How-to
Trace a denied request
Inspect the DenialReason
var msg = await client.DecryptEnvelopeAsync(envelope);
if (msg.Authorized == AuthorizationStatus.Denied)
{
Console.WriteLine($"DenyTier: {msg.DenyTier}"); // which tier matched
Console.WriteLine($"DenialReason: {msg.DenialReason}"); // human-readable rule
} Sample DenialReason
denied by tier Default (default): p, [email protected], self, default, inbound, deny If multiple rules could match
Because deny-overrides applies, the first deny rule that matches wins. If you removed a deny rule and a request is still denied, check for additional deny rules in other tiers (user-level, session-level, app-level).
Test a hypothetical sender
// Manually call authorize without an envelope
var decision = await client.Authorization.AuthorizeAsync(
sender: "[email protected]",
destination: "self",
direction: "inbound");
Console.WriteLine($"Allowed: {decision.Allowed}");
Console.WriteLine($"Reason: {decision.Reason}"); See also
- Read the audit log How-to
- Inspect the policy file How-to