You can control access to your Zendesk by adding end users' email addresses and domains to your blocklist and allowlist. Using the blocklist, you can prevent specific users, or sets of users, from registering and submitting support requests. Using the allowlist, you can allow specific users, or sets of users, to access your Zendesk and submit support requests.
) > Settings > Customers.This article contains the following sections:
- About the blocklist and allowlist
- Setting up your blocklist and allowlist
- Allowlist and blocklist usage examples
About the blocklist and allowlist
The blocklist and allowlist can help you create rules for accepting, suspending, and rejecting users' emails. Any email that is suspended because of the blocklist will be added to the suspended queue and flagged. If you have set up user mapping, any email domains you add to the allowlist will automatically be included (see Automatically adding users to organizations based on their email domains).
Your allowlist will automatically override your blocklist. For example, if you blocked a specific domain, but allowed a user with that email domain, they will be given access.
Depending on how your Zendesk is set up, you can use the blocklist and allowlist to apply additional settings to control who can access your Zendesk. If your Zendesk permits anyone to submit tickets, such as in open support type, you can use the blocklist to filter out spam email addresses and domains (see Suspending a user in the Zendesk Agent Guide). If you require users to register, you can use the blocklist, so only approved email address and domains can submit support requests and authenticate accounts.
The blocklist and allowlist feature contains rules you can combine to easily restrict access. See the section below for a list of the available blocklist and allowlist rules.
Setting your blocklist and allowlist
- You can enter up to 10,000 characters in each of the allowlist and blocklist fields.
- To allow all users to submit tickets to your Zendesk, except those added to the blocklist, leave the allowlist blank.
- To suspend ticket submissions from all users, except for those added to the allowlist, add a wildcard(*) in your blocklist.
Important: The wildcard will send tickets from every user not added to the allowlist into the suspended tickets queue, and prevents new users from creating accounts.
- Use keywords or symbols with a blocklist or allowlist entry to make the restrictions broader, or more specific:
- To route tickets from specific users submitted through any channel to the Suspended Tickets queue, enter the keyword
suspend:in front of an email address or domain in your blocklist. Usage example - To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk. This applies to tickets submitted through any channel.
- To route tickets from specific users submitted through any channel to the Suspended Tickets queue, enter the keyword
- To send support requests from specific users to the suspended tickets queue, enter the keyword in front of an email address or domain in your blocklist. This is identical to blocklisting without a keyword.
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.
reject: only applies to support requests and doesn't prevent users from creating an account in your Zendesk.To edit your blocklist and allowlist
- Click the Admin icon () in the sidebar, then select Settings > Customers.
- Enter your allowlist and blocklist settings. You can view some of the common blocklist and allowlist examples in the section below. If you are adding multiple email addresses or domains, separate with a space.
- Click Save tab.
Allowlist and blocklist usage examples
You can use a combinations of the blocklist and allowlist rules to ensure you are permitting access or blocking the correct users. This section contains some usage examples you can replicate for your own Zendesk.
Approve a domain, suspend all other users
You can allow specific domains access to your Zendesk by adding the domain in the allowlist and suspend all users with a different email domain by adding a wildcard (*) in the blocklist. In the example below, only email from the domain mondocampcorp.com will be permitted access.
allowlist: mondocamcorp.com blocklist: *
If you want to allow more than one domain access, you can enter multiple domains separated by a space. In the example below email from the domains mondocamcorp, comdocam, and mondostore are permitted and all other users will be suspended.
allowlist: mondocamcorp.com mondocam.com mondostore.com blocklist: *
Approve a domain, but suspend specific email addresses with the domain
You can prevent a specific email address with an allowed domain from accessing your Zendesk by using the suspend keyword.
allowlist: gmail.com blocklist: * suspend:randomspammer@gmail.com
Approve a domain, but reject specific email addresses and domains within it
Similar to the previous example, you can block specific email addresses from using an allowed domain by entering their email address in the blocklist. You can use the reject keyword to prevent a user's tickets from being adding to your Zendesk at all.
In the example below, only email from gmail.com is accepted. All tickets from other email domains are sent to the suspended tickets cue, except for the email address randomspammer@gmail.com. Email from randomspammer@gmail.com will be rejected completely, and the ticket will not be recorded in your Zendesk.
allowlist: gmail.com blocklist: * reject:randomspammer@gmail.com
Approve all, but reject specific email addresses and domains
Unlike the examples above, you also have the option of allowing all users to register, except for specific email address and domains. To allow all users to register, you can leave the allowlist blank, then enter any blocked users.
