SecureAgentMail

Policies

Configure outbound policies for domain restrictions, rate limits, keyword filters, and PII redaction.

Policies are configurable rules that enforce security constraints on outbound email. They are evaluated every time an agent sends a message through SecureAgentMail (L3+ inboxes).

Policy types

Domain allowlist

Restrict which domains your agent can send to. Messages to unlisted domains are rejected.

{
  "name": "Approved domains only",
  "type": "domain_allowlist",
  "config": {
    "domains": ["example.com", "partner.org", "*.internal.co"]
  },
  "enabled": true
}

Domain blocklist

Block specific domains. Useful for preventing replies to competitor or known-bad domains.

{
  "name": "Block competitors",
  "type": "domain_blocklist",
  "config": {
    "domains": ["competitor.com", "phishing-domain.xyz"]
  },
  "enabled": true
}

Rate limiting

Cap the number of outbound emails per time window to prevent spam or runaway agents.

{
  "name": "Send rate limit",
  "type": "rate_limit",
  "config": {
    "max_per_hour": 50,
    "max_per_day": 500
  },
  "enabled": true
}

Keyword filter

Block messages containing sensitive terms. Supports exact match and regex patterns.

{
  "name": "Block sensitive content",
  "type": "keyword_filter",
  "config": {
    "keywords": ["confidential", "internal only"],
    "patterns": ["\\b\\d{3}-\\d{2}-\\d{4}\\b"]
  },
  "enabled": true
}

PII redaction

Automatically redact personally identifiable information from outbound messages. Available on Startup plan and above.

{
  "name": "Redact PII",
  "type": "pii_redaction",
  "config": {
    "redact_emails": true,
    "redact_phone_numbers": true,
    "redact_ssn": true,
    "redact_credit_cards": true
  },
  "enabled": true
}

Managing policies

List all policies

# API
curl https://secureagentmail.com/api/v1/policies \
  -H "Authorization: Bearer $SAM_API_KEY"

# CLI
sam policies list

Policy evaluation order

Policies are evaluated in this order:

  1. Rate limits — checked first to fail fast
  2. Domain allowlist/blocklist — recipient validation
  3. Keyword filters — content scanning
  4. PII redaction — content transformation (does not reject, only modifies)

If any policy rejects the message, evaluation stops and the message is returned with status: "rejected" and zero credits consumed.
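The evaluation order above, sketched as a local evaluator you can use to reason about a policy set before deploying it. This is an added example, not SecureAgentMail's own code. The wildcard semantics, case-insensitive keyword matching, caller-supplied send counters, the `[REDACTED]` marker and the `"accepted"` status are all assumptions; only the config shapes, the order and `"rejected"` come from this page.

```python
import re

# Order from "Policy evaluation order"; allowlist-before-blocklist is an assumption.
ORDER = ["rate_limit", "domain_allowlist", "domain_blocklist", "keyword_filter", "pii_redaction"]
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # same pattern as the keyword_filter sample
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # constructed, simplified

def domain_matches(domain, pattern):
    # Assumed semantics: "*.internal.co" covers subdomains only, on a label
    # boundary, so "notinternal.co" and the apex "internal.co" do not match.
    d, p = domain.lower().rstrip("."), pattern.lower()
    return d.endswith(p[1:]) if p.startswith("*.") else d == p

def evaluate(msg, policies, sent_hour=0, sent_day=0):
    """First rejecting policy stops evaluation; redaction only rewrites the body."""
    body, domain = msg["body"], msg["to"].rsplit("@", 1)[-1]
    inf = float("inf")
    active = [p for p in policies if p.get("enabled")]
    for p in sorted(active, key=lambda p: ORDER.index(p["type"])):
        cfg, kind, reject = p["config"], p["type"], False
        if kind == "rate_limit":  # counters are supplied by the caller (assumption)
            reject = (sent_hour >= cfg.get("max_per_hour", inf)
                      or sent_day >= cfg.get("max_per_day", inf))
        elif kind == "domain_allowlist":
            reject = not any(domain_matches(domain, d) for d in cfg["domains"])
        elif kind == "domain_blocklist":
            reject = any(domain_matches(domain, d) for d in cfg["domains"])
        elif kind == "keyword_filter":  # case-insensitive keywords (assumption)
            reject = (any(k.lower() in body.lower() for k in cfg.get("keywords", []))
                      or any(re.search(rx, body) for rx in cfg.get("patterns", [])))
        elif kind == "pii_redaction":
            if cfg.get("redact_ssn"):
                body = SSN.sub("[REDACTED]", body)
            if cfg.get("redact_emails"):
                body = EMAIL.sub("[REDACTED]", body)
        if reject:
            return {"status": "rejected", "body": None, "reason": p["name"]}
    return {"status": "accepted", "body": body, "reason": None}  # "accepted" is assumed

POLICIES = [  # constructed sample set, deliberately listed out of order
    {"name": "Redact PII", "type": "pii_redaction", "enabled": True,
     "config": {"redact_ssn": True, "redact_emails": True}},
    {"name": "Approved domains only", "type": "domain_allowlist", "enabled": True,
     "config": {"domains": ["example.com", "*.internal.co"]}},
    {"name": "Block sensitive content", "type": "keyword_filter", "enabled": True,
     "config": {"keywords": ["confidential"], "patterns": []}},
    {"name": "Send rate limit", "type": "rate_limit", "enabled": True,
     "config": {"max_per_hour": 50, "max_per_day": 500}},
]
```

If the SSN regex from the keyword filter sample is added to `patterns`, a message containing an SSN is rejected at step 3 and never reaches PII redaction, so decide per data type whether you want it blocked or redacted.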

Credit costs

  • List policies: 1 credit per API call
  • Create/update policy: 2 credits per change
  • Policy evaluation: No additional cost (included in the send operation)
  • Rejected messages: 0 credits
