Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=email-allow-block

Inbound Allow/Block

You can create a list of email domains and addresses that you trust or don't trust.

You can only use this option if your license includes Sophos Email.

A list of domains and addresses that are allowed to connect with your email system, or are blocked from it, helps you control unwanted emails. Add domains and addresses you trust to the allow list, and those you don't trust to the block list. This setting only applies to inbound messages.

You can allow or block domain names, IP addresses, or specific email addresses. The domain or email address is added to the list and shown as allowed or blocked. This list is global and applies to all protected mailboxes.

Admin Allow/Block List

You can view email addresses, domains, and IPs you've already blocked, through the Message History and Quarantined Messages settings.

For information on how the emails from addresses and domains in allow and block lists are processed, see Allow list authentication.

Wildcards

Wildcards are supported for email addresses and domains. For example, *@domain.com would include any addresses that are part of domain.com. Subnet masks are supported from /16 to /32 (inclusive).

You can also use wildcards to block whole top level domains (TLDs). For example, *.top would block every email from the .top TLD. This is useful for blocking email from generic or geographic TLDs that you don't communicate with and are common sources of unwanted emails.

Wildcards can be added at a domain's beginning, middle, or end. The following wildcard examples are supported:

  • *user@domain.com
  • use*@domain.com
  • user@domai*.com
  • domain.co*

Enforce sender authentication

If Enforce sender authentication is turned on for an address or domain, inbound messages are only delivered if they pass at least one of the DNS authentications: DMARC, SPF, or DKIM. This ensures that emails pretending to be from addresses on the allow list (spoofing) are scanned.

When you add domains and addresses to an allow list, you can turn on Enforce sender authentication for that domain or address.

You can also select addresses and domains in the allow list and click Remove sender authentication or Enforce sender authentication.

Manage admin allow and block lists

To set up and manage admin allow and block lists, do as follows:

  1. Go to Global Settings > Inbound allow/block > Admin list.

  2. On the Inbound Allow/Block page, do one of the following:

    • Add an allowed domain or address.

      Adding domain or IP address to Admin Allow/Block List

    • Add a blocked domain or address.

    • Import a list of domains or email addresses to allow or block. See Import and export allow/block list.
    • Export the selected entries or the entire allow/block list as a CSV file. See Import and export allow/block list
    • Enforce or remove sender authentication for one or more allowed entries.
    • Delete one or more domains or addresses.

If you're adding the same address or domain for an admin again, select Override duplicates. Your most recent choice will be used.

The admin list comes with an Advanced Search option. You can search entries by allow or block, by sender authentication, or by sender address or domain.

Admin List Advanced Search option

For help with setting up Email Security policies, see Email Security policy.

For help on reviewing quarantined messages for your users, see Quarantined Messages.

Users can set up their own allow and block lists in Sophos Central Self Service Portal. If there are any conflicts between their lists and the lists in Sophos Central Admin, the lists in Sophos Central Admin have priority.

You can view and modify the user allow and block lists from Sophos Central. Only email addresses and domains can be added to a user allow/block list. Wildcards aren't supported.

User Allow/Block List

Sender Authentication always enforced

The sender authentication is always enforced for the user allow list. The allow list is honored if the inbound emails pass at least one of the DNS checks (DMARC, SPF, or DKIM).

Multiple recipient emails

Emails from addresses in block lists are processed early in the checking process (the SMTP command). The emails are treated differently if they're addressed to multiple recipients who've listed the sending address differently in their respective allow/block lists.

For example an email is sent from user@domain.com to person1@sophosuser.com and person2@sophosuser.com.

If person1 has added user@domain.com to their block list in Sophos Central Self Service Portal and person2 hasn't, the email is sent to person2 and not to person1.

Manage user allow and block lists

To set up and manage user allow and block lists, do as follows:

  1. Go to Global Settings > Inbound allow/block > End user list.

  2. On the Inbound Allow/Block page, do one of the following:

If you’re adding the same address or domain for a user again, select Override duplicates. Your most recent choice will be used.

The user list comes with an Advanced Search option. You can search entries by allow or block, by sender email address or domain, or by specific users.

End User Advanced Search option