Prevent untrusted users from triggering inbound actions

You can prevent users from untrusted domains from triggering inbound actions.

Before you begin

Role required: admin

About this task

For example, you can prevent email from users outside your company domain from creating incidents.

Note: Users in your instance must still have write and update access to the records that they create or update through inbound email actions.

Procedure

  1. Enable automatic user creation and add a list of trusted domains. For example, add your company domain example.com.
  2. Navigate to User Administration > Users.
  3. Select the user guest.
  4. Select the Locked out field to disable the guest account. Locking out a user record prevents the user from processing inbound actions.

Result

When a user from a trusted domain sends an email to the instance, the instance either matches the email to an existing user or creates a new user. Since the incoming email matches a user record (either an existing or new one), the email can trigger an inbound action.

When a user from an untrusted domain sends an email to the instance, the instance attempts to impersonate the guest user. Since the guest user is locked out, the impersonation fails and the incoming email cannot trigger an inbound action.

Warning: Allowing locked out users to trigger inbound actions also allows untrusted users to trigger inbound actions.
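
The sender resolution described under Result, as a simplified model added here for illustration. It is not ServiceNow code: the function, field and setting names are hypothetical, and exact case-insensitive domain matching and the guest fallback when automatic user creation is off are assumptions. It shows why step 4 and the warning matter: the same untrusted email triggers an action once guest is active or locked-out users are allowed.

```javascript
// Added illustration: a simplified model of the Result section, not ServiceNow code.
// All names (resolveInboundSender, cfg fields, user fields) are hypothetical.
function resolveInboundSender(from, cfg, users) {
  const email = from.trim().toLowerCase();
  // Assumption: a domain is trusted on an exact, case-insensitive match.
  const domain = email.slice(email.lastIndexOf("@") + 1);
  const trusted = cfg.trustedDomains.some((d) => d.toLowerCase() === domain);

  let user = null;
  let via = "guest";
  if (trusted) {
    // Trusted domain: match an existing user, otherwise create one.
    user = users.find((u) => u.email === email) || null;
    if (user) {
      via = "matched";
    } else if (cfg.autoCreateUsers) {
      user = { name: email, email, lockedOut: false };
      via = "created";
    }
  }
  // Everything else is attempted as the guest user (assumption for the
  // trusted-but-auto-creation-off case; the page covers untrusted senders).
  if (!user) user = users.find((u) => u.name === "guest") || null;

  // A locked-out user cannot process inbound actions unless that is allowed.
  const triggers = user !== null && (!user.lockedOut || cfg.allowLockedOut);
  return { via, user: user ? user.name : null, triggers };
}

// Constructed sample data: example.com is the trusted domain from step 1.
const hardened = { trustedDomains: ["example.com"], autoCreateUsers: true, allowLockedOut: false };
const users = [
  { name: "guest", email: "", lockedOut: true }, // step 4 applied
  { name: "alice", email: "alice@example.com", lockedOut: false },
];
const outsider = "someone@untrusted.test"; // constructed untrusted sender

function demo() {
  const guestUnlocked = users.map((u) => (u.name === "guest" ? { ...u, lockedOut: false } : u));
  return {
    existing: resolveInboundSender("Alice@Example.com", hardened, users),
    created: resolveInboundSender("new.hire@example.com", hardened, users),
    untrusted: resolveInboundSender(outsider, hardened, users),
    // The warning: allowing locked-out users reopens the guest path.
    lockedOutAllowed: resolveInboundSender(outsider, { ...hardened, allowLockedOut: true }, users),
    // Step 4 skipped: guest is still active.
    guestActive: resolveInboundSender(outsider, hardened, guestUnlocked),
  };
}
console.log(demo());
```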