In the example below, everyone can access your Zendesk, except for randomspammer@gmail.com and megaspam.com. Since the reject: keyword is used, all email from those accounts will be blocked completely and the ticket will not be recorded in your Zendesk.
allowlist: blocklist: reject:randomspammer@gmail.com reject:megaspam.com
Suspend support request tickets from specific email addresses or domains
Simply adding an email address or domain to your blocklist suspends tickets from those users, but only if those tickets are submitted through the email channel.
However, if you add "suspend:" before each address or domain, tickets submitted through any channel (such as Chat, Twitter, and the like) are routed to the Suspended Tickets queue.
allowlist: blocklist: suspend:randomspammer@gmail.com suspend:megaspam.com
95 Comments
Hi Jim!
If you've blacklisted a user their emails don't even make it into Zendesk as a ticket, so they will not receive any notifications of any kind.
Hi Jeffrey! Welcome to the Community!
The whitelist only works in conjunction with the blacklist, so unless you have something in the blacklist that would otherwise prevent those users from accessing your Zendesk, you wouldn't need to whitelist them.
Can you give more details about what you're trying to set up here?
I ONLY want people from my company to be able to access zendesk, so I'd like to do something like this:
blacklist: *
whitelist: *.mycompany.com
so that user1@a.mycompany.com and user2@b.mycompany.com and user3@c.mycompany.com can all have access.
Hey Jeffrey!
Thanks for clarifying. I'm not sure whether the wildcard for the subdomain will work. Have you tried it yet? Otherwise, you can add each subdomain (ie: a.mycompany.com, b.mycompany.com) to the whitelist and it'll work the way you want.
I have added domains to the white list but they are still going straight to suspended, how do i fix this?
Hi Abel A, this means these emails are being suspended correctly. Please open a ticket with us at support@zendesk.com so that we can provide you more specific details as to why this is.
Howdy all.
Our white/black lists looks (sort of) like this:
When I click the "save tab" button I get the error "Warning: The following addresses or domains cannot be blacklisted; they are whitelisted due to association with one of your Organizations: suspend:user.name@domain3.com".
This seems odd as our whitelist/blacklist setup looks a lot like the one demonstrated under the heading "Approve a domain, but suspend specific email addresses with the domain".
I'm wondering if because the whitelisted domains are mapped to organisations - do we even need to have them in the whitelist? Or does this happen automagically? I'm not sure what/where we've gone wrong.
Any help would be appreciated.
Cheers.
Hey Ashley!
By default the blacklist suspends any email on your list (so the "Suspend:" is unnecessary). The only modifier allowed there would be "reject:{email}" which would stop emails from even hitting your suspended queue (and the validation should be accepted!).
As for the domain mapped orgs -- You are correct, once a domain is org mapped, you will not need to whitelist in addition to the domain mapping (as its considered automatically whitelisted when this occurs).
Hope that helps!
Hi Ryan,
I've cleared out the whitelist as they're included by default due to domain mapping - however I'm still getting the validation warning when trying to add individual accounts to the blacklist.
Being that this is just a warning, does that mean it will still run and the 2 users in the blacklist will have their requests blacklisted? The warning seems to advise otherwise.
Thanks
Does it work if you include a wildcard within an email address?
For example, my company uses one gmail account as an outside-our-system account for certain tests. I don't want to blanket whitelist gmail.com, but I do want to whitelist an email like tester@gmail along with all its "+"-style aliases tester+1@gmail tester+caseb@gmail etc.
So does "tester*@gmail.com" work properly in the whitelists?
Hi Ashley,
Sorry for the late reply -- Unfortunately this is a Catch-22 with the org whitelisting -- there is no way to blacklist someone who is in an org. You would have to manually remove them from the Org to do so. Otherwise, if you're trying to prevent specific users from creating tickets, it will likely be easier to suspend their profile rather than working around this (which will cause the tickets to be suspended, while still remaining in the org).
______
@Aisling -- Unfortunately we do not support wildcard or Regex within the blacklist field at this time --- though this is a common feedback. I highly recommend making a feedback request to properly log your support (post the link here, Once you go to the section, and I would be glad to upvote it to help garner some views!).
In reverse, you may want to add your tester emails manually to an organization, which will then selectively whitelist that particular email. You could then continue to add identities to that one profile, to avoid needing multiple accounts (though a bit manual unfortunately).
Hopefully that helps!
Thanks for the clarification Ryan.
Looks like suspending their profile might be the way to go in this instance.
Thanks again for your help :)
Hi Ryan! I just created this new request, so hopefully you'll upvote it. I did see a very similar request for blacklisting, which I upvoted and linked in my request.
