You can control access to your Zendesk by adding end users' email addresses and domains to your blocklist and allowlist. Using the blocklist, you can prevent specific users, or sets of users, from registering and submitting support requests. Using the allowlist, you can allow specific users, or sets of users, to access your Zendesk and submit support requests.
This article contains the following sections:
About the blocklist and allowlist
The blocklist and allowlist can help you create rules for accepting, suspending, and rejecting users' emails. Any email that is suspended because of the blocklist will be added to the suspended queue and flagged. If you have set up user mapping, any email domains you add to the allowlist will automatically be included (see Automatically adding users to organizations based on their email domains).
Your allowlist will automatically override your blocklist. For example, if you blocked a specific domain, but allowed a user with that email domain, they will be given access.
Depending on how your Zendesk is set up, you can use the blocklist and allowlist to apply additional settings to control who can access your Zendesk. If your Zendesk permits anyone to submit tickets, such as in open support type, you can use the blocklist to filter out spam email addresses and domains (see Suspending a user in the Zendesk Agent Guide). Any ticket from a user or domain on the blocklist is automatically sent to the suspended tickets queue. If you require users to register, you can use the blocklist, so only approved email address and domains can submit support requests and authenticate accounts.
The blocklist and allowlist feature contains rules you can combine to easily restrict access. See the section below for a list of the available blocklist and allowlist rules.
Setting your blocklist and allowlist
- You can enter up to 10,000 characters in each of the allowlist and blocklist fields.
- To allow all users to submit tickets to your Zendesk, except those added to the blocklist, leave the allowlist blank.
- To
suspend
ticket submissions
from
all users, except for those added to the
allowlist,
add a wildcard(*) in your
blocklist.Important: The wildcard will send tickets from every user not added to the allowlist into the suspended tickets queue, and prevents new users from creating accounts.
- Use keywords or symbols with a
blocklist
or
allowlist
entry to make the restrictions broader, or more specific:
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- Being placed on the allowlist does not allow users to override their tickets from being suspended if the subject contains the text "Out of Office" or if the ticket comes from an email flagged as a "do not reply" address.
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.
reject:
only applies to support requests and doesn't prevent users from creating an account in
your Zendesk. To edit your blocklist and allowlist
- In Admin Center, click the People icon (
)
in the sidebar, then select Configuration > End users. - In the Anybody can submit tickets section, select Enabled. This setting is required to use your blocklist or allowlist.
- Enter your
allowlist
and
blocklist
settings. You can view some of the common
blocklist
and
allowlist
examples in the section below. If you are adding multiple email addresses or domains,
separate with a space.
- Click Save tab.
Allowlist and blocklist usage examples
You can use a combinations of the blocklist and allowlist rules to ensure you are permitting access or blocking the correct users. This section contains some usage examples you can replicate for your own Zendesk.
Approve a domain, suspend all other users
You can allow specific domains access to your Zendesk by adding the domain in the allowlist and suspend all users with a different email domain by adding a wildcard (*) in the blocklist. In the example below, only email from the domain mondocampcorp.com will be permitted access.
allowlist: mondocamcorp.com blocklist: *
If you want to allow more than one domain access, you can enter multiple domains separated by a space. In the example below email from the domains mondocamcorp, comdocam, and mondostore are permitted and all other users will be suspended.
allowlist: mondocamcorp.com mondocam.com mondostore.com blocklist: *
Approve a domain, but suspend specific email addresses with the domain
You can prevent a
specific email address with an
allowed
domain from accessing your Zendesk by using the suspend keyword.
allowlist: gmail.com blocklist: * suspend:randomspammer@gmail.com
Approve a domain, but reject specific email addresses and domains within it
Similar to the previous
example, you can
block specific email addresses from using
an
allowed
domain by entering their email address in the
blocklist.
You can use the reject
keyword
to prevent a user's tickets from being adding to your Zendesk at all.
In the example below, only email from gmail.com is accepted. All tickets from other email domains are sent to the suspended tickets cue, except for the email address randomspammer@gmail.com. Email from randomspammer@gmail.com will be rejected completely, and the ticket will not be recorded in your Zendesk.
allowlist: gmail.com blocklist: * reject:randomspammer@gmail.com
Approve all, but reject specific email addresses and domains
Unlike the examples above, you also have the option of allowing all users to register, except for specific email address and domains. To allow all users to register, you can leave the allowlist blank, then enter any blocked users.
