You can control access to your Zendesk account by adding end users' email addresses and domains to your blocklist and allowlist. Using the blocklist, you can prevent specific users, or sets of users, from registering and submitting support requests. Using the allowlist, you can allow specific users, or sets of users, to access your Zendesk account and submit support requests.
This article contains the following sections:
About the blocklist and allowlist
The blocklist and allowlist can help you create rules for accepting, suspending, and rejecting users' emails. Any email that is suspended because of the blocklist is added to the suspended queue and flagged.
Your allowlist automatically overrides your blocklist. For example, if you blocked a specific domain, but allowed a user with that email domain, they will be given access.
Additional considerations for the blocklist and allowlist include the following:
- If you've set up user mapping, any email domains you add to the allowlist will automatically be included (see Automatically adding users to organizations based on their email domains).
- If you blocklist a user that is CC'd on a ticket, they will not be removed from existing tickets. If an email address is blocked, an agent can still add the user as a CC and they will still receive CC email notifications. To prevent CC notifications, you will need to suspend the user. The email address will still be visible, but agents cannot add the user to the ticket.
- If a user's domain is present in the blocklist but their full email address is present in an organization's Domains field, the system functions as though that address is allowlisted even if that specific address or domain is blocklisted.
- Being placed on the allowlist does not allow users to override their tickets from being suspended if the subject contains the text "Out of Office" or if the ticket comes from an email flagged as a "do not reply" address.
Depending on how your Zendesk account is set up, you can use the blocklist and allowlist to apply additional settings to control who can access your account. If you allow anyone to submit tickets, such as in open support type, you can use the blocklist to filter out spam email addresses and domains (see Suspending a user). Any ticket from a user or domain on the blocklist is automatically sent to the suspended tickets queue. If you require users to register, you can use the blocklist to ensure that only approved email addresses and domains can submit support requests and authenticate accounts.
The blocklist and allowlist feature contains rules you can combine to restrict access.
See the section below for a list of the available blocklist and allowlist rules.
About the CC blocklist
The CC blocklist prevents an address from being added as a ticket CC, but still allows the blocked address to submit tickets. This can help you fine-tune your permissions.
To access the CC blocklist
- In Admin Center, click
Objects and rules in the sidebar, then select Tickets > Settings.
- Enter the email address or the domain name of the users you want to prevent becoming CCs and followers by entering their email address or domain name into the blocklist. Use spaces to separate the addresses.
- When you are finished, click Save tab.
For more information, see Configuring CC and follower permissions.
Setting your blocklist and allowlist
- You can enter up to 10,000 characters in each of the allowlist and blocklist fields.
- Leave the allowlist blank to allow all users to submit tickets to your Zendesk account, except those added to the blocklist.
- To suspend ticket submissions from all users except for those added to the allowlist,
add a wildcard(*) in your blocklist.Important: The wildcard will send tickets from every user not added to the allowlist into the suspended tickets queue, preventing new users from creating accounts.
- Use keywords or symbols with a blocklist or allowlist entry to make the restrictions
broader or more specific:
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- To completely block support requests from specific users, enter the keyword
reject:
in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue, and there will be no record of the ticket in your Zendesk account.The keyword
reject:
applies only to support requests and doesn't prevent users from creating an account.
To edit your blocklist and allowlist
- In Admin Center, click
People in the sidebar, then select Configuration > End users.
- Enter your Allowlist and Blocklist settings.
You can view some of the common blocklist and allowlist examples in the section below. If you are adding multiple email addresses or domains, separate them with a space.
- Click Save tab.
Allowlist and blocklist usage examples
You can use a combination of the blocklist and allowlist rules to ensure you are permitting access or blocking the correct users. This section contains some usage examples you can replicate for your own Zendesk account.
