Application-level emails (e.g., creating an application API token) will be sent to anyone with the following scopes:

owner
admin:full

To reduce phishing risks, these system emails will never include links. We will include our support email address in the body text (support@revenuehq.com). Some mail clients might automatically convert this text to a link, but we encourage you to always type our email address by hand to ensure that a bad actor isn't spoofing us.

Similarly, if you have questions about a specific notification, or suspect abuse, rather than reply to the email we recommend that you forward it to our support address. This will further reduce the attack surface of a bad actor (by eliminating the risk of someone spoofing an email header).

🚧
Deliverability and phishing
All system emails will come from the sender support@notices.revenuehq.com with a reply-to of support@revenuehq.com. We recommend that you whitelist these addresses in your email provider to ensure that you receive system notifications.
To reduce phishing attack surfaces, we use strict DMARC rules on all of our sending domains (and reject all non-matching). If in doubt, forward an email to us for confirmation that it is legit.