You can control access to your Zendesk by adding end users' email addresses and domains to your blocklist and allowlist. Using the blocklist, you can prevent specific users, or sets of users, from registering and submitting support requests. Using the allowlist, you can allow specific users, or sets of users, to access your Zendesk and submit support requests.
This article contains the following sections:
About the blocklist and allowlist
The blocklist and allowlist can help you create rules for accepting, suspending, and rejecting users' emails. Any email that is suspended because of the blocklist will be added to the suspended queue and flagged. If you have set up user mapping, any email domains you add to the allowlist will automatically be included (see Automatically adding users to organizations based on their email domains).
Your allowlist will automatically override your blocklist. For example, if you blocked a specific domain, but allowed a user with that email domain, they will be given access.
Depending on how your Zendesk is set up, you can use the blocklist and allowlist to apply additional settings to control who can access your Zendesk. If your Zendesk permits anyone to submit tickets, such as in open support type, you can use the blocklist to filter out spam email addresses and domains (see Suspending a user in the Zendesk Agent Guide). Any ticket from a user or domain on the blocklist is automatically sent to the suspended tickets queue. If you require users to register, you can use the blocklist, so only approved email address and domains can submit support requests and authenticate accounts.
The blocklist and allowlist feature contains rules you can combine to easily restrict access. See the section below for a list of the available blocklist and allowlist rules.
Setting your blocklist and allowlist
- You can enter up to 10,000 characters in each of the allowlist and blocklist fields.
- To allow all users to submit tickets to your Zendesk, except those added to the blocklist, leave the allowlist blank.
- To
suspend
ticket submissions
from
all users, except for those added to the
allowlist,
add a wildcard(*) in your
blocklist.Important: The wildcard will send tickets from every user not added to the allowlist into the suspended tickets queue, and prevents new users from creating accounts.
- Use keywords or symbols with a
blocklist
or
allowlist
entry to make the restrictions broader, or more specific:
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- Being placed on the allowlist does not allow users to override their tickets from being suspended if the subject contains the text "Out of Office" or if the ticket comes from an email flagged as a "do not reply" address.
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue and there will be no record of the ticket in your Zendesk.
reject:
only applies to support requests and doesn't prevent users from creating an account in
your Zendesk. To edit your blocklist and allowlist
- In Admin Center, click the People icon (
)
in the sidebar, then select Configuration > End users. - In the Anybody can submit tickets section, select Enabled. This setting is required to use your blocklist or allowlist.
- Enter your
allowlist
and
blocklist
settings. You can view some of the common
blocklist
and
allowlist
examples in the section below. If you are adding multiple email addresses or domains,
separate with a space.
- Click Save tab.
Allowlist and blocklist usage examples
You can use a combinations of the blocklist and allowlist rules to ensure you are permitting access or blocking the correct users. This section contains some usage examples you can replicate for your own Zendesk.
Approve a domain, suspend all other users
You can allow specific domains access to your Zendesk by adding the domain in the allowlist and suspend all users with a different email domain by adding a wildcard (*) in the blocklist. In the example below, only email from the domain mondocampcorp.com will be permitted access.
allowlist: mondocamcorp.com blocklist: *
If you want to allow more than one domain access, you can enter multiple domains separated by a space. In the example below email from the domains mondocamcorp, comdocam, and mondostore are permitted and all other users will be suspended.
allowlist: mondocamcorp.com mondocam.com mondostore.com blocklist: *
Approve a domain, but suspend specific email addresses with the domain
You can prevent a
specific email address with an
allowed
domain from accessing your Zendesk by using the suspend keyword.
allowlist: gmail.com blocklist: * suspend:randomspammer@gmail.com
Approve a domain, but reject specific email addresses and domains within it
Similar to the previous
example, you can
block specific email addresses from using
an
allowed
domain by entering their email address in the
blocklist.
You can use the reject
keyword
to prevent a user's tickets from being adding to your Zendesk at all.
In the example below, only email from gmail.com is accepted. All tickets from other email domains are sent to the suspended tickets cue, except for the email address randomspammer@gmail.com. Email from randomspammer@gmail.com will be rejected completely, and the ticket will not be recorded in your Zendesk.
allowlist: gmail.com blocklist: * reject:randomspammer@gmail.com
Approve all, but reject specific email addresses and domains
Unlike the examples above, you also have the option of allowing all users to register, except for specific email address and domains. To allow all users to register, you can leave the allowlist blank, then enter any blocked users.
