IP Geolocation Connection Rule

This Connection Rule detects the location of the connecting IP address. It will classify the IP to a country of origin. You can then use the rule to reject certain countries, or to only allow specific countries to be able to send email to your domain(s).

Since each customer has different location requirements, Email Security does not ship with a pre-configured Geolocation Rule as part of the default rule set. If you want to take advantage of the Geo IP Location Condition, you will need to create your own rule by following the guidelines in this article.

Blocking certain countries

To create a blocklist of countries that will not be allowed to interact with your domain:

  1. Visit your USS Dashboard and click ProductsEmail SecurityConnection Rules.
  2. Click to create a new Rule.
  3. Give the Rule a sensible name, such as "Restricted IP Location - Denylist", and click
  4. Add a Direction Condition, with the logic set to Matches: Inbound.
  5. Add a Sender IP Geolocation condition, with the Match Type set to Matches and the Value set to a list of the countries you wish to block.
You can add more than one country at a time, by simply continuing to add countries from the drop-down list.
  1. Add the Connection IP condition with the Value -> Does Not Match -> GeoIP exclusion for release servers
This excludes the email release servers from being rejected with options used in the Sender IP Location
  1. Add a Permanent Reject Final Action, with the Value set to 5.7.1 geoip restriction.
  2. Make sure that the Active checkbox is enabled, so that your new Rule will start working immediately.
  3. Click

Allowing certain countries

To create an allow list, specifying only the countries that will be allowed to interact with your domain:

  1. Visit your USS Dashboard and click ProductsEmail SecurityConnection Rules.
  2. Click to create a new Rule.
  3. Give the Rule a sensible name, such as "Restricted IP Location - Safelist", and click .
  4. Add a Direction Condition, with the logic set to Matches: Inbound.
  5. Add a Sender IP Geolocation Condition, with the Match Type set to Does not match and the Value set to a list of the countries you wish to allow.
  6. Add the Connection IP condition with the Value -> Does Not Match -> GeoIP exclusion for release servers
This excludes the email release servers from being rejected with options used in the Sender IP Location
  1. Add a Permanent Reject Final Action, with the Value set to 5.7.1 geoip restriction.
Adding a Reject Action might seem a bit counter-intuitive here, but remember that you're asking EMS to reject any connection that doesn't match your Geo IP list - so, EMS will therefore accept any connection that does match.
  1. Make sure that the Active checkbox is enabled, so that your new Rule will start working immediately.
  2. Click

Allowing specific domains from a blocked country

If you want to allow emails from a specific domain, while still denying emails from that domain's country of origin, you can do so as follows:

  1. First, create a Block rule, based on the example above.
  2. Create a new set of Rule Data, containing the domain you wish to permit.
  3. Re-open your Block rule for editing.
Do not create a new rule - add these overrides to your existing Block rule.
  1. Add a Sender in List Condition, with the Match Type set to Does Not Match and the condition Value set to the Rule Data you created in Step 2.


How did we do?