Skip to main content

Overview

Allow and Deny lists let you control how Ocean handles emails from specific senders. By adding domains, IP addresses, or specific sender email addresses to these lists, you can:
  • Allow List: Mark senders as trusted, reducing false positives for known safe sources
  • Deny List: Mark senders as suspicious or malicious, ensuring emails from these sources are blocked
Changes to allow/deny lists take effect immediately for all new incoming emails.

Accessing Allow & Deny Lists

Navigate to Settings > Allow & Deny List in the Ocean portal to manage your lists.
Allow & Deny List settings page

Understanding the Lists

Allow List

The Allow List contains domains, IP addresses, and email addresses that you trust. When an email arrives from a sender on your Allow List:
  • Ocean marks the email as allowed
  • Reduces false positives from known partners, vendors, or services
Use the Allow List for trusted business partners, SaaS applications, legitimate services that may trigger false positives, or specific individuals whose emails should always be allowed.

Deny List

The Deny List contains domains, IP addresses, and email addresses you want to block. When an email arrives from a sender on your Deny List:
  • Ocean marks the email as denied
  • Helps block known bad actors and mitigate associated risks
Use the Deny List carefully. Adding legitimate domains or email addresses could cause important emails to be flagged incorrectly.

Entry Types

Ocean supports three types of entries for both Allow and Deny lists:

Domain

Add a domain to apply the rule to all emails from that domain. Examples:
Subdomains are matched separately. Adding example.com does not automatically include mail.example.com. Add each subdomain explicitly if needed.

IP Address

Add an IP address or CIDR range to apply the rule based on the sender’s mail server IP. Examples:
  • 203.0.113.50 - Matches a single IP address
  • 203.0.113.0/24 - Matches all IPs from 203.0.113.0 to 203.0.113.255 (CIDR notation)
IP-based rules are useful for blocking or allowing entire mail server ranges, such as those from specific hosting providers or email services.

Email Address

Add a specific email address to apply the rule to emails from that exact sender. This provides more granular control than domain-based rules. Examples:
  • support@example.com - Matches only emails from this specific address
  • newsletter@marketing.io - Matches only emails from this specific newsletter sender
Use email address rules when you want to allow or deny a specific sender without affecting other users from the same domain. This is useful for allowing trusted contacts or blocking specific bad actors.
Email address rules take precedence over domain rules. If you allow support@example.com but deny example.com, emails from support@example.com will still be allowed.

Adding Entries

1

Open the Add Modal

Click the Add button in the Allow & Deny List settings page.
2

Select Action

Choose whether to Allow or Deny the entries you’re adding.
Select allow or deny action
3

Select Entry Type

Choose the identifier type:
  • Domain - For email domains
  • IP - For IP addresses or CIDR ranges
  • Email - For specific sender email addresses
4

Enter Values

Enter the domains, IP addresses, or email addresses you want to add. You can add multiple entries at once by separating them with commas.Example for domains:
trusted-partner.com, vendor.io, saas-app.com
Example for IPs:
203.0.113.50, 198.51.100.0/24
Example for email addresses:
support@vendor.io, newsletter@saas-app.com
5

Add a Comment (Optional)

Add an optional comment to document why this entry was added. This helps your team understand the context later.
Add comment
6

Save

Click Add to save your entries. They will take effect immediately.

Deleting Entries

To remove an entry:
  1. Find the entry in the list
  2. Click the menu icon (three dots) on the right side of the row
  3. Select Delete
  4. Confirm the deletion
Delete entry

Validation Rules

Ocean validates entries before adding them to ensure they are properly formatted.

Domain Validation

  • Must be a valid domain format (e.g., example.com)
  • Cannot contain wildcards (*)
  • Must have at least two characters in the top-level domain
  • Cannot be an internal domain belonging to your organization

IP Validation

  • Must be a valid IPv4 or IPv6 address
  • CIDR notation is supported (e.g., 192.168.1.0/24)
  • Cannot be a private/internal IP address:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16

Email Address Validation

  • Must be a valid email address format (e.g., user@example.com)
  • Must contain exactly one @ symbol
  • Must have a valid domain portion after the @
Internal domains and private IP addresses cannot be added to protect against misconfigurations that could affect your organization’s email flow.

Conflict Handling

Ocean prevents conflicts between Allow and Deny lists:
  • You cannot add the same domain, IP, or email address to both lists
  • If an entry already exists in one list, you must remove it before adding it to the other list
If you see an error about a conflict, check both lists for existing entries with the same value.

Graymail-Scoped Rules

If graymail detection is enabled for your tenant, each allow/deny entry includes a Verdict scope field. This lets you create rules that apply only to graymail classification without affecting spam or threat detection.
Verdict scopeBehavior
GlobalDefault. The rule applies to all verdicts. Allow marks the email as allowed; Deny marks it as denied.
GraymailThe rule applies only to graymail classification. Allow = emails from this sender are never classified as graymail. Deny = emails from this sender are always classified as graymail and routed to the remediation folder.
Graymail verdict scope does not override threat verdicts. A malicious or spam email is not reclassified as graymail even if the sender has a Graymail Deny rule.
Allow & Deny List with Verdict Scope for graymail
To add a graymail-scoped rule:
  1. Follow the Adding Entries steps above.
  2. Before saving, set Verdict scope to Graymail.
All existing entries default to Global verdict scope. For more information on enabling and configuring graymail detection, see Configure Graymail Detection.

Frequently Asked Questions

Changes take effect immediately for all new incoming emails. Emails that have already been processed are not re-evaluated.
Use domains when you want to allow or deny all emails from a company or service. Use email addresses when you want more granular control over specific senders without affecting other users from the same domain. For example, you might allow newsletter@marketing.com while still blocking other emails from marketing.com.
Email address rules take precedence over domain rules. If you have conflicting rules (e.g., allow support@example.com but deny example.com), the more specific email address rule will be applied.
No. Adding example.com does not automatically include mail.example.com or other subdomains. You must add each subdomain explicitly.
Ocean prevents this scenario. You cannot add the same domain, IP, or email address to both the Allow and Deny lists. If you need to change a sender’s status, remove them from one list before adding to the other.
Currently, entries must be added through the portal interface. You can add multiple entries at once by separating them with commas.
Users with the appropriate permissions can view and edit allow/deny lists. Contact your Ocean administrator if you need access.
Verdict scope is available when graymail detection is enabled. It lets you create allow/deny rules that apply only to graymail classification, without affecting spam or threat verdicts. See Graymail-Scoped Rules for details.