Whitelist Mode: Focus Your Inbox on Trusted Senders

Whitelist mode is a CardanoWall inbox filter you can turn on per identity. When it is on, your inbox defaults to a "Trusted only" view that shows records signed by senders already in your address book, with a "Show all" tab one click away. It is a viewing convenience, not a permission system: it does not change the Label 309 record format, and it cannot stop anyone from publishing a record addressed to you on Cardano.

Think of it as inbox control, not blockchain control.

Why would an inbox need a whitelist?

Because a public receive address attracts traffic you did not ask for.

If you publish a receive address on a website, a public profile, or a support page, anyone can seal a record to it. That openness is the point — it is how strangers reach you without an account. But it also means your inbox can fill with records from people you have never heard of.

Whitelist mode keeps a clean working view for identities that live in high-volume or public contexts, such as:

a public-profile identity that anyone can find;
a newsroom or intake identity;
a legal or compliance team identity;
a security-disclosure identity;
a customer-support evidence identity;
an identity that should mostly see partner traffic.

What exactly does whitelist mode filter?

It filters the inbox view — nothing else.

When whitelist mode is on for an identity, the inbox shows a small switcher with two tabs: Trusted only (the default) and Show all. The trusted view contains records whose sender signature matches a public key in your address book. Everything else stays in Show all, one click away.

Nothing is deleted. The on-chain record still exists, the encrypted payload is untouched, and your other identities are unaffected. The inbox is simply choosing what to surface first. That distinction matters because Cardano is public and append-only: an application can change what you see, never what was published.

The view switch itself is ephemeral. Flipping to "Show all" for a session does not turn whitelist mode off — the per-identity setting persists, but your current view does not.

Does whitelist mode block senders on the blockchain?

No. It cannot, and it is not meant to.

Anyone who can submit a Cardano transaction can publish a conformant Label 309 record addressed to your receive key, whether or not you know them. Whitelist mode creates no on-chain permission, allowlist, or block. It only changes how CardanoWall organizes your inbox for one identity in your account.

The standard stays open. Your interface gets quieter. (CardanoWall also offers a separate "block sender" control that hides a specific signing key from your views — also a local UX choice, not an on-chain action.)

How does the address book power this?

Whitelist mode is only as good as your contacts.

Your address book maps a sender's signing public key to a name and the context in which you verified it. Each incoming record can carry an optional author signature (a record-level COSE_Sign1 signature over an Ed25519 key). When that signing key matches one of your trusted contacts, the inbox recognizes the record as coming from a known sender and places it in the trusted view.

So the address book is more than a composer shortcut — it doubles as inbox triage. And because the match is cryptographic, the quality of the filter depends entirely on the quality of your verification. If you added a contact's key without really confirming who it belongs to, whitelist mode will faithfully trust the wrong person.

What about unsigned sealed records?

They usually have no sender to match, so they land in "Show all".

Author signatures in Label 309 are optional by design. A sender can publish a sealed record with no signature at all, which is genuinely useful for sensitive disclosures where attribution is undesirable. But without a signature there is no key to compare against your address book, so the inbox treats the record as coming from an unknown sender.

State this plainly to anyone relying on the feature:

a signed record from a known key is recognized as trusted;
an unsigned record, or a signed one from a key you have not saved, shows up as unknown;
"unknown" does not mean malicious;
and "filtered out of the default view" never means deleted.

This is an interface policy, not a cryptographic verdict on the sender.

When should you turn it on — and when not?

Turn it on when signal matters more than reach.

Good fits:

an internal team identity that should mostly see known partners;
an executive or legal identity that should not surface unknown records by default;
a public profile drowning in unrelated traffic;
a support workflow that wants verified customer keys first;
an auditor identity focused on an approved set of senders.

Leave it off when discovery is the whole point:

public whistleblower or tip intake;
open submissions and first contact from strangers;
community or creator inboxes;
any workflow where unknown senders are expected and welcome.

Can whitelist mode hide something important?

Yes — that is the tradeoff, and you should plan for it.

If an important sender is not in your address book, their record will not appear in the default "Trusted only" view. It is still there in "Show all," but only if someone looks. For any identity that matters, set a routine:

periodically scan the "Show all" view, not just the trusted one;
add senders to your contacts after you verify them, so future records surface automatically;
write down which identities run with whitelist mode on;
avoid enabling it on open intake addresses unless your process clearly accounts for it.

Filtering should serve your process, not quietly surprise it.

Does whitelist mode improve privacy?

Only indirectly, and it is worth being precise here.

Whitelist mode does not hide your public receive address, remove anything from the chain, make publishing private, or prevent a stranger from sealing a record to you. What it can do is reduce how often you open, inspect, and react to unexpected records — which lowers the chance of an operational mistake.

Real confidentiality still comes from sealing the content itself, careful key handling, and thinking about what your metadata reveals. For where the actual privacy line sits, see what CardanoWall can see.

The short version

Whitelist mode is inbox control, scoped to one identity.

It helps an identity focus on records from contacts you have verified, by defaulting the inbox to a "Trusted only" view. It does not change the Label 309 protocol, block Cardano transactions, or prove that unknown senders are untrustworthy. Use it for controlled, high-volume workflows; leave it off wherever open intake is the goal.