MxGuard Help — FAQ

FAQ

Why was a legitimate email quarantined?

Click the row in the feed to see the score breakdown. Common reasons:

  • URIBL hit — the body contained a URL on a public block list. Sometimes legitimate marketing emails get caught because they link to tracker domains that got listed.
  • No reverse DNS — the sending IP has no PTR record. Often misconfigured small mail servers.
  • Random-looking sender — gibberish_local fired on the envelope localpart.
  • High model score — the ML model picked up patterns associated with spam in the body text.

Release the message and the sender's domain gets a ham discount, so future mail from them is less likely to be quarantined.

What does no_rdns mean?

The connecting mail server's IP address has no reverse DNS (PTR) record. Legitimate mail servers always have rDNS; lack of it is a strong spam indicator. MxGuard adds +0.20 to the score and forces the verdict to reject when this happens.

What does gibberish_local mean?

The envelope-from address's local part (the bit before the @) looks structurally random — long, low vowel ratio, runs of consonants, or long digit sequences. Common in spammer-generated addresses.

MxGuard doesn't apply this to legitimate bulk-mailer VERP envelopes (Shopify's b3.HASH...@mailer3.shopifyemail.com, Mailchimp's bounce-XX_NN-user=domain@bnc.mailchimp.com, and many others). VERPs are detected by structural patterns and exempted.
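To make the heuristic concrete, here is an added illustration (not MxGuard's own code) of a gibberish_local check with a VERP exemption in front of it. The thresholds, the regexes approximating the two VERP shapes named above, and the sample addresses are all my assumptions, constructed for the example.

```python
import re

# Thresholds and patterns are illustrative assumptions; MxGuard's real
# cut-offs and VERP signatures are not published on this page.
LONG_LOCALPART = 20      # characters
MIN_VOWEL_RATIO = 0.20   # vowels / letters, only checked with >= 6 letters
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5,}")
DIGIT_RUN = re.compile(r"\d{6,}")

# Approximations of the two bulk-mailer VERP shapes the FAQ mentions:
#   Shopify:   b3.HASH@mailer3.shopifyemail.com
#   Mailchimp: bounce-XX_NN-user=domain@bnc.mailchimp.com
VERP_SHAPES = [
    (re.compile(r"b\d+\.[0-9a-f]{8,}"), "shopifyemail.com"),
    (re.compile(r"bounce-[^-@]+_[^-@]+-[^@=]+=[^@=]+"), "bnc.mailchimp.com"),
]


def is_verp(localpart: str, domain: str) -> bool:
    """True when the localpart has a known bounce-address shape on its mailer's domain."""
    return any(pat.fullmatch(localpart) and domain.endswith(suffix)
               for pat, suffix in VERP_SHAPES)


def gibberish_reasons(localpart: str) -> list:
    """Structural signals, in the FAQ's terms, that a localpart is machine-generated."""
    lp = localpart.lower()
    letters = [c for c in lp if c.isalpha()]
    reasons = []
    if len(lp) >= LONG_LOCALPART:
        reasons.append("long")
    if len(letters) >= 6 and sum(c in "aeiou" for c in letters) / len(letters) < MIN_VOWEL_RATIO:
        reasons.append("low_vowel_ratio")
    if CONSONANT_RUN.search(lp):
        reasons.append("consonant_run")
    if DIGIT_RUN.search(lp):
        reasons.append("long_digits")
    return reasons


def gibberish_local(envelope_from: str):
    """Return (fired, reasons) for an envelope-from address; VERPs are exempted first."""
    localpart, _, domain = envelope_from.rpartition("@")
    if is_verp(localpart, domain.lower()):
        return False, ["verp_exempt"]
    reasons = gibberish_reasons(localpart)
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample envelopes, not real traffic.
    for addr in ("john.smith@example.com", "xq7ztkvbn93qpwrm2hd@example.net",
                 "b3.7c9d2f4b8c1d3f5b2a@mailer3.shopifyemail.com",
                 "bounce-mc.us1_12345678.1234567-user=example.com@bnc.mailchimp.com"):
        print(addr, gibberish_local(addr))
```

The Shopify-shaped sample would trip both the length and vowel-ratio signals on its own, which is why the exemption has to run before the structural checks rather than after.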

My ML model score is low (0.10) but it's obviously spam — why?

The v2 model is trained on English/UK mail with around 34,000 examples. It's strong at obvious spam (gambling, phishing, malware) but can miss:

  • Cold B2B sales pitches — they often look stylistically like real business mail
  • Foreign-language marketing — the model was trained mostly on English
  • Newer spam patterns the model hasn't seen yet

Mark these as spam in the feed. The labels accumulate in the training corpus and the next model retrain (v3) will learn them.

How do I whitelist a sender?

Go to Dashboard → click allow/block rules next to your domain → Add a rule with action=allow. See Allow/block rules for pattern syntax.

For one-off ham, releasing a quarantined message from the same sender also acts as a soft allow (30-day −0.30 score discount on their registrable domain).

Why does the same sender keep getting quarantined even after I mark ham?

The ham discount applies to the sender's registrable domain, not the exact address. So marking news@em1538.currensea.com as ham will discount *.currensea.com, but not em1538.othersender.com.

If a different domain keeps coming through quarantine, mark a few of its messages as ham too — or add an explicit allow rule.

What's the difference between reject and quarantine?

Reject means MxGuard returned a 5xx SMTP error to the sending server. That server generates a bounce to the sender, so they know the mail wasn't delivered.

Quarantine means MxGuard accepted the message (SMTP 250) but held it for you to review. The sender thinks it was delivered.

Can I see exactly what triggered a score?

Yes — click the row in the live feed. The detail panel shows every score component: model_score, URIBL hits, reputation, attachments, threat feeds, heuristics, and ham/spam adjustments. You can see exactly which signals contributed.

Is mail content stored?

Quarantined messages are held in Postfix's hold queue until you act on them. Released messages pass through to your backend and aren't stored on MxGuard afterwards. Rejected messages aren't stored at all (they never made it past SMTP).

Subject lines and metadata for scanned messages are logged for 48 hours so the live feed has reasons/scores to display. Bodies of scanned messages are written to a training corpus log for the next model retrain — this only contains the body text used by the model, not attachments.

What happens if MxGuard goes down?

Sending servers typically keep retrying for 3–5 days when an MX is unreachable — that's standard SMTP behaviour. Brief outages don't lose mail. For longer outages, a secondary MX is on the roadmap.