Allowlists

About allowlists

Allowlists help to reduce the number of false-positive [FP] scan verdicts. A false-positive verdict is when a malicious or spam verdict is assigned to a scan, but the correct verdict is clean. Allowlists are typically implemented when some aspect of the email, file, or URL that is to be scanned is trustworthy. For example, the email may be sent from a known and trusted email address, or from an IP address that can be trusted.

For most of the allowlists, you'll need to specify either that:

  • the spam scan engines will not be applied - and spam verdicts are therefore not possible; malicious verdicts are possible,

    or

  • that no scan is performed at all, and a clean verdict is applied.

Some more about allowlists

  • If the same item is included in both an allowlist and a blocklist, the allowlist will take precedence.
  • Allowlists are not case-sensitive.
  • For security reasons, it is recommended to review the allowlist periodically to ensure that it doesn't contain problematic entries.

  • By default, each organization can have a maximum of 2,000 allowlist and blocklist entries combined.

  • Allowlists can't be exported to .csv files by admin-users. This can be done by FortiMail Workspace Security Support [support@perception-point.io] only. By default, the exported files will contain the allowed email addresses and domains, and the comment associated with each entry.

  • When you add an entry to an allowlist, if the same entry already exists in the allowlist, then the new entry is totally ignored, and the existing entry is maintained [unchanged].

  • Allowlists are applied to inbound email scanning and internal email scanning [if it is enabled]. Allowlists are not applied to outbound email scanning [if it is enabled].

  • It is possible to add a TLD [Top-Level-Domain] - such as .ir or .cfd - to an allowlist. This can be done by FortiMail Workspace Security Support only. For details, contact FortiMail Workspace Security Support [support@perception-point.io].

  • If an email is "allowed" because it is included in an allowlist, there will still be a record of the scan of the email in the Scans page.

Types of allowlists

You can configure various allowlists in FortiMail Workspace Security:

Sender email address / domain allowlist

When an email is received from an email address that is included in the "Sender email address / domain allowlist", then you can select to:

  • not scan the email, and set the scan verdict to clean.

    or

  • scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

Recipient email address allowlist

When an email is sent to an email address that is included in the "Recipient email address allowlist", then you can select to:

  • not scan the email, and set the scan verdict to clean.

    or

  • scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

Sender IP address allowlist

When an email is received from an IP address that is included in the "Sender IP allowlist", then you can select to:

  • not scan the email, and set the scan verdict to clean.

    or

  • scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

URL allowlist

When a URL that is included in the "URL allowlist" would otherwise be scanned, you can select to:

  • not scan the URL, and set the scan verdict to clean.

    or

  • scan the URL - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

Hash allowlist

When a file would otherwise be scanned, if the hash of the file is included in the "hash allowlist", then the file will not be scanned, and the scan verdict will be set to clean.

The Allowlists & Blocklists page is available to admin users with the "Controller" role [or higher] only.

Note

For details about blocklists, see Blocklists.

Propagating allowlists from a parent organization to child organizations

All allowlist entries that are configured in a parent organization are applied to the child organizations as well.

Note: Allowlist entries that are added to a parent organization and propagated from the parent organization to the child organizations, are not visible in the child organizations.

If you want to add an allowlist entry to a specific child organization only, make sure to select that child organization when you configure the new allowlist entry.

An allowlist entry in a parent organization overrides the same allowlist entry in a child organization. Therefore, for example, if an allowlist entry for a specific sender email address is set at the parent level to "Never mark as Spam", and the same sender email address is set at the child level to "Allow all emails", then the "Never mark as Spam" setting will be applied at the child level.

Global allowlists

FortiMail Workspace Security maintains global allowlists - with entries that apply to all organizations. Entries in globally maintained allowlists do not appear in the allowlists of your organization. When you add an entry to an allowlist, you'll know that the entry was added successfully only if you see a "successfully added" message.

If you add an entry, and a "successfully added" user notification doesn't appear, this may indicate that the entry is included in the globally maintained allowlist. The entry that you tried to add therefore won't appear in the allowlist for your organization.

Bulk import of allowlist entries

You can use FortiMail Workspace Security to perform a bulk import of entries for the following allowlists:

  • Sender email address / domain allowlist [see Configuring the "sender email address / domain allowlist"]

  • Sender IP address allowlist [see Configuring the "sender IP allowlist"]

If you need to upload multiple entries to another allowlist, contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.

When you upload entries, make sure that the upload file meets the following requirements:

  • The upload file must be a .csv file, with a maximum size of 20 KB.

  • The upload file can have a maximum of 300 entries.

  • Note: If you have thousands of entries to add to an allowlist or a blocklist, contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.

  • Each entry should be on a separate line in the upload file.

  • Don't include a header or header row [such as "Domains to block"] at the top of the file.

  • By default, each organization can have a maximum of 2,000 allowlist and blocklist entries combined.

Allowlists vs blocklists - precedence

If the same item is included in both an allowlist and a blocklist, the allowlist will take precedence.

This may be useful in a scenario where you want to allowlist specified email addresses that are included in a domain that is in the blocklist.

Allowlists vs restricted files - precedence

Scenario

Your organization has an allowlist entry to allow all emails from a specified domain. The "Allow all emails" option is specified in the allowlist entry.

The organization receives an email from that domain - and the email includes a restricted file attachment. [See Restricted file types.]

Result

The allowlist entry takes precedence, and the restricted file is allowed. The email scan is assigned a Clean verdict.

Note: If the "Never mark as Spam" option is specified in the allowlist entry, then the restricted file takes precedence. The email scan is assigned a Restricted verdict.

Configuring the "sender email address / domain allowlist"

When an email is received from an email address that is included in the "Sender email address / domain allowlist", then you can select to:

  • not scan the email, and set the scan verdict to clean.

    or

  • scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

Follow the procedure below to allow-list sender email addresses and sender domains [such as acme.com].

Note: When an SPF check is performed, if the sender fails the SPF check, the email will not be allow-listed [even though it is on the allowlist], and may be assigned a malicious or spam verdict. This is done to prevent possible spoofing attempts. For further details, see Disable IP/SPF checks below.

To add an entry to the "sender email address / domain allowlist":

  1. In FortiMail Workspace Security, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. Click Add Address on the right of "Sender Email Address / Domain Allowlist".

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the allowlist applies.

    Note:

    • If you add an allowlist entry to a parent organization, the entry will affect the parent organization and all child-organizations. However, the allowlist entry won't be visible in the child organizations.

    • If you want to add an allowlist entry to a specific child organization only, select that child organization here.

    Sender Email Address / Domain

    Single email address / domain

    Specify the email address or the domain of the sender. Emails from this email address or domain will be allow-listed.

    • Email addresses should be plain email addresses only, without any display names or extra characters.

    Import bulk list

    Lets you add multiple email addresses and domains to the allowlist. You'll need to specify and upload a .csv file that contains the required email addresses and/or domains.

     

    Email allow options

    Specify which scans will be performed on emails and URLs that satisfy this allow-list entry [you can select only one of the two options below]:

    • Allow all emails: The email or URL will not be scanned, and the scan verdict will be set to clean.

      No links in the email will be clicked.

    • Never mark as Spam: The email or URL will be scanned:

      • The spam scanning engines won't be applied. A spam verdict is therefore not possible.

      • The malicious scanning engines will be applied.

      • All links in the email will be clicked.

    Note: If you do not select one of the "Email allow options", then the allowlist entry will not be functional.

    Disable IP/SPF checks

    When this option is selected, no IP/SPF checks will be performed for this email address or domain. Select this option when the sender has not set up an SPF record or the SPF record is broken or incorrectly configured.

    Important: It is recommended that you disable IP/SPF checks only if the allowlist is set to "Never mark as Spam". If the allowlist is set to "Allow all emails", it is recommended that you don't disable IP/SPF checks. This is because attackers can then spoof the allow-listed address or domain, and the scanning engines won't be activated to detect malicious content.

    See also: About SPF checks

    Note:

    • When this option is not selected and an SPF check is performed, if the sender fails the SPF check, the email will not be allow-listed [and assigned a clean verdict], and the email may be assigned a malicious or spam verdict.

    • The SPF check should be disabled only if you are familiar with the sender, the SPF check has failed, and the email was investigated and found to be not malicious.

    • FortiMail Workspace Security performs SPF verification on the domain in the "SMTP Return-Path" (SMTP.From, P1) and on the domain in the "From:" header (P2). If either verification fails, the email is marked as SPF fail, and the allowlist won't be applied [if the "Disable IP/SPF checks" check box isn't selected].

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the allowlist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allowlist, this may indicate that the entry is included in the globally maintained allowlist. For details, see Global allowlists above.
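The precedence rules stated on this page [parent entry over child entry, allowlist over blocklist, "Allow all emails" over a restricted attachment, and the SPF-fail rule for "Disable IP/SPF checks"] interact, so here they are combined in one Python model. This is an added example, not FortiMail Workspace Security code; the AllowEntry and Email structures, the "parent"/"child" labels and the sample entries are constructed for illustration.

```python
"""Worked model of the allowlist precedence rules described on this page.

Added example; this is not FortiMail Workspace Security code. It models the
rules as documented: a parent-organization entry overrides the same entry in
a child organization; an allowlist entry takes precedence over a blocklist
entry (an allow-listed address inside a block-listed domain); a sender that
fails the P1 or P2 SPF check is not allow-listed unless "Disable IP/SPF checks"
is set; "Allow all emails" skips the scan and gives Clean even with a
restricted attachment; "Never mark as Spam" runs the malicious engines only,
and a restricted attachment then gives Restricted. Entries and emails used
with this code are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ALLOW_ALL = "Allow all emails"
NEVER_SPAM = "Never mark as Spam"


@dataclass(frozen=True)
class AllowEntry:
    value: str                 # email address or bare domain (case-insensitive)
    option: str                # ALLOW_ALL or NEVER_SPAM
    org: str                   # "parent" or "child" (constructed labels)
    disable_spf: bool = False  # the "Disable IP/SPF checks" check box


@dataclass(frozen=True)
class Email:
    sender: str
    spf_pass: bool             # True only if both P1 and P2 verification passed
    has_restricted_file: bool = False


def _matches(list_value: str, sender: str) -> bool:
    """An entry matches a full address exactly or any address in its domain."""
    v, s = list_value.lower(), sender.lower()
    return s == v or s.endswith("@" + v)


def effective_entry(entries: Iterable[AllowEntry], sender: str) -> Optional[AllowEntry]:
    """The entry that applies to the sender; a parent entry overrides a child's."""
    hits = sorted((e for e in entries if _matches(e.value, sender)),
                  key=lambda e: e.org != "parent")
    return hits[0] if hits else None


def scan_decision(email: Email, allowlist: Iterable[AllowEntry],
                  blocklist_domains: Iterable[str] = ()) -> dict:
    """Return the up-front verdict (if any), which engines run, and why."""
    full_scan = {"verdict": None, "spam_engines": True, "malicious_engines": True,
                 "links_clicked": True}
    entry = effective_entry(allowlist, email.sender)
    if entry is not None and not email.spf_pass and not entry.disable_spf:
        # SPF failed with IP/SPF checks enabled: the entry is ignored so that a
        # spoofed sender cannot ride the allowlist; the email gets the normal scan.
        return dict(full_scan, reason="SPF fail: allowlist entry not applied")
    if entry is None:
        if any(_matches(d, email.sender) for d in blocklist_domains):
            return {"verdict": None, "spam_engines": None, "malicious_engines": None,
                    "links_clicked": None, "reason": "blocklist entry applies (see Blocklists)"}
        return dict(full_scan, reason="no list entry")
    # From here on the allowlist entry wins, even if a blocklist entry also matches.
    if entry.option == ALLOW_ALL:
        # Nothing is scanned and no link is clicked; Clean even for a restricted file.
        return {"verdict": "Clean", "spam_engines": False, "malicious_engines": False,
                "links_clicked": False, "reason": f"{ALLOW_ALL} ({entry.org} entry)"}
    # NEVER_SPAM: spam engines off, malicious engines on, links clicked; a restricted
    # attachment takes precedence over this option and the verdict is Restricted.
    return {"verdict": "Restricted" if email.has_restricted_file else None,
            "spam_engines": False, "malicious_engines": True, "links_clicked": True,
            "reason": f"{NEVER_SPAM} ({entry.org} entry)"}
```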

Configuring the "recipient email address allowlist"

When an email is sent to an email address that is included in the "Recipient email address allowlist", then you can select to:

  • not scan the email, and set the scan verdict to clean.

    or

  • scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

Note: The "recipient email address allowlist" can contain both email addresses and domains.

To add an entry to the "recipient email address allowlist":

  1. In FortiMail Workspace Security, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. Click Add Address on the right of "Recipient Email Address Allowlist".

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the allowlist applies.

    Note:

    • If you add an allowlist entry to a parent organization, the entry will affect the parent organization and all child-organizations. However, the allowlist entry won't be visible in the child organizations.

    • If you want to add an allowlist entry to a specific child organization only, select that child organization here.

    Recipient Email Address

    Specify the email address of the recipient. Emails to this recipient will be allow-listed.

    • If you need to include a wildcard character [*] in the definition of an allowlist, contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.

    • The email address must be an email address within the organization.

    Email allow options

    Specify which scans will be performed on emails and URLs that satisfy this allow-list entry [you can select only one of the two options below]:

    • Allow all emails: The email or URL will not be scanned, and the scan verdict will be set to clean.

      No links in the email will be clicked.

    • Never mark as Spam: The email or URL will be scanned:

      • The spam scanning engines won't be applied. A spam verdict is therefore not possible.

      • The malicious scanning engines will be applied.

      • All links in the email will be clicked.

    Note: If you do not select one of the "Email allow options", then the allowlist entry will not be functional.

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the allowlist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allowlist, this may indicate that the entry is included in the globally maintained allowlist. For details, see Global allowlists.

Configuring the "sender IP allowlist"

When an email is received from an IP address that is included in the "Sender IP allowlist", then you can select to:

  • not scan the email, and set the scan verdict to clean.

    or

  • scan the email - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible.

To add an entry to the sender IP allowlist:

  1. In FortiMail Workspace Security, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. Click Add IP on the right of "Sender IP Allowlist".

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the allowlist applies.

    Note:

    • If you add an allowlist entry to a parent organization, the entry will affect the parent organization and all child-organizations. However, the allowlist entry won't be visible in the child organizations.

    • If you want to add an allowlist entry to a specific child organization only, select that child organization here.

    Sender IP Address

    Single IP Address

    Specify the IP address of the sender. Emails from this sender IP address will be allow-listed.

    Note:

    • If you need to include a wildcard character [*] in the definition of an allowlist, contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.

    • By default, for security reasons, allow-listing a subnet [range] is not recommended. It may be possible to allow an IP range, if the IP range is paired with a domain. For possible implementation details, contact FortiMail Workspace Security Support [support@perception-point.io].

    Import bulk list

    Lets you add multiple IP addresses to the allowlist. You'll need to specify and upload a .csv file that contains the required IP addresses.

    Email allow options

    Specify which scans will be performed on emails and URLs that satisfy this allow-list entry [you can select only one of the two options below]:

    • Allow all emails: The email or URL will not be scanned, and the scan verdict will be set to clean.

      No links in the email will be clicked.

    • Never mark as Spam: The email or URL will be scanned:

      • The spam scanning engines won't be applied. A spam verdict is therefore not possible.

      • The malicious scanning engines will be applied.

      • All links in the email will be clicked.

    Note: If you do not select one of the "Email allow options", then the allowlist entry will not be functional.

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the allowlist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allowlist, this may indicate that the entry is included in the globally maintained allowlist. For details, see Global allowlists.

Configuring the "URL allowlist"

By default, when FortiMail Workspace Security scans an email, FortiMail Workspace Security "clicks" each URL that is included in the email - and then scans the URL to check if the URL is safe. Although this is the desired behavior from a security perspective, it can result in various undesired scenarios, such as:

  • clicking one-time links - that are thereafter not available to the email recipients

  • clicking unsubscribe links

To prevent the above scenarios, you can include a list of URLs in the "URL allowlist". Then, when any of these URLs is included in an email, you can configure FortiMail Workspace Security to:

  • not scan the URL, and set the scan verdict to clean. The associated link is therefore not "clicked".

    or

  • scan the URL - without applying the spam scanning engines. A spam verdict is therefore not possible; a malicious verdict is possible. The associated link will be "clicked".

Alternatively, you can prevent FortiMail Workspace Security from "clicking" every URL that is included in scanned emails. For details, see Detection. However, that setting applies to every URL in ALL scanned emails - which may not be ideal from a security perspective.

Note:

  • Use the "URL allowlist" to allow access to websites when using FortiMail Browser Security. For more information, see Detection Settings.

  • "URL follow allowlists" have been deprecated. Existing "URL follow allowlists" will remain functional - but they can't be viewed or edited. For assistance with existing URL follow allowlists, contact FortiMail Workspace Security Support [support@perception-point.io].

    The deprecated "URL follow allowlist" functionality is replaced by "URL allowlists."

To add an entry to the "URL allowlist":

  1. In FortiMail Workspace Security, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. Click Add URL on the right of "URL Allowlist".

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the allowlist applies.

    Note:

    • If you add an allowlist entry to a parent organization, the entry will affect the parent organization and all child-organizations. However, the allowlist entry won't be visible in the child organizations.

    • If you want to add an allowlist entry to a specific child organization only, select that child organization here.

    Method and URL

    In the field on the right, specify the URL string of the sites that will be allow-listed. Use Method on the left to specify how that URL string is compared with the URLs found in emails, and therefore which URLs are allow-listed:

    • Starts with: A URL will be allow-listed if the URL starts with the specified URL string.

    • In: A URL will be allow-listed if the URL includes the complete specified URL string.

      Note: This option is available to FortiMail Workspace Security Support only. Contact FortiMail Workspace Security Support [support@perception-point.io] for details.

    • Domain ends with: A URL will be allow-listed if the URL ends with the specified URL string.

    • Wildcard: An asterisk [*] included in the URL string above acts as a wildcard - representing any set of characters. If Wildcard is not selected, then an asterisk in the URL acts as an asterisk, and not as a wildcard.

      If Wildcard is selected, but no asterisk [*] is included in the specified URL, then each URL will be evaluated as if the "Exact" method has been selected.

      Note: This option is available to FortiMail Workspace Security Support only. Contact FortiMail Workspace Security Support [support@perception-point.io] for details.

    • Exact: A URL will be allow-listed if the URL is the exact specified URL string.

    URL allow options

    Specify which scans will be performed on emails and URLs that satisfy this allow-list entry [you can select only one of the two options below]:

    • Allow all emails: The email or URL will not be scanned, and the scan verdict will be set to clean.

      No links in the email will be clicked.

    • Never mark as Spam: The email or URL will be scanned:

      • The spam scanning engines won't be applied. A spam verdict is therefore not possible.

      • The malicious scanning engines will be applied.

      • All links in the email will be clicked.

    Note: If you do not select one of the "Email allow options", then the allowlist entry will not be functional.

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the allowlist as expected.

    Note: If you don't see a "successfully added" user notification, and if the URL that you tried to add doesn't appear in your URL allowlist, this may indicate that the URL is included in the globally maintained URL allowlist. For details, see Global allowlists.
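The five Method options above, as an added Python model that is not FortiMail Workspace Security code [the product's own matcher is not public]: it encodes only what this page states, including the two Wildcard edge cases, and assumes the comparison is case-insensitive, as the page says allowlists are. The covering_entries helper and the (method, URL string, allow option) tuple shape are this example's own.

```python
"""Model of the "Method" options of the URL allowlist, as described on the page.

Added example; this is not FortiMail Workspace Security code and the vendor's
matcher is not public. It only encodes what the page states: Starts with, In,
Domain ends with (the URL ends with the string), Exact, and Wildcard, where an
asterisk stands for any run of characters, an asterisk is a literal character
when Wildcard is not selected, and Wildcard with no asterisk behaves as Exact.
Comparison is assumed to be case-insensitive, as the page says allowlists are.
"""
import re
from typing import Iterable, List, Tuple

METHODS = ("Starts with", "In", "Domain ends with", "Wildcard", "Exact")


def url_matches(method: str, url_string: str, url: str) -> bool:
    """Does the allowlist entry (method, url_string) cover this URL?"""
    p, u = url_string.strip().lower(), url.strip().lower()
    if method == "Wildcard":
        if "*" not in p:
            method = "Exact"          # documented fallback when no asterisk is given
        else:
            # Each '*' becomes '.*'; everything else is matched literally.
            regex = ".*".join(re.escape(part) for part in p.split("*"))
            return re.fullmatch(regex, u, re.DOTALL) is not None
    if method == "Starts with":
        return u.startswith(p)
    if method == "In":
        return p in u
    if method == "Domain ends with":
        return u.endswith(p)
    if method == "Exact":
        return u == p                 # '*' is an ordinary character here
    raise ValueError(f"unknown method: {method!r}")


Entry = Tuple[str, str, str]          # (method, URL string, allow option)


def covering_entries(entries: Iterable[Entry], url: str) -> List[Entry]:
    """All entries that would allow-list this URL; useful when auditing a long list."""
    return [e for e in entries if url_matches(e[0], e[1], url)]
```

Because "Starts with" is a plain prefix test, a URL string of https://example.com also covers https://example.com.other.test/, so end a host-level prefix with a slash to keep the entry tight.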

Configuring the "hash allowlist"

When a file should possibly be scanned, if the hash of the file is included in the "hash allowlist," then the file won't be scanned, and the scan verdict will be set to clean.

To add an entry to the hash allowlist:

  1. In FortiMail Workspace Security, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. Click Add Hash on the right of "Hash Allowlist".

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the allowlist applies.

    Note:

    • If you add an allowlist entry to a parent organization, the entry will affect the parent organization and all child-organizations. However, the allowlist entry won't be visible in the child organizations.

    • If you want to add an allowlist entry to a specific child organization only, select that child organization here.

    SHA256

    Specify the SHA-256 hash value. Any file with this hash value will not be scanned, and the scan verdict will be set to clean.

    Note: Only SHA-256 hashes are supported. MD5 hashes and SHA-1 hashes are not supported.

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the allowlist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your allowlist, this may indicate that the entry is included in the globally maintained allowlist. For details, see Global allowlists.

Custom allowlists

In addition to the standard allowlists, FortiMail Workspace Security Support is able to create customized allowlist entries that may be helpful in your organization. For example, they could create a custom allowlist entry to allow all emails that have the word "bitcoin" in the subject or in the body of the email.

Note: You won't be able to see any custom allowlist entries in the Allow & Block Lists page in FortiMail Workspace Security. Custom allowlist entries are visible to FortiMail Workspace Security Support only.

For additional information about custom allowlists, contact FortiMail Workspace Security Support [support@perception-point.io].

Troubleshooting

Scenario

I have added a domain to an allowlist, but emails from that domain are still being blocked as spam.

Suggestions

It seems that the domain was possibly not successfully added to the allowlist. Here are a few things you might want to consider:

  1. Correct format for domains: Make sure not to include a wildcard character (*), a period (.), or an at sign (@) before the domain when adding it to the allowlist. For example, use just "kms.bet" instead of "@kms.bet".

  2. SPF check: If you have configured SPF checks for your domains, it can cause issues if the domain fails the SPF check. You may want to disable SPF checks for the allowlist entries.

  3. Verification: Ensure that you see a "successfully added" message when you add the domain to the allowlist. If you don't see this message, the entry might already be included in a globally maintained allowlist, and therefore won't appear in your organization's allowlist.

  4. Contacting Support: If you continue to experience issues, it might be best to contact FortiMail Workspace Security Support [support@perception-point.io]. They can help in reviewing problematic allowlist entries.

Filtering [searching] allowlists

Sometimes allowlists may contain many entries. Finding a specific entry in a long allowlist may not be so simple. For example, your "Sender Email Address / Domain" allowlist contains 245 entries, and you want to see all entries that include "example.com". You can use the Search facility at the top of each allowlist.

Allowlisting MFA, 2FA, and OTP codes

MFA, 2FA, and OTP codes are frequently sent by email. These codes may be valid for a limited period only. If you find that, from time to time, MFA, 2FA, or OTP codes from a particular source are no longer valid by the time they are received, then you can add the sender to an allowlist.

Copying allowlists

It is possible to copy allowlists and blocklists from one organization to another. This can be done by FortiMail Workspace Security Support only. For details, contact FortiMail Workspace Security Support [support@perception-point.io].

Note: Besides allowlists and blocklists, no other lists can be copied from one organization to another.