In the example
below, everyone can access your Zendesk, except for randomspammer@gmail.com and
megaspam.com. Since the
reject:
keyword is used, all email from those accounts will be blocked completely and the ticket
will not be recorded in your Zendesk.
allowlist: blocklist: reject:randomspammer@gmail.com reject:megaspam.com
Suspend support request tickets from specific email addresses or domains
Simply adding an email address or domain to your blocklist suspends tickets from those users, but only if those tickets are submitted through the email channel.
allowlist: blocklist: suspend:randomspammer@gmail.com suspend:megaspam.com
108 Comments
You sure can. Add the domain you want to block to your blacklist and the address you want to allow to your whitelist. Something like:
That will block incoming tickets from everyone at "sample.com" except "theguy".
Can you whitelist all subdomains, for example *.mydomain.com ?
Is it possible to black list an entire top-level domain (.e.g *.ru)?
This would help significantly with our suspended tickets (spam) coming from Eastern European countries.
Just something to note for other users in configuring whitelist/blacklists:
There is an example in this article which I tried to emulate to restrict access to only selective users in a domain.
Whitelist: theguy@sample.com
Blacklist: sample.com
That will block incoming tickets from everyone at "sample.com" except "theguy".
Hence I configured our whitelist with 3 specific emails and blacklisted their domain. However when doing so I received the error:
"Warning: The following addresses or domains cannot be blacklisted; they are whitelisted due to association with one of your Organizations".
The error message is because I was attempting to blacklist a domain already configured in the Domains field for this particular organization. For this reason, the domain is whitelisted and hence the contradiction.
If you need to blacklist the domain, you will first need to remove the domain from the particular Organization's profile page, then go back and set the whitelist of individual users and blacklist the domain, then go back and include the domain in the Domains field for this particular organization.
Looks like spam filter does not apply to tickets created Via Mobile SDK (web widget with answer bot).
Added reject:qq.com to blacklist, however, spam tickets are created regardless. Any ideas on how to resolve this?
Hi Ashley,
Sorry for the late reply -- Unfortunately this is a Catch-22 with the org whitelisting -- there is no way to blacklist someone who is in an org. You would have to manually remove them from the Org to do so. Otherwise, if you're trying to prevent specific users from creating tickets, it will likely be easier to suspend their profile rather than working around this (which will cause the tickets to be suspended, while still remaining in the org).
______
@Aisling -- Unfortunately we do not support wildcard or Regex within the blacklist field at this time --- though this is a common feedback. I highly recommend making a feedback request to properly log your support (post the link here, Once you go to the section, and I would be glad to upvote it to help garner some views!).
In reverse, you may want to add your tester emails manually to an organization, which will then selectively whitelist that particular email. You could then continue to add identities to that one profile, to avoid needing multiple accounts (though a bit manual unfortunately).
Hopefully that helps!
I have added "rejected:spam.com" [spam=the domain name] in the blacklist field and click save, but I'm still receiving emails from them.
Any advice?
Thanks for the clarification Ryan.
Looks like suspending their profile might be the way to go in this instance.
Thanks again for your help :)
Hi, I am trying to whitelist all noreply emails. Would this rule do anything? I am afraid to try because of the wildcard on it.
Hi there,
Is there a way to use this "whitelist & blacklist" through the API? I want to add and remove emails to those lists using your API.
Best regards
Can you blacklist an entire TLD? I've got ".ru .cn" in the blacklist but still get tickets from spammers like "example@mail.ru".
@Brett I haven't had any new occurrences in Suspended queue since the fix was put in place. Still keeping an eye out, but it looks like it was fixed. Thanks!
@Martynas it looks like there was a fix deployed recently that addresses this issue. Can you confirm on your end?
@Louis, when using reject there will be no record within Zendesk to track these emails. As for setting up separate blacklisting rules, I'm afraid this cannot be done. This setting is account wide and not specific to support addresses. You may need to set up a rule on your email provider side to account for this.
@Lijun see my response to Martynas above. If you still don't see emails being rejected and showing in the suspended tickets view let me know!
Hey Nick and Carlos Posadas,
In general to remove all incentive from spammers targeting your account, we recommend changing your triggers to not relay the original message back to the requester on ticket creation (the spammers are using their target's email as requester, then sending their message to them by way of your trigger).
More details can be found here:
https://support.zendesk.com/hc/en-us/articles/360025895613-Combating-spam-submitted-via-web-service-
If you have any questions about the above, please write into Support, and our advocates may be able to assist you further.
