How Email Approvals are Handled with vRealize Automation

I had a customer ask how inbound email approvals were handled with vRealize Automation. The official documentation shows how to configure the inbound email server but does not provide a whole lot of information beyond that. Since I collected some screenshots, I thought I would post this in the event it may help others.

Here is what an approval email looks like; at the bottom there are links for Approve and Reject. These are mailto: links that populate the new message with a specific subject. One of the concerns was: if someone finds out this email address, can they spoof email to initiate approvals or rejections? The first check is on the sender email address: it needs to be the same address that the approval was sent to. The second part is the machine GUID and the Approve/Reject GUID that are populated into the subject.

Here is an example of clicking the Approve link:

And an example of clicking the Reject link: the machine GUID remains the same, but the first section, before the | delimiter, is different from the one in the Approve subject.
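The two checks described above, modelled as an added example (this is not vRA's code and does not come from VMware). It assumes the subject has the form `<Approve-or-Reject GUID>|<machine GUID>`; the addresses, GUID values, `PENDING` store and `decide` function are constructed for illustration.

```python
import hmac
import uuid
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: one pending approval, keyed by machine GUID.
MACHINE = str(uuid.UUID(int=1))
PENDING = {
    MACHINE: {
        "approver": "manager@example.com",   # address the approval was sent to
        "approve": str(uuid.UUID(int=2)),    # GUID placed in the Approve link
        "reject": str(uuid.UUID(int=3)),     # GUID placed in the Reject link
    }
}

def decide(raw_message, pending=PENDING):
    """Return (machine_guid, 'approve' | 'reject'), or None if the mail is refused."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the real address, so a
    # display name that merely looks like the approver is not matched.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "").strip()

    action_guid, sep, machine_guid = subject.partition("|")
    if not sep:
        return None                          # no delimiter: not an approval reply
    machine_guid = machine_guid.strip().lower()
    entry = pending.get(machine_guid)
    if entry is None:
        return None                          # unknown machine GUID

    # Check 1: the sender must be the address the approval was sent to.
    # From is set by the sending client, so this check alone does not
    # authenticate the sender; the GUID check below must also pass.
    if sender != entry["approver"]:
        return None

    # Check 2: the first section must be one of the two GUIDs issued for
    # this request. compare_digest avoids leaking how many bytes matched.
    token = action_guid.strip().lower().encode()
    for action in ("approve", "reject"):
        if hmac.compare_digest(token, entry[action].encode()):
            return (machine_guid, action)
    return None
```
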

This can also be done from mobile devices; I tested with my iPhone and it auto-populated the subject line for me. As soon as I logged into vRA to check the status, the request had already been rejected:

