
Inbound Allow/Block

You can create a list of email addresses and domains that you trust or don't trust.

You can only use this option if your license includes Sophos Email.

A list of addresses and domains that are allowed to connect with your email system, or are blocked from it, helps you control unwanted emails. Add addresses and domains you trust to the allow list, and those you don't trust to the block list. This setting only applies to inbound messages.

Note

Entries on the allow list or block list are checked against both the SMTP envelope sender (MAIL FROM) address and the "From" header address shown in the email. If either address matches an entry, the configured action is applied, regardless of which of the two addresses matched.

If a sender or client IP address is on the block list, the email is deleted without further scanning.

For information on how allow list entries are processed, see What happens when you allow an address or domain?

Restrictions

Note the following restrictions when adding entries to the admin or user allow or block list:

  • The combined maximum across all admin and user lists is 100,000 entries.
  • Each user can have up to 500 entries in their own allow or block list.

Note

Entries that users add from smart banners aren't counted against this limit, so a user's list can exceed 500 entries.

Enforce Message Authentication

When you add or edit an allowed address or domain, you can enforce message authentication on entries in the admin allow list. Message authentication is always enforced for the user allow list. The risk of allowing a sender address without enforcing message authentication is that both the envelope sender and the "From" header are trivially forged, so a spoofed email using that address bypasses scanning and reaches the user's inbox. We recommend enforcing message authentication on entries in the admin allow list to prevent spoofing.

When message authentication is enforced for an address or domain, an inbound email from that address or domain bypasses the scan only if the message authentication passes. If the message authentication fails, all scans are applied to the message.

For message authentication, the following DNS checks are performed:

  1. DMARC

    • If the DMARC check passes, a message from the allowed address is considered to have passed allowed address authentication.
    • If the DMARC check fails and the sender policy isn't set to p=none, the message is considered to have failed allowed address authentication only when prevent spoofing is turned on in User Settings.
    • If the DMARC check fails and the sender policy is set to p=none, the DMARC check doesn't give a definitive result, and allowed address authentication relies on SPF and DKIM checks.
    • If the DMARC check can't be performed (for example, if no DMARC record exists), allowed address authentication relies on SPF and DKIM checks.
  2. SPF: If the SPF check passes for the envelope domain of the message, the message is considered to have passed SPF authentication.

  3. DKIM: If the DKIM check passes for the domain in the allowed entry, the message is considered to have passed DKIM authentication.
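The following is an added example that implements the decision tree above as code; it is not Sophos code, and the function names, the sample Authentication-Results headers and the DMARC records are constructed for illustration. It reads the DMARC, SPF and DKIM results from an Authentication-Results header (RFC 8601), takes the sender policy from the domain's DMARC TXT record, and then decides whether the allowed-address authentication passes and whether the scan is bypassed. One point the page leaves open is how SPF and DKIM combine when DMARC gives no definitive result; this example treats either one passing as sufficient, which is an assumption.

```python
import re

# Constructed sample headers (not real mail). 'partner.example' is the domain of a
# hypothetical admin allow-list entry *@partner.example.
AR_GENUINE = ("Authentication-Results: mx.example.net; "
              "dmarc=pass (p=reject dis=none) header.from=partner.example; "
              "spf=pass smtp.mailfrom=partner.example; "
              "dkim=pass header.d=partner.example header.s=sel1")
AR_FORGED = ("Authentication-Results: mx.example.net; "
             "dmarc=fail (p=reject dis=quarantine) header.from=partner.example; "
             "spf=fail smtp.mailfrom=partner.example; dkim=none")
AR_PNONE = ("Authentication-Results: mx.example.net; "
            "dmarc=fail (p=none dis=none) header.from=partner.example; "
            "spf=pass smtp.mailfrom=partner.example; "
            "dkim=fail header.d=partner.example")
DMARC_TXT_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@partner.example"
DMARC_TXT_NONE = "v=DMARC1; p=none"


def parse_authentication_results(header: str) -> dict:
    """Extract dmarc=/spf=/dkim= results (and the DKIM signing domain from
    header.d=) out of an Authentication-Results header."""
    results = {}
    for m in re.finditer(r'\b(dmarc|spf|dkim)=(\w+)', header):
        results[m.group(1)] = m.group(2).lower()
    d = re.search(r'header\.d=([\w.-]+)', header)
    if d:
        results['dkim_domain'] = d.group(1).lower()
    return results


def dmarc_policy_from_record(txt: str) -> str:
    """Return the p= tag of a _dmarc TXT record, or '' if there is none."""
    m = re.search(r'\bp=(none|quarantine|reject)\b', txt)
    return m.group(1) if m else ''


def allowed_address_auth_passes(ar: dict, dmarc_policy: str,
                                allowed_domain: str, prevent_spoofing: bool) -> bool:
    """The DMARC-first decision tree described on the page."""
    dmarc = ar.get('dmarc', 'none')
    if dmarc == 'pass':
        return True                                   # DMARC pass: authenticated
    if dmarc == 'fail' and dmarc_policy in ('quarantine', 'reject') and prevent_spoofing:
        return False                                  # enforcing policy + prevent spoofing on
    # p=none, no DMARC record, or prevent spoofing off: fall back to SPF on the
    # envelope domain and DKIM on the allowed entry's domain. Accepting either
    # one alone is this example's assumption.
    spf_ok = ar.get('spf') == 'pass'
    dkim_ok = (ar.get('dkim') == 'pass'
               and ar.get('dkim_domain', '') == allowed_domain.lower())
    return spf_ok or dkim_ok


def scan_bypassed(enforce_auth: bool, auth_passed: bool) -> bool:
    """An entry without enforcement skips scanning unconditionally (the spoofing
    risk the page warns about); with enforcement, only when authentication passes."""
    return auth_passed if enforce_auth else True


def evaluate(header: str, dmarc_txt: str, allowed_domain: str,
             enforce_auth: bool = True, prevent_spoofing: bool = True) -> dict:
    """Combine the pieces for one inbound message from an allowed domain."""
    ar = parse_authentication_results(header)
    policy = dmarc_policy_from_record(dmarc_txt) if dmarc_txt else ''
    passed = allowed_address_auth_passes(ar, policy, allowed_domain, prevent_spoofing)
    return {'auth_passed': passed, 'scan_bypassed': scan_bypassed(enforce_auth, passed)}


if __name__ == '__main__':
    print('genuine  :', evaluate(AR_GENUINE, DMARC_TXT_REJECT, 'partner.example'))
    print('forged   :', evaluate(AR_FORGED, DMARC_TXT_REJECT, 'partner.example'))
    print('no enforce:', evaluate(AR_FORGED, DMARC_TXT_REJECT, 'partner.example',
                                  enforce_auth=False))
    print('p=none   :', evaluate(AR_PNONE, DMARC_TXT_NONE, 'partner.example'))
```

The forged message with enforcement turned off is the case the page warns about: the scan is bypassed even though every authentication check failed. With enforcement on, the same message is fully scanned.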

The options under Enforce Message Authentication are the same as those in User Settings, but you can turn them on or off for each entry in the admin allow list. This gives you granular control to keep or override the settings applied to all allowed entries. For more information about how these options work, see Prevention of spoofing of allowed address.

Emails from addresses on the block list are rejected before the mail server accepts them. However, in a multi-recipient email where recipients have different block list settings for the same sender address, the message is accepted and then blocked only for the recipients who have that sender on their block lists.

Admin list

You can allow or block domain names, IP addresses, or specific email addresses. The domain or email address is added to the list and shown as allowed or blocked. This list is global and applies to all protected mailboxes.


You can view email addresses, domains, and IP addresses you've already blocked through Message History.

For information on how the emails from addresses and domains in allow and block lists are processed, see Allow list authentication.

Wildcards

Wildcards are supported for email addresses and domains. For example, *@domain.com includes any address at domain.com. For IP addresses, subnet masks (CIDR prefix lengths) from /16 to /32 (inclusive) are supported.

You can also use wildcards to block whole top level domains (TLDs). For example, *.top blocks every email from the .top TLD. This is useful for blocking email from generic or geographic TLDs that you don't communicate with and are common sources of unwanted emails.

Wildcards can be added at a domain's beginning, middle, or end. The following wildcard examples are supported:

  • *user@domain.com
  • use*@domain.com
  • user@domai*.com
  • domain.co*
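As an added example (not Sophos code), the matcher below applies the wildcard forms listed above plus CIDR entries to an inbound message, checking both the envelope sender and the From header as the note at the top of the page describes. The entry format, the precedence of block entries over allow entries, and the rule that a bare domain entry matches only that exact domain are assumptions made for this example; the list contents and message fields are constructed.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed admin list for illustration.
ADMIN_LIST = [
    {'action': 'allow', 'value': '*@partner.example'},
    {'action': 'block', 'value': '*.top'},             # whole TLD
    {'action': 'block', 'value': 'use*@domain.com'},   # wildcard in local part
    {'action': 'block', 'value': '203.0.113.0/24'},    # client IP range
]


def entry_to_regex(entry: str) -> re.Pattern:
    """'*' matches any run of characters; everything else is literal."""
    parts = [re.escape(p) for p in entry.lower().split('*')]
    return re.compile('^' + '.*'.join(parts) + '$')


def address_matches(entry: str, address: str) -> bool:
    """Match an address/domain entry (with optional wildcards) against one address."""
    address = address.lower()
    if '@' in entry:
        return entry_to_regex(entry).match(address) is not None
    # A bare domain entry is compared with the address's domain part only
    # (exact match unless the entry itself carries a wildcard).
    domain = address.rsplit('@', 1)[-1]
    return entry_to_regex(entry).match(domain) is not None


def parse_ip_entry(entry: str) -> Optional[ipaddress.IPv4Network]:
    """Return the IPv4 network for an IP/CIDR entry, None if the entry is not an
    IP, and raise ValueError for a prefix outside the supported /16-/32 range."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None
    if not isinstance(net, ipaddress.IPv4Network):
        return None
    if not 16 <= net.prefixlen <= 32:
        raise ValueError(f"subnet mask /{net.prefixlen} is outside /16-/32")
    return net


def entry_matches(entry_value: str, envelope_from: str, header_from: str,
                  client_ip: str) -> bool:
    net = parse_ip_entry(entry_value)
    if net is not None:
        return ipaddress.ip_address(client_ip) in net
    # Either the envelope sender or the From header matching is enough.
    return any(address_matches(entry_value, a) for a in (envelope_from, header_from) if a)


def check_message(entries, envelope_from: str, header_from: str,
                  client_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return ('block', entry), ('allow', entry) or (None, None).
    Block entries are evaluated first (assumption: a blocked sender is dropped
    before an allow entry could apply)."""
    for action in ('block', 'allow'):
        for e in entries:
            if e['action'] == action and entry_matches(e['value'], envelope_from,
                                                       header_from, client_ip):
                return action, e['value']
    return None, None


if __name__ == '__main__':
    print(check_message(ADMIN_LIST, 'news@partner.example', 'news@partner.example', '198.51.100.4'))
    print(check_message(ADMIN_LIST, 'bounce@mailer.example', 'deals@promo.top', '198.51.100.4'))
    print(check_message(ADMIN_LIST, 'hello@unknown.example', 'hello@unknown.example', '203.0.113.77'))
```

The second call shows why both addresses are checked: the envelope sender is clean, but the displayed From address is in a blocked TLD, so the message is blocked.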

Manage admin list

To set up and manage the allow and block admin list, do as follows:

  1. Click the General Settings icon.
  2. Under Email Security, click Inbound allow/block.
  3. Click Admin list.
  4. On the Inbound Allow/Block page, do one of the following:

    Note

    When you add allowed or blocked addresses or domains, you can provide a brief explanation stating the reason for each entry. When you import email address or domain lists, make sure that the descriptions are not longer than 250 characters. Otherwise, they'll be truncated.

    • Add an allowed address or domain.
    • Add a blocked address or domain.
    • Add or edit an entry to configure descriptions, message authentication, SPF checks, or envelope domains.
    • Import a list of email addresses or domains to allow or block. See Import and export allow/block list.
    • Export the selected entries or the entire allow/block list as a CSV file. See Import and export allow/block list.
    • Enforce or remove message authentication for one or more allowed entries.
    • Delete one or more addresses or domains.

If you add an address or domain that's already on the admin list, select Override duplicates. The existing entry is replaced by your most recent choice.

The admin list comes with an Advanced Search option. You can search entries by allow or block, by message authentication, or by sender address or domain.


For help with setting up Email Security policies, see Email Security policy.

For help on reviewing quarantined messages for your users, see Quarantined Messages.

User list

Users can set up their own allow and block lists in Sophos Central Self Service Portal. If there are any conflicts between their lists and the lists in Sophos Central Admin, the lists in Sophos Central Admin have priority.

You can view and modify the user allow and block lists from Sophos Central. Only email addresses and domains can be added to a user allow/block list. Wildcards aren't supported.


Multiple recipient emails

Emails from addresses in block lists are processed early in the checking process, at the SMTP envelope stage. The emails are treated differently if they're addressed to multiple recipients who've listed the sending address differently in their respective allow/block lists.

For example an email is sent from user@domain.com to person1@sophosuser.com and person2@sophosuser.com.

If person1 has added user@domain.com to their block list in Sophos Central Self Service Portal and person2 hasn't, the email is sent to person2 and not to person1.

Manage user list

To set up and manage the allow and block user list, do as follows:

  1. Click the General Settings icon.
  2. Under Email Security, click Inbound allow/block.
  3. Click End user list.
  4. On the Inbound Allow/Block page, do one of the following:

If you add an address or domain that's already on a user's list, select Override duplicates. The existing entry is replaced by your most recent choice.

The user list comes with an Advanced Search option. You can search entries by allow or block, by sender email address or domain, or by specific users.


Edit descriptions for admin allow and block entries

You can edit your allow or block entry descriptions to better organize and manage them.

To edit a description, do as follows:

  1. Click the General Settings icon.
  2. Under Email Security, click Inbound allow/block.
  3. On the Inbound Allow/Block admin list, take one of the following actions:

    • Select a single allow or block entry.
    • Select a combination of allow and block entries.
    • Select multiple allow entries.
    • Select multiple block entries.
  4. Click Edit.

    A pop-up window appears.

  5. Enter a new or updated description in the field provided.

    You can enter up to 250 characters.

    For example, you can update a blocked entry to specify the reason for blocking it, such as "blocked due to spam".

  6. (Optional) If you selected an allow entry or multiple allow entries and Enforce Message Authentication is turned off, you can turn it on.

  7. Click Save to apply the changes.

The description is now updated. This helps you track the reason for each allow or block entry.