
Relay verification token - prevent email bypass

When you use Relay, Cleanbox filters inbound email before forwarding it to your mail server. But unless you take extra steps, anyone who knows your server's IP address could bypass Cleanbox and send email directly to your server — skipping all spam filtering, virus scanning, and Shield protection.

The verification token prevents this.

How it works

Every Relay configuration in Cleanbox has a unique verification token — a 64-character hex string generated automatically when you set up Relay. When Cleanbox forwards a filtered email to your mail server, it injects a special header:

X-Cleanbox-Validation: your-token-here

You then configure your mail server to accept only messages that contain this header with the correct token value. Any email arriving without the header or with a different value (i.e., not coming through Cleanbox) is rejected.

Where to find your token

  1. Go to Relay in the Cleanbox dashboard
  2. Select your relay domain
  3. Scroll to the verification token section
  4. Copy the token value

Configuring your mail server

The configuration depends on your mail server software. Below are examples for common servers.

Postfix

Add a header check in /etc/postfix/main.cf:

header_checks = regexp:/etc/postfix/header_checks

Create /etc/postfix/header_checks:

/^X-Cleanbox-Validation: your-token-here$/ OK
/^X-Cleanbox-Validation:/ REJECT Invalid validation token

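These header checks only act on header lines that are present in a message, so on their own they cannot reject an email that lacks the header entirely. Add a default reject for emails without the header using a milter or policy service. The exact configuration depends on your Postfix setup.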

Nginx (as mail proxy)

Use the proxy_set_header directive to verify the header in your mail proxy configuration.

Custom application

If you handle email via a custom application or webhook, simply check for the X-Cleanbox-Validation header in the raw email and verify it matches your token before processing.
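
One way to do this check in Python, as an added example (not Cleanbox's code). The function name, the sample token and the sample messages are constructed for illustration. It assumes the application receives the raw message as bytes and accepts the message if any occurrence of the header carries the token.

```python
import hmac
import re
from email import policy
from email.parser import BytesParser

HEADER = "X-Cleanbox-Validation"
TOKEN_RE = re.compile(r"[0-9a-fA-F]{64}")  # the page describes a 64-character hex token


def has_valid_relay_token(raw_message: bytes, expected_token: str) -> bool:
    """True only if the header section carries the expected token."""
    # Refuse an empty or malformed configured token, so a blank setting
    # can never "match" a blank header.
    if not TOKEN_RE.fullmatch(expected_token):
        raise ValueError("expected_token must be a 64-character hex string")
    # Parse only the header section: a token line pasted into the body
    # must not count, which a plain substring search would get wrong.
    msg = BytesParser(policy=policy.default).parsebytes(raw_message, headersonly=True)
    expected = expected_token.encode("ascii")
    ok = False
    for value in msg.get_all(HEADER, failobj=[]):
        presented = str(value).strip().encode("utf-8", "replace")
        # Constant-time comparison; check every occurrence (assumption: the
        # page does not say how a pre-existing header of this name is handled).
        ok |= hmac.compare_digest(presented, expected)
    return ok


# Constructed sample data: placeholder token and messages, not real values.
SAMPLE_TOKEN = "ab" * 32
_HEAD = b"From: sender@example.org\r\nTo: you@example.com\r\nSubject: test\r\n"
VIA_RELAY = b"X-Cleanbox-Validation: " + SAMPLE_TOKEN.encode() + b"\r\n" + _HEAD + b"\r\nhello\r\n"
DIRECT = _HEAD + b"\r\nhello\r\n"
WRONG = b"X-Cleanbox-Validation: " + b"cd" * 32 + b"\r\n" + _HEAD + b"\r\nhello\r\n"
IN_BODY = _HEAD + b"\r\nX-Cleanbox-Validation: " + SAMPLE_TOKEN.encode() + b"\r\n"

if __name__ == "__main__":
    for name, raw in [("via relay", VIA_RELAY), ("direct", DIRECT),
                      ("wrong token", WRONG), ("token in body", IN_BODY)]:
        verdict = "accept" if has_valid_relay_token(raw, SAMPLE_TOKEN) else "reject"
        print(f"{name}: {verdict}")
```

Load the real token from your application's secret configuration rather than hard-coding it, and drop or quarantine any message for which the function returns False.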

Regenerating the token

If your token is compromised or you want to rotate it for security:

  1. Go to your Relay settings
  2. Click Regenerate token
  3. A new 64-character token is generated immediately
  4. Important: Update your mail server configuration with the new token immediately, otherwise legitimate email through Cleanbox will also be rejected

What happens without the token

If you do not configure token verification on your mail server, Relay still works — Cleanbox still filters and forwards your email. But your server accepts email from any source, meaning spammers can bypass Cleanbox entirely by sending directly to your server's IP address.

For maximum protection, always configure both:

  • MX records pointing to Cleanbox (so legitimate email is routed through Cleanbox)
  • Token verification on your mail server (so direct connections are rejected)

This ensures all inbound email passes through Cleanbox's spam detection, virus scanning, and your configured filters and Shield rules.