Cleanbox
Features Blog Pricing Developers
Sign in Start free trial

What happens when you receive an email?

Every inbound email goes through a fixed series of checks before it is delivered, forwarded, quarantined, or rejected. This article describes exactly what happens in each situation — and what the sender sees.

You can use Cleanbox in two ways:

  • Regular mailbox or alias — you receive mail in a mailbox that is filtered by Cleanbox; delivery goes straight into the correct folder of your mailbox.
  • Relay (MX protection) — Cleanbox sits in front of your own mail server, filters all inbound mail, and only forwards the clean messages to your server.

Processing is nearly identical for both. Relay has a few extra checks (virus scan, IP reputation, and authentication rules), because it sees the sending server directly. Those extra steps are marked below with Relay only.

How to read the outcomes
The sending mail server always receives one of three types of response:

  • Accepted — the message has been accepted. Whether it then ends up in your inbox, in quarantine, or in a queue is invisible to the sender.
  • Temporarily rejected — something temporary is going on; the sending server will automatically retry later. Nothing is lost.
  • Permanently rejected — the message is refused and the sender receives an error (bounce).

At the door — what happens before the content is examined

Before Cleanbox analyzes a message’s content (spam filter, AI, and for Relay also virus scan), it first passes a number of quick checks “at the door.” The goal: stop abuse early, avoid wasting processing and storage on undeliverable or redundant mail, and keep your message list clean. A message that fails here costs no further processing and does not appear in your list.

1. Connection behavior

As soon as a sending server connects, Cleanbox checks whether it behaves properly:

  • Servers that open an excessive number of connections in a short time are throttled.
  • Servers that repeatedly try non-existent addresses — a sign of address guessing, widely used by spammers — are blocked.

Why at the door? This behavior belongs to botnets and spam campaigns. By blocking such servers immediately, Cleanbox protects the service before a single message is even read.

2. Does the recipient exist?

Cleanbox checks whether the address (mailbox, alias, or relay address) exists and is active:

  • Address does not exist or is inactivepermanently rejected. The sender gets an “unknown mailbox” error.
  • Weekly limit of your account reachedtemporarily rejected; the sending server will retry later.
  • Address exists and is active → on to the basic checks.

Why at the door? There is no reason to accept mail for an address that does not exist or has reached its limit — you reject it directly so the sender knows where they stand.

3. Basic message checks

Once the message arrives, a few quick checks run on the message itself:

  • Invalid sender — if the message has no valid sender address (a “From” without a real email format), it is technically unprocessable — and almost always junk. → permanently rejected.
  • Oversized message — messages above the maximum size (25 MB) → permanently rejected.
  • Duplicate — Cleanbox recognizes identical messages and refuses redundant copies so you don’t see the same mail dozens of times. This happens in two ways:
    • Within 15 minutes — if exactly the same message arrives again within fifteen minutes, the copy is refused. This catches double deliveries (whether the message is spam or not).
    • Up to 30 days after a previous rejection — if identical content was already rejected before (for example, spam sent in waves), every new copy is immediately refused again for up to 30 days.
    In both cases, the copy is permanently rejected and not re-evaluated, stored, or shown in your list. Only the first in such a series goes through normal processing; the repeats disappear silently.

Why at the door? An unprocessable or already-seen message doesn’t need to go through the expensive analysis (spam filter, AI, virus scan) and storage. This saves processing and keeps your message list clean — you won’t see the same mail dozens of times.


Processing

If the message passes through the door, its content is processed. For a regular mailbox and for Relay this works the same, except for the Relay only parts.

Step 1 — Analysis

Cleanbox first gathers all signals about the message:

  • Spam score — a comprehensive spam filter (based on Rspamd) evaluates hundreds of characteristics and assigns a score. The higher the score, the more suspicious.
  • AI check — an AI model evaluates every message as spam or legitimate. That verdict contributes to the spam score — spam raises it, legitimate lowers it — and the brief explanation appears in the message header (X-Cleanbox-Explanation).
  • Relay only — Virus scan (ClamAV) — the full message and attachments are scanned for viruses and malicious content.
  • Relay only — IP reputation (DNSBL) — the IP address of the sending server is checked against international reputation lists (DNS blacklists, such as Spamhaus).
  • Relay only — Authentication signals — individual signals like a failed SPF, DKIM, or DMARC check are detected.

Step 2 — The decision

The checks are weighed in a fixed priority order; the first one that triggers determines the outcome.

1. Virus — Relay only

Did the virus scan find something? → the message is immediately and always permanently rejected, before any other check. There is no exception to this — even a whitelisted sender cannot bypass it. The message is not forwarded and not quarantined.

2. Blocked contact

Is the sender on your block list? → the message is rejected (refused on policy). The sender gets an error.

