Sender Restrictions

Control which users can send to which recipients. Prevent data leaks and enforce communication policies.

Overview

Sender Restrictions allow you to define rules that limit which recipients a specific sender can reach. This is essential for:

  • Preventing data leaks from automated systems
  • Restricting temporary staff to internal communication
  • Enforcing compliance policies
  • Limiting service account email destinations

Data Leak Scenario

An automated notification system with email access gets misconfigured and starts sending customer data to external addresses. Without sender restrictions, there's nothing stopping this. With SecZim, the email is blocked before it leaves your server.

How It Works

Define rules that limit which recipients a sender can reach. If a sender tries to email someone not on their allowed list, the message is rejected with a customizable error message.

notifications@company.com
Can only send to:
• *@company.com (all internal)
• support@vendor.com
• alerts@monitoring.io

Use Cases

🤖 Service Accounts

Restrict automated systems to only email internal addresses or specific external contacts.

👤 Temporary Staff

Contractors and interns can be restricted to internal domains only during their assignment.

🏢 Department Isolation

Finance teams can be restricted to internal communication and specific banking partners only.

📋 Compliance

Healthcare, legal, and financial organizations can enforce strict email controls for regulatory compliance.

Configuration

Configure sender restrictions in the web interface under Settings → Sender Restrictions.

Creating a Restriction

  1. Click "Add Restriction"
  2. Enter the sender email address
  3. Add allowed recipients (exact addresses or wildcards)
  4. Optionally customize the rejection message
  5. Save the restriction

Recipient Matching Patterns

  • Exact address: john@partner.com
  • Entire domain: *@company.com
  • Subdomain wildcard: *@*.company.com
  • Distribution lists: sales-team@company.com
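
The matcher below is an added example, not SecZim's own code, for checking before you save a rule which recipients a set of patterns would let through. It assumes that matching is case-insensitive, that `*` before the `@` never crosses an `@`, that `*` in the domain stands for one or more whole labels, and that senders with no rule are unrestricted; the function names and the `evil.example` test address are constructed for illustration.

```python
import re

# Constructed rule set mirroring the notifications@company.com example on this page.
RULES = {
    "notifications@company.com": [
        "*@company.com",
        "support@vendor.com",
        "alerts@monitoring.io",
    ],
}

# One or more DNS labels, used where '*' appears in the domain part (assumption).
LABELS = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*"


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn an allow-list pattern into a regex that is used with fullmatch().

    Every literal piece is escaped, so '.' only matches a dot and a pattern
    such as *@company.com cannot match company.com.evil.example.
    """
    local, sep, domain = pattern.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"pattern must look like local@domain: {pattern!r}")
    local_re = "[^@]+".join(re.escape(part) for part in local.split("*"))
    domain_re = LABELS.join(re.escape(part) for part in domain.split("*"))
    return re.compile(f"{local_re}@{domain_re}")


def is_allowed(sender: str, recipient: str, rules=RULES) -> bool:
    """Return True if the recipient is permitted for this sender."""
    patterns = rules.get(sender.strip().lower())
    if patterns is None:
        return True  # assumption: no rule means the sender is unrestricted
    rcpt = recipient.strip().lower()
    return any(compile_pattern(p).fullmatch(rcpt) for p in patterns)


if __name__ == "__main__":
    for rcpt in ("bob@company.com", "bob@sub.company.com",
                 "bob@company.com.evil.example", "support@vendor.com"):
        print(rcpt, is_allowed("notifications@company.com", rcpt))
```

Under these assumptions `*@company.com` does not cover `bob@sub.company.com`; covering subdomains requires adding `*@*.company.com` as a separate allowed recipient.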

Custom Rejection Messages

When a restricted sender tries to email an unauthorized recipient, they receive a customizable error message:

"This account is restricted to internal communication only. Please contact IT if you need to send external emails."

Instant Application

Sender restrictions take effect immediately when created or modified. No server restarts, no delays. Block a compromised account in seconds.

Logging

All sender restriction violations are logged in the session tracking logs with:

  • Timestamp of the attempt
  • Sender and attempted recipient
  • The restriction rule that was matched
  • The rejection message sent

View logs in the web interface under Logs → Session Tracking or via the API.