diff --git a/daemon.py b/daemon.py
index 4f655380..16537f5e 100644
--- a/daemon.py
+++ b/daemon.py
@@ -17,6 +17,7 @@ from webfinger import webfingerMeta
 from webfinger import webfingerLookup
 from person import personLookup
 from person import personKeyLookup
+from inbox import inboxPermittedMessage
 import os
 import sys
@@ -74,44 +75,15 @@ class PubServer(BaseHTTPRequestHandler):
 self._404()
 return True
- def permittedDir(self,path):
+ def _permittedDir(self,path):
 if path.startswith('/wfendpoints') or \
 path.startswith('/keys') or \
 path.startswith('/accounts'):
 return False
 return True
- def _permittedMessage(self,message):
 """ check that we are posting to a permitted domain
 """
 testParam='actor'
 if not message.get(testParam):
 return False
 actor=message[testParam]
 # always allow the local domain
 if thisDomain in actor:
 return True
 permittedDomain=False
 for domain in federationList:
 if domain in actor:
 permittedDomain=True
 break
 if not permittedDomain:
 return False
 if message.get('object'):
 if message['object'].get('inReplyTo'):
 inReplyTo=message['object']['inReplyTo']
 permittedReplyDomain=False
 for domain in federationList:
 if domain in inReplyTo:
 permittedReplyDomain=True
 break
 if not permittedReplyDomain:
 return False
 return True
-
 def do_GET(self):
- if not self.permittedDir(self.path):
+ if not self._permittedDir(self.path):
 self._404()
 return
 # get webfinger endpoint for a person
@@ -164,8 +136,9 @@ class PubServer(BaseHTTPRequestHandler):
 return
 message = json.loads(self.rfile.read(length))
- if not self._permittedMessage(message):
- self._404()
+ if not inboxPermittedMessage(message,federationList):
+ self.send_response(403)
+ self.end_headers()
 else:
 # add a property to the object, just to mess with data
 message['received'] = 'ok'
diff --git a/inbox.py b/inbox.py
new file mode 100644
index 00000000..1624120d
--- /dev/null
+++ b/inbox.py
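Review bot: The new call `inboxPermittedMessage(message,federationList)` in the last hunk passes two positional arguments, but the function this commit adds in inbox.py is declared `def inboxPermittedMessage(self,messageJson,federationList)`, so `message` binds to `self`, `federationList` to `messageJson`, and Python raises TypeError for the missing third argument on every POST before the 403 decision is ever reached. Dropping the unused `self` from the inbox.py signature is the minimal fix; the caller also has to supply `thisDomain`, which inbox.py references but never defines or imports, e.g. `if not inboxPermittedMessage(message, federationList, thisDomain):`. Separately, `message` comes straight from `json.loads` on the request body and the check calls `.get('actor')` on it, so a JSON array or scalar body raises AttributeError rather than producing a 403; a guard such as `if not isinstance(message, dict): self.send_response(400)` before the check avoids that, unless a try/except outside the hunk already catches it. do_POST's body starts and ends outside the hunk.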
@@ -0,0 +1,42 @@
+__filename__ = "inbox.py"
+__author__ = "Bob Mottram"
+__license__ = "AGPL3+"
+__version__ = "0.0.1"
+__maintainer__ = "Bob Mottram"
+__email__ = "bob@freedombone.net"
+__status__ = "Production"
+
+import json
+import os
+
+def inboxPermittedMessage(self,messageJson,federationList) -> bool:
+ """ check that we are receiving from a permitted domain
+ """
+ testParam='actor'
+ if not messageJson.get(testParam):
+ return False
+ actor=messageJson[testParam]
+ # always allow the local domain
+ if thisDomain in actor:
+ return True
+
+ permittedDomain=False
+ for domain in federationList:
+ if domain in actor:
+ permittedDomain=True
+ break
+ if not permittedDomain:
+ return False
+
+ if messageJson.get('object'):
+ if messageJson['object'].get('inReplyTo'):
+ inReplyTo=messageJson['object']['inReplyTo']
+ permittedReplyDomain=False
+ for domain in federationList:
+ if domain in inReplyTo:
+ permittedReplyDomain=True
+ break
+ if not permittedReplyDomain:
+ return False
+
+ return True
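Review bot: `if thisDomain in actor` and `if domain in actor` (and the same loop over `inReplyTo`) are substring tests against the whole actor URL, so an actor like `https://example.org.evil.net/users/x` or `https://evil.net/?x=example.org` passes the check for a permitted `example.org`; the host should be extracted with `urllib.parse.urlparse(...).hostname` and compared exactly against the local domain and the federation list. `thisDomain` is also not defined or imported anywhere in this new file, so the local-domain branch raises NameError the first time a message with an `actor` reaches it, and the leading `self` parameter is unused on a module-level function while the daemon calls it with only two arguments. The rewrite below takes `thisDomain` as a parameter, drops `self`, keeps the original early-accept for local actors, and returns False for non-dict bodies and non-string URLs instead of raising. I kept the original rule that an `inReplyTo` must point at a host in `federationList` (the local domain is not accepted there unless it is listed) — confirm that is intended.
```python
def _urlHost(url) -> str:
    """Lower-cased host of a URL, or '' if it is not a string or has no host."""
    if not isinstance(url, str):
        return ''
    return (urlparse(url).hostname or '').lower()

def _hostPermitted(host, federationList) -> bool:
    """Exact, case-insensitive match of a host against the federation list."""
    return bool(host) and host in {d.lower() for d in federationList}

def inboxPermittedMessage(messageJson, federationList, thisDomain) -> bool:
    """ check that we are receiving from a permitted domain
    """
    if not isinstance(messageJson, dict):
        return False
    actorHost = _urlHost(messageJson.get('actor'))
    if not actorHost:
        return False
    # always allow the local domain
    if actorHost == thisDomain.lower():
        return True
    if not _hostPermitted(actorHost, federationList):
        return False

    obj = messageJson.get('object')
    if isinstance(obj, dict) and obj.get('inReplyTo'):
        if not _hostPermitted(_urlHost(obj['inReplyTo']), federationList):
            return False

    return True
```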