A short guide for a firm's IT team. Section 250 declarations are sent by email and completed through a secure link. This page lists exactly what to allowlist so those emails arrive and the links are never broken or pre-opened by email security.
Last updated: 3 June 2026
If your compliance team has sent CoverProof declarations and some recipients say the email never arrived, or the link shows an error before they click it, the cause is almost always email security (Microsoft 365 Safe Links / Defender for Office 365 “ATP”, Google, or a spam gateway) rather than CoverProof. Forward this page to whoever manages your mail filtering — the changes below take a few minutes.
Declaration and counterparty emails are sent from:
declarations@coverproof.co.ukcoverproof.co.uk — allowlist the whole domain rather than a single address, so reminders and counterparty requests are covered too.We send through Resend, an established email provider, on shared sending infrastructure. Because those sending IP addresses are pooled and can change, allowlist by authenticated sender domain (below) rather than by IP address — an IP allowlist would silently break the day the provider rotates pools.
coverproof.co.uk publishes the standard authentication records, so a well-configured filter can verify our mail without an IP allowlist:
include: in its SPF record.coverproof.co.uk.If your gateway supports it, allow mail that passes SPF/DKIM and is DMARC-aligned for coverproof.co.uk.
Microsoft 365 Safe Links and similar “link protection” features pre-fetch links to scan them. CoverProof is built to survive this — a scanner’s automated visit never opens or consumes a declaration — but adding our link domains to the “do not rewrite” / allowed-URLs list keeps the recipient experience clean. Allow:
coverproof.co.ukdeclarations.coverproof.co.uk — the secure subdomain that hosts the declaration and counterparty forms.coverproof.co.uk (and the address declarations@coverproof.co.uk).coverproof.co.uk and declarations.coverproof.co.uk to Safe Links / ATP “do not rewrite”.Still stuck? Your CoverProof contact can re-send a declaration once the allowlist is in place, or you can use the declarations dashboard to re-trigger it.