Greenhouse Security Code Email: Legit, but Your Application Is Not Submitted Yet
The "Security code for your application" email from no-reply@us.greenhouse-mail.io is real, not phishing. It also means Greenhouse paused your submit: until you paste the code back into the form and press Submit again, the company has not received your application.
Ava writes about hiring systems, ATS filters, and what actually moves the needle for job seekers. AI Applyd exists to help talented people get past broken application processes.

- Read
- 6min
- Words
- 1,446
From AI Applyd
Stop scrolling job boards
Browse live roles from active employers, then let AI Applyd auto-apply with a resume tailored to each one.
Browse open jobsShort answer: yes, that email is legitimate, and no, it does not mean your application went through. Greenhouse sends security codes from no-reply@greenhouse.io and from regional addresses like no-reply@us.greenhouse-mail.io and no-reply@eu.greenhouse-mail.io, which is listed in Greenhouse's own support documentation. The code is not a receipt. It is a gate. Your application is not submitted until you paste that code back into the field on the application page and press Submit again.
That distinction is the entire point of this post, because getting it wrong is how people spend twenty minutes on a form and end up applying to nothing.
What actually happened when you pressed Submit
You filled out a job application on a Greenhouse-hosted page (usually job-boards.greenhouse.io/company, or a careers page that embeds the same form). You pressed Submit. Instead of a thank-you screen, you got an email with a subject like "Security code for your application to Acme".
The real sequence: you press Submit, an invisible reCAPTCHA runs in the background and produces no visible change, the submit request fires, Greenhouse decides it wants to verify that the email address on the form is really yours, it emails a one-time code to that address, and it renders a new field on the application page labeled "Security code". Nothing reaches the company until that field is filled and Submit is pressed a second time.
The field is where people get lost. It did not exist while you were filling the form. It appears only after the submit attempt, often below the fold, on a page you have already mentally closed. So the natural move is to tab away to your inbox, see the email, think "good, they got it", and never come back to the tab. The email is not a confirmation. It is a request.
What a real confirmation looks like
When a Greenhouse application actually lands, the page says so in plain language: "Great news! Your application has been successfully submitted, thank you for your interest." If you did not see that sentence, or an equivalent confirmation screen, or a later email that says your application was received, you did not finish. A code email on its own means the opposite of done.
Our own receipts
We build an auto-apply agent, so we watch this exact form get submitted with full instrumentation. Three things we can state from our own logs rather than from guesswork.
The code email lands about nine seconds after the submit click. In one instrumented production run, the Submit button was clicked at 09:05:18 UTC and the "Security code for your application" email arrived at 09:05:27 UTC from no-reply@us.greenhouse-mail.io. It feels instant, and that speed is exactly what makes it read like a confirmation.
The code field does not exist at the moment you press Submit. Our first version of the check looked for the field immediately after the click and found nothing, because the invisible reCAPTCHA had not resolved and the submit request had not fired yet. The field rendered a beat later. A human tabbing to their inbox during that beat sees a form that looks unchanged, and assumes the page is done with them.
A fully filled form, plus a pressed Submit, plus an ignored code, equals zero applications. We have the trace: form complete, Submit pressed, code typed into the field, and then the Submit button never clicked a second time. Nothing reached the company. From the applicant side that is indistinguishable from success. No error, no bounce, no warning. The application simply does not exist, and nobody at the company knows you tried.
Is it phishing?
Almost certainly not, but check three things before you type a code anywhere.
Check the sender domain. greenhouse.io and greenhouse-mail.io (with us., eu., and anz. regional prefixes) are Greenhouse’s real sending domains, per the support page linked above. greenhouse-mail.io looks suspicious precisely because it is an unfamiliar second domain, which is why this gets searched so much. It is genuine.
Check that you actually just applied. A security code email that arrives while you are mid-application on a Greenhouse page is expected. One that arrives out of nowhere, for a company you never applied to, is not. In that case someone typed your address into a form, or it is a phishing attempt, and either way you ignore it. A code is useless to an attacker unless they can talk you into handing it over.
Never send the code to a person. It goes into the form field on the application page you already have open. It never goes into a reply email, a chat, a text message, or a call from someone claiming to be a recruiter. No real recruiter will ask you to read out a Greenhouse security code. That request is the scam.
How to fix it, step by step
Go back to the browser tab with the application form still open. Do not open a fresh one, because a new tab means a new form and you would be starting over.
Scroll to the field labeled "Security code". It sits near the Submit button, and it was not there before.
Paste the code from the email, then press Submit again. Pressing Submit again is the step everyone misses. Typing the code does nothing on its own.
Wait for the confirmation screen and read it. If you do not see explicit success language, you are not done.
If you already closed the tab, reopen the job posting and apply again from the start. You will get a new code, and per Greenhouse's candidate FAQ, only the most recent code works, so ignore the older email entirely. If the code never arrives at all: Greenhouse documents that codes are single-use and time-limited, that you can request a new one after 10 minutes, and that if repeated attempts fail you should contact the company directly about that application. Check spam first. These emails are the exact shape that filters like to eat, with a no-reply sender, an unfamiliar domain, and a short code as the entire payload.
Why this matters more than it sounds
Greenhouse is one of the most common applicant tracking systems in tech hiring. When a verification step this easy to miss sits in front of the submit button, a real number of applications that people believe they sent were never sent. Not rejected. Never seen.
The rule that falls out of it: a "submitted" screen, an email, or a "thanks" toast is not proof of anything. Proof is a confirmation that says the application was received, in the company’s or the ATS’s own words. Anything else is a step you might still owe.
FAQ
Is the Greenhouse security code email legit? Yes. Greenhouse sends from no-reply@greenhouse.io, no-reply@us.greenhouse-mail.io, no-reply@eu.greenhouse-mail.io, and no-reply@anz.greenhouse.io, all listed in its support documentation. The unfamiliar greenhouse-mail.io domain is genuine.
Does the security code email mean my application went through? No, it means the opposite. Greenhouse paused the submission and is waiting for the code. Until you type it into the form and press Submit again, the company has received nothing.
Why did the code field only appear after I pressed Submit? Because the submit attempt itself renders it, after an invisible reCAPTCHA check resolves. It does not exist while you are filling the form, which is why it is so easy to walk past.
What if I closed the tab before entering the code? Start the application again from the job posting. You will get a fresh code, and only the most recent code is valid, so ignore any older ones.
The code never arrived. What now? Check spam. Greenhouse says you can request a new code after 10 minutes, and that if repeated attempts still fail you should contact the company directly about that application.
Should I ever send the code to a recruiter? Never. The code belongs in the form field on the application page and nowhere else. Anyone asking you to read it out is running a scam.
How AI Applyd handles this gate
This is the gate our agent had to solve. AI Applyd applies on the real ATS, so when Greenhouse interrupts the submit, the agent reads the code from its own inbox, types it into the field, presses Submit again, and then checks that the confirmation actually rendered before it counts the application as submitted. For the general version of that problem, see how to tell if your job application was actually received. AI Applyd is free to start, no card.