc. Our message would say something like "Please use your company email to register for an account"

November 05, 2013 08:03
User photo
Trisha Patel
Zendesk

Adding a domain to the blacklist will prevent end-users with that domain from signing up on your web portal (adding a 'reject' before the domain will NOT prevent them form signing up for an account). At this time there isn't a way to customize the message a user will see - it's a generic "users with x domain are not able to sign up for accounts on this site" type of message. 

November 08, 2013 04:14
User photo
Chris Cogdon
instartlogicinc

The last example, "Approve all, but reject specific email addresses and domains", has a "*" in the blacklist section, which is probably not intended.

December 20, 2013 12:03
User photo
Emily
Zendesk

Hi Chris, 

Good eye! I'm reviewing this with our documentation team now. 

December 20, 2013 15:06
User photo
Chris Cogdon
instartlogicinc

I did some experimentation, and "reject:" doesn't seem to be working as expected. I did a "reject:mailinator.com" in the blacklist field, and was still able to sign up for an account through the "sign up" web interface. if I replaced it with simply "mailinator.com", then it correctly told me to P.O. Perhaps and "reject:" only works with in-bound email, and if I want to prevent web signups, I have to omit those prefixes? If so, that seems a little awkward, and perhaps incorrect to me. "suspend" implies holding for review, and "reject" implies everything is thrown away... so... "reject" seems to be the closest to refusing a web sign up, but this particular case doesn't work.

December 28, 2013 19:07
User photo
Laura D.
Zendesk

Hi Chris, 

I tested this too and seems to be the case...I agree with you, it doesn't seem consistent, I would think reject should be more severe. I'm going to create a ticket for you and send it up the support chain to see if we can get some clarification. Look out for another email!

December 30, 2013 15:17
User photo
Domien

Hi all, 

It's not completely clear to me. I hope someone can clarify...

So, when setting up a restricted Zendesk, using a whitelist for a certain domain, my Knowledge Base wouldn't be really 'open'. Meaning: when a user not part of this domain, he/she will see the log-in/registration screen when going to my Knowledge Base URL, but will not be able to create an account. When a (new) user who is part of this domain, enters the Knowledge Base URL, he/she will also see the log-in screen, and will be able to create an account. 

Is this correct?

Then, is there any way to set an 'open' Knowledge Base whereby only people from a specific domain can see the content but without the need of creating accounts & paswords for them?
So, in that situation, users from the domain can access the Knowledge Base and see the content (without need of logging-in). Users who are not part of the domain will see login/registration screen.

Thanks in advance, 

 Domien

February 17, 2014 02:55
User photo
Matthew Zaglin
tpco

Hi Domien - In order to restrict/allow a certain set of users from not seeing/seeing content, you need a mechanism that controls that.  In this article, the 'Domain' is an email domain (not necessarily an AD domain).  

So, to determine if a person is white or black listed, they must authenticate somehow.  There are several ways this authentication can happen (via Google Apps credentials, username/password, Facebook, Twitter, SSO Integration).  Using one of the 3rd party authentication mechanisms can eliminate your end-user from having to remember (yet) another username/password.

In my Zendesk instance, we turned Google Apps on (as we use that for our Email), as well as whitelisting our email domains "OurDomain.com OurOtherDomain.com".  We also put a star (*) into the Blacklist section, to prevent non-approved email domains from opening tickets.

On the help center/forum side, you can set the "restricted forum's" settings such that "Who have all of the following tags" (or "Who are in one of the following organizations") can see the section (top-level, and sub-levels).  And then set the "public" section such that "Anyone" can see the content.  Then, you'd have to mark your users/organizations with the proper tags.

SSO and IP Block restrictions can likely give you further granular control, however I am not familiar enough with those methods to speak to them.

February 19, 2014 08:00
User photo
Domien

Hi Matt, 

Thanks for your comment. I think we need to have a look at a SSO set-up indeed. 

 

 

February 24, 2014 02:31
User photo
Shawn Lao
calgaryscientific

I believe this was brought up a while back.  We just got confirmation that the following is incorrect:

Approve all, but reject specific email addresses and domains

You can also leave the whitelist empty, meaning that all email is accepted, and then make exceptions for specific email addresses and domains.

whitelist: 
blacklist: * reject:randomspammer@gmail.com reject:megaspam.com

It should be:

whitelist: 
blacklist: reject:randomspammer@gmail.com reject:megaspam.com
March 20, 2014 15:00