How-to

Trace a denied request

Applies to: .NET SDK Last updated: 2026-06-11

Inspect the DenialReason

var msg = await client.DecryptEnvelopeAsync(envelope);

if (msg.Authorized == AuthorizationStatus.Denied)
{
    Console.WriteLine($"DenyTier:     {msg.DenyTier}");        // which tier matched
    Console.WriteLine($"DenialReason: {msg.DenialReason}");    // human-readable rule
}

Sample DenialReason

denied by tier Default (default): p, [email protected], self, default, inbound, deny

If multiple rules could match

Because deny-overrides applies, the first deny rule that matches wins. If you removed a deny rule and a request is still denied, check for additional deny rules in other tiers (user-level, session-level, app-level).

Test a hypothetical sender

// Manually call authorize without an envelope
var decision = await client.Authorization.AuthorizeAsync(
    sender:      "[email protected]",
    destination: "self",
    direction:   "inbound");

Console.WriteLine($"Allowed: {decision.Allowed}");
Console.WriteLine($"Reason:  {decision.Reason}");

See also