Sending Security & Scanning
Owlat's security scanning: a content check for spam and phishing, an attachment scan for malware, and a Google Safe Browsing URL check. Suspicious content goes to a review queue.
Owlat runs three kinds of security scan over your mail. Each has a flag under Settings > Features: content and file scanning are on by default; URL reputation is opt-in because it needs an external API key.
These flags express intent and drive setup (for example, prompting for the Google Safe Browsing key and selecting Docker profiles) — see Feature Flags. They do not currently switch the runtime scanners on and off: content and attachment scanning run regardless of the flag. Developers can read the full scanning architecture in Email Security.
Content scanning
Flag: scan.content · on by default.
Before a transactional email publishes, Owlat scans the subject line and HTML body for spam, phishing, and homoglyph (look-alike character) attacks. Each finding adds to a content score.
A score in the blocked range refuses to publish: the send is rejected, and you must edit the content before trying again. A lower, suspicious score doesn't block; instead it moves the email to Pending review with a reason describing what tripped the scanner. An admin then either:
- