Skip to content
English
Sign in
Go to acalandscape.com
  • There are no suggestions because the search field is empty.

Not Receiving Emails from ACA Landscape?

If you or your team members are not receiving emails from ACA Landscape (@acalandscape.com), including estimates, invoices, scheduling confirmations, or other communications, this guide will help you resolve the issue. It covers everything from quick personal fixes to detailed instructions for your IT department.

Why This Happens

Most businesses today use layered email security to protect against spam, phishing, and malware. These systems are effective, but they frequently block or quarantine legitimate emails from unfamiliar senders. The problem gets worse in organizations that run a third-party email security gateway (like Proofpoint, Mimecast, or Barracuda) in front of Microsoft 365 or Google Workspace, because filtering happens at two separate layers. Whitelisting at one layer while missing the other is the #1 reason IT teams say "we already added you" but emails still don't arrive.

Common causes include:

  1. Email security gateways quarantining messages from unrecognized senders

  2. Spam filters incorrectly categorizing our emails as junk

  3. Advanced threat features (URL rewriting, attachment sandboxing, impersonation detection) flagging our messages independently of spam filters

  4. SPF, DKIM, or DMARC authentication failures or overly strict policies at the recipient's organization

 

Quick Fixes You Can Try Right Now

1. Check Your Spam, Junk, or Quarantine Folder

Look for emails from @acalandscape.com in your spam or junk folder. If you find any, mark them as "Not Spam" or "Safe Sender."

If your organization uses a security gateway, you may also receive periodic quarantine digest emails (sometimes 2-3 times per day) listing held messages. Look for our emails there and select "Release" or "Release and Allow Sender" if available.

2. Add Us to Your Safe Senders or Contacts

In Outlook: Right-click an email from us and select "Add to Safe Senders," or go to Settings > Mail > Junk Email > Safe Senders and add @acalandscape.com.

In Gmail: Add our email address to your Google Contacts, or open one of our emails and click the three dots menu, then "Filter messages like this" and choose "Never send to spam."

In Apple Mail: Add our email address to your Contacts app.

For other email clients: Look for options labeled "Safe Sender," "Approved Sender," "Allow List," or "Whitelist."

3. Forward This Guide to Your IT Department

If the steps above don't resolve the issue, your IT team will need to add us to your organization's email security platform. This is the most effective and permanent solution. Please forward this entire article to your IT administrator or email security team.

 

For IT Administrators: Allowlisting ACA Landscape

The section below contains everything you need to ensure reliable email delivery from ACA Landscape. If your organization runs a third-party Secure Email Gateway (SEG) in front of Microsoft 365 or Google Workspace, you will likely need to configure allowlisting at both layers.

ACA Landscape Sender Information

Please use the following details when configuring allow rules. Copy and paste directly into your admin console:

  1. Sending domain: @acalandscape.com

  2. Wildcard email: *@acalandscape.com

  3. Envelope/return-path domain: @acalandscape.com

  4. Sending IP addresses: [Contact us and we will provide our current sending IPs and CIDR ranges]

  5. SPF: Check our published SPF record at acalandscape.com via your preferred DNS lookup tool

  6. DKIM: We sign outbound messages with DKIM. Our DKIM signing domain and selector are available on request.

  7. DMARC: Our DMARC policy is published at _dmarc.acalandscape.com

If you need any of these values in a specific format, please contact us and we will provide them.

 

Platform-Specific Instructions

Below are instructions for each major email security platform. We have linked directly to each vendor's official documentation so that if the admin interface has changed since this article was written, you can reference the vendor's own guide.

Instructions verified as of March 2026. If the UI has changed, please use the linked vendor documentation for current steps.

Proofpoint Essentials

Navigate to Security Settings > Email > Sender Lists and add *@acalandscape.com to the Safe Sender List. You can also add our sending IP addresses and CIDR ranges (note: CIDR is capped at /24, so larger blocks must be split).

Important: The Safe Sender List only bypasses spam detection. If your organization uses URL Defense or Attachment Defense (TAP), our domain will still have links rewritten and attachments sandboxed. To prevent this, add our domain to URL Rewrite Policies > Exceptions under your TAP/URL Defense settings.

Vendor documentation: https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/090_filtersandsenderlists/Setting_up_sender_lists

Proofpoint Enterprise (PPS/PoD)

Navigate to Email Protection > Spam Detection > Organizational Safe List. Click "Add" and use the dropdown to select Sender Domain, then enter acalandscape.com. Repeat for Sender IP Address with our sending IPs. Adding both is recommended because Proofpoint may assign a Phish Score of 100 to messages even from safe-listed IPs, which triggers the inbound_phish policy.

