If you manage a Notion workspace, you may need to restrict which email domains can join automatically or request access. The email domain allowlist feature lets you specify trusted domains so only users with email addresses from those domains can be added or can request to join. This control prevents unauthorized external users from accessing your workspace content. This article explains the prerequisites and provides step-by-step instructions to configure the domain allowlist for your Notion workspace.
Key Takeaways: Setting Up the Domain Allowlist in Notion
- Settings & Members > Settings > Workspace > Allowed Email Domains: The exact location where you add or remove domains from the allowlist.
- Workspace Owner or Admin role required: Only users with these permissions can modify the domain allowlist.
- Domain must be verified if it is a custom domain not associated with a Google Workspace or Microsoft 365 tenant: Verification proves you control the domain before it can be added to the allowlist.
What Is the Notion Workspace Email Domain Allowlist?
The email domain allowlist is a security setting that controls which email domains can join or request to join your Notion workspace. When you add a domain to the allowlist, users with email addresses ending in that domain can be invited by workspace admins and can use the “Request to Join” feature if enabled. Domains not on the list are blocked from these actions.
This feature is available on all Notion plans, including Free, Plus, Business, and Enterprise. However, the ability to add custom domains that are not pre-verified by an identity provider requires manual verification. Pre-verified domains include those associated with Google Workspace or Microsoft 365 tenants that you have already connected to Notion via SAML SSO or SCIM. For all other domains, you must complete a DNS TXT record verification to prove ownership.
Before configuring the allowlist, ensure you have Workspace Owner or Admin permissions. You also need the exact domain name you want to allow, such as example.com. You cannot use wildcard domains like example.com; you must list each subdomain separately if needed. For example, to allow both example.com and sub.example.com, add both explicitly.
Steps to Configure the Email Domain Allowlist
- Open Workspace Settings
In the left sidebar, click Settings & Members. Then click the Settings tab at the top of the page. - Navigate to Allowed Email Domains
Scroll down to the Workspace section. Look for the Allowed Email Domains setting. If you do not see this option, confirm you have Workspace Owner or Admin permissions. - Add a Domain
Click the Add Domain button. In the text field that appears, type the full domain name, for examplecontoso.com. Do not include the @ symbol or any email address — only the domain part. - Verify the Domain (If Required)
If the domain is not already verified through a connected identity provider, Notion will display a verification prompt. Copy the TXT record value provided. Log in to your DNS hosting provider, create a new TXT record for the domain with that value, and wait for propagation (usually a few minutes up to 24 hours). Return to Notion and click Verify. - Confirm the Domain Appears in the List
After successful verification, the domain appears in the Allowed Email Domains list. The status shows a green checkmark. Repeat steps 3 through 5 for each additional domain you want to allow. - Test the Allowlist
Ask a user with an email address from the allowed domain to request to join your workspace or have an admin send them an invite. The user should receive the invitation without errors. For a domain not on the list, the request should be blocked.
If the Domain Allowlist Does Not Work as Expected
Domain does not appear in the list after verification
The DNS TXT record may not have propagated yet. Wait at least 30 minutes and click the Refresh button next to the domain entry. If it still does not appear, double-check the TXT record value you entered in your DNS settings. It must match exactly what Notion provided, including any periods or hyphens.
Users from allowed domains still get blocked
The user’s email domain must match exactly as you entered it. If you added example.com but the user has user@sub.example.com, that user is blocked because sub.example.com is a different domain. Add the subdomain separately. Also confirm that the user’s email address is not already in a blocked list — check the Blocked Email Domains section in the same Settings area.
Cannot add a domain because it is already verified by another workspace
Domain verification is tied to the Notion workspace that completed the DNS challenge. If another workspace already verified the same domain, you cannot add it to your allowlist unless the other workspace removes it. Contact the owner of the other workspace to release the domain verification, or use a different domain.
Allowlist works for invites but not for request to join
The “Request to Join” feature must be enabled separately in Settings & Members > Settings > Workspace > Allow users to request to join. Even with the domain allowlist configured, this toggle must be turned on for external users to submit requests. If it is off, only direct invites work.
Allowed Email Domains: Free vs Plus vs Business vs Enterprise
| Feature | Free / Plus / Business | Enterprise |
|---|---|---|
| Maximum allowed domains | 50 | Unlimited |
| Custom domain verification via DNS | Yes | Yes |
| Auto-verification from connected identity provider | Yes (if SAML SSO or SCIM is set up) | Yes |
| Blocked email domains list | Yes | Yes |
| API access to manage allowlist | No | Yes (via SCIM API) |
The domain allowlist works identically across Free, Plus, and Business plans, with a cap of 50 domains. Enterprise plans remove the cap and provide API-based management for automated provisioning.
You now know how to configure the Notion workspace email domain allowlist. Start by adding the domains your organization uses. If you manage multiple domains, add each one individually. For advanced control, pair the allowlist with the blocked domains list to handle exceptions.