3. Shield (if enabled)

  • Gatekeeper — if the sender is not on your approved list, the message is accepted but not placed in your inbox; it is held for review among your blocked messages. From there you can manually deliver or forward it, and approve the sender so their future messages arrive directly. (Approving a sender does not automatically deliver a message that was already held — you release that one yourself.)
  • Limiter — has this sender reached their maximum number of messages within the configured period? → temporarily rejected; the sending server retries later.

4. Spam (and for Relay: IP reputation + authentication rules)

Evaluated in this order:

  • Spam score ≥ reject thresholdpermanently rejected. The sender gets an error that the message was refused as spam.
  • Relay only — IP reputation (DNSBL) — is the IP address on a configured blacklist with a block classification? → permanently rejected. Not every listing blocks: informational or policy codes can be deliberately ignored; only “block” codes lead to rejection.
  • Relay only — Spam Symbol Rules — have you set an authentication signal (e.g. “DKIM failed,” “SPF failed,” or “DMARC rejected”) to always block and does it trigger? → permanently rejected, regardless of the total spam score. This is an on/off choice per signal; there is no quarantine middle ground.
  • Quarantine threshold ≤ spam score < reject threshold → the message goes to quarantine.
  • Spam score < quarantine threshold → the message passes the spam check.

If you don’t set a reject threshold, messages are never rejected on spam score; if you don’t set a quarantine threshold, messages are never quarantined on spam score.

A whitelisted sender skips this entire step (spam, and for Relay also DNSBL and authentication rules). Virus and your own filters still apply.

5. Filters (your own rules)

The first matching filter determines the action. A filter can:

  • reject the message (the sender gets an error), or
  • forward the message to another address, or
  • (mailbox only) place the message in a specific folder or mark it (read / flagged). For Relay, folder and marking do not apply because delivery goes to your own mail server.

6. Contact preferences

Whitelist, mute, and priority determine how (and whether) the message is delivered — see Contact preferences for what each preference skips exactly.

7. Quarantine

Did the spam score fall in the quarantine zone (step 1)? Then the message is stored separately instead of being delivered or forwarded. The sending server received a normal confirmation that the message was accepted — it waits until you review it and optionally release it.

8. Delivery window (Snoozer, if enabled)

Does the message fall outside your configured delivery times? Then it is accepted but held and automatically delivered at the next window time. (Whitelisted and priority senders skip this and arrive immediately.)

No check triggered? → the message is delivered (mailbox) or forwarded (Relay).

Step 3 — Delivery or forwarding

  • Mailbox — the clean message is placed in the correct folder of your mailbox: your default folder, or a folder chosen by one of your filters. Markings (read, flagged) and forward actions are applied.
  • Relay — the clean message is forwarded to your own mail server.

If delivery fails at that moment (a temporary issue, or your own server is briefly unreachable), nothing is lost: for a mailbox, the sending server is asked to try again later, as it would for any temporary delivery issue. For Relay, Cleanbox holds the message in a queue and automatically retries shortly after — the original sender notices nothing because the message was already accepted.

Relay only — Safety first. If Cleanbox cannot evaluate a message due to an internal issue, the sending server is asked to reoffer it later (temporarily rejected) — instead of forwarding an unchecked message to your server. This way no mail is ever lost, and unchecked mail never reaches your server.

Relay only — Bounces. If your own server later returns an error (for example because a mailbox doesn’t exist), Cleanbox recognizes the bounce and routes it back to the original sender. To achieve this, the sender address is safely rewritten during forwarding (using the SRS standard) so that return messages always come back through Cleanbox.


Settings you control

These settings steer the decision and apply (unless noted otherwise) to both modes of use.

Contact preferences

Per sender you set a preference. Important: virus (Relay) and your own filters always apply, regardless of the preference. Markings (read / flagged) only apply in mailbox mode.

  • Whitelist — trusted sender: the spam check and Shield are skipped (and for Relay also the DNSBL and authentication rule checks), and the Snoozer is skipped so mail arrives immediately.
  • Block — always reject (permanently rejected).
  • Mute — the message is delivered but automatically marked as read. It skips Shield; the spam check still applies (a message with a high spam score can still end up in quarantine or be rejected).
  • Priority — the message is delivered and marked as important. It skips Shield and the Snoozer (arrives immediately, even outside your delivery window); the spam check still applies.
Preference Spam check Shield Snoozer Delivery
Whitelistskippedskippedskippednormal
Muteappliesskippedappliesmarked as read
Priorityappliesskippedskippedflagged as important
Blockrejected

Virus (Relay) and your own filters apply in all cases.