----
As for the Mobile SDK bit in general -- The "Via" is just a cosmetic change to the ticket itself (left open for various integrations and customizations on your side, to denote your ticket how you would like). This spam is still likely coming through the API, so the above article should be useful.
Glad to hear it Martynas :)
Is the Regex working within the blacklist now? Any update on this?
Not sure if this will help you Jessica but in our organisation we have a number of email accounts that will send us auto responders so to combat this we made a zendesk organisation called (Auto responder) which we assign to any email account that will send us an auto response and then our trigger that does the Autoresponder from us has the following condition Ticker: organisation is not "Auto responder"
Seems like having "reject:somedomain.com" in blacklist does not make emails from that domain skip suspended queue anymore.
Hi,
Is there any way to update allowlist/blocklist via API?
Regards.
Hi Everyone,
Thank you for all of your questions on the blocklist / allowlist settings. We love your feedback. If you have more product feedback on this topic, we'd like to hear from you!
Please find some time to talk to our product directly at https://calendly.com/pooja-palan/30min?back=1&month=2021-08
Thanks!
Hi James!!
The asterisk in your blacklist prevents any user from creating and authenticating accounts. Tickets from every user not added to the whitelist will be sent to the suspended tickets queue in that case. The user needs to be added to the whitelist.
Does it work if you include a wildcard within an email address?
For example, my company uses one gmail account as an outside-our-system account for certain tests. I don't want to blanket whitelist gmail.com, but I do want to whitelist an email like tester@gmail along with all its "+"-style aliases tester+1@gmail tester+caseb@gmail etc.
So does "tester*@gmail.com" work properly in the whitelists?
Howdy all.
Our white/black lists looks (sort of) like this:
When I click the "save tab" button I get the error "Warning: The following addresses or domains cannot be blacklisted; they are whitelisted due to association with one of your Organizations: suspend:user.name@domain3.com".
This seems odd as our whitelist/blacklist setup looks a lot like the one demonstrated under the heading "Approve a domain, but suspend specific email addresses with the domain".
I'm wondering if because the whitelisted domains are mapped to organisations - do we even need to have them in the whitelist? Or does this happen automagically? I'm not sure what/where we've gone wrong.
Any help would be appreciated.
Cheers.
Is adding users to the whitelist or blacklist via API available yet?
Hi Jozsef, You should be able to remove the reject: portion from the blocklist. This will cause emails from that domain to be suspended, but it should allow the one address that you have in your allowlist to be processed as expected. Any time you use the reject: syntax it will reject all traffic from that domain.
Hi Jody,
It is not possible to blacklist top-level domains within Support at this time. You would need to blacklist the individual email addresses or the "mail.ru" domain to prevent these emails from generating tickets on your account.
I've attached some additional tips to combat spam which I believe you will find useful here.
Let us know if you have any other questions!
Hi Jozsef, Because assisting you further will require us to inspect your account setup and to examine specific examples, could you open a ticket with us at support@zendesk.com so that we can investigate further? Thanks, Sean
We want to keep "anybody can submit tickets" unchecked as we have it tied to SSO for our website. However, we are seeing legitimate customers that send tickets to our support email address get suspended. Is there a way to modify the whitelist with "anybody can submit tickets" unchecked?
Or better yet, can we just turn off the ticket suspension feature? Its very annoying.
--Thor
What should the configuration be if we need the user to be able to log in to create the account via SSO, update tickets created for him, allow them to reply to tickets created for them but NOT allow them to email the mailbox to create a ticket?
Setup:
-SSO Enabled
-Users account is created while logging into the portal page or if a ticket is created for them by an agent
-User needs to be able to reply to the ticket notification email, update the ticket via the portal but NOT have access to email the zendesk support address directly to create a ticket.
I tried setting the domain as whitelisted, then set the blacklisting to reject:domain. This allows the following;
-account can be created on login
-user cannot email directly and create a support ticket
-user can update tickets via the portal
-user CANNOT update the ticket by replying to the ticket notification (This we need enabled)
Thanks
We have a CRM system here as well as zendesk. Sometimes people of the CRM system encounter an issue were they have an auto responder war between two emails due to an accidental email. So the users of this system contact the managers of the CRM system to stop this. They do so through our zendesk installation. So they are using words which are being flagged as an auto responder and these emails are being blocked. How can I stop them from being blocked without telling each user to be careful of the words they are using.
Please sign in to leave a comment.