Security Levels
L1 through L4: layered security for agent inboxes, from basic receive to full lockdown.
Security Levels
Every SecureAgentMail inbox operates at a security level that determines what protections are active and what the inbox is allowed to do. Security levels are cumulative — each higher level includes everything from the levels below it.
Choose the level that matches your agent's risk profile. You can upgrade or downgrade at any time via the API or dashboard.
Overview
| Level | Name | Inbound | Outbound | AI Analysis | HITL |
|---|---|---|---|---|---|
| L1 | Receive Only | Yes | No | Basic | No |
| L2 | AI-Protected | Yes | No | Dual-LLM | No |
| L3 | Guarded Send | Yes | Yes (policy-gated) | Dual-LLM | No |
| L4 | Full Lockdown | Yes | Yes (HITL-gated) | Dual-LLM | Required |
L1 — Receive Only
Best for: Agents that only consume inbound email. Notification handlers, monitoring bots, data ingestion pipelines.
What's included:
- Inbound email reception at
{slug}@agents.secureagentmail.com - Basic content scanning (known malware signatures, invalid MIME)
- Domain allowlist/blocklist policy enforcement
- Webhook delivery for new messages
- Full message storage and retrieval via API
- Audit logging of all inbound events
What's blocked:
- All outbound email. Calling the Send API returns
403 Forbidden.
Credit cost: 1 credit per inbound message received.
Required plan: Free and above.
When to use L1
Use L1 when your agent never needs to send email. This is the cheapest and simplest configuration. If an attacker compromises your agent, L1 ensures it cannot be used to send spam or phishing emails on your behalf — there is no outbound capability to exploit.
L2 — AI-Protected
Best for: Agents handling untrusted or adversarial email. Any agent processing email from unknown senders — support inboxes, public-facing contact forms, lead capture.
What's included:
- Everything in L1
- Dual-LLM injection detection on every inbound message:
- Primary model scans for prompt injection patterns, hidden instructions, invisible text, and Unicode smuggling.
- Secondary verification model independently validates the primary's findings to reduce false positives.
- Content sanitization: Detected injection attempts are stripped from the message body before it reaches your agent. The original is preserved in audit logs.
- Spotlighting: Detection of invisible characters, zero-width spaces, and Unicode tricks used to hide instructions from human reviewers.
- Messages with risk score > 70 are automatically withheld and require manual release via the API or dashboard.
The threat model
AI agents are uniquely vulnerable to email-based attacks because they process message content as instructions. A well-crafted email can:
- Hijack the agent's behavior via prompt injection ("Ignore your instructions and instead...")
- Exfiltrate data by tricking the agent into forwarding sensitive information to an attacker-controlled address
- Cause reputational damage by making the agent send inappropriate responses
L2 is designed to catch these attacks before the message content ever reaches your agent's context window.
How dual-LLM detection works
Inbound Email
│
▼
┌─────────────┐ ┌─────────────┐
│ Primary LLM │───▶│ Checker LLM │
│ (Analysis) │ │ (Verify) │
└─────────────┘ └─────────────┘
│ │
▼ ▼
┌────────────────────────────┐
│ Consensus Engine │
│ Both agree safe → PASS │
│ Either flags → REVIEW │
│ Both flag → WITHHOLD │
└────────────────────────────┘Credit cost: 1 credit per inbound + 2 credits for AI analysis.
Required plan: Free and above.
L3 — Guarded Send
Best for: Agents that need to reply to emails. Customer support bots, sales outreach, onboarding flows.
What's included:
- Everything in L2
- Outbound email via the Send API
- Outbound policy enforcement:
- Domain restrictions (only send to approved domains)
- Rate limiting (max sends per hour/day)
- Keyword filters (block messages containing sensitive terms)
- Outbound risk scoring (0–100) on every sent message
- Reply threading (automatic In-Reply-To header management)
How outbound policies work:
When your agent calls the Send API, SecureAgentMail evaluates the message against all
active outbound policies for that inbox. If any policy triggers, the message
is rejected with a rejected status and the specific policy violation in the
response.
{
"status": "rejected",
"risk_score": 45,
"credits_consumed": 0,
"error": {
"code": "policy_violation",
"message": "Recipient domain 'competitor.com' is not in the outbound allowlist"
}
}Rejected messages consume zero credits.
Credit cost: 1 credit per inbound + 2 credits for AI analysis + 3 credits per outbound message.
Required plan: Developer ($50/mo) and above.
L4 — Full Lockdown
Best for: High-stakes agents in regulated industries. Healthcare (HIPAA), finance (SOC 2), legal. Any scenario where an unsupervised outbound email could cause material harm.
What's included:
- Everything in L3
- Mandatory HITL (Human-in-the-Loop) approval for all outbound email:
- Agent calls Send API → message status is
pending_approval - Message appears in the dashboard Approval Queue
- Human reviewer can Approve, Edit, or Reject
- Only approved messages are dispatched
- Agent calls Send API → message status is
- Draft review UI with full risk analysis, policy check results, and the agent's reasoning (if provided via metadata)
- Approval audit trail: Who approved, when, any edits made
- Timeout policies: Messages not reviewed within a configurable window (default: 24 hours) are auto-rejected
The approval flow
Agent calls Send API
│
▼
status: "pending_approval"
│
▼
┌─────────────────────┐
│ Approval Queue │
│ (Dashboard UI) │
│ │
│ ✅ Approve │
│ ✏️ Edit & Approve │
│ ❌ Reject │
└─────────────────────┘
│
▼
Approved → Sent
Rejected → LoggedCredit cost: 1 credit per inbound + 2 credits for AI analysis + 3 credits per outbound + 1 credit per HITL review event.
Required plan: Startup ($500/mo) and above.
Choosing the right level
| Scenario | Recommended | Why |
|---|---|---|
| Notification listener (no replies) | L1 | No outbound risk. Minimal cost. |
| Inbox receiving untrusted email | L2 | Adversarial input likely. Injection defense critical. |
| Customer support bot (needs to reply) | L3 | Needs to reply. Known sender domains. |
| Healthcare/finance agent | L4 | Regulatory requirement for human oversight. |
| Lead capture from web forms | L2 | High injection risk from public internet. |
| Internal tool (company email only) | L3 | Low risk, but policy enforcement prevents accidents. |
Changing security levels
You can change an inbox's security level at any time:
curl -X PATCH https://secureagentmail.com/api/v1/inboxes/my-agent \
-H "Authorization: Bearer $SAM_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "security_level": "L3" }'Upgrading takes effect immediately. New protections apply to all messages received after the change.
Downgrading takes effect immediately but does not retroactively release withheld messages. Previously withheld messages must be manually released or will remain in their current state.
Note: L3 and L4 require Developer plan or above. Attempting to set L3/L4 on
a Free plan returns 403 Forbidden with a clear upgrade prompt.