For a more thorough bypass, consider creating an Email Firewall Rule (Email Protection > Email Firewall > Rules) with a "Deliver Now" disposition.

Vendor documentation: https://proofpoint.my.site.com/community/s/article/Spam-Detection (customer login required)

Mimecast

Navigate to Gateway > Policies > Permitted Senders. Create a Profile Group (Directories > Groups) containing @acalandscape.com and our sending IPs, then reference that group in the Permitted Senders policy.

Critical: Permitted Senders only bypasses reputation, greylisting, and spam scanning. Mimecast runs several independent security engines that each require their own bypass. You may also need to configure exemptions for Anti-Spoofing, Impersonation Protection, URL Protection (TTP), Attachment Protection (TTP), and DNS Authentication policies. If emails are still being held after adding a Permitted Senders policy, check these additional engines.

Held messages expire after 14 days. Release from Message Center > Accepted Messages > Held Queue.

Vendor documentation: https://community.mimecast.com/s/article/email-security-gateway-permitted-senders-policy-configuration

Barracuda Email Security Gateway

Navigate to the Sender Filters section and add @acalandscape.com (with subdomains) to the Allow List. Barracuda recommends IP-based allowlisting over domain-based for stronger security, so adding our sending IPs under IP Filters is the preferred approach.

For Barracuda Email Gateway Defense (cloud version): Use Sender Policies > Exempt to add our domain, and IP Address Policies to add our sending IPs.

For Barracuda Sentinel: Add us under Allowed Senders. Note that allowed senders' links are not checked, which is a security trade-off to be aware of.

Vendor documentation (ESG): https://campus.barracuda.com/product/emailsecuritygateway/doc/93197312/allow-list-and-block-list/

Vendor documentation (EGD): https://campus.barracuda.com/product/emailgatewaydefense/doc/96023020/sender-and-recipient-analysis/

Microsoft Defender for Office 365

Microsoft offers several allowlisting methods. Their recommended approach is the Tenant Allow/Block List at Email & collaboration > Policies & rules > Threat policies > Tenant Allow/Block Lists. Add @acalandscape.com as a domain entry. Entry limits depend on license tier (500 without Defender, 1,000 with Plan 1, 5,000 with Plan 2).

Alternatively, create an Exchange mail flow rule (transport rule) that sets the Spam Confidence Level (SCL) to -1 for messages from @acalandscape.com. Pairing this with an authentication condition checking for dmarc=pass is a best practice.

For IPv4 allowlisting, use Threat policies > Connection filter > IP Allow List.

Be aware: Malware and high-confidence phishing verdicts are always quarantined regardless of any allow list configuration. This cannot be overridden. If a legitimate message is caught by these filters, submit it as a false positive at security.microsoft.com/reportsubmission.

If your organization runs a third-party SEG in front of M365, enable Enhanced Filtering for Connectors (Threat policies > Enhanced filtering) so that M365 looks past the SEG's IP to evaluate the original sender's authentication. Without this, all inbound mail appears to come from the SEG's IPs, which breaks SPF/DKIM/DMARC checks.

Vendor documentation: https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365

Google Workspace (Admin-Level)

Google Workspace uses two separate features that both need to be configured:

  1. Email Allowlist (Apps > Google Workspace > Gmail > Spam, Phishing and Malware > Email allowlist): Add our sending IP addresses here. This feature accepts IP addresses only, not domains.

  2. Approved Senders (same admin path > Spam > Configure): Create an Address List containing @acalandscape.com, then create a spam bypass rule referencing that list. Note that approved senders require authentication by default (SPF, DKIM, or DMARC must pass). You can disable this requirement per list, but it increases spoofing risk.

If your organization uses a third-party SEG, configure the Inbound Gateway setting with the SEG's IPs and enable "Automatically detect external IP."

Changes can take up to 24 hours to propagate. Gmail always blocks messages containing viruses regardless of allowlist settings. Quarantined messages auto-delete after 30 days.

Vendor documentation: https://support.google.com/a/answer/60752

Cisco Secure Email (formerly IronPort)

The primary allowlist is the Host Access Table (HAT) at Mail Policies > HAT Overview > ALLOWED_LIST. Add our sending IPs or use .acalandscape.com (with a leading dot) to match hostnames. Important: adding acalandscape.com without the leading dot will not work as expected because HAT matches hostnames, not sender domains.

For email-address or domain-level allowlisting, create a separate Incoming Mail Policy (Mail Policies > Incoming Mail Policies) with sender conditions matching @acalandscape.com and disable AntiSpam for that policy. Remember to both Submit and Commit Changes.