In the example
below, everyone can access your Zendesk, except for randomspammer@gmail.com and
megaspam.com. Since the
reject:
keyword is used, all email from those accounts will be blocked completely and the ticket
will not be recorded in your Zendesk.
allowlist: blocklist: reject:randomspammer@gmail.com reject:megaspam.com
Suspend support request tickets from specific email addresses or domains
Simply adding an email address or domain to your blocklist suspends tickets from those users, but only if those tickets are submitted through the email channel.
allowlist: blocklist: suspend:randomspammer@gmail.com suspend:megaspam.com
108 Comments
Seems like having "reject:somedomain.com" in blacklist does not make emails from that domain skip suspended queue anymore.
I have two questions. First, where do you see rejected emails? Second, I want one of my support email support1@test.com to accept emails from gmail.com, however my second support email support2@test.com to reject emails from gmail.com.
Is this possible? Looking at the comments this seems to be a multibrand request that is not supported.
Is the Regex working within the blacklist now? Any update on this?
@Martynas it looks like there was a fix deployed recently that addresses this issue. Can you confirm on your end?
@Louis, when using reject there will be no record within Zendesk to track these emails. As for setting up separate blacklisting rules, I'm afraid this cannot be done. This setting is account wide and not specific to support addresses. You may need to set up a rule on your email provider side to account for this.
@Lijun see my response to Martynas above. If you still don't see emails being rejected and showing in the suspended tickets view let me know!
@Brett I haven't had any new occurrences in Suspended queue since the fix was put in place. Still keeping an eye out, but it looks like it was fixed. Thanks!
Glad to hear it Martynas :)
Hi, I am trying to whitelist all noreply emails. Would this rule do anything? I am afraid to try because of the wildcard on it.
Hi there,
Is there a way to ONLY suspend a ticket IF the sender or sender domain is in the Block List?
Hi James,
Surrounding ticket suspension, unfortunately, there aren’t any “exceptions” that we can make for our filters so that only emails in the blacklist field are suspended. If there are legitimate emails being sent to your suspended tickets view, you'll want to take a look at the cause of suspension as mentioned in the article I've attached.
Let us know if you have any other questions.
Hello,
We have "Anybody can submit tickets" disabled because we are running a closed email-only support desk. The idea is to only make tickets for end users we have registered manually. We register the end users and they email us.
Is it possible to notify a requester that their email has been suspended?
We can only accept tickets from nominated individuals. However, we want to inform others who may send requests to our support email address that they can reach us through a nominated individual in their organisation, rather than give them no indication that they are unregistered and that their message was suspended.
Any advice?
@Colum I had a Zendesk setup like that a while back. What I would recommend is to add a tag to the nominated end-user profiles. Maybe something like "nominated" :)
Then you can set a trigger to respond with an auto-reply when a ticket is created and doesn't have the "nominated" tag which should be inherited from the end-user tag and onto every ticket created by a nominated individual.
You can set the Status to Closed in the auto-reply trigger and maybe add a tag like "auto-closed" so that you can setup a view to monitor those tickets. And include message body saying something like "Ask your org's nominated member" and put something very clear in the subject line of the auto reply that says something like "NOT AUTHORIZED -- Please Read" (or something a bit softer if you prefer).
I have added "rejected:spam.com" [spam=the domain name] in the blacklist field and click save, but I'm still receiving emails from them.
Any advice?
Add another vote for white/ blacklisting with multiple Brands
@PenN I'm having the same issue. I recently rejected a new domain and am still receiving emails from them in our queues. I already submitted a ticket to inquire about it, I'd recommend you do the same.
Can I use regex on the black list? For example I want to blacklist any email that has 10 digits email address and are from spammer.com domain. For example qwertyuiop@spammer.com or 1234567890@spammer.com
Hey Leonardo,
I was able to check with our internal team and it looks like the blacklist field is string only. You wouldn't be able to use regex in this case. You could blacklist the domain as a whole using suspend:qq.com or reject:qq.com but that may not be the exact solution you're looking for.
Let me know if you have any other questions.
Cheers!
In the view "suspended tickets", when we push the button "recover automatically", is that email automatically added to the white-list?
In other words, after "recover automatically" will future email from that domain end up in the "suspended tickets" view?
Hey Helder,
Once you select recover automatically this will train the spam filter to generate these tickets instead of sending them to the suspended tickets view. You may need to select this option a couple of times to train the spam filter but that should resolve the issue of legitimate tickets going to the suspended view.
Let me know if you have any other questions.
Cheers!
Looks like spam filter does not apply to tickets created Via Mobile SDK (web widget with answer bot).
