Our email services block a specific set of file extensions to prevent security threats from reaching users. These include .exe, .bat, .js, .vbs, .ps1 and dozens of others that appear in the full list below. The same extensions are also blocked when found inside compressed archives such as ZIP or RAR files.

Any email sent or received with a blocked attachment is automatically rejected. The sender receives a bounce message explaining the issue; incoming blocked mail never reaches the recipient. This server-level filtering stops execution risks before files touch user devices.

# Why These File Extensions Are Blocked

Certain extensions permit direct code execution, system modification, or exploitation of vulnerabilities in email clients and operating systems. Attackers have used them for decades to deliver viruses, install rootkits, deploy ransomware, or exfiltrate data. Blocking them at the mail gateway provides defense-in-depth and reduces the chance that a user will accidentally open a malicious file.

The list targets file types with a proven history of abuse. Even formats that seem benign, such as compiled help files or registry scripts, can be crafted to compromise a system. The policy is deliberately broad because the cost of a single successful attack far outweighs the minor inconvenience of using an alternative delivery method for legitimate files.

# Complete List of Blocked File Extensions

.ade
.adp
.app
.asp
.bas
.bat
.cer
.chm
.cla
.class
.cmd
.cnt
.com
.cpl
.crt
.csh
.der
.exe
.fxp
.gadget
.grp
.hlp
.hpj
.hta
.inf
.ins
.isp
.its
.jar
.js
.jse
.ksh
.lnk
.mad
.maf
.mag
.mam
.maq
.mar
.mas
.mat
.mau
.mav
.maw
.mcf
.mda
.mdb
.mde
.mdt
.mdw
.mdz
.msc
.msh
.msh1
.msh2
.mshxml
.msh1xml
.msh2xml
.msi
.msp
.mst
.ocx
.ops
.osd
.pcd
.pif
.pl
.plg
.prf
.prg
.pst
.reg
.scf
.scr
.sct
.shb
.shs
.ps1
.ps1xml
.ps2
.ps2xml
.psc1
.psc2
.tmp
.url
.vb
.vbe
.vbp
.vbs
.vsmacros
.vsw
.ws
.wsc
.wsf
.wsh
.xnk
.xbap

# Risks Associated with Specific Extension Types

## Executables and Installers

  • .exe, .com - Compiled programs that run arbitrary code with the permissions of the logged-in user.
  • .msi, .msp, .mst - Windows installer packages that can execute commands at elevated privilege levels.

## Scripts and Automation Files

  • .bat, .cmd, .shs, .shb - Command-line batch and shell scripts that automate potentially destructive operations.
  • .js, .jse, .vbs, .vbe, .wsf, .wsh - Scripting languages that can instantiate COM objects, access the filesystem, and download additional payloads.
  • .ps1, .ps2, .psc1, .psc2 - PowerShell scripts that attackers favor for fileless malware because they run entirely in memory.

## Shortcuts, Help Files, and Configuration

  • .lnk, .url, .scf - Shortcut and configuration files that can launch remote executables or malicious commands.
  • .chm, .hlp, .hpj - Compiled help files that can contain executable code and have been used in multiple exploit campaigns.
  • .reg, .inf - Registry and setup information files capable of altering system settings or registering malicious components.

# How Blocking Works Inside Archives

The mail filters recursively inspect the contents of compressed files. A .exe renamed and placed inside a .zip, .rar, or .7z archive is still detected and causes rejection. This defeats the common evasion tactic of simply compressing a dangerous payload. The same check applies to nested archives.
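
The recursive check described above, written out in Python as an added example; it is not the mail service's own filter. It covers ZIP only, since Python's standard library cannot read RAR or 7z, and the function names (`blocked_ext`, `scan`, `make_zip`), the nesting and size limits, and the fail-closed handling of unreadable archives are assumptions.

```python
import io
import zipfile

# Blocked extensions, copied from the list on this page.
BLOCKED = set("""
ade adp app asp bas bat cer chm cla class cmd cnt com cpl crt csh der exe fxp
gadget grp hlp hpj hta inf ins isp its jar js jse ksh lnk mad maf mag mam maq
mar mas mat mau mav maw mcf mda mdb mde mdt mdw mdz msc msh msh1 msh2 mshxml
msh1xml msh2xml msi msp mst ocx ops osd pcd pif pl plg prf prg pst reg scf scr
sct shb shs ps1 ps1xml ps2 ps2xml psc1 psc2 tmp url vb vbe vbp vbs vsmacros
vsw ws wsc wsf wsh xnk xbap
""".split())
MAX_DEPTH = 5                     # assumed nesting limit
MAX_MEMBER_BYTES = 20 * 1024**2   # assumed per-member size limit

def blocked_ext(name):
    """Return the blocked final extension of a file name, or None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    return ext if ext in BLOCKED else None

def scan(name, data, depth=0, path=""):
    """Return None to accept, or a rejection reason naming the extension."""
    here = path + name
    ext = blocked_ext(name)
    if ext:
        return f"blocked extension .{ext}: {here}"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None  # not a ZIP container; the name was already checked
    if depth >= MAX_DEPTH:
        return f"archive nested too deeply: {here}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    return f"member too large: {here}!/{info.filename}"
                hit = scan(info.filename, zf.read(info), depth + 1, here + "!/")
                if hit:
                    return hit
    except Exception:  # corrupt, encrypted, unsupported: assumed fail-closed
        return f"uninspectable archive: {here}"
    return None

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()
```

Archives are recognised by content rather than by name, so a ZIP given an unrelated extension is still opened and its members checked.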

# What Happens When a Blocked Email Is Sent or Received

Outbound messages trigger an immediate SMTP rejection. The sending client receives a non-delivery report listing the offending extension. Inbound messages are dropped at the edge server; the sender receives a bounce while the intended recipient sees nothing. No blocked file ever reaches user mailboxes or virus scanners on endpoints.

Review the rejection notice carefully. It identifies which specific extension triggered the block, allowing you to locate and rename the file before retrying.

# Practical Workarounds and Best Practices

When you must transfer a legitimate file whose extension is blocked, rename it to an allowed type such as .txt before attaching, then tell the recipient to restore the original name after saving. Always test delivery by sending the message to your own account first. For larger or repeated transfers, host the file on a secure web server and send only the download link.

Never disable client-side warnings or attempt to obfuscate file types with multiple compression layers; the server-side scanner will still catch them. Keeping attachments limited to standard document formats (.pdf, .docx, .xlsx, images) avoids rejection and reduces overall risk.

Takeaway: Check the blocked list before attaching any file. The restrictions exist to protect every mailbox on the platform. Consistent adherence prevents bounce messages, speeds delivery, and maintains a secure environment for all users.