You can control access to your Zendesk account by adding end users' email addresses and domains to your blocklist and allowlist. Using the blocklist, you can prevent specific users, or sets of users, from registering and submitting support requests. Using the allowlist, you can allow specific users, or sets of users, to access your Zendesk account and submit support requests.
This article contains the following sections:
About the blocklist and allowlist
The blocklist and allowlist can help you create rules for accepting, suspending, and rejecting users' emails. Any email that is suspended because of the blocklist is added to the suspended queue and flagged.
Your allowlist automatically overrides your blocklist. For example, if you blocked a specific domain, but allowed a user with that email domain, they will be given access.
Additional considerations for the blocklist and allowlist include the following:
- If you've set up user mapping, any email domains you add to the allowlist will automatically be included (see Automatically adding users to organizations based on their email domains).
- If you blocklist a user that is CC'd on a ticket, they will not be removed from existing tickets. If an email address is blocked, an agent can still add the user as a CC and they will still receive CC email notifications. To prevent CC notifications, you will need to suspend the user. The email address will still be visible, but agents cannot add the user to the ticket.
- If a user's domain is present in the blocklist but their full email address is present in an organization's Domains field, the system functions as though that address is allowlisted even if that specific address or domain is blocklisted.
- Being placed on the allowlist does not allow users to override their tickets from being suspended if the subject contains the text "Out of Office" or if the ticket comes from an email flagged as a "do not reply" address.
Depending on how your Zendesk account is set up, you can use the blocklist and allowlist to apply additional settings to control who can access your account. If you allow anyone to submit tickets, such as in open support type, you can use the blocklist to filter out spam email addresses and domains (see Suspending a user). Any ticket from a user or domain on the blocklist is automatically sent to the suspended tickets queue. If you require users to register, you can use the blocklist to ensure that only approved email addresses and domains can submit support requests and authenticate accounts.
The blocklist and allowlist feature contains rules you can combine to restrict access.
See the section below for a list of the available blocklist and allowlist rules.
About the CC blocklist
The CC blocklist prevents an address from being added as a ticket CC, but still allows the blocked address to submit tickets. This can help you fine-tune your permissions.
To access the CC blocklist
- In Admin Center, click Objects and rules in the sidebar, then select Tickets > Settings.
- Enter the email address or the domain name of the users you want to prevent becoming CCs and followers by entering their email address or domain name into the blocklist. Use spaces to separate the addresses.
- When you are finished, click Save tab.
For more information, see Configuring CC and follower permissions.
Setting your blocklist and allowlist
- You can enter up to 10,000 characters in each of the allowlist and blocklist fields.
- Leave the allowlist blank to allow all users to submit tickets to your Zendesk account, except those added to the blocklist.
- To suspend ticket submissions from all users except for those added to the allowlist,
add a wildcard(*) in your blocklist.Important: The wildcard will send tickets from every user not added to the allowlist into the suspended tickets queue, preventing new users from creating accounts.
- Use keywords or symbols with a blocklist or allowlist entry to make the restrictions
broader or more specific:
- To block or allow an entire email domain, do not include the "@" symbol. An email domain will not be successfully added to the allowlist or blocklist with "@".
- To completely block support requests from specific users, enter the keyword
reject:in front of an email address or domain list in the blocklist. Tickets will not be added to the suspended tickets queue, and there will be no record of the ticket in your Zendesk account.
reject:applies only to support requests and doesn't prevent users from creating an account.
To edit your blocklist and allowlist
- In Admin Center, click People in the sidebar, then select Configuration > End users.
- Enter your Allowlist and Blocklist settings.
You can view some of the common blocklist and allowlist examples in the section below. If you are adding multiple email addresses or domains, separate them with a space.
- Click Save tab.
Allowlist and blocklist usage examples
You can use a combination of the blocklist and allowlist rules to ensure you are permitting access or blocking the correct users. This section contains some usage examples you can replicate for your own Zendesk account.
Approve a domain, suspend all other users
You can allow specific domains access to your Zendesk account by adding the domain in the allowlist and suspend all users with a different email domain by adding a wildcard (*) in the blocklist. In the example below, only email from the domain mondocampcorp.com will be permitted access.
allowlist: mondocamcorp.com blocklist: *
If you want to allow more than one domain access, you can enter multiple domains separated by a space. In the example below, email from the domains mondocamcorp, comdocam, and mondostore are permitted, and all other users will be suspended.
allowlist: mondocamcorp.com mondocam.com mondostore.com blocklist: *
Approve a domain, but suspend specific email addresses with the domain
suspend keyword, you can prevent a specific email address with
an allowed domain from accessing your Zendesk account.
allowlist: gmail.com blocklist: * suspend:firstname.lastname@example.org
Approve a domain, but reject specific email addresses and domains within it
Similar to the previous example, you can block specific email addresses from using an
allowed domain by entering their email address in the blocklist. Use the
reject keyword to prevent a user's tickets from being added to your
Zendesk account at all.
In the example below, only email from gmail.com is accepted. All tickets from other email domains are sent to the suspended tickets queue except for the email address email@example.com. Email from firstname.lastname@example.org will be rejected completely, and the ticket will not be recorded in your Zendesk account.
allowlist: gmail.com blocklist: * reject:email@example.com
Approve all, but reject specific email addresses and domains
Unlike the examples above, you also have the option of allowing all users to register, except for specific email address and domains. To allow all users to register, you can leave the allowlist blank, then enter any blocked users.
In the example below, everyone can access your Zendesk account except for
firstname.lastname@example.org and megaspam.com. Since the
reject: keyword is
used, all email from those accounts will be blocked completely, and the ticket will not be
recorded in your Zendesk account.
allowlist: blocklist: reject:email@example.com reject:megaspam.com
Suspend support request tickets from specific email addresses or domains
Simply adding an email address or domain to your blocklist suspends tickets from those users, but only if those tickets are submitted through the email channel.
allowlist: blocklist: suspend:firstname.lastname@example.org suspend:megaspam.com
The behavior to restrict notification to suspended users is by design. As it turns out, there's no option to bypass it not unless the user will be unsuspended or there is a different email address that they are using to be added as a CC.
More information can be found in Suspending a user.
Shouldn't there be an automatic notification of the system? Like if I suspend or reject all emails from the domain gmail.com and someone with an email @gmail.com is sending an email to the system, shouldn't this @gmail.com email sender receive an automatic message that the email could not be delivered or something?
Otherwise the feature is not very usable in my opinion. The sender sends an email but does not know that we never received the email and we do not know that someone tried to contact us.
This is bad customer service.
Thanks for any additional infos.
Does adding a domain to an allowlist, up the number of tickets before an email loop is declared for the whole domain?
Can you further elaborate what you mean by "up the number of tickets"?
Dane I mean that there's a specific number of tickets that a single email address can send in to a ZD account in an hour. After a certain number, they start going to spam with the reason "email loop". Too many of those come in, and Zendesk literally stops bringing in their emails at all.
Previously, I've been told that you can increase the number before they go to spam, and subsequently stop being processed, by including the *full email* in the allowlist. I am asking if recent updates allow us to up the limit for all emails for a whole domain, instead of just for full email addresses.
Thank you for the clarification.
As it turns out, only the full email address can be used and not the whole domain.
I hope this helps.
For those looking to have the allowlist/blocklist modified via API I have created a feature request here. Please upvote it if you care about this feature.
Read the thread, but not goy my answer yet.
Can I block a domain (almost) completely, but only allow 2 or 3 e-mail addresses from that domain?
allow email@example.com firstname.lastname@example.org
You should be able to just add thisdomain.com under blocklist and then approve of specific email addresses in that domain by adding them directly to the allowlist.
If you do run into any issues setting this up let us know :)
Hi there, I have an issue when adding multiples values under the blocklist field, it says, separate values with a space, unfortunately it's not working, see screenshot attached:
The mails from qq.com are going to the suspended tickets, but the 163.com emails are coming through, why?
Hello. Is there a way of allowing ALL emails? So none come into our suspended file?
An email can be suspended for a variety of reasons. For example, one common reason is that the email is from an unregistered user when you require users to register. You can enable Anybody can submit tickets, no registration required, however, this is not a guarantee that no email will fall in the Suspended ticket view.
Email sent to Zendesk Support can be suspended or rejected. Suspended emails are often, but not always, spam. This article explains what suspended tickets are and your options for managing them.
You may check out How spam is detected in Zendesk Support and a few common causes for suspensions. Thanks!
we would like to block any email domain (blocklist: *) but only allow the domains that are already configured on the organization.
Is this the default, or is it required to configure a domain twice within the allowlist and the organization?
You would need to specify the domain in both the allowlist (in order to allow tickets to be created at all), and then also in the Organization (to allow tickets from that domain to be automatically assigned to that organization).
Thanks Dave, the allowlist only supports 10'000 chars, so we might hit the limit somewhen. Are there any efforts to extent that limit or provide a setting to allow registered organizations?
I want to allow public access to HC, allow everyone to register for a user account, require that only registered / verified / manually-approved accounts can submit a ticket that makes it to our agents.
What's the right way to do this keeping in mind that there may be 1,000 approved ticket creators over the first few months as I rollout Zendesk powered tickets for support?
Hi Ram Moskovitz
You can set up your Help Center to be publicly visible but only verified/added users can submit tickets. This article describes how to set up a closed instance so that your Help Center is visible to everyone but only the users that you add to your Zendesk account can sign in and submit support requests.
Hope this helps!
Is it possible to unblock/allow tickets to be created from a domain, based on the subject text? We have a lot of customers send through Remittance emails which seem to be marked as spam by Zendesk. Without unblocking each email address it's coming from (which we won't know), we can't see a way around it.
However, if we could set it up so that any with a subject containing 'remittance' was accepted, that'd be great.
Hi Bex Heenan,
At the moment there is no feature to automatically unsuspend a ticket and no way for the blocklist to check on the subject line before suspending a ticket. The blocklist/allowlist only functions using the email address or email domain.
I encourage you to create a new post in the General Product Feedback topic in our community to engage with other users who have similar needs and discuss possible workarounds. Conversations with a high level of engagement ultimately get flagged for product managers to review when they go through roadmap planning.
Please sign in to leave a comment.