When the From and Reply-to addresses in an incoming ticket reply do not match, and the Reply-to address is the email address of an agent in your Support account, Zendesk Support automatically suspends some agent abilities until an administrator confirms the agent’s identity and manually restores those abilities.
In this article, we’ll explain how the Reply-to and From email addresses are identified in an email, what happens automatically when a conflict is discovered involving an agent’s email address, and how you can restore an agent’s suspended abilities.
Understanding suspension criteria and suspended abilities
When a user looks at an email notification from their email client, they often see multiple email addresses in the message. The From and Reply-to addresses are not always the same.
If an incoming ticket reply has conflicting From and Reply-to email addresses, and the Reply-to address is an agent, Zendesk takes the following actions:
- Flagging the ticket
- Suspending agent abilities
Flagging the ticket
When a ticket is flagged, a warning icon appears on the ticket in the ticket UI. You can hover over the icon to view more information. The ticket is not flagged in any ticket views – it only appears in the ticket interface.
Suspending agent abilities
Zendesk suspends certain abilities belonging to the user whose email address is in the Reply-to field. See Automatically suspended abilities for more information.
If suspended, agents will no longer be able to:
- Change ticket properties.
- Add or remove CCs or followers from the ticket.
- Execute Mail API actions.
- Attach files to the ticket, if end users are not allowed to do so. Attempted attachments are dropped and are not added to the ticket.
Suspended agents will still be able to:
- Forward emails to create new tickets. However, related comments will be flagged.
- Submit new tickets, even when ticket submission is restricted.
Restoring agent abilities
If the From/Reply-to conflict is not considered a security risk, you can restore the agent's suspended abilities by adding their email address or domain to the allowlist. If you do not trust the From email address, you can add that email address or domain to the blocklist.
To add an address or domain to the allowlist or blocklist
- In Admin Center, click the People icon in the sidebar, then select Configuration > End users.
- In the Anybody can submit tickets section, add the agent's email address or domain to the allowlist or blocklist as needed:
- Allowlist: All support requests from an email address or domain are accepted.
- Blocklist: All incoming support requests from the email address or domain are suspended or rejected, depending on your allowlist and blocklist settings.
- Click Save tab at the bottom of the page.
If you are blocking a user, you may want to also disable CCs (see Setting permissions for CCs and followers).
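The suspension criteria and the allowlist step above can be sketched as a header check. This is an added example, not Zendesk's code: the addresses, the verdict names and the assumption that an allowlist entry for the agent's address or domain suppresses the suspension are illustrative. The end-user branch follows the article's note that a conflicting Reply-to belonging to a known end user only flags the comment.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data; every address below is hypothetical.
AGENTS = {"agent@support.example"}
END_USERS = {"customer@client.example"}

SPOOFED = ("From: Billing <sender@other.example>\n"
           "Reply-To: agent@support.example\n"
           "Subject: Re: ticket\n\nPlease update the ticket.\n")
SECOND_ADDRESS = ("From: Pat <pat.home@mail.example>\n"
                  "Reply-To: customer@client.example\n\nThanks!\n")
NORMAL = ("From: Agent <Agent@Support.example>\n"
          "Reply-To: agent@support.example\n\nDone.\n")


def header_addrs(msg, name):
    """Lower-cased addresses from every occurrence of a header.

    Display names are ignored, so only the real addr-spec is compared.
    """
    return {addr.lower() for _, addr in getaddresses(msg.get_all(name, [])) if addr}


def on_list(addr, entries):
    """True if the full address or its domain is in an allowlist-style set."""
    return addr in entries or addr.rpartition("@")[2] in entries


def classify(raw, agents, end_users, allowlist=frozenset()):
    """Apply the From/Reply-to rule described in the article to one raw message."""
    msg = message_from_string(raw)
    conflicting = header_addrs(msg, "Reply-To") - header_addrs(msg, "From")
    if not conflicting:
        return "no-conflict"                # no Reply-To, or it matches From
    agent_hits = conflicting & agents
    if agent_hits:
        if all(on_list(a, allowlist) for a in agent_hits):
            return "allowlisted"            # assumed effect of the allowlist
        return "flag-ticket-suspend-agent"  # Reply-to is an agent
    if conflicting & end_users:
        return "flag-comment"               # Reply-to is a known end user
    return "mismatch-other"                 # case the article does not describe
```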
This is confusing as all get out. I don't understand why this is such an issue or important? It says add our agent's email address to the whitelist? We are configured such that any external emails to an end user ticket are all forced to go through our domain via the ZD interface (not via agent email). So how could they possibly be out of sync with the reply-to?
I'm beginning to get agents flagged and no idea why or how after several years of usage. And now attachments blocked. This is all very, very willy-nilly, it seems.
Much deeper, more detailed explanations, please.
This sounds like something that may need a closer look within a support ticket, as I'll want to collect some information that you may not wish to share in such a public forum. I'll follow up with you from such a ticket shortly to look into this further.
Dwight B. | Customer Advocate
Re: Note: If the From and Reply-to addresses are different, and the Reply-to address is a known end user, no user abilities are suspended. Instead, the comment is flagged and a warning appears letting you know that the From and Reply-to in the messages do not match.
Why does the email then show as an "Internal Note"? This is confusing to the agent. I can see that you may want to draw attention to the different email address, however, there should also be an option within the warning to say "OK" and then move it to Public Response. We have several clients that have 2 email addresses and do not always reply from the original email address from which the ticket was created.
Where can I post a "programming request" within Zendesk as I find it hard to navigate where this should be posted?
The reason that the response is set as an internal note is to avoid incorrect people surreptitiously adding themselves to tickets' public replies that might then get sent out to other users. This visibility level is discussed within this article
As for the ability to make a private comment switch to become a public one, that's not currently an option within our system, but I'll be happy to mark this request as product feedback so that developers are aware of it as I suspect this is what you meant by a "programming request". If you'd like to make your own product feedback post so that others may comment on it to provide suggestions/workarounds/vote in support of your idea, you'd want to search for this suggestion/post a new idea within this community topic
Dwight B. | Customer Advocate
Assuming I'm correct about this, and that this would restore the individual user's abilities, you may want to update this article to call out specifically that an individual user's email can be added to the allowlist.
Flagging does not work correctly. We have seen this on a lot of phishing tickets lately, where you are able to set any Reply-to address, even using a legitimate system user (even an admin). Zendesk will set them as the requester and the ticket looks legitimate.
The warning needs to be bigger for the agent to easily see.
Big security risk.