diff --git a/.github/workflows/production_pipeline.yml b/.github/workflows/production_pipeline.yml index 693c75c22..bd3069e73 100644 --- a/.github/workflows/production_pipeline.yml +++ b/.github/workflows/production_pipeline.yml @@ -41,6 +41,7 @@ jobs: DB_DATABASE: data_collector DB_USERNAME: postgres DB_PASSWORD: password + RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} steps: - name: Get latest release with tag diff --git a/.github/workflows/staging_pipeline.yml b/.github/workflows/staging_pipeline.yml index 5304c9138..e743f4504 100644 --- a/.github/workflows/staging_pipeline.yml +++ b/.github/workflows/staging_pipeline.yml @@ -41,6 +41,7 @@ jobs: DB_DATABASE: data_collector DB_USERNAME: postgres DB_PASSWORD: password + RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} steps: - name: Checkout diff --git a/app/mailers/devise_notify_mailer.rb b/app/mailers/devise_notify_mailer.rb index cd5500d86..7fd2e256f 100644 --- a/app/mailers/devise_notify_mailer.rb +++ b/app/mailers/devise_notify_mailer.rb @@ -6,6 +6,8 @@ class DeviseNotifyMailer < Devise::Mailer end def send_email(email, template_id, personalisation) + return true if intercept_send?(email) + notify_client.send_email( email_address: email, template_id:, @@ -41,6 +43,15 @@ class DeviseNotifyMailer < Devise::Mailer ) end + def intercept_send?(email) + email_domain = email.split("@").last.downcase + !(Rails.env.production? || Rails.env.test?) && email_allowlist.exclude?(email_domain) + end + + def email_allowlist + Rails.application.credentials[:email_allowlist] + end + # def unlock_instructions(record, token, opts = {}) # super # end diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc index 070903dfd..d0612bbd1 100644 --- a/config/credentials.yml.enc +++ b/config/credentials.yml.enc 
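Review bot: `RAILS_MASTER_KEY` is placed in the shared `env:` block next to the `DB_*` settings in `production_pipeline.yml`, and identically in `staging_pipeline.yml`. If that block is job-level, as the `jobs:` hunk context suggests, every step in the job can read the key that decrypts `config/credentials.yml.enc`, including any third-party action. Consider moving `RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}` into the `env:` of only the step(s) that boot Rails. Both pipelines use the same secret name; whether staging and production share one key is not visible here, but a separate key per environment would limit what a leak from this job exposes. The start of the `env:` block is outside the hunk.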
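Review bot: The early `return true if intercept_send?(email)` in `send_email` drops the message without leaving any trace, so a missing confirmation or reset mail outside production cannot be told apart from a delivery failure. A log line before the return would make the suppression visible, e.g. `Rails.logger.info("Notify email suppressed: recipient domain not in allowlist")`, keeping the address itself out of the log. The suppressed path also returns `true` rather than the client's response; callers are not visible here, so confirm none of them reads that return value. The body of `send_email` continues outside the hunk.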
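Review bot: `intercept_send?` calls `email_allowlist.exclude?` on whatever `Rails.application.credentials[:email_allowlist]` returns, and that is nil when the key is absent from the credentials file. Every non-production send would then raise NoMethodError instead of being suppressed. Returning `Array(Rails.application.credentials[:email_allowlist])` from `email_allowlist` keeps the fail-closed result (nothing allowlisted, nothing sent) without the exception. The recipient domain is downcased but the allowlist entries are compared as stored, so a mixed-case entry would never match; `email_allowlist.map(&:downcase)` or a comment requiring lowercase entries would close that gap. A nil `email` would also fail on `split`, which `email.to_s.split("@")` avoids; the class body starts and ends outside the hunk.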
@@ -1 +1 @@ -NrH9ar+0L80hqUK6sTWxA8KMuWIyC2rPmKj9kanuIxvak5haHJQYQZDGx+fPFxsfzNTcSIQIQ1jbHCGeHg3U+lclKj/JpWGlzBl0cnGKPT2r7ZSUxtru4OlwdJpH7+dZAmSVXUl4yLb6pHElF3tnk4C9QGPfI/9tkNjE/3gD+fmJqaIym7m+bxOYD6P3DSSVZApjyygMXk0eGk0h7X/uKbODHBuZRjt4l4NlZp1yWvrcGuXJzT6R2vovDzrvclf/ng0t96/l/WOwOc95pF+KogomAoMw0PCJeQS9rhDZMJm+7YSPZ1hM5SPFp7MygTwWbUR33Gc+tSt3507xCwbEtJwtUn3BgtpC1Kv+ZhsLtpl60C9LTS9RmxMiShgR/IS6cKh9CzkUg9dh7ySdoETYQ7So2u2rtRA2XVbt--1g8FBT3NrEcb3POD--4eGL6AQnVUgL3JJEfRMUPw== \ No newline at end of file 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--ag3NbQnjBzTn6Hog--p7F0N82TTip3adYucCH96Q== \ No newline at end of file diff --git a/spec/mailers/devise_notify_mailer_spec.rb b/spec/mailers/devise_notify_mailer_spec.rb new file mode 100644 index 000000000..a086eddaf --- /dev/null +++ b/spec/mailers/devise_notify_mailer_spec.rb 
@@ -0,0 +1,55 @@
+require "rails_helper"
+
+RSpec.describe DeviseNotifyMailer do
+ describe "Intercept mail" do
+ let(:notify_client) { instance_double(Notifications::Client) }
+ let(:devise_notify_mailer) { described_class.new }
+ let(:organisation) { FactoryBot.create(:organisation) }
+ let(:name) { "test" }
+ let(:password) { "password" }
+ let(:role) { "data_coordinator" }
+
+ before do
+ allow(described_class).to receive(:new).and_return(devise_notify_mailer)
+ allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
+ allow(notify_client).to receive(:send_email).and_return(true)
+ end
+
+ context "when the rails environment is staging" do
+ before do
+ allow(Rails.env).to receive(:test?).and_return(false)
+ allow(Rails.env).to receive(:staging?).and_return(true)
+ end
+
+ context "when the email domain is not in the allowlist" do
+ let(:email) { "test@example.com" }
+
+ it "does not send emails" do
+ expect(notify_client).not_to receive(:send_email)
+ User.create!(name:, organisation:, email:, password:, role:)
+ end
+ end
+
+ context "when the email domain is in the allowlist" do
+ let(:domain) { Rails.application.credentials[:email_allowlist].first }
+ let(:email) { "test@#{domain}" }
+
+ it "does send emails" do
+ expect(notify_client).to receive(:send_email).once
+ User.create!(name:, organisation:, email:, password:, role:)
+ end
+ end
+ end
+
+ context "when the rails environment is not staging" do
+ context "when the email domain is not in the allowlist" do
+ let(:email) { "test@example.com" }
+
+ it "does send emails" do
+ expect(notify_client).to receive(:send_email).once
+ User.create!(name:, organisation:, email:, password:, role:)
+ end
+ end
+ end
+ end
+end
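Review bot: The allowlisted-domain example takes its domain from `Rails.application.credentials[:email_allowlist].first`, so the spec passes only where the real credentials can be decrypted, which appears to be why the workflows now need `RAILS_MASTER_KEY`. Stubbing the lookup would let the suite run without the key, e.g. `allow(devise_notify_mailer).to receive(:email_allowlist).and_return(["allowed.example"])` (a constructed domain). The mailer checks `production?` and `test?`, not `staging?`, so the `staging?` stub has no effect on the result. The "not staging" context runs under the test environment, so the production branch of `intercept_send?` is not exercised; a context stubbing `test?` to false and `production?` to true would cover it.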