Features
From the LightGBM classifier and Claude LLM evaluation at the core, out through the live console, daily digest, allow/block rules, REST API and Prometheus metrics — every capability you'd expect from an enterprise email gateway, organised so you can find them.
The differentiator
Every feature in this page sits around two capabilities most competing products don’t have together: a real-time ML classifier trained on a live honeypot corpus, and Claude reading the messages that classifier isn’t sure about.
in-process · 3.4 ms median
Gradient-boosted decision-tree ensemble. ~120 features across envelope, headers, body, URLs, attachments and reputation. AUC 0.988. Trained on a continuously-updated honeypot corpus — fresh attacks within hours, not quarterly refreshes.
borderline mail · ~5% of volume
When the classifier scores in the uncertain band (0.50–0.95), Claude reads the body. It evaluates intent, urgency, impersonation, lookalike-domain references and call-to-action structure — producing a verdict plus a written reason logged with the message.
No customer mail is used for training.
Category 01
Every signal that contributes to a verdict, with the layer it runs in.
“The message asks the finance team to act urgently on an invoice from a domain that closely resembles a known supplier but is not a match. Pressure language plus domain similarity is a common pattern for invoice-redirection fraud.”
In-process gradient-boosted classifier. ~120 features. AUC 0.988. Median 3.4 ms.
Anthropic’s LLM reads borderline messages (0.50–0.95) and returns a verdict plus a written reason.
zen.spamhaus, sorbs, cbl.abuseat, mailspike, psbl.surriel — queried in parallel at connect time.
Body URLs cross-referenced against multi.uribl.com, multi.surbl.org, dbl.spamhaus.org.
Every attachment scanned, including archives. Macro-bearing documents and HTML smuggling are scored heavily.
policyd-spf, opendkim, opendmarc — full standards enforcement and alignment checking.
list.dnswl.org bypass for high-reputation senders so banks and trusted brands aren’t false-positived.
Rolling 7-day ham/spam ratio per domain in Redis. Trusted senders score lower automatically.
Mark a sender as good once; future mail from the registrable domain gets a score discount for 30 days.
Homoglyph attacks, doubled letters, ccTLD swaps. Detected at envelope, From and Reply-To.
Recognises bulk-mailer envelopes. No false positives on Mailchimp, Shopify, transactional senders.
Different sensitivity per domain. Strict on accounts@, lenient on marketing@.
30 conn/min, 60 msg/min, 100 rcpt/msg per source. Caps abuse without blocking legitimate spikes.
RFC 2047 encoded-word headers decoded for readable display: emoji, non-Latin scripts, all rendered.
Every verdict shows which signals contributed and by how much. No black box.
Disagree with a verdict? One click releases the message and adds an allow rule. Audit-logged.
Category 02
A single web app per customer. Live feed of every verdict, a quarantine you can search and act on, and a daily digest email that doesn’t need anyone to log in.
Verdicts stream into the dashboard as they happen. Filter by domain, recipient, verdict, or score.
Browse, search, sort by date, sender, score. 30-day retention by default, configurable 0–365.
No drilling into details. Common actions are one click from the list view. Audit-logged either way.
When Claude was involved, its written reason for the verdict is visible inline. You can agree or override.
600px mobile-first HTML. Lists quarantined mail with one-click Release / Delete / Allow buttons.
Per-user delivery time, frequency, recipient filter. Or disable entirely if you live in the console.
Optionally deliver borderline mail with a [SPAM] prefix instead of quarantining. Per-domain.
Mailing-list detection (📬) with one-click unsubscribe in the digest. RFC 8058 + RFC 2369.
Quarantined mail auto-purged after 30 days by default. Configurable 0–365 per deployment. Cron at 04:00.
Full dashboard works on phone and tablet. Digest emails optimised for mobile inbox.
Hello finance@yourcorp.uk, MxGuard quarantined the following messages for you today.
View all in the MxGuard console · manage your digest preferences
Category 03
A gateway is only as good as the mail it lets through. MxGuard preserves the full authentication chain so downstream receivers trust forwarded mail.
RFC 8617 compliant. Preserves DKIM/SPF/DMARC results through forwarding. Compatible with mailing lists and aliases.
opendkim signs all forwarded mail. Per-domain keys, automatic key publication via DNS helper.
opendmarc honours the sender’s DMARC policy (none/quarantine/reject) with strict alignment.
Probes your backend at SMTP time to reject unknown addresses, eliminating backscatter on bad recipients.
Backend probes are cached so spam to non-existent recipients is rejected locally without hammering your server.
AuthservID set to mx1.mxguard.uk. Full results stamped into the headers for downstream filters to consume.
Opportunistic TLS inbound and outbound. Let’s Encrypt certificates with automatic renewal.
Each MX node maintains its own outbound queue. A slow backend on one customer doesn’t stall another’s mail.
If your backend is briefly unavailable, Postfix queues and retries on the standard schedule. No mail lost.
Category 04
Customers add domains, configure rules, set thresholds and manage their own data without support tickets.
| Type | Match | Scope | Hits |
|---|---|---|---|
| ALLOW | *@stripe.com | domain | 142 |
| ALLOW | cfo@trusted-co.com | recipient | 28 |
| BLOCK | *@compaany-co.net | global | 7 |
| BLOCK | 45.225.135.0/24 | CIDR | 3,201 |
| ALLOW | newsletter@*.legit-news.uk | wildcard | 61 |
Customers add their own domains, verify by DNS TXT record, point MX. No tickets needed.
Unlimited domains within a mailbox allocation. Per-domain stats, per-domain rules.
Four scope tiers: recipient, domain, customer-wide (all your domains), or global. Exact, wildcard, or CIDR matching for IPs and ranges. Mark-as-spam / mark-as-ham in the live feed creates rules in one click.
Counter and last-hit timestamp per rule. See which rules are doing work and which can be retired.
Optional expiry date on any rule. Useful for temporary allows during a one-off campaign.
Admin, user, view-only. Audit-logged. Customers can grant access to their own staff.
Per-domain verdict stats, top blocked senders, daily volume charts.
Override reject / quarantine / tag thresholds per domain. Strict on finance domains, relaxed on marketing.
Category 05
REST API, Prometheus metrics, exportable audit log. Wire MxGuard into the tools you already use.
Domain management, allow/block rules, verdict lookup, quarantine actions. JSON in, JSON out.
Per-customer API keys, scoped permissions, rotateable. Audit-logged on every call.
Native endpoint with per-domain verdict counters, ML latency histograms, queue depths.
Plug the metrics endpoint into your existing monitoring stack. Dashboards in minutes.
Every release, delete, label change, rule edit. Searchable, exportable as JSON or CSV.
12 pages, 5 categories, every endpoint with examples. Lives at app.mxguard.uk/help.
Built into the console. Feature requests, bug reports, votes on what ships next.
Optional outbound webhook on each verdict. Forward to SIEM, SOAR, ticketing systems.
# HELP mxguard_verdicts_total Total verdicts
# TYPE mxguard_verdicts_total counter
mxguard_verdicts_total{domain="yourcorp.uk",verdict="pass"} 14228
mxguard_verdicts_total{domain="yourcorp.uk",verdict="quar"} 312
mxguard_verdicts_total{domain="yourcorp.uk",verdict="reject"} 1841
# HELP mxguard_ml_latency_seconds Scoring latency
# TYPE mxguard_ml_latency_seconds histogram
mxguard_ml_latency_seconds_bucket{le="0.005"} 16127
mxguard_ml_latency_seconds_bucket{le="0.010"} 16380
mxguard_ml_latency_seconds_sum 55.84
mxguard_ml_latency_seconds_count 16381
# HELP mxguard_llm_calls_total Claude evaluations
# TYPE mxguard_llm_calls_total counter
mxguard_llm_calls_total{verdict="quar"} 287
mxguard_llm_calls_total{verdict="pass"} 612
Scrape with your existing Prometheus · drop into Grafana
Category 06
UK-hosted infrastructure designed for redundancy from the SMTP layer down to the cache.
All processing and storage in the United Kingdom. No cross-border data transfer.
UK-based data controller, defined retention policies, audit trail, DSAR support, no customer data used for training.
Multiple active SMTP nodes behind DNS MX priority. Drain any node for maintenance with zero downtime.
Primary + hot-standby with streaming replication. Automatic failover. Reads can be served from the replica.
Reputation, verify and rate-limit data live in a 3-node Redis cluster. Single-node failure cannot stall scoring.
Per-node health checks; failed nodes are removed from the MX rotation automatically.
No hardware to deploy, no software to install. Set up via DNS in minutes.
New ML model revisions and console features ship continuously without customer-side changes.
Built and run by an independent UK ISP trading since 1993. Brighton-based, UK-staffed.
For the full architecture and pipeline detail, see how it works →
Comparison
A modern alternative to legacy stacks and overpriced enterprise suites.
| Feature | MxGuard | eFa / SpamAssassin | Enterprise suites |
|---|---|---|---|
| ML-based scoring | ✓ | — | ✓ |
| LLM evaluation on borderline mail | ✓ | — | Some |
| Trained on live honeypot corpus | ✓ | — | Varies |
| Sub-5 ms ML scoring | ✓ | — | — |
| Transparent score breakdown | ✓ | — | — |
| Written reasoning per verdict | ✓ | — | — |
| Customer self-service portal | ✓ | — | ✓ |
| Live verdict feed dashboard | ✓ | — | — |
| ARC sealing through forwarding | ✓ | Partial | ✓ |
| Native Prometheus /metrics | ✓ | — | — |
| REST API for everything | ✓ | — | ✓ |
| UK-hosted & supported | ✓ | Depends | — |
| No capital investment | ✓ | — | Sometimes |
| SMB-friendly pricing | ✓ | ✓ | — |
| Month-to-month billing | ✓ | N/A | — |