Vendor documentation: https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217140-how-do-you-whitelist-a-trusted-sender.html

Fortinet FortiMail

Navigate to Security > Block/Safe List and add @acalandscape.com and/or our sending IPs. FortiMail supports wildcards (* and ?) and offers three scope levels: system-wide, per-domain, and per-user. System-wide takes precedence over per-domain, which takes precedence over per-user. Safe-listed entries bypass antispam only; antivirus and content filters still run.

A useful feature: FortiMail can auto-add senders to the personal safe list when a user releases a message from quarantine.

Vendor documentation: https://docs.fortinet.com/document/fortimail/7.6.3/administration-guide/598555/configuring-the-block-lists-and-safe-lists

Sophos Email Security

Navigate to General Settings > Email Security > Inbound Allow/Block and add @acalandscape.com. Sophos supports wildcards and IP ranges (/16 through /32).

Sophos has a unique security feature: if all authentication checks (SPF, DKIM, and DMARC) fail, the allowed status is completely disregarded and full scanning runs. Make sure our emails are passing at least one authentication check. The "Release and Allow" button in both the admin quarantine view and the end-user Self Service Portal combines delivery with automatic allowlist addition.

Vendor documentation: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/GlobalSettings/EmailAllowBlock/index.html

Trend Micro Email Security

Navigate to Inbound Protection > Connection Filtering > Sender Filter > Approved Senders. Add *@acalandscape.com or our sending IPs. Under the Settings tab, explicitly select which scanning criteria approved senders bypass (connection filtering, spam filtering, and Correlated Intelligence are configurable; virus scanning and content filtering always apply).

Note: Blocked sender lists at the organizational level override approved sender lists at the user level.

Vendor documentation: https://docs.trendmicro.com/en-US/documentation/article/trend-micro-email-security-online-help-configuring-approved

Abnormal Security

Abnormal Security is API-based and uses behavioral AI rather than traditional allowlisting. It connects to Microsoft 365 or Google Workspace without changing MX records. If our emails are being flagged, the correct action is to report the message as a false positive through the Abnormal portal, which retrains the AI model. Over time, Abnormal's auto-safelisting will learn our sending patterns. Manual allowlisting is not the primary workflow for this platform.

Vendor documentation: https://abnormalsecurity.my.site.com/knowledgebase (customer login required)

Check Point Harmony Email (formerly Avanan)

Check Point maintains separate allow-lists for each security engine. Navigate to Security Settings > Exceptions and add @acalandscape.com and/or our sending IPs to the Anti-Phishing Allow-List (the most commonly needed). You may also need to add entries to the Anti-Malware, URL Reputation, and Click-Time Protection allow-lists depending on which engines are flagging our emails.

Check Point can be configured to honor Microsoft's SCL = -1 decisions if you are also running M365. Up to 10,000 entries per allow-list.

Vendor documentation: https://sc1.checkpoint.com/documents/Harmony_Email_and_Collaboration/Topics-Harmony-Email-Collaboration-Admin-Guide/Managing-Security-Exceptions/Anti-Phishing-Exceptions.htm

 

The Dual-Layer Problem: Why Allowlisting Once Isn't Enough

If your organization uses a third-party SEG (Proofpoint, Mimecast, Barracuda, Cisco, etc.) in front of Microsoft 365 or Google Workspace, allowlisting must happen at both layers. The SEG replaces the original sender's IP with its own relay IP in the mail headers, which means M365 or Gmail can no longer properly evaluate SPF or sender reputation for the original sender. Messages that pass the SEG can still be junked or quarantined by the underlying platform.

For M365: Enable Enhanced Filtering for Connectors (Defender portal > Threat policies > Enhanced filtering) so M365 looks past the SEG to find the original sender's IP.

For Google Workspace: Configure the Inbound Gateway setting with the SEG's IPs and enable "Automatically detect external IP."

For API-based tools (Abnormal Security, Check Point Harmony): This dual-layer problem does not apply because these tools connect via API without changing MX records.

 

After Configuring: Please Verify

After making changes, please send us a quick note and we will send a test email to confirm delivery. In multi-layer environments, "configured" and "working" are frequently not the same thing, so a quick test saves everyone time.

 

Still Having Issues?

If you continue to have trouble receiving our emails after your IT team has configured allowlisting:

  1. Provide us with an alternate email address where we can send communications temporarily

  2. Let us know what email security platform(s) your organization uses

  3. Ask your IT team to check email logs or provide any bounce-back/NDR messages showing why our emails are being blocked

  4. We are happy to work directly with your IT team to resolve delivery issues

Contact Us

If you need our sending IPs, DKIM details, or any other technical information to complete the allowlisting process, please reach out to our team. We can also schedule a brief call with your IT administrator if that would be helpful.