Compliance
Safety & Policies for AI Agents
Every send is policy-evaluated before it leaves. Duplicate prevention, cooldowns, suppression lists, rate limits, and canary tokens are enforced automatically — your agent just sends.
How it works
Agent requests a send
Your agent calls POST /v1/agent/request-send with a recipient, template, and dedupe key. The request enters the policy engine before anything is sent.
Policy rules evaluated
Twelve rules are checked in order: tenant pause, template approval, suppression list, global DNC, active opportunity, duplicate, cooldown, hourly rate limit, daily budget, monthly budget, risk score, and negative signals.
Decision logged
Every decision is logged with a full policy trace — which rules passed, which blocked, and why. Blocked sends return status "blocked" with the specific reason.
Canary token protection
Outbound emails are scanned for leaked canary tokens before sending. If an attacker injects a prompt that tricks your agent into echoing a canary token, the send is blocked automatically.
Safety settings configurable
Configure quarantine for high injection risk, hold emails with thread anomalies, and block canary violations. Settings can be applied at the tenant level or per-mailbox.
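The five steps above (request, ordered rule evaluation, logged decision, canary scan) and the policy trace shown later on this page can be illustrated with a small in-memory policy engine. This is an added example, not Molted Email's own code: the rule names, the 10-minute cooldown from this page, the assumed hourly quota, the assumed canary token format and the sample requests are all constructed for illustration. Rules are evaluated in a fixed order and the first failing rule blocks the send, so the trace lists only the rules reached, exactly as in the page's blocked-send trace.

```python
"""Added example: a minimal policy engine in the style described on this page.
Not Molted Email's code; names, thresholds and sample data are assumptions."""
import json
import re
import time
from dataclasses import dataclass, field

COOLDOWN_SECONDS = 10 * 60   # page: same template to same recipient blocked within 10 minutes
HOURLY_LIMIT = 3             # assumed small quota so the example can hit it
# Assumed canary token format; a real deployment would use its own opaque tokens.
CANARY_RE = re.compile(r"CANARY-[A-Z0-9]{8}")


@dataclass
class TenantState:
    """Per-tenant state the rules consult and that allowed sends update."""
    paused: bool = False
    suppressed: set = field(default_factory=set)        # lower-cased addresses
    seen_dedupe_keys: set = field(default_factory=set)  # duplicate prevention
    last_sent: dict = field(default_factory=dict)       # (recipient, template) -> timestamp
    sent_times: list = field(default_factory=list)      # timestamps of allowed sends


def evaluate_send(state, recipient, template, dedupe_key, body, now=None):
    """Evaluate rules in order; the first failing rule blocks the send.

    Returns a dict shaped like the page's policy trace. When every rule
    passes, the tenant state is updated so that later requests see the
    dedupe key, the cooldown window and the hourly send count."""
    now = time.time() if now is None else now
    recent = [t for t in state.sent_times if t > now - 3600]
    last = state.last_sent.get((recipient, template))
    rules = [
        ("tenant_paused", not state.paused),
        ("suppression", recipient.lower() not in state.suppressed),
        ("duplicate", dedupe_key not in state.seen_dedupe_keys),
        ("cooldown", last is None or now - last >= COOLDOWN_SECONDS),
        ("hourly_rate_limit", len(recent) < HOURLY_LIMIT),
        # Canary scan: outbound content echoing a token means the agent was
        # likely steered by injected instructions, so the send is blocked.
        ("canary_token", CANARY_RE.search(body) is None),
    ]
    trace = []
    for name, passed in rules:
        trace.append({"rule": name, "pass": passed})
        if not passed:
            return {
                "status": "blocked",
                "reason": name,
                "policyTrace": {"decision": {"allow": False, "reason": name}, "rules": trace},
            }
    # All rules passed: record the send so later rules see it.
    state.seen_dedupe_keys.add(dedupe_key)
    state.last_sent[(recipient, template)] = now
    state.sent_times = recent + [now]
    return {
        "status": "queued",
        "policyTrace": {"decision": {"allow": True, "reason": None}, "rules": trace},
    }


if __name__ == "__main__":
    # Constructed walk-through: first send allowed, immediate retry with the
    # same template hits the cooldown and produces a trace like the page's.
    state = TenantState(suppressed={"optout@example.com"})
    t0 = 1_700_000_000.0
    evaluate_send(state, "a@example.com", "welcome", "k1", "Hello", now=t0)
    blocked = evaluate_send(state, "a@example.com", "welcome", "k2", "Hello", now=t0 + 60)
    print(json.dumps(blocked, indent=2))
```

Each rule is a pure check against tenant state, which keeps the trace honest: a rule that never ran is simply absent rather than reported as passed. Persisting `TenantState` (and the dedupe keys in particular) is what makes the duplicate and cooldown rules meaningful across restarts.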
Configure safety settings
GET /v1/me/safety-settings
PUT /v1/me/safety-settings
{
  "quarantineHighInjection": true,
  "holdCriticalAnomalies": true,
  "blockCanaryViolations": true
}

Built-in protections
Duplicate prevention
A request that reuses an already-seen dedupeKey is rejected, so a contact never receives the same email twice.
Cooldown windows
Sending the same template to the same recipient again within 10 minutes is blocked.
Suppression lists
Global, tenant, or campaign-scoped suppressions. Auto-suppression on bounces and complaints.
Rate limiting
Hourly, daily, and monthly send quotas enforced per plan. Exceeding any limit blocks the send.
Risk budgets
Daily risk score budget and negative signal budget (bounces + complaints). Protects domain reputation.
Canary tokens
Integrity check for AI agents. Leaked canary tokens in outbound content are caught and blocked before delivery.
Full policy traces
Every send decision includes a full trace showing which rules passed and which blocked. Inspect any request to understand exactly why it was allowed or rejected.
// Policy trace from a blocked send
{
  "status": "blocked",
  "reason": "cooldown",
  "policyTrace": {
    "decision": { "allow": false, "reason": "cooldown" },
    "rules": [
      { "rule": "tenant_paused", "pass": true },
      { "rule": "suppression", "pass": true },
      { "rule": "duplicate", "pass": true },
      { "rule": "cooldown", "pass": false }
    ]
  }
}

Send with confidence
Policy enforcement is automatic. Your agent sends intents, and Molted Email ensures every email is compliant, deduplicated, and rate-limited.