Policies

What Are MailGuard Policies?

A policy is a comprehensive set of rules that determines how inbound emails are analyzed and scored. Each policy combines multiple protection modules — from spam detection to link analysis to attachment filtering — and defines thresholds and actions for different threat levels.

A tenant can have multiple policies that are applied to specific senders, recipients, or domains via routing rules.

Creating a Policy

1. Navigate to MailGuard > Policies.
2. Click + to create a new policy.
3. Configure the modules (see below).
4. Save the policy.

General Settings

Scoring & Thresholds

Each email is assigned a spam score. The higher the score, the more likely it is a threat. You configure two thresholds:

Actions on Flagging

• Set Header: X-Conbool-Flag: YES is set in the email header. The mail server can react to this.
• Modify Subject: A configurable prefix (e.g., [SPAM]) is prepended to the subject line.
• Alternative Delivery: Forward the email to a catch-all address (e.g., spam@yourdomain.com).

Actions on Blocking

• Quarantine: The email is isolated; the recipient receives a quarantine notification.
• Rejection: The email is rejected (bounce to sender with an optional rejection template).

Protection Modules of a Policy

Each policy can activate the following modules:

1. Content Filter

Checks email content for suspicious terms and patterns.

Filter Rules:

• Keyword Rules: List of spam words (e.g., "sweepstakes", "Bitcoin", "invoice overdue"). Each keyword has a position for prioritization.
• Regex Rules: Regular expressions for more complex patterns (e.g., \b(?:paypal|amazo[n])\b for phishing detection).

2. Header Protection

Analyzes email headers for manipulation attempts.

3. Network & Geo Filter

Filters emails based on network origin.

IP Rules:

• IP Blocklist: Block individual IP addresses or ranges.
• IP Whitelist: Only accept from these IPs.

Domain Rules:

• Domain Blocklist: Block emails from specific domains.
• Match Scope: Exact (only the domain) or Subdomain (including all subdomains).

Country Rules:

• Geo Filter: Block emails from specific countries (based on GeoIP lookup of the sender IP).
• Uses ISO country codes (e.g., RU, CN, NG).

4. Link Protection

Analyzes all links in the email for threats. See the separate documentation at Link Protection for full details.

Feature overview:

• URL resolution and redirect following
• Domain reputation checking
• QR code detection and defanging
• Login page detection (credential harvesting)
• URL shortener detection
• Tracking parameter detection and removal
• Click-time recheck (links are re-checked when clicked)

5. Attachment Filter

Checks file attachments for threats. Configurable per file category:

Office-Specific Options:

• Macro detection and removal
• OOXML sanitization (Office Open XML)
• Legacy format sanitization (.doc, .xls)
• Relationship parsing (embedded content)

PDF-Specific Options:

• Active content detection (scripts, forms)
• Removal of external references
• PDF object analysis
• Full PDF sanitization

Archive-Specific Options:

• Archive inspection (unpack ZIP/RAR and check contents)
• Maximum unpacking depth (default: 5)
• Action when depth is exceeded

Custom Rules:

• MIME Type Rules: Custom rules based on MIME types (e.g., application/x-msdownload).
• Filename Rules: Custom rules based on filename patterns (e.g., *.scr, invoice_*.exe).

6. Quarantine Integration

Configures how emails in quarantine are handled.

Rejection Template: When an email is blocked (not quarantined) by the policy, a rejection notification can be sent to the sender:

• Rejection Subject: Subject line of the rejection email.
• Rejection HTML Template: Custom template with rejection information.

Policy Priority

Policies are assigned via routing rules. When multiple policies apply to an email, the policy with the highest priority (lowest index) is applied.

Required Permissions

• View: guardian.read (Analyst, Auditor, Operator, Owner)
• Configure: mailguard.manage (Operator, Owner)