diff --git a/changelog.d/19741.misc b/changelog.d/19741.misc
new file mode 100644
index 00000000000..4910b3e40ca
--- /dev/null
+++ b/changelog.d/19741.misc
@@ -0,0 +1 @@
+Limit the allowed link schemes to `["http", "https", "mailto"]` from messages contained in e-mail push notifications. Contributed by Noah Markert.
diff --git a/synapse/push/mailer.py b/synapse/push/mailer.py
index 1ebbc6d4f39..3316ed70a95 100644
--- a/synapse/push/mailer.py
+++ b/synapse/push/mailer.py
@@ -112,7 +112,7 @@
 "img": ["src"],
 }
 # When bleach release a version with this option, we can specify schemes
-# ALLOWED_SCHEMES = ["http", "https", "ftp", "mailto"]
+ALLOWED_SCHEMES = ["http", "https", "mailto"]
 
 
 class Mailer:
@@ -972,7 +972,7 @@ def safe_markup(raw_html: str) -> Markup:
 tags=ALLOWED_TAGS,
 attributes=ALLOWED_ATTRS,
 # bleach master has this, but it isn't released yet
-# protocols=ALLOWED_SCHEMES,
+protocols=ALLOWED_SCHEMES,
 strip=True,
 )
 )
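Review bot: The context line directly above the new `ALLOWED_SCHEMES` assignment, `# When bleach release a version with this option, we can specify schemes`, is now stale because this very hunk enables the option; the same applies to `# bleach master has this, but it isn't released yet` above `protocols=ALLOWED_SCHEMES` in the safe_markup hunk of the same file. Replace the first with `# URL schemes bleach.clean accepts in href/src attributes; a link using any other scheme loses that attribute` and drop the second, so the next reader is not told the allow-list is still waiting on a dependency. Documenting the intent here also makes the deliberate removal of `ftp` from the old commented-out value visible in the code rather than only in the changelog.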
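Review bot: No test accompanies the change to `safe_markup`, so nothing pins the behaviour the changelog promises: that an `<a href>` or `<img src>` whose scheme is outside `ALLOWED_SCHEMES` loses that attribute while `http`, `https` and `mailto` links survive `bleach.clean`. A small unit test that calls `safe_markup` on a constructed HTML snippet for each of those cases would make any future regression in the sanitiser configuration visible. The `protocols=` keyword is only honoured by bleach releases that ship it, so the project's declared minimum bleach version should be confirmed against it — the dependency spec is not part of this diff, so I cannot check it here. safe_markup's body begins above the hunk; only the tail of the `bleach.clean(...)` call is shown.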