Shield

Extra protection rules per address:

  • Gatekeeper — only approved senders arrive directly; messages from unknown senders are held among your blocked messages for manual review. Approving a sender lets their future messages through — it does not release the held message.
  • Limiter — limit how many messages a sender may send within a period.
  • Snoozer — set delivery windows (for example business hours); outside those times mail is held and delivered later.

Filters

Your own rules that match messages by sender, subject, content, category, and more, and reject, place in a folder, mark, or forward them. The first matching filter wins. (Folder and marking only apply in mailbox mode.)

Spam thresholds

Per address you configure at what spam score a message goes to quarantine (quarantine threshold) and at what score it is fully rejected (reject threshold).

Spam Symbol Rules (Relay only)

Choose individual authentication signals (such as failed DKIM, SPF, or DMARC) that you want to always block, regardless of the total spam score.

The door checks (connection behavior, valid sender address, message size, and duplicate detection) are always on and cannot be configured per address — they protect the entire service.


Overview of all outcomes

Outcome What happens What the sender sees
Delivered / forwardedMessage placed in your mailbox or sent to your server.Accepted.
QuarantineSuspicious spam score — stored separately for your review.Accepted.
Held for reviewGatekeeper: sender not on approved list — held among blocked messages for you to manually deliver or forward.Accepted.
DeferredOutside delivery window — automatically delivered later.Accepted.
QueuedYour own server (Relay) was briefly unreachable — will be retried.Accepted.
Silently suppressedDuplicate of a message you just received or that was previously rejected — does not appear (again) in your list.Permanently rejected (error).
Temporarily rejectedToo many connections, too many invalid attempts, limit reached, account full, or internal issue.Error; sending server retries later.
Permanently rejectedVirus, spam score too high, blacklist (DNSBL), authentication rule, blocked contact, unknown address, invalid sender, oversized message, or duplicate.Error (bounce).

Frequently asked questions

What does “rejected at the door” mean?

That a message is stopped before Cleanbox analyzes its content — for example because the sending server misbehaves, the address doesn’t exist, the sender has no valid address, the message is too large, or it’s an exact copy of something you just received. This avoids wasting processing and storage on mail that wouldn’t get through anyway.

Why don’t I see the same (spam) mail over and over?

Cleanbox recognizes duplicates: if exactly the same content arrives within 15 minutes again, or that content was rejected in the past 30 days, the copies are rejected at the door. Only the first goes through normal processing; the rest do not appear in your list. This keeps your overview clean, even when spam is sent in waves.

My message was rejected for an “invalid sender” — how?

The sender address (“From”) didn’t have a valid email format. A valid message always has a real sender address; if it’s missing, Cleanbox cannot process it and the message is rejected. This happens almost exclusively with misconfigured senders and spam.

I whitelisted a sender — does everything from them get through?

Not quite. Whitelist skips the spam check and Shield (and for Relay also DNSBL and authentication rules), but a virus is still blocked and your own filters still apply. So if you have a filter that rejects or moves the sender, it works even for a whitelisted sender.

What does “mute” do exactly?

A muted sender is delivered but automatically marked as read. Note: the spam check still applies — if a message scores high, it can still end up in quarantine or be rejected.

Is a virus always blocked?

Yes. For Relay, the virus scan is the very first check and has no exceptions — even a whitelisted sender cannot bypass it. The infected message is permanently rejected and never forwarded or quarantined.

What’s the difference between quarantine and reject?

With reject, the message is refused and the sender gets an error. With quarantine, the message is accepted but stored separately so you can review it and optionally release it — it doesn’t (yet) reach your inbox.

What is a DNSBL?

A DNS blacklist: an international reputation list of IP addresses known as sources of spam or abuse. For Relay, Cleanbox checks the sending server against such lists. Only listings classified as “block” lead to rejection; informational listings can be deliberately ignored.

A legitimate sender is rejected on an authentication rule (e.g. DKIM) — can that happen?

Yes. Authentication rules block hard as soon as the signal triggers. DKIM, SPF, or DMARC can also fail for legitimate mail (for example with forwarded messages or newsletters). If you still want to receive such a sender, disable the rule in question or whitelist the sender.

Why did I receive a message late?

Probably Snoozer is enabled and the message arrived outside your delivery window. It was automatically delivered at the next window time. (Whitelisted and priority senders skip the Snoozer and arrive immediately.)

Can I lose mail during an outage?

No. For a regular mailbox, Cleanbox lets your mail through when in doubt. For Relay, the sending server is asked to retry later in such a case — so nothing is lost and unchecked mail is never forwarded.

Why do virus scan, IP reputation, and authentication rules only apply to Relay?

With Relay, Cleanbox sits as a protection layer in front of your own mail server and sees the sending server directly. This allows extra checks to be applied that are not available for a regular Cleanbox mailbox.