Allow or block email senders

Allowlists provide the ability to include known safe email sender addresses, domains, IP addresses, or IP ranges that Coro can check if an Email Security event occurs. For instance, if an email is flagged by Coro's detection mechanisms as containing potentially malicious content or a possible phishing attack, Coro continues to allow the email if the sender is listed in an allowlist.

Blocklists list known bad senders, domains, or IP addresses/ranges where, regardless of content or authentication status, corresponding emails are blocked from being received by the named recipients. Coro raises tickets identifying the blocked event.

List types

Coro provides two primary allowlist and blocklist types applicable to your workspace (and optionally also to child workspaces generated by this workspace owner, where relevant):

Type	Description
Suspicious content	An allowlist and blocklist relating to checks on email content. Records added here (through ticket remediation or manual entry on this page) feed into remediation decisions concerning the content of emails sent to your protected and protectable users. Future remediation decisions based on positive detector tests take into account whether the sender or domain is in this list.
Authentication failure	An allowlist and blocklist for authentication failure conditions with the specified sender or sender's domain. Authentication is performed on the sender details to establish the legitimacy of their identity, primarily by checking message headers to determine the possibility of spoofing or impersonation. Records added here (through ticket remediation or manual entry on this page) feed into remediation decisions concerning detectors that are triggered by authentication failures.

Type

Description

Suspicious content

An allowlist and blocklist relating to checks on email content.

Records added here (through ticket remediation or manual entry on this page) feed into remediation decisions concerning the content of emails sent to your protected and protectable users.

Future remediation decisions based on positive detector tests take into account whether the sender or domain is in this list.

Authentication failure

An allowlist and blocklist for authentication failure conditions with the specified sender or sender's domain.

Authentication is performed on the sender details to establish the legitimacy of their identity, primarily by checking message headers to determine the possibility of spoofing or impersonation.

Records added here (through ticket remediation or manual entry on this page) feed into remediation decisions concerning detectors that are triggered by authentication failures.

Important

Coro also references a third high-level global allowlist and blocklist maintained by Coro itself and based on continuous research and observations over time. This list is not user accessible.

Viewing allowlists and blocklists

To view and update Email Security allowlists and blocklists, sign in to the Coro console and go to Control Panel > Email Security > Allow/Block:

Allow/Block

On this page, the Name column displays the sender email address or email domain, and the List column indicates whether each item belongs to an allowlist or blocklist for one of the named types.

Select the All entities dropdown to filter the list by Email or Domain:

Filter all entities

Select the All lists dropdown to filter the list by Allowlist or Blocklist:

Filter all lists

Use the Search box to filter the Name column using a free text search:

Cascading allowlist and blocklist rules to child workspaces

Coro provides the ability for Managed Service Providers (MSPs) and partners to apply allowlist and blocklist rules defined in a parent ("Channel") workspace to all connected child workspaces. To enable this feature, use the Apply allow/block rules to all child workspaces toggle:

Apply allow/block rules to all child workspaces

note

This toggle appears only for parent ("Channel") workspaces and applies only to the immediate child workspaces.

When enabled, a child workspace inherits ONLY the allowlist and blocklist rules from its parent workspace, combining them with any unique rules defined already within itself. A child workspace does not inherit the rules from any workspace above its own parent (in other words, from a grandparent workspace).

Additionally, when a child workspace itself becomes a parent (through Coro's approach to providing flexible workspace hierarchies), it passes on only those allowlist and blocklist rules defined within it, and none of the rules it inherited from a parent.

Adding entries

Coro enables you to add email addresses, domains, and IP addresses/ranges to the allowlist or blocklist through the following methods:

From Email Security tickets
Directly on this page
In bulk using a CSV file

From Email Security tickets

Coro raises Email Security tickets in response to events such as phishing and malware detection. For protected users, these tickets are typically remediated automatically by Coro - in that the suspicious email message is deleted, quarantined, or delivered with a warning notice (depending on the event type and your selected security mode) and the ticket is closed.

An admin user can view these tickets and make decisions as to whether to add the sender to the allowlist or blocklist.

To do this, open the Ticket Log and review your Email Security tickets. Each ticket involving a protected user includes an ACTIONS button, which provides actions applicable to that ticket type:

Email Security ticket actions

To add the sender to the allowlist, select Allow. Or, for the blocklist, select Block. Coro presents a dialog offering options for each list.

Coro adapts the allow or block options based on a combination of the ticket type and your Email Security settings. For example, if the email contains suspected phishing and you selected a security mode of Quarantine, Coro quarantines the email. As a result, your allow options include the ability to restore the email as well as affect future remediation by adding the sender to the allowlist. However, if the email contains malware, Coro deletes the email automatically and the allow choices are then limited to adding the sender's identity to the allowlist for future remediation decisions only.