Approve a domain, suspend all other users
You can allow specific domains access to your Zendesk account by adding the domain in the allowlist and suspend all users with a different email domain by adding a wildcard (*) in the blocklist. In the example below, only email from the domain mondocampcorp.com will be permitted access.
allowlist: mondocamcorp.com blocklist: *
If you want to allow more than one domain access, you can enter multiple domains separated by a space. In the example below, email from the domains mondocamcorp, comdocam, and mondostore are permitted, and all other users will be suspended.
allowlist: mondocamcorp.com mondocam.com mondostore.com blocklist: *
Approve a domain, but suspend specific email addresses with the domain
Using the suspend
keyword, you can prevent a specific email address with
an allowed domain from accessing your Zendesk account.
allowlist: gmail.com blocklist: * suspend:randomspammer@gmail.com
Approve a domain, but reject specific email addresses and domains within it
Similar to the previous example, you can block specific email addresses from using an
allowed domain by entering their email address in the blocklist. Use the
reject
keyword to prevent a user's tickets from being added to your
Zendesk account at all.
In the example below, only email from gmail.com is accepted. All tickets from other email domains are sent to the suspended tickets queue except for the email address randomspammer@gmail.com. Email from randomspammer@gmail.com will be rejected completely, and the ticket will not be recorded in your Zendesk account.
allowlist: gmail.com blocklist: * reject:randomspammer@gmail.com
Approve all, but reject specific email addresses and domains
Unlike the examples above, you also have the option of allowing all users to register, except for specific email address and domains. To allow all users to register, you can leave the allowlist blank, then enter any blocked users.
In the example below, everyone can access your Zendesk account except for
randomspammer@gmail.com and megaspam.com. Since the reject:
keyword is
used, all email from those accounts will be blocked completely, and the ticket will not be
recorded in your Zendesk account.
allowlist: blocklist: reject:randomspammer@gmail.com reject:megaspam.com
Suspend support request tickets from specific email addresses or domains
Simply adding an email address or domain to your blocklist suspends tickets from those users, but only if those tickets are submitted through the email channel.
allowlist: blocklist: suspend:randomspammer@gmail.com suspend:megaspam.com
54 Comments
Just to confirm - I can list specific emails in my allow list and put an * in my blocklist? By doing so only those email within the allowlist can submit support request via web widget and submit request link in help center and all others will not be able to.....? I ask because I tried this specific setup with one of my other emails and my tickets are still getting through. They aren't even going to a "suspended" queue.
Hey Mandy,
That should be the case. If you add * to the blocklist then you would only be allowing ticket creating from users that are in the allowlist field. If this isn't happening on your end we may need to create a ticket on your behalf so we can look into some examples. Is this still the case for you?
hi, we would like to block entire domain, but allow one email from that domain and everybody else. For now I have set: in the approve field like this: email@domain.com, in the blocked field reject:domain.com But it is not working, it is still blocking all mails from this domain. What should I do?
Hi Jozsef, You should be able to remove the reject: portion from the blocklist. This will cause emails from that domain to be suspended, but it should allow the one address that you have in your allowlist to be processed as expected. Any time you use the reject: syntax it will reject all traffic from that domain.
I have removed the permalink, and it is not working the suspension. It allowed from my email address to create a ticket
Hi Jozsef, Because assisting you further will require us to inspect your account setup and to examine specific examples, could you open a ticket with us at support@zendesk.com so that we can investigate further? Thanks, Sean
We get a TON of spam via Zendesk tickets, and I understand that using the "Mark as Spam" option not only deletes the ticket, it suspends the user to prevent further incoming messages from adding to the noise.
My question is... when I need to add someone to the CC field on a ticket, all of those suspended people show up in the CC selection list (yes, flagged as suspended), which still makes it a pain in the butt to actually choose a "legit" customer or light agent. Is there ANY way to exclude the suspended offenders from appearing in the CC field?
Hi Shelley,
I'm afraid this is the expected behavior, and that there's no workaround for this. The CC field will suggest users that are currently saved in your Zendesk, regardless if they're suspended or not. I agree that it might be convenient if suspended users will be excluded from the list; I encourage you to create a new post in the Support Product Feedback topic in our community to engage with other users who have similar needs. Thanks Shelley!
You cannot blacklist TLDs by themselves
That's too bad, because we now get spam from @*.shop, with a constantly rotating number of domains under the .shop TLD. There is absolutely no reason why we would want to receive emails from anyone at .shop.
Hi Everyone,
Thank you for all of your questions on the blocklist / allowlist settings. We love your feedback. If you have more product feedback on this topic, we'd like to hear from you!
