How to Create an Allowlist / Denylist for Email Addresses in WPForms

Would you like to restrict which email addresses can be used in your WordPress forms? With the built-in Allowlist / Denylist option in WPForms, you can create rules around which email addresses are allowed or not allowed to be used with your forms.

In this tutorial, we’ll show you how to use the Allowlist / Denylist option for email restriction in WPForms.


Choosing Between a Denylist or Allowlist

Before getting started, you’ll first need to make sure that WPForms is installed and activated on your WordPress site.

Once you’ve installed WPForms, you’ll either need to create a new form or edit an existing form.

Once you’ve opened up your form, be sure to add an Email field if you haven’t already. Then, click on the Email field within the builder’s preview panel to open the Field Options panel. This panel is where you can customize your field, including configuring the allowlist / denylist.

Within the Field Options panel, go ahead and click on Advanced Options to open up more configuration options.

Under Advanced Options, you should see a dropdown labeled Allowlist/Denylist. Within this dropdown, you’ll need to select the type of restriction you want to set up:

  • None: No restrictions are placed on emails entered in this field (aside from standard email format requirements). This is the default setting.
  • Denylist: Choose this option if you’d like to set up rules around which email addresses should not be allowed in this field.
  • Allowlist: Choose this option if you’d like to set up rules around which email addresses should be accepted in this field.

As an example, let’s say we’ve had a history of unwelcome submissions from the email address [email protected]. Since we want to prevent any other forms from being submitted with this email address, we’ll set Allowlist/Denylist to Denylist. This option will let us block specific email addresses from being used in the form.

Choosing either Denylist or Allowlist will cause a box to appear where you can enter your rules. We’ll go into more detail about these rules below.

Adding Email Denylist / Allowlist Rules

Now that you’ve selected which type of list you want to set up, you’ll need to add some rules. These “rules” are simply a comma-separated list showing which emails need to be accepted or denied.

Denying/Allowing Specific Email Addresses

In our example, we want to prevent [email protected] from being used in a form submission. So, we’ll go ahead and enter that email address into the box under Allowlist/Denylist and save our form.

Once changes have been saved, any attempt by a user to enter that email address in the form will result in a validation error stating This email address is not allowed.

Note: If you’d like to edit the text for this error, please check our tutorial on adjusting validation messages.

If you’d like to block more than one email address, these can be added to the list by simply separating them with a comma.

Denying/Allowing Groups of Emails (More General Rules)

Denylists and Allowlists can be more flexible than just specific email addresses. You can also use these options to create broader rules.

As an example, we’ll set up an Allowlist that only accepts emails for our company’s example.com domain. After setting Allowlist/Denylist to Allowlist, we’ll need to enter this value into the box:
*@example.com

The asterisk (*) acts as a wildcard. This means that any email address will be accepted, as long as it ends in @example.com ([email protected], [email protected], etc).

You can add a list of rules like this if you’d like, or you can add a mix of these broader wildcard rules and specific email addresses. Just be sure to separate everything with a comma.

Frequently Asked Questions

Can I prevent an email based on the Top Level Domain (e.g., .com or .org)?

Absolutely! To allow or deny an email address based on the Top Level Domain, you’d just need to add the wildcard symbol (*), followed by the domain type.

For example, if you wanted to block all email addresses ending in .com, you’d need to add *.com to your rules.
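To check a rule list before saving it, the sketch below models the rule format described in this tutorial (comma-separated entries, with * as a wildcard) and reports which sample addresses an Allowlist or Denylist would accept. It is an added example, not WPForms code. It assumes matching is case-insensitive, that spaces around commas are ignored, and that an empty rule box restricts nothing; the function names and sample addresses are made up for illustration.

```python
import re

def parse_rules(raw):
    """Split the comma-separated rule box into trimmed, lower-cased rules."""
    return [r.strip().lower() for r in raw.split(",") if r.strip()]

def rule_matches(rule, email):
    """'*' stands for any run of characters; all other characters are literal."""
    pattern = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.fullmatch(pattern, email.strip().lower()) is not None

def is_accepted(email, mode, raw_rules):
    """mode is 'none', 'denylist' or 'allowlist' (the three dropdown choices)."""
    rules = parse_rules(raw_rules)
    if mode == "none" or not rules:  # assumption: an empty box restricts nothing
        return True
    hit = any(rule_matches(rule, email) for rule in rules)
    return hit if mode == "allowlist" else not hit

def audit(mode, raw_rules, samples):
    """Return {address: accepted?} so a rule list can be reviewed before saving."""
    return {addr: is_accepted(addr, mode, raw_rules) for addr in samples}

# Constructed sample addresses, not taken from the tutorial.
SAMPLES = [
    "alice@example.com",
    "alice@sub.example.com",
    "alice@example.com.example.org",
    "bob@example.org",
    "spammer@example.net",
]

if __name__ == "__main__":
    for mode, rules in [("allowlist", "*@example.com"),
                        ("denylist", "spammer@example.net, *.com")]:
        print(mode, repr(rules))
        for addr, ok in audit(mode, rules, SAMPLES).items():
            print(f"  {'accept' if ok else 'reject'}  {addr}")
```

Under this model, *@example.com accepts only addresses that end in exactly @example.com, so subdomain addresses such as alice@sub.example.com need their own rule.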

That’s it! You can now create Allowlists and Denylists for email addresses in your WordPress forms.

Next, would you like to block users from submitting multiple entries? Be sure to check out our tutorial on how to use the Form Locker addon to prevent multiple entries for more details.