Policies
MailGuard policies define how inbound emails are analyzed, scored, and handled. Learn about all configuration options here.
What Are MailGuard Policies?
A policy is a comprehensive set of rules that determines how inbound emails are analyzed and scored. Each policy combines multiple protection modules — from spam detection to link analysis to attachment filtering — and defines thresholds and actions for different threat levels.
A tenant can have multiple policies that are applied to specific senders, recipients, or domains via routing rules.
Creating a Policy
- Navigate to MailGuard > Policies.
- Click + to create a new policy.
- Configure the modules (see below).
- Save the policy.
General Settings
| Setting | Description |
|---|---|
| Policy Name | Unique name for identification (e.g., "Standard Policy", "Strict – Finance") |
| Enabled | Enable/disable the policy without deleting it |
| Maximum Message Size | Emails exceeding this size (in MB) will be rejected |
Scoring & Thresholds
Each email is assigned a spam score. The higher the score, the more likely it is a threat. You configure two thresholds:
| Threshold | Effect | Recommended Range |
|---|---|---|
| Flagging Threshold | Email is flagged (header, subject prefix) | 5–15 |
| Blocking Threshold | Email is blocked or moved to quarantine | 20–30 |
Actions on Flagging
- Set Header: `X-Conbool-Flag: YES` is set in the email header. The mail server can react to this.
- Modify Subject: A configurable prefix (e.g., `[SPAM]`) is prepended to the subject line.
- Alternative Delivery: Forward the email to a catch-all address (e.g., `spam@yourdomain.com`).
- Move to Quarantine: Email is moved directly to quarantine (mutually exclusive with header/subject marking).
Actions on Blocking
- Quarantine: The email is isolated; the recipient receives a quarantine notification.
- Rejection: The email is rejected (bounce to sender with an optional rejection template).
Protection Modules of a Policy
Each policy can activate the following modules:
1. Content Filter
Checks email content for suspicious terms and patterns.
| Setting | Description |
|---|---|
| Enabled | Enable/disable content filter |
| Action | Increase score, Quarantine, or Block |
| Score Delta | Points added to the spam score upon a match |
Filter Rules:
- Keyword Rules: List of spam words (e.g., "sweepstakes", "Bitcoin", "invoice overdue"). Each keyword has a position for prioritization.
- Regex Rules: Regular expressions for more complex patterns (e.g., `\b(?:paypal|amazo[n])\b` for phishing detection).
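The sketch below is an added example, not MailGuard's own code. It shows how a content filter match feeds the flagging and blocking thresholds, using the keyword and regex examples from this page. Case-insensitive matching, adding the Score Delta once per email, the `>=` comparison, and all names are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ContentFilter:
    keywords: list      # keyword rules, in position order
    regexes: list       # regex rules
    score_delta: float  # points added once when any rule matches (assumption)

    def matches(self, text):
        """Return the rules that fire on the text (case-insensitive: an assumption)."""
        lowered = text.lower()
        hits = [k for k in self.keywords if k.lower() in lowered]
        hits += [r for r in self.regexes if re.search(r, text, re.IGNORECASE)]
        return hits

def evaluate(text, base_score, cf, flag_at, block_at):
    """Add the content filter's Score Delta, then compare with both thresholds."""
    hits = cf.matches(text)
    score = base_score + (cf.score_delta if hits else 0)
    if score >= block_at:
        verdict = "block"
    elif score >= flag_at:
        verdict = "flag"
    else:
        verdict = "deliver"
    return score, verdict, hits

# Constructed policy: rules from this page, thresholds inside the recommended ranges.
CF = ContentFilter(
    keywords=["sweepstakes", "invoice overdue"],
    regexes=[r"\b(?:paypal|amazo[n])\b"],
    score_delta=8,
)

if __name__ == "__main__":
    for text, base in [("Your PayPal account is limited", 4),
                       ("paypalsupport notice", 4),   # \b prevents a match inside a longer word
                       ("Invoice overdue: amazon order", 18)]:
        print(text, "->", evaluate(text, base, CF, flag_at=10, block_at=25)[:2])
```

The second sample shows a limit of the example regex: the word boundaries mean a brand name embedded in a longer token is not matched.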
2. Header Protection
Analyzes email headers for manipulation attempts.
| Check | Description |
|---|---|
| Reply-To Mismatch | Detects when the Reply-To address does not match the sender (common in phishing) |
| Display Name Spoofing | Detects when the display name impersonates an internal employee |
| Homograph Domains | Detects look-alike domains using Unicode characters (e.g., сonbool.com instead of conbool.com) |
| Setting | Description |
|---|---|
| Enabled | Enable/disable header protection |
| Action | Increase score, Quarantine, or Block |
| Score Delta | Points added upon detected manipulation |
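The sketch below is an added example, not MailGuard's implementation. It shows one way the three checks in the table above can be expressed over a parsed message. The function names, the internal-name list, and the mixed-script heuristic used for homograph detection are assumptions; the sample message is constructed.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Return (display name, lowercase domain) of an address header."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()

def scripts_in(label):
    """Scripts of the letters in a domain label, read from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def header_findings(raw, internal_names, own_domain):
    """Return the list of header checks that fire for a raw message."""
    msg = message_from_string(raw)
    name, from_dom = domain_of(msg["From"])
    findings = []
    # Reply-To Mismatch: replies would go to a different domain than the sender's.
    if msg["Reply-To"]:
        _, reply_dom = domain_of(msg["Reply-To"])
        if reply_dom != from_dom:
            findings.append("reply-to-mismatch")
    # Display Name Spoofing: an internal employee's name on an external address.
    if name.lower() in internal_names and from_dom != own_domain:
        findings.append("display-name-spoofing")
    # Homograph Domains: one label mixing scripts, e.g. Cyrillic and Latin letters.
    if any(len(scripts_in(label)) > 1 for label in from_dom.split(".")):
        findings.append("homograph-domain")
    return findings

# Constructed sample: \u0441 is CYRILLIC SMALL LETTER ES, visually identical to Latin "c".
SAMPLE = (
    "From: Anna Keller <anna@\u0441onbool.com>\n"
    "Reply-To: anna.keller@mail.example\n"
    "Subject: Urgent transfer\n\nPlease reply today.\n"
)
CLEAN = "From: Anna Keller <anna@conbool.com>\nSubject: Minutes\n\nAttached.\n"

if __name__ == "__main__":
    print(header_findings(SAMPLE, {"anna keller"}, "conbool.com"))
    print(header_findings(CLEAN, {"anna keller"}, "conbool.com"))
```

Domains that arrive in punycode (`xn--`) form would need to be decoded to Unicode before the script check.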
3. Network & Geo Filter
Filters emails based on network origin.
IP Rules:
- IP Blocklist: Block individual IP addresses or ranges.
- IP Whitelist: Only accept from these IPs.
Domain Rules:
- Domain Blocklist: Block emails from specific domains.
- Match Scope: `Sender Domain`, `Header From Domain`, or `Reply-To Domain`.
Country Rules:
- Geo Filter: Block emails from specific countries (based on GeoIP lookup of the sender IP).
- Uses ISO country codes (e.g., `RU`, `CN`, `NG`).
4. Link Protection
Analyzes all links in the email for threats. See the separate documentation at Link Protection for full details.
Feature overview:
- URL resolution and redirect following
- Domain reputation checking
- QR code detection and defanging
- Login page detection (credential harvesting)
- URL shortener detection
- Tracking parameter detection and removal
- Click-time recheck (links are re-checked when clicked)
5. Attachment Filter
Checks file attachments for threats. Configurable per file category:
| Category | Example File Types | Available Actions |
|---|---|---|
| Office Files | .docx, .xlsx, .pptx | Increase score, Block, Remove attachments, Sanitize |
| Archives | .zip, .rar, .7z | Sanitize (unpack and inspect contents) |
| Scripts & Batch | .js, .vbs, .bat, .ps1 | Increase score, Block, Remove attachments |
| Executables | .exe, .dll, .msi | Increase score, Block, Remove attachments |
| HTML Files | .html, .htm | Increase score, Block, Remove attachments |
| PDF Files | .pdf | Increase score, Block, Remove attachments, Sanitize |
| Custom | Custom file types and filename patterns | Increase score, Block, Remove attachments |
Office-Specific Options:
- Macro detection and removal (toggle)
- Action on sanitization failure: Increase score, Remove attachments, or Block
PDF-Specific Options:
- Strip active content (scripts, forms)
- Remove external references
- Action on sanitization failure: Increase score, Remove attachments, or Block
Archive-Specific Options:
- Archive inspection (unpack ZIP/RAR and check contents)
- Maximum unpacking depth (1–50, default: 5)
- Action when depth is exceeded: Increase score, Allow, Remove attachments, or Block
- Action on sanitization failure: Increase score, Remove attachments, or Block
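The sketch below is an added example, not MailGuard's code. It shows archive inspection with a maximum unpacking depth, using the page's default of 5 and counting the outer archive as depth 1 (an assumption). The blocked-extension list is taken from the table above; the function names and the nested test archive are constructed.

```python
import io
import zipfile

BLOCKED_EXT = (".exe", ".dll", ".msi", ".js", ".vbs", ".bat", ".ps1")

def inspect_archive(data, max_depth=5, depth=1):
    """Walk a ZIP recursively; return (blocked member names, depth_exceeded)."""
    blocked, exceeded = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(BLOCKED_EXT):
                blocked.append(info.filename)
            elif name.endswith(".zip"):
                if depth >= max_depth:
                    exceeded = True  # stop unpacking; the policy decides the action
                    continue
                inner, inner_exceeded = inspect_archive(
                    zf.read(info), max_depth, depth + 1)
                blocked += inner
                exceeded = exceeded or inner_exceeded
    return blocked, exceeded

def nested_zip(levels, payload_name="invoice.exe"):
    """Build a constructed test archive: a dummy payload wrapped in `levels` ZIP layers."""
    data, name = b"constructed-placeholder-bytes", payload_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data

if __name__ == "__main__":
    print(inspect_archive(nested_zip(3)))  # payload found within the depth limit
    print(inspect_archive(nested_zip(7)))  # limit reached before the payload is seen
```

In the second case the inner file is never examined, so the outcome depends entirely on the configured action when depth is exceeded.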
Custom Rules:
- File Type Rules: Custom rules based on file extensions (e.g., `.scr`, `.cab`).
- Filename Patterns: Custom rules based on filename patterns (e.g., `*.scr`, `invoice_*.exe`).
6. Quarantine Integration
Configures how emails in quarantine are handled.
| Setting | Description |
|---|---|
| Quarantine Enabled | Enable/disable quarantine for this policy |
| Sender Address | From address for quarantine notifications |
| Subject | Subject line of the quarantine notification |
| HTML Template | Custom notification template with placeholders |
| Admin Release Threshold | Maximum score up to which users can release emails themselves |
| Delivery Mode | notify (notification via email) or portal_only (portal only) |
Rejection Template: When an email is blocked (not quarantined) by the policy, a rejection notification can be sent to the sender:
- Rejection Subject: Subject line of the rejection email.
- Rejection HTML Template: Custom template with rejection information.
Policy Priority
Policies are assigned via routing rules. When multiple policies apply to an email, the policy with the highest priority (lowest index) is applied.
Required Permissions
- View: Owner, Operator, Analyst, Auditor
- Configure: Owner, Operator