Please find some time to talk to our product directly at https://calendly.com/pooja-palan/30min?back=1&month=2021-08
Thanks!
When a specific email address or domain is on the blocklist, will it prevent them from creating an account in Guide or will it just prevent them from creating tickets? We are trying to prevent certain users from commenting in our community and help articles.
We currently have our help site open to all users and use the web widget. All users can submit tickets through the web widget. They do not submit tickets through email.
Hi Melody,
The blocklist only applies to the creation of tickets, but you can also suspend a user, which prevents them from logging in (and therefore posting or commenting in your help center and community): Suspending a user
Hi,
Is there any way to update allowlist/blocklist via API?
Regards.
If I've previously added a list of end users manually, and then later put a wildcard into the blocklist, will all end user tickets be automatically rejected?
Hi Dave,
Thanks for the answer!
Is there an intelligent way to transition my help center from being completely closed down (only adding end users one at a time) to having users in allowlisted domains sign up -- without totally blocking the end users we've already added?
First Assignee User I can't find any reference in the API docs for the blocklist either.
@... Do you have any knowledge of where one might view or modify the various blocklists via API?
First Assignee User & Plugabot, the allowlists and blocklists are not accessible via our API. For visibility to our product team, it'd be great if one of you could post to our Feedback - Platform: Apps & Integrations topic, using the Product Feedback Post Template to format your post.
Josh McCrowell let me see what i can find out.
Hi @...,
Just a follow-up to my earlier question. Is there a way to block a domain from creating accounts? We are trying to prevent users from an entire company from commenting in our community and help articles.
I know we can suspend accounts after they are created, but am looking for a way to prevent them from being created.
Hi All ,
I am trying to block one particular email ID from creating tickets in Zendesk , but the other uses with the same domain should be able to create tickets , so will the below option work :
We often have users forward "DELIVERY FAILED" messages asking the IT team to investigate them. Is there any way we can unblock these, instead of manually restoring them?
With the recent update where in the wildcard (*) in the blocklist is now for all channels (not just email).
For everyone who are using
(*)
in their blocklist setting and also have custom webforms / API integrations which were previously working regardless of the (*), will now need to be added to the allowlist.Suggestion is to leverage
allowlist
to allow anything that we do not want to block.+1 to Gaurav's question. I'm trying to block one specific user email address from a domain but allow all other users from that same domain to create tickets. However, I get the following message:
Warning: The following addresses or domains cannot be blacklisted; they are whitelisted due to association with one of your Organisations: reject:donotreply@email.com
Please help!
This warning would happen in this circumstances (blacklisting) if there is an existent Organization with that name "email" and probably the domain is on the allowing list. Ex: In Organizations > find the Organization in question > Remove the allowed domain.
I hope this helps.
Best,
Thanks for the response Fabricio but it doesn't answer what I need.
For my screenshot below, I want to ensure all users from Test Organisation with an email domain @email.com can create tickets in ZenDesk however, I want to block one specific user from this organisation, donotreply@email.com from creating tickets. Seems ZenDesk cannot do this or am I missing something?
Want to confirm as it's not really clear. If I want to only accept issues from the folks with specific domains, I need to do the following:
1. Turn off this option
2. Add the allowed users domains to this list
Thanks in advance
Hello Jed, thank you for your question!

That is correct, you will need to disable the "anybody can submit tickets" option, enter the email domains you wish to be able to contact you, and also, enter a "*" symbol on the blocklist, so that all other email domains are blocked, like the example on this article:
I hope that was helpful!
I am also interested in Micheál McArdle comment/question, can someone at Zendesk, please respond?
Hi
Is it possible to send an automatic email response for suspended users? At the moment they can send us emails, but we will not receive them and the user is not aware, that we did not receive their email. It would be great if there would be an automatic email sent to the user, that he is not allowed to open tickets or to send emails to this email address.
is this something we could solve with triggers?
thanks for any suggestions.
Hi Ad Astra,
Have you already followed the steps in "Approve a domain, but reject specific email addresses and domains within it"? If you did and the issue persisted, you can directly contact support and we'll help out to determine what could be causing it
Please sign in to leave a comment.