Added reject:qq.com to blacklist, however, spam tickets are created regardless. Any ideas on how to resolve this?
Got the same issue like Carlos, spam from qq domain via mobile SDK, but qq.com is blacklisted.
More than that - mobile SDK is not active, so i can't do anything with this. So, is any way to resolve this?
Hey Nick and Carlos Posadas,
In general to remove all incentive from spammers targeting your account, we recommend changing your triggers to not relay the original message back to the requester on ticket creation (the spammers are using their target's email as requester, then sending their message to them by way of your trigger).
More details can be found here:
https://support.zendesk.com/hc/en-us/articles/360025895613-Combating-spam-submitted-via-web-service-
If you have any questions about the above, please write into Support, and our advocates may be able to assist you further.
----
As for the Mobile SDK bit in general -- The "Via" is just a cosmetic change to the ticket itself (left open for various integrations and customizations on your side, to denote your ticket how you would like). This spam is still likely coming through the API, so the above article should be useful.
We've tried what was listed and we are still getting spam. Would be nice if we could black list TLDs, IP ranges, and have the native blacklist feature do more than just blacklist the envelope sender.
What should the configuration be if we need the user to be able to log in to create the account via SSO, update tickets created for him, allow them to reply to tickets created for them but NOT allow them to email the mailbox to create a ticket?
Setup:
-SSO Enabled
-Users account is created while logging into the portal page or if a ticket is created for them by an agent
-User needs to be able to reply to the ticket notification email, update the ticket via the portal but NOT have access to email the zendesk support address directly to create a ticket.
I tried setting the domain as whitelisted, then set the blacklisting to reject:domain. This allows the following;
-account can be created on login
-user cannot email directly and create a support ticket
-user can update tickets via the portal
-user CANNOT update the ticket by replying to the ticket notification (This we need enabled)
Thanks
Hey RTB,
If I'm understanding you correctly, the easiest option would be to tag that users profile, then create a trigger that auto-closes any ticket they create based on that tag. You can also filter out any tickets that contain that tag within your reports.
I couldn't find any way to get this granular with the whitelist/blacklist rules you're referring to unfortunately.
Let me know if you need additional assistance setting up the trigger I referenced.
Cheers!
Just something to note for other users in configuring whitelist/blacklists:
There is an example in this article which I tried to emulate to restrict access to only selective users in a domain.
Whitelist: theguy@sample.com
Blacklist: sample.com
That will block incoming tickets from everyone at "sample.com" except "theguy".
Hence I configured our whitelist with 3 specific emails and blacklisted their domain. However when doing so I received the error:
"Warning: The following addresses or domains cannot be blacklisted; they are whitelisted due to association with one of your Organizations".
The error message is because I was attempting to blacklist a domain already configured in the Domains field for this particular organization. For this reason, the domain is whitelisted and hence the contradiction.
If you need to blacklist the domain, you will first need to remove the domain from the particular Organization's profile page, then go back and set the whitelist of individual users and blacklist the domain, then go back and include the domain in the Domains field for this particular organization.
Thanks for taking the time to share this Randall :)
Hi,
I had added *@sample.be on the blacklist. Our support email address was added as CC in an email from user@sample.be and a ticket was created while it shouldn't have. Is it because our support email was in CC and not in the To field that the blacklist didn't work? How to get this resolved?
Thanks!
Barbara
Hey Barbara,
Can you trying adding reject:sample.be instead to your blacklist field to see if that resolves the issue? That should reject any emails originating from the sample.be domain.
Let me know if that doesn't work!
Is it possible to black list an entire top-level domain (.e.g *.ru)?
This would help significantly with our suspended tickets (spam) coming from Eastern European countries.
Hello William,
You cannot blacklist TLDs by themselves. You need at least the second level domain attached to it, as well. Blacklisting mail.ru, for instance, would save you a good deal of trouble, but .ru by itself won't take.
As far as other ways to mitigate things, you can set up an automation to remove the tickets that already exist if they have some commonality between them, like a string of words in the comment text. Take a look at the following for more info on that:
https://support.zendesk.com/hc/en-us/articles/360001481448-How-can-I-bulk-delete-spam-tickets-in-Zendesk-
Additionally, you can try adding DKIM authentication to your instance to add some security to your instance:
Lastly, the notify requester of received request trigger has a placeholder in it -- I might suggest removing that, as it provides a clickable link for the spammers to loop off of.
Give those a shot and let me know if you have any further questions.
Best regards.
Please sign in to leave a comment.