
Enabling User Access to dealhead: Required Domains & Email Senders

Instructions for IT teams on how to whitelist *.dealhead.com and allow required dealhead domains, including login and application URLs.

Updated over 3 months ago

Why access may be blocked

Many organizations enforce network and email security policies that restrict access to external applications. These policies include, but are not limited to, domain filtering, SSL inspection rules, email scanning, blocked CDN traffic, and Remote Browser Isolation (RBI). Because dealhead relies on multiple sub-domains, CDNs, and authenticated email flows, restrictive security controls may cause:

  • Inability to log in or maintain a session

  • Blocked API calls or missing data

  • Visual artifacts in tab titles or watermarks indicating the session is isolated

  • Pages, dashboards, or documents failing to load

  • 2FA or password reset emails routed to spam or quarantine

  • Loss of real-time collaboration or updates

To ensure seamless access, dealhead must be reachable over the organization’s network and email security systems without interference.

What we are requesting

To ensure your users can fully access and authenticate into dealhead — including application functionality and required system emails — please allow the following domains and email senders.

1. Domain Allow-Listing (Network Access)

Please allow the following domains within your organization’s firewall, proxy, and networking tools:

*.dealhead.com 
*.azurefd.net
*.msedge.net

dealhead uses Azure Front Door, a Microsoft-managed global CDN and traffic optimization layer. Some IT environments block CDN domains by default, which can prevent pages, authentication flows, or static assets from loading. Allowing the domains above ensures consistent platform access.

Core dealhead Domains

These are actively used in production and must be reachable:

  • www.dealhead.com — Corporate website and public resources

  • app.dealhead.com — Primary production application

  • login.dealhead.com — Authentication (Azure AD B2C)

If wildcard domain rules are not permitted, these domains should be explicitly added.

2. Email Allow-Listing (Authentication & Notifications)

To ensure delivery of invitations, password resets, and two-factor authentication codes, your mail gateway must allow authenticated messages (SPF, DKIM, DMARC) from:

Displayed sender example for 2FA emails:
Microsoft on behalf of dealhead

To prevent login failures or broken authentication links:

  • Do not rewrite or “link-sanitize” URLs in dealhead emails

  • Do not quarantine or bulk-filter these senders

  • Ensure deep-link URLs pointing to *.dealhead.com are allowed

  • Ensure no anti-spoofing rules block Microsoft-initiated messages
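
A mail administrator can confirm the points above on a message as it arrives in a test mailbox. The following is an added example, not dealhead's own code: it reads the SPF, DKIM and DMARC verdicts your gateway recorded and checks that links still point at a dealhead host. The sender address, the authserv-id mx.corp.example, the link path and the message itself are constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed message as seen AFTER the mail gateway. sender.example and
# corp.example are placeholders, not dealhead's real sender or your domain.
DELIVERED = """\
From: Microsoft on behalf of dealhead <noreply@sender.example>
To: user@corp.example
Subject: Your verification code
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
Content-Type: text/plain

Sign in: https://login.dealhead.com/placeholder-path?code=000000
"""

def auth_verdicts(msg, trusted_authserv):
    """Read spf/dkim/dmarc results, but only from headers stamped by our own
    gateway (its authserv-id); the same header from other hosts is untrusted."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
            verdicts.setdefault(method, result.lower())
    return verdicts

def delivery_problems(raw, trusted_authserv="mx.corp.example"):
    """Return a list of reasons the delivered message may break sign-in."""
    msg = message_from_string(raw)
    verdicts = auth_verdicts(msg, trusted_authserv)
    problems = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    # Assumes a single-part text body. A link whose host is no longer under
    # dealhead.com has been rewritten or wrapped on the way in.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not host.endswith(".dealhead.com"):
            problems.append(f"link host {host} is not under dealhead.com")
    return problems

if __name__ == "__main__":
    print(delivery_problems(DELIVERED) or "ok")
```

Conditioning the gateway exception on these verdicts, rather than on the display name alone, keeps the allow rule from applying to unauthenticated mail.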

3. Browser Isolation & Endpoint Security

If your organization uses Remote Browser Isolation (RBI) or Secure Web Gateway (SWG) agents (e.g., Netskope, Zscaler, Cisco Umbrella, Menlo Security), the dealhead application may be forced into a "read-only" or "isolated" container if categorized as "Uncategorized" or "Unknown."

Symptoms of interfering security agents:

  • Users see an asterisk * in the browser tab title (often confused with "unsaved work").

  • Users cannot copy/paste data into or out of the application.

  • File uploads (drag-and-drop) fail silently.

Request: Please create a policy exception to bypass isolation (send traffic direct-to-net) for *.dealhead.com.
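
After the rules from sections 1 and 3 are in place, proxy or SWG logs can be audited to confirm that allow-listed hosts are no longer blocked or isolated. The following is an added example, not dealhead's own code: the log format, the sample lines and the hostnames placeholder-endpoint.azurefd.net and hypothetical-sub.dealhead.com are constructed, and it assumes the common convention that a "*." rule covers sub-domains but not the apex (check how your product treats this).

```python
# Allow-list entries taken from this page.
ALLOW_WILDCARD = ["*.dealhead.com", "*.azurefd.net", "*.msedge.net"]
ALLOW_EXPLICIT = ["www.dealhead.com", "app.dealhead.com", "login.dealhead.com"]

def host_matches(host, pattern):
    """Match on DNS label boundaries so look-alike names never qualify."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".dealhead.com"
        return host.endswith(suffix) and host != suffix
    return host == pattern

def audit(log_lines, rules):
    """Return (host, action) for allow-listed HTTPS hosts that were not
    passed straight through (blocked, isolated, ...)."""
    findings = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        host, action = fields["host"], fields["action"]
        covered = any(host_matches(host, r) for r in rules)
        if covered and fields["port"] == "443" and action != "allow":
            findings.append((host, action))
    return findings

# Constructed sample lines in a made-up key=value format.
SAMPLE_LOG = [
    "host=app.dealhead.com port=443 action=allow",
    "host=login.dealhead.com port=443 action=isolate",
    "host=placeholder-endpoint.azurefd.net port=443 action=block",
    "host=dealhead.com.example.net port=443 action=block",   # look-alike, not covered
    "host=hypothetical-sub.dealhead.com port=443 action=block",
]

if __name__ == "__main__":
    for label, rules in (("wildcard", ALLOW_WILDCARD), ("explicit", ALLOW_EXPLICIT)):
        print(label, audit(SAMPLE_LOG, rules))
```

Running both rule sets side by side shows what the explicit-host fallback leaves uncovered: any sub-domain or CDN endpoint outside the three named hosts is not reported, because it was never allow-listed.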

Recommended IT Configuration Steps

Network & Firewall

  • Allow HTTPS (TCP 443) to all domains listed above

  • If SSL inspection is enabled, ensure:

    • TLS interception does not break dealhead authentication

    • Your appliance trusts the certificate chain used by dealhead

  • Allow scripts, embedded content, and authentication flows from *.dealhead.com

  • Permit long-lived requests or WebSocket-type connections

DNS & Filtering

  • Ensure DNS resolution for all dealhead sub-domains

  • Do not block *.azurefd.net or *.msedge.net (Azure CDN traffic)

Email Systems

If your IT environment requires IP allow-listing instead of domain allow-listing, contact us for the most up-to-date ranges.

Security & Compliance

We understand that many organizations operate under strict security, governance, and compliance requirements. dealhead is architected to meet enterprise-grade expectations and to ensure that network and email allow-listing introduces no additional security risk.

Platform Security Highlights

  • All traffic between users and the dealhead platform is encrypted using TLS 1.2+

  • User authentication and identity management are handled through Microsoft Azure AD B2C

  • All sub-domains and services are hosted within secure, SOC-compliant cloud infrastructure

  • Wildcard allow-listing applies only to the dealhead.com domain — no third-party domains or external services are included

  • System emails (including 2FA and authentication flows) are fully authenticated using SPF, DKIM, and DMARC

Security Documentation & Trust Center

For detailed security documentation, audit reports, policies, and continuous compliance information, please visit our Trust Center:

Next steps

  • Please provide this document to your internal IT/security team.

  • Once your configuration updates are completed, let your dealhead account manager or our support team know so we can verify access and assist with any final checks.

  • If your security team requires additional information — such as data flow diagrams, penetration testing summaries, or IP ranges — we will provide it upon request.

Getting Support

For questions or further assistance, please contact [email protected] or open a ticket through our Help Center. Our technical team is available to work directly with your IT department to ensure full and secure access.
