How to whitelist or block sender domains

You can restrict an alias to a list of trusted senders, block noisy ones, or exempt one sender from a filter you already have. All three are done in the same place — but they are not three rules. They are three different shapes of one rule.

Note: Alias rules require a Maker plan or higher.

Read this before you start

Each alias has exactly one rule set: a list of conditions and one action (Block, Allow, or Tag). You cannot put an allow rule and a block rule on the same alias — there is only ever one action and one answer.

And the action names are misleading in one specific, expensive way:

Allow means "accept ONLY what matches — reject everything else." It is a guest list, not an exception. An Allow rule naming one sender rejects all your other mail.

Almost everything below follows from those two sentences.

Case 1 — Only accept mail from trusted domains

This is the case Allow is built for: invoices@yourcompany.com should hear from your two suppliers and nobody else.

  1. Open the alias and go to Rules
  2. Turn on Enable acceptance rules
  3. Condition 1 — field Sender address, operator is one of, value *@supplier-one.com
  4. Click + Add, set the join to OR
  5. Condition 2 — field Sender address, operator is one of, value *@supplier-two.com
  6. Action: Allow
  7. Save
Action:      Allow
Condition 1: Sender address  is one of  *@supplier-one.com
Condition 2: OR  Sender address  is one of  *@supplier-two.com

Mail from either supplier is delivered. Everything else is rejected — which here is exactly what you asked for. Make sure it really is.

Two details that will bite you otherwise:

  • One value per condition. Typing *@supplier-one.com, *@supplier-two.com into a single field does not create a list — the text is matched as one literal string, so it matches nothing and the alias rejects all mail. Use one condition per sender, joined with OR.
  • Use Sender address with *@, not Sender domain. See the warning further down.

Case 2 — Block a specific sender or domain

You want to accept mail generally, but drop one noisy sender. That is a Block action:

Action:      Block
Condition 1: Sender address  is one of  *@spam-company.com

Matching mail is rejected; everything else is delivered. To block several, add more conditions joined with OR.

Case 3 — Exempt one sender from your spam filter

This is the case people reach for "an allow rule" and destroy their mail. Do not add an Allow rule for the trusted sender — that would reject everything else.

An exemption goes inside the same rule, OR-ed to the filter it's exempt from:

Action:      Allow
Condition 1: Sender address  is one of  *@trusted-partner.com
Condition 2: OR  Spam score  less than  6

Read it as deliver if the partner sent it, or if it scored under 6. An email is rejected only when it is both not from the partner and scoring 6 or above. The partner is exempt; everyone else is still filtered.

Be aware of what you just handed the partner: because there is only one rule set, an OR-matched sender short-circuits every other condition in it, including attachment conditions. The exemption is not scoped to the spam check — it is a skeleton key for the whole rule.

Also note: condition order is meaning. The fold is strictly left to right with no precedence, so [A] OR [B] AND [C] is (A OR B) AND C — an AND after your exemption can still veto it. Put the exemption where you want it read.

⚠️ Never use "Sender domain" to protect anything

The Sender domain field only offers the operator contains, and contains is a plain substring match.

ceo@trusted-partner.com.evil.io contains trusted-partner.com.

So a condition Sender domain contains trusted-partner.com happily matches that address. If it is your spam exemption, an attacker registers a lookalike domain and walks straight past your filter. If it is your allowlist, they're on it.

✅  Sender address  is one of  *@trusted-partner.com     (suffix match on the full address — not spoofable this way)
❌  Sender domain   contains   trusted-partner.com        (substring — a lookalike domain satisfies it)

Use Sender address with a *@domain wildcard for every allowlist and every exemption. Keep Sender domain contains for cosmetic filtering only — for instance a Tag rule.

Try it as a Tag first

If you're nervous about rejecting real mail — and with Allow you should be — set the action to Tag instead. Tag never blocks: matching mail is delivered with an X-EmailConnect-Tagged header (plus X-EmailConnect-Spam-Score when a spam condition matched), so you can watch what would have been affected in your webhook payloads for a day, then flip the action.

Notifying blocked senders

By default a rejected email is dropped silently. Enable Send sender notification on block to send the sender a short notice instead. The custom message is plain text, 500 characters maximum; leave it empty for the default.

Turn it on when a legitimate sender might be caught by mistake. Leave it off when you're filtering spam — a bounce just confirms that the address is live.

If something goes wrong

Everything is being rejected. You have an Allow action with a condition list narrower than your real traffic — most likely a comma-separated list in one field (which matches nothing), or a single trusted sender. Switch to Block with an inverted condition, or OR your legitimate traffic back in.

The rule was supposed to catch a spam score of exactly 6. It doesn't — the operators are strict > and < even though the editor draws them as and . Use 5.9.

Unscored mail slips through. If a message was never scored, a spam condition can't be decided, and an undecidable rule delivers. That's deliberate: we won't destroy your mail on evidence we don't have.

Related