Equally, for block options, Coro present choices that take into account remediation that has already taken place. You can only act on the email that triggered the ticket if it has not already been deleted.

This is also true where you have configured threat detection to warn recipients only. The email is already delivered to recipients so the Allow this email or Block this email options are disabled.

note

For a complete list of all Email Security ticket types and the available options in each case, see Ticket types for Email Security.

The following Allow choices represent an example where the email is in quarantine and therefore recoverable:

Email Security ticket allow options

Choose from:

Allow this email only : Allow the quarantined email that triggered this ticket to reach its recipients, but DO NOT add the sender's identity to the allowlist. Future emails from this or any other sender in the same domain can still trigger a ticket in Coro.
Allow this email and add the sender's domain to the allowlist : Allow the email, and instruct Coro to add the sender's domain to the allowlist. Future emails from any senders in this same domain continue to be received by all named recipients.
Allow this email and add the sender's email address to the allowlist : Allow the email, and instruct Coro to add the sender's email address to the allowlist. Future emails from this specific sender continue to be received by all named recipients.
Allow this email and add the sender's IP address to the allowlist : Allow the email, and instruct Coro to add the sender's IP address to the allowlist. Future emails from this specific IP address continue to be received by all named recipients.
note
This option is disabled if Coro cannot determine the IP address from the sender's identity.

Select CONFIRM to proceed.

In the same scenario, the following Block choices are available:

Email Security ticket block options

Choose from:

Permanently delete this email only : Permanently delete the email that triggered this ticket, but DO NOT add the sender's domain or email address to the blocklist. Future emails from this or any other sender in the same domain can still trigger a ticket in Coro.
Add the sender's domain to the blocklist and permanently delete this and all future emails from this domain : Instruct Coro to add the sender's domain to the blocklist, and permanently delete this and all future emails that originate from any sender in the same domain.
Add the sender's email address to the blocklist and permanently delete this and all future emails from this sender : Instruct Coro to add the sender's email address to the blocklist, and permanently delete this and all future emails that originate from the same email address.
Add the sender's IP address to the blocklist and permanently delete this and all future emails from this IP address : Instruct Coro to add the sender's IP address to the blocklist, and permanently delete this and all future emails that originate from the same IP address.
note
This option is disabled if Coro cannot ascertain the IP address.

Select CONFIRM to proceed.

note

Both dialogs include the option to enable Close all related tickets. This requests Coro to close all related tickets connected to the event.

note

Coro prevents adding well-known email provider domains to the allowlist or blocklist. In this situation, the option to add the entire domain is disabled, although you can still add individual email addresses or IP addresses.

Directly on this page

To add email addresses, domains, or IP addresses and ranges directly into the allowlist or blocklist:

Select ADD :
Select an option:

Choose from:
- Select Add to allowlist to add item(s) in the Add to allowlist dialog:
  
  Select the type of allowlist you want to add these entries to, then select ADD TO LIST.
- Select Add to blocklist to add item(s) in the Add to blocklist dialog:
  
  Select the type of blocklist you want to add these entries to, then select ADD TO LIST.
- Select Import from CSV to upload a comma-separated value (CSV) file containing your allowlist and/or blocklist data.
  note
  To learn more about creating a valid CSV file, see Using a CSV file.
  
  Select Upload a CSV file to browse your filesystem, or drag-and-drop a file into the dialog:
  
  To begin the import process, select ADD USERS.
  
  Coro presents a confirmation dialog that the import is now in progress:
  
  Select GOT IT to continue.
  
  note
  After the import process is complete, Coro displays an acknowledgement notice in the Console and places an entry in the Activity Log providing details of the import operation.

Your added items are displayed in the Allow/Block list, showing the list they belong to.

In bulk using a CSV file

Coro enables you to add existing email security allowlist and blocklist data by importing a CSV file containing a list of user email addresses with their corresponding list (Allow/Block).

Entries in your CSV file must follow the pattern:

<item>,<policy>,<content list>,<authentication list>

Each entry must be on a separate line, with the following allowed values in each field:

Field	Description	Allowed values
<item>	The sender's email address, domain, IP address, or IP address range.	`coro1@example.com`, `example.com`, `192.0.2.0` or `192.0.2.0/24`
<policy>	Whether to allow or block the item.	`Allow` or `Block`
<content list>	Add this item to the Suspicious Content list.	`Yes` or `No`
<authentication list>	Add this item to the Authentication Failure list.	`Yes` or `No`

Files must adhere to the following rules:

You must specify valid values in both columns. Entries with extra columns or invalid values are ignored.
The maximum file size is 5 MB.
A maximum of 100,000 records are permitted.

To facilitate creating a valid CSV file, Coro provides a link to a template in the Upload a CSV file dialog:

CSV template file link