Brevo logs every IP address that tries to use your API keys and SMTP keys. To protect your keys, Brevo can automatically block requests from unknown IP addresses. You can also manually authorize trusted IP addresses. The authorized IP list is shared across both API and SMTP keys, so any IP you authorize applies to both.
Good to know
- Only account owners or users with the SMTP & API – Authorized IPs permission can manage this feature. This includes blocking unknown IP addresses and manually authorizing IP addresses. To learn more, check our dedicated article Add users and assign permissions in Brevo.
- On an Enterprise plan with a New Admin account, admin users can authorize IP addresses directly from the Admin account and share them with their sub-organizations. To learn more, check our dedicated article New Admin account - Authorize and share IP addresses with your sub-organizations for API security.
Why block unknown IP addresses?
Blocking unknown IP addresses helps protect your API keys and SMTP keys by:
- Preventing unauthorized access from unknown or suspicious IPs.
- Allowing requests only from trusted IP addresses you have used or approved.
- Detecting unusual behavior early, such as calls from unexpected sources.
This adds an extra layer of security and helps you respond quickly to potential threats.
How blocking unknown IP addresses works
The blocking process works differently depending on whether you are using API keys or SMTP keys.
API keys: two-phase process
For API keys, blocking happens in two phases:
🟢 Phase 1: IPs are automatically authorized
When you first use an API key, Brevo automatically authorizes the IP addresses that make API calls. This "learning phase" means IP blocking is inactive, so you can set up and test your integration without restrictions.
🔐 Phase 2: Blocking is activated
If no new IPs are detected for 30 days, Brevo automatically:
- Activates the blocking of unknown IP addresses.
- Blocks all API calls from unknown IP addresses.
- Sends you an email notification with the blocked IP address and the API key used.
From the notification, you can:
- Authorize the IP address and add it to the Authorized IP addresses list.
- Deny authorization and rotate the API key if needed.
- Deactivate the automatic IP blocking to allow all IP addresses again.
192.168.1.25, Brevo will
authorize the entire
range from 192.168.1.0 to 192.168.1.255 (256
IP addresses).
We also recommend reviewing your Authorized IP addresses
list before blocking
becomes active, to make sure no legitimate IPs are missing.
SMTP keys: manual authorization required
For SMTP keys, there is no automatic learning phase. If you already have IP blocking active for API keys, you can extend it to your SMTP keys — but you need to manually authorize all IP addresses your SMTP clients use first. Enabling blocking before doing so will immediately block your SMTP traffic.
Activate blocking of unknown IP addresses
You can activate blocking independently for API keys and SMTP keys. Select the key type you want to configure:
- Authorize all IP addresses that make API calls on your account.
- Click the account dropdown and select Settings > Security > Authorized IPs.
- Under Blocking unauthorized IP addresses, find the API keys row.
- If the status is Deactivated, click Activate for API.
- Click Activate blocking to confirm.
Once activated, calls from unknown IP addresses using your API keys are blocked. Each time an IP address is blocked, you receive an email notification and the blocked IP address is added to the Unauthorized IP addresses list. If you recognize and trust it, you can authorize the blocked IP address.
- Authorize all IP addresses your SMTP clients use.
- Click the account dropdown and select Settings > Security > Authorized IPs.
- Under Blocking unauthorized IP addresses, find the SMTP keys row.
- If the status is Deactivated, click Activate for SMTP.
- Click Activate blocking to confirm.
Once activated, calls from unknown IP addresses using your SMTP keys are blocked. Each time an IP address is blocked, you receive an email notification and the blocked IP address is added to the Unauthorized IP addresses list. If you recognize and trust it, you can authorize the blocked IP address.
Deactivate blocking of unknown IP addresses
You can deactivate blocking independently for API keys and SMTP keys. Select the key type you want to configure:
- Go to the account dropdown and select Settings > Security > Authorized IPs.
- Under Blocking unauthorized IP addresses, find the API keys row.
- If the status is Activated, click Deactivate for API.
- Click Deactivate blocking to confirm.
Once deactivated, all IP addresses can make API calls using your API keys.
- Go to the account dropdown and select Settings > Security > Authorized IPs.
- Under Blocking unauthorized IP addresses, find the SMTP keys row.
- If the status is Activated, click Deactivate for SMTP.
- Click Deactivate blocking to confirm.
Once deactivated, all IP addresses can make SMTP calls using your SMTP keys.
Manually authorize an IP address
You can manually authorize an IP address to ensure it is always allowed. Authorized IP addresses apply to both API keys and SMTP keys. This includes:
- A trusted IP address that you want to allow in advance
- A blocked IP address that was automatically blocked by Brevo
Manually authorize a trusted IP address
You can manually authorize IP addresses to ensure trusted sources are always allowed.
- Go to the account dropdown and select Settings > Security > Authorized IPs.
-
Click Authorize IP address.
-
From the IP address format dropdown, select the format
of
the IP
address you want to authorize:
- IPv4
- IPv4 range (CIDR format)
- IPv6
- IPv6 range (CIDR format)
- Enter the IP address or IP address range you want to authorize.
-
Click Authorize IP address.
The IP address appears in your Authorized IP addresses list and will not be blocked for either API or SMTP calls.
Manually authorize a blocked IP address
You can authorize a blocked IP address if you recognize and trust it:
- Directly from the email notification, or
- From the Unauthorized IP addresses list
Once authorized, the IP address can make API and SMTP calls again.
Manually remove an authorized IP address
If an IP address is no longer in use or should no longer have access, you can manually remove it from your list of authorized IPs.
- Go to the account dropdown and select Settings > Security > Authorized IPs.
- From the Authorized IP addresses list, click the bin icon next to the IP address you want to remove.
- Click Delete IP address to confirm.
The IP address will be removed from your list and will no longer be able to make API or SMTP calls if the automatic IP blocking feature is active.
Best practices for API and SMTP security
- Manually authorize all trusted IP addresses in advance, especially all SMTP client IPs before activating SMTP blocking.
- Keep API keys and SMTP keys secure and rotate them regularly.
- Monitor API and SMTP usage for unusual patterns or errors.
🤔 Have a question?
If you have a question, feel free to contact our support team by creating a ticket from your account. If you don't have an account yet, you can contact us here.
If you’re looking for help with a project using Brevo, we can match you with the right certified Brevo Agency partner.