How to Whitelist ShelfSpace Emails

Q: What do I allowlist for ShelfSpace — a domain or an IP address?

Allowlist the domain shelfspace.pro, never an IP address. Every ShelfSpace message is sent from the shelfspace.pro domain, so a single domain entry covers all of them. The mail is sent through Resend over Amazon SES on shared IPs that rotate, so an IP-based rule will break and isn't safe to scope to.

Q: Is email from shelfspace.pro legitimate?

Yes. shelfspace.pro is the sending domain for ShelfSpace, the cannabis-specific system your retail partner uses to send payment notifications, settlement reports, and account invitations. Every message is authenticated — SPF, DKIM (selector resend._domainkey), and DMARC all pass — so you can verify the sender cryptographically rather than trusting the display name. If you want the longer version, here's whether ShelfSpace is safe for vendors.

Q: Will allowlisting ShelfSpace weaken our email security?

No. Add the allow entry with DMARC = pass required. Because every legitimate ShelfSpace message passes DMARC, the rule lets real mail through while a spoofed message that fails DMARC is still blocked. You're trusting a domain that proves who it is on every message, not a static IP, so there's no security trade-off.

Q: ShelfSpace email is still being filtered after I allowlisted it — what now?

Confirm the allow entry is on the domain (shelfspace.pro) and that an earlier block, quarantine, or content/DLP rule isn't overriding it — most gateways apply block rules before allow rules. Release any held messages and choose "allow sender," then send a test. If it still doesn't arrive, email support@shelfspace.pro and we'll help you find the rule that's catching it.

At a glance

We send from one domain: shelfspace.pro — allowlist the domain, not an IP address

The mail is fully authenticated — SPF, DKIM (selector resend._domainkey), and DMARC all pass — so you can safely require DMARC = pass on the allow rule

It's being delivered, then filtered tenant-side to quarantine or junk — the fix lives in your gateway console, not on our end

Step-by-step entries below for Microsoft 365 / Defender, Google Workspace, Proofpoint, and Mimecast

Sent via Resend over Amazon SES on shared, rotating IPs — don't allowlist by IP

If you're reading this, someone at your organization gets email from ShelfSpace — payment notifications, settlement reports, or an invite to a vendor account — and it keeps landing in quarantine or the junk folder instead of the inbox. This is a quick, one-time fix, and it doesn't require lowering anyone's security.

Here's what's happening. Our mail is fully authenticated — SPF, DKIM, and DMARC all pass — so enterprise gateways like Microsoft 365, Google Workspace, Proofpoint, and Mimecast accept the message, and our logs show it "delivered." Your tenant then applies its own filtering and routes it to quarantine or junk. That second decision lives in your console, which is why it can only be resolved on your side.

The fix is a domain-level allow entry for shelfspace.pro, gated on DMARC = pass so it can't be spoofed. That's spoof-safe and future-proof: you're trusting a domain that proves who it is on every message, not a static IP that can rotate.

Our sending details

Sending domain	`shelfspace.pro` — allowlist by domain, not IP
From addresses	Every message is sent from the `shelfspace.pro` domain — allowlisting the domain covers all of them, so there's no need to list individual mailboxes.
Authentication	SPF + DKIM (`d=shelfspace.pro`, selector `resend._domainkey`) + DMARC — all passing
Email service	Resend, sending over Amazon SES (shared IPs — please do not allowlist by IP; they rotate)
Recommended rule	Allow `shelfspace.pro` with DMARC = pass required — spoof-safe and future-proof

How to allowlist ShelfSpace

Pick your mail security gateway below. Each takes a couple of minutes in the admin console.

Microsoft 365 / Exchange Online

EOP & Defender

Defender portal → Policies & rules → Threat policies → Tenant Allow/Block Lists → Domains & addresses.
Add shelfspace.pro as an Allow.
Have a user open a quarantined message → Report → Not junk → Allow sender.
Optional: a mail-flow rule — if sender domain is shelfspace.pro and DMARC = pass → set SCL to -1.

Proofpoint

Essentials & PPS

Add shelfspace.pro to the Safe Senders / allowed-sender list (Essentials: Administration → Account Management → Features → Sender Lists).
PPS: create a Sender List / allow rule keyed on the From domain shelfspace.pro.
Release the quarantined ShelfSpace messages and choose "Allow sender".
If a content/DLP rule is holding them, add an exception for shelfspace.pro.

Google Workspace

Gmail admin

Admin console → Apps → Google Workspace → Gmail → Spam, phishing and malware.
Under Approved senders, add a list containing shelfspace.pro and enable bypassing spam for it.
Ask end users to mark a filtered message Not spam and add the sender to Contacts.

Mimecast / Other gateways

generic

Add shelfspace.pro to Permitted Senders / a managed-sender allow policy.
Require DMARC = pass on the allow entry so it can't be spoofed.
Release / permit any currently held ShelfSpace messages.

Confirm it worked

Send a test. Reply to whoever shared this guide and ask them to trigger a test notification to any mailbox you choose. It should now arrive in the inbox. If it's still filtered, double-check the allow entry is on the domain (shelfspace.pro) and that an earlier block or quarantine rule isn't overriding it.

Frequently asked questions

Why are ShelfSpace emails going to spam or quarantine?

Because the mail is accepted and then filtered tenant-side. ShelfSpace email passes SPF, DKIM, and DMARC, so your gateway accepts it and the delivery logs read "delivered" — then your tenant applies its own filtering and routes it to quarantine or junk. That second decision lives in your console, so the fix is a domain-level allow entry for shelfspace.pro, ideally gated on DMARC = pass.

What do I allowlist for ShelfSpace — a domain or an IP address?

Allowlist the domain shelfspace.pro, never an IP address. Every ShelfSpace message is sent from the shelfspace.pro domain, so a single domain entry covers all of them. The mail is sent through Resend over Amazon SES on shared IPs that rotate, so an IP-based rule will break and isn't safe to scope to.

Is email from shelfspace.pro legitimate?

Yes. shelfspace.pro is the sending domain for ShelfSpace, the cannabis-specific system your retail partner uses to send payment notifications, settlement reports, and account invitations. Every message is authenticated — SPF, DKIM (selector resend._domainkey), and DMARC all pass — so you can verify the sender cryptographically rather than trusting the display name. If you want the longer version, here's whether ShelfSpace is safe for vendors.

Will allowlisting ShelfSpace weaken our email security?

No. Add the allow entry with DMARC = pass required. Because every legitimate ShelfSpace message passes DMARC, the rule lets real mail through while a spoofed message that fails DMARC is still blocked. You're trusting a domain that proves who it is on every message, not a static IP, so there's no security trade-off.

ShelfSpace email is still being filtered after I allowlisted it — what now?

Confirm the allow entry is on the domain (shelfspace.pro) and that an earlier block, quarantine, or content/DLP rule isn't overriding it — most gateways apply block rules before allow rules. Release any held messages and choose "allow sender," then send a test. If it still doesn't arrive, email support@shelfspace.pro and we'll help you find the rule that's catching it.

How to Whitelist ShelfSpace Emails (Allowlist Guide for IT)