I've tried the organization process you recommended, and it was clunky and doesn't fully resolve the issue, but should insulate us from repeating the issue with the email accounts used so far.
Hey Aisling! You rock. I've upvoted and will keep it bookmarked if I see the request once again.
Thanks!
It doesn't seem like there is, but is there a way to "whitelist" an email subject?
Our application sends alerts to our support team when users submit requests that fail due to API issues. However, since the API issue will generate the same error for many users all at around the same time, the emails that hit our Zendesk are "detected as email loop" and suspended.
I believe these are being suspended because the subject for each email is exactly the same. The "requester" is too (our application's email identity) but I don't think (I hope) that's not causing the tickets to be suspended.
Does anyone have any input on this? If there is a way for me to whitelist the subject we won't need to make any changes to the email alerts. If there isn't, I think we'd need to dynamically add user/request specific details to the subject so that each error alert will have a unique subject.
Questions: Would a subject like this be unique enough to not be detected as a loop? And is it ok if they are all coming from the same "requester?"
Action Required - User Self Service Request Failed - {User Name} -- {YYYY-MM-DD 00:00:00}
Hey Rich. unfortunately not directly.
Shredder may be a third party option:
https://www.zendesk.com/apps/support/shredder/?source=app_directory
The app should be considered a bandaid -- You should consider sending the issue via our API via the tickets endpoint: https://developer.zendesk.com/rest_api/docs/core/tickets (which should avoid the issue altogether).
Otherwise you will have to make sure the headers of that email are correct and don't get caught up due to one of the suspension reasons:
https://support.zendesk.com/hc/en-us/articles/115009659807-Causes-for-ticket-suspension
Hope that helps!
Ryan, thanks for the tip on the shredder app for a bandaid. And we will look at the email headers with regard to suspension causes also as potentially a better short term stopgap.
Errors via tickets API is 100% what we should do and exactly what I will be advocating for as far as a proper solution. Thank you for your input Ryan, very helpful!
Hi
How about below?
What will restrict?
Hi Bell!
That configuration would restrict all emails from gmail.com domain, except for aa@gmail.com
I hope this helps!
Does anyone know how to un-blacklist someone? My CS teams believes they blocked and/or blacklisted an abusive customer's email a few months back HOWEVER we cannot find the customer profile for the blocked end-user and cannot find a way to unblock them. Anyone know?
Hi All,
We currently use the blacklist feature to block domains of organizations who are no longer our customers. We just add a ".lost" to the domain name on the Organization so we have record of the original domain. However, I'm still receiving a message in the blacklist area that an Organization has the domain name and is on the whitelist because of this. No matter what I do, including removing the domain name from the Organization, I can't get the message to go away. Is this a bug or something I'm missing?
Thanks,
Maggie
Hi Maggie, Because this will require information that is best not to post in a public forum, could you open a ticket with us at support@zendesk.com so that we can investigate further?
Sure, no problem. Thanks!
Can you blacklist an entire TLD? I've got ".ru .cn" in the blacklist but still get tickets from spammers like "example@mail.ru".
Hi Jody,
It is not possible to blacklist top-level domains within Support at this time. You would need to blacklist the individual email addresses or the "mail.ru" domain to prevent these emails from generating tickets on your account.
I've attached some additional tips to combat spam which I believe you will find useful here.
Let us know if you have any other questions!
Is adding users to the whitelist or blacklist via API available yet?
Hi Patrick!
I took a look through the endpoints in our API resources and I don't see any endpoints for whitelist or blacklist.
Hi, is there a way to whitelist/blacklist via brand not just the whole Zendesk?
We have 3 brands, 2 for internal use and one for external.
We would like to restrict the internal brands to our registered domains and the external open to everything (within reason - i.e. setup a blacklist for the obvious)
Thanks
Hey Justin,
The whitelist/blacklisting settings are account wide so you wouldn't be able to configure them by brand unfortunately. That being said, if you're trying to restrict Help Center content for internal use you can use User Segments.
With user segments you can create a collection of users/agents on your account defined by the attributes you set. Once you're user segments are created you can then apply that user segment to your Help Center articles which will restrict anyone outside the specified users from viewing this content. More information in our Setting view permissions on articles with user segments article which I've linked.
Let us know if you have any other questions.
Cheers!
Thanks Brett, unfortunately as with most things with Zendesk that doesn't work. Unfortunately we use a proprietary K2 workflow interface and the widget won't offer deflection through documentation due to restrictions. Its such a shame, Zendesk is big on ideas and promises but when it comes down to it always fails me on what is technically capable of due to limitations.
Please sign in to leave a comment.