Allow / block rules
Allow and block rules let you override the ML score for specific senders. Use these sparingly — the model usually gets it right. Rules are most useful for trusted internal vendors (allow) and known bad actors (block).
Rule scopes
Rules exist at three levels of specificity. More specific scopes win.
| Scope | Applies to | Configured at |
|---|---|---|
| Recipient | A single email address | (Coming soon — per-recipient UI) |
| Domain | All mail to one of your domains | Dashboard → click allow/block rules next to the domain |
| Global (admin only) | All mail, all customers | Admin → Global rules |
Allow vs block
Allow bypasses all scoring and delivers the message as clean. Use only for senders you fully trust and cannot afford to lose.
Block rejects the message at SMTP time with code 550. The sender gets an immediate bounce.
Warning: Allow rules currently
bypass SPF and DKIM checks. Don't allow-list domains you can't be sure
won't be spoofed (e.g. don't add microsoft.com as an allow —
anyone can send mail claiming to be from that domain).
Pattern syntax
Patterns are matched against the envelope-from address, the sender's domain, and the connecting client's IP — whichever fits the pattern shape.
| Pattern | Matches | Example |
|---|---|---|
| spammer@bad.example | Exact envelope address | Only mail from that one address |
| bad.example | Exact sender domain | Any mail from bad.example |
| @bad.example | Sender domain (alternate syntax) | Same as bare domain |
| .bad.example | Domain wildcard (subdomains too) | Matches mail.bad.example, x.bad.example |
| 192.0.2.10 | Exact client IPv4 | Only that connecting IP |
| 192.0.2.0/24 | CIDR network | Any IP in that /24 block |
| 10.0.0.0/8 | Larger CIDR | Entire RFC1918 10.x range |
Precedence
When a message arrives, MxGuard evaluates rules in this order:
- Recipient rules — most specific, checked first
- Domain rules — checked next
- Global rules — checked last
Within each scope, allow beats block. So if you have
a global block on gmail.com but a domain-level allow on
customer@gmail.com, the customer's mail still gets through.
Adding a rule
- Go to your dashboard, find the domain, click allow/block rules
- Choose allow or block
- Enter the pattern using one of the syntaxes above
- Optionally add a reason (shows up in rule lists, useful for documentation)
- Click add
Rules take effect within 60 seconds (rule cache TTL).
Common patterns
Allow your CRM:
action=allow pattern=mail.salesforce.com
Block a persistent spammer's IP range:
action=block pattern=185.220.100.0/22
Block all mail from a specific TLD (use with care):
action=block pattern=.top
(This would block x.top, foo.top, etc.)
Hit counts
Every time a rule matches a message, its hit counter increments and the last hit timestamp updates. Use this to spot rules that have outlived their usefulness — if a block rule hasn't fired in a year, you can probably retire it.