Mailbox Contact Rules
Per-mailbox allow/block rules for inbound email. The mailbox's filter_mode field decides how the rule list is interpreted:
filter_mode: "whitelist"— only senders matching anallowrule can deliver mailfilter_mode: "blacklist"— every sender can deliver except those matching ablockrule
Set filter_mode on the mailbox itself via PATCH /mailboxes/{email_address} — see Mailboxes. The rules below are interpreted against that mode.
Rules match on either a full email address (match_type: "exact_email") or a bare domain (match_type: "domain"). A rule with status: "paused" reserves the target slot without taking effect, so you can stage policy changes without losing the uniqueness claim.
Auth. List, get, and create accept admin API keys, claimed agent keys, and Clerk JWT; unclaimed (mid-signup) agent keys are rejected. PATCH, DELETE, and the org-wide list are admin + JWT only.
For the org-wide audit view, see List org mail contact rules.
List contact rules GET
GET /mailboxes/{email_address}/contact-rulesList contact rules for a mailbox, newest first. Returns both active and paused rules.
Path parameters
| Parameter | Type | Description |
|---|---|---|
email_address | string | Mailbox email address |
Query parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
action | string | — | Filter by "allow" or "block" |
match_type | string | — | Filter by "exact_email" or "domain" |
limit | integer | 50 | Max rules (1–200) |
offset | integer | 0 | Offset for pagination |
Response (200)
JSONCode examples
cURLCreate contact rule POST
POST /mailboxes/{email_address}/contact-rulesCreate an allow or block rule on a mailbox.
Path parameters
| Parameter | Type | Description |
|---|---|---|
email_address | string | Mailbox email address |
Request body
| Field | Type | Required | Description |
|---|---|---|---|
action | string | Yes | "allow" or "block" |
match_type | string | Yes | "exact_email" (full address) or "domain" (bare domain like gmail.com) |
match_target | string | Yes | Value to match against. For exact_email: a full address with one @ and at least one dot after it. For domain: a lowercase ASCII bare domain (no leading *@, no leading @, no trailing .). Max 320 chars. |
New rules always start with status: "active" — to pause a rule use Update contact rule.
Request example
JSONResponse (201)
Returns the created rule.
Error responses
| Status | Description |
|---|---|
| 409 | A non-deleted rule with the same (match_type, match_target) already exists. Response body contains existing_rule_id. |
| 422 | match_target invalid for the given match_type (e.g. glob pattern, non-ASCII domain, missing dot) |
Code examples
cURLGet contact rule GET
GET /mailboxes/{email_address}/contact-rules/{rule_id}Fetch a single contact rule by ID.
Path parameters
| Parameter | Type | Description |
|---|---|---|
email_address | string | Mailbox email address |
rule_id | UUID | Rule ID |
Code examples
cURLUpdate contact rule PATCH
PATCH /mailboxes/{email_address}/contact-rules/{rule_id}Update a rule's action or status.
Auth: admin API key or Clerk JWT only.
match_type and match_target are immutable — delete the rule and create a new one to change the target.
Path parameters
| Parameter | Type | Description |
|---|---|---|
email_address | string | Mailbox email address |
rule_id | UUID | Rule ID |
Request body
At least one of:
| Field | Type | Description |
|---|---|---|
action | string | "allow" or "block" |
status | string | "active" or "paused" (only these two values are accepted on PATCH; use DELETE to remove a rule) |
Sending null for either field is a client error (422) — omit the field to leave it unchanged.
Code examples
cURLDelete contact rule DELETE
DELETE /mailboxes/{email_address}/contact-rules/{rule_id}Delete a contact rule. Returns 204 No Content on success.
Auth: admin API key or Clerk JWT only.
Path parameters
| Parameter | Type | Description |
|---|---|---|
email_address | string | Mailbox email address |
rule_id | UUID | Rule ID |
Code examples
cURLList org mail contact rules GET
GET /mail/contact-rulesOrg-wide aggregate list of mail contact rules across every mailbox the caller can see. Intended for admin dashboards that render rules org-wide without fanning out one per-mailbox request per mailbox.
Auth: admin API key or Clerk JWT only.
Results are ordered created_at descending, with id as a stable tiebreaker so pagination stays consistent when rules from different mailboxes share a microsecond.
Query parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
mailbox_id | UUID | — | Narrow to a single mailbox; omit to list across every mailbox in the org |
action | string | — | Filter by "allow" or "block" |
match_type | string | — | Filter by "exact_email" or "domain" |
limit | integer | 50 | Max rules (1–200) |
offset | integer | 0 | Offset for pagination |
Response (200)
Returns an array of contact rule objects — same shape as the per-mailbox list.
Code examples
cURLContact rule object
| Field | Type | Description |
|---|---|---|
id | UUID | Unique rule identifier |
mailbox_id | UUID | Owning mailbox |
action | string | "allow" or "block" |
match_type | string | "exact_email" or "domain" |
match_target | string | Canonicalized match value |
status | string | "active", "paused", or "deleted" |
created_at | string | Creation timestamp (ISO 8601) |
updated_at | string | Last-updated timestamp (ISO 8601) |
Additional resources
- Filtering guide — narrative walk-through of whitelist/blacklist semantics across mail and phone
- Mailboxes — includes the
filter_modefield that interprets these rules - Phone contact rules — the phone-side equivalent