
Inbound Allow/Block

You can create a list of email domains and addresses that you trust or don't trust.

You can only use this option if your license includes Sophos Email.

A list of domains and addresses that are allowed to connect with your email system, or are blocked from it, helps you control unwanted emails. Add domains and addresses you trust to the allow list, and those you don't trust to the block list. This setting only applies to inbound messages.

Restrictions

Note the following restrictions when adding entries to the admin or user allow or block list:

  • The maximum limit for all lists is 100,000 entries.
  • You can add up to 500 entries per user to their allow or block list.

Note

The limit isn't applied to entries that users add from smart banners, so a user's list can exceed 500 entries.

You can allow or block domain names, IP addresses, or specific email addresses. The domain or email address is added to the list and shown as allowed or blocked. This list is global and applies to all protected mailboxes.

Admin Allow/Block List.

You can view email addresses, domains, and IPs you've already blocked through the Message History and Quarantined Messages settings.

For information on how the emails from addresses and domains in allow and block lists are processed, see Allow list authentication.

Wildcards

Wildcards are supported for email addresses and domains. For example, *@domain.com would include any addresses that are part of domain.com. Subnet masks are supported from /16 to /32 (inclusive).

You can also use wildcards to block whole top-level domains (TLDs). For example, *.top would block every email from the .top TLD. This is useful for blocking email from generic or geographic TLDs that you don't communicate with and that are common sources of unwanted emails.

Wildcards can be added at a domain's beginning, middle, or end. The following wildcard examples are supported:

  • *user@domain.com
  • use*@domain.com
  • user@domai*.com
  • domain.co*
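The following added example (not Sophos code) is a pre-import review script: it checks IP entries against the /16 to /32 mask range and lists which sample senders each wildcard entry would cover, so overly broad entries stand out before they reach an allow list. It assumes glob-style matching in which * matches any run of characters, and that domain entries are compared with the part of the sender after the @; the function names and sample senders are constructed for illustration.

```python
import ipaddress
import re

def classify_entry(entry):
    """Return (kind, problem); problem is None when the entry fits the page's rules."""
    e = entry.strip().lower()
    if not e:
        return ("invalid", "empty entry")
    if "/" in e or e.replace(".", "").isdigit():
        try:
            net = ipaddress.IPv4Network(e, strict=False)
        except ValueError:
            return ("ip", "not a valid IPv4 address or subnet")
        if not 16 <= net.prefixlen <= 32:
            return ("ip", f"mask /{net.prefixlen} is outside /16 to /32")
        return ("ip", None)
    if e.count("@") > 1:
        return ("invalid", "more than one @")
    return ("address" if "@" in e else "domain", None)

def entry_matches(entry, sender):
    """Assumed glob semantics: '*' matches any run of characters, case-insensitive."""
    e, s = entry.strip().lower(), sender.strip().lower()
    # Address entries are compared with the whole address, domain entries with
    # the part after '@' (assumption; the page does not spell this out).
    target = s if "@" in e else s.rsplit("@", 1)[-1]
    pattern = ".*".join(re.escape(part) for part in e.split("*"))
    return re.fullmatch(pattern, target) is not None

def coverage(entries, senders):
    """Map each entry to its problem (if any) and the sample senders it would cover."""
    report = {}
    for entry in entries:
        kind, problem = classify_entry(entry)
        covers = []
        if problem is None and kind != "ip":
            covers = [s for s in senders if entry_matches(entry, s)]
        report[entry] = {"kind": kind, "problem": problem, "covers": covers}
    return report

# Constructed sample data: entries in the forms shown above, plus made-up senders.
ENTRIES = ["*@domain.com", "use*@domain.com", "domain.co*", "*.top",
           "10.0.0.0/8", "192.0.2.0/24"]
SENDERS = ["user@domain.com", "poweruser@domain.com", "user@domain.co.uk",
           "user@domain.community.example", "news@shop.top"]

if __name__ == "__main__":
    for entry, result in coverage(ENTRIES, SENDERS).items():
        print(f"{entry:18} {result}")
```

Under these assumptions, domain.co* covers domain.co.uk and domain.community.example as well as domain.com, which is worth checking before adding a trailing-wildcard entry to an allow list.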

Enforce sender authentication

If Enforce sender authentication is turned on for an address or domain, inbound emails are only delivered if the following applies:

  • SPF passes and the envelope sender domain matches the listed domain.
  • DKIM passes and the signing domain matches the listed domain.
  • DMARC passes and the From header domain matches the listed domain.

This behavior ensures that emails pretending to be from addresses on the allow list (spoofing) are scanned.

When you add domains and addresses to an allow list, you can turn on Enforce sender authentication for that domain or address.

You can also select addresses and domains in the allow list and click Remove sender authentication or Enforce sender authentication.

Manage admin allow and block lists

To set up and manage admin allow and block lists, do as follows:

  1. Go to My Products > General Settings > Inbound allow / block > Admin list.
  2. On the Inbound Allow/Block page, do one of the following:

    • Add an allowed domain or address.

      Adding domain or IP address to Admin Allow/Block List.

    • Add a blocked domain or address.

    • Import a list of domains or email addresses to allow or block. See Import and export allow/block list.
    • Export the selected entries or the entire allow/block list as a CSV file. See Import and export allow/block list.
    • Enforce or remove sender authentication for one or more allowed entries.
    • Delete one or more domains or addresses.

If you're adding the same address or domain for an admin again, select Override duplicates. Your most recent choice will be used.

The admin list comes with an Advanced Search option. You can search entries by allow or block, by sender authentication, or by sender address or domain.

Admin List Advanced Search option.

For help with setting up Email Security policies, see Email Security policy.

For help on reviewing quarantined messages for your users, see Quarantined Messages.

Users can set up their own allow and block lists in Sophos Central Self Service Portal. If there are any conflicts between their lists and the lists in Sophos Central Admin, the lists in Sophos Central Admin have priority.

You can view and modify the user allow and block lists from Sophos Central. Only email addresses and domains can be added to a user allow/block list. Wildcards aren't supported.

User Allow/Block List.

Sender Authentication always enforced

Sender authentication is always enforced for the user allow list. The allow list is honored if the following applies:

  • An inbound email passes the SPF check and the envelope sender domain matches the listed domain.
  • An inbound email passes the DKIM check and the signing domain matches the listed domain.
  • An inbound email passes the DMARC check and the From header domain matches the listed domain.
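The following added example (not Sophos code) models the three conditions listed here and under Enforce sender authentication: a pass result only counts when the authenticated domain matches the listed domain. The page doesn't state whether one condition or all three must hold, so the require parameter is an assumption, as are exact domain comparison, the handling of multiple DKIM signatures, and the constructed sample messages.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    """Authentication results for one inbound message (constructed model)."""
    from_domain: str        # domain in the From header
    envelope_domain: str    # domain of the SMTP envelope sender
    spf: str = "none"       # SPF result for the envelope sender domain
    dmarc: str = "none"     # DMARC result for the From header domain
    dkim: list = field(default_factory=list)  # [(result, signing domain), ...]

def same_domain(a, b):
    """Exact, case-insensitive comparison (assumption about what 'matches' means)."""
    return a.strip().lower() == b.strip().lower()

def satisfied(listed_domain, msg):
    """Return which of the three listed conditions hold for this allow entry."""
    hits = []
    if msg.spf == "pass" and same_domain(msg.envelope_domain, listed_domain):
        hits.append("spf")
    if any(res == "pass" and same_domain(dom, listed_domain) for res, dom in msg.dkim):
        hits.append("dkim")
    if msg.dmarc == "pass" and same_domain(msg.from_domain, listed_domain):
        hits.append("dmarc")
    return hits

def allow_entry_applies(listed_domain, msg, require="any"):
    """True when the allow entry is honored; otherwise the message is scanned as usual."""
    hits = satisfied(listed_domain, msg)
    return len(hits) == 3 if require == "all" else bool(hits)

# Constructed messages; each shows domain.com in the From header.
DIRECT = Message("domain.com", "domain.com", spf="pass", dmarc="pass",
                 dkim=[("pass", "domain.com")])
VIA_MAILER = Message("domain.com", "bounce.mailer.example", spf="pass", dmarc="pass",
                     dkim=[("pass", "mailer.example"), ("pass", "domain.com")])
SPOOFED = Message("domain.com", "other.example", spf="pass", dmarc="fail",
                  dkim=[("pass", "other.example")])

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("via mailer", VIA_MAILER), ("spoofed", SPOOFED)]:
        print(name, satisfied("domain.com", msg), allow_entry_applies("domain.com", msg))
```

The spoofed sample passes SPF and DKIM for its own domain, but neither matches the listed domain, so the allow entry isn't honored and the message is scanned.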

Multiple recipient emails

Emails from addresses in block lists are processed early in the checking process (the SMTP command). The emails are treated differently if they're addressed to multiple recipients who've listed the sending address differently in their respective allow/block lists.

For example, an email is sent from user@domain.com to person1@sophosuser.com and person2@sophosuser.com.

If person1 has added user@domain.com to their block list in Sophos Central Self Service Portal and person2 hasn't, the email is sent to person2 and not to person1.

Manage user allow and block lists

To set up and manage user allow and block lists, do as follows:

  1. Go to My Products > General Settings > Inbound allow / block > End user list.
  2. On the Inbound Allow/Block page, do one of the following:

If you’re adding the same address or domain for a user again, select Override duplicates. Your most recent choice will be used.

The user list comes with an Advanced Search option. You can search entries by allow or block, by sender email address or domain, or by specific users.

End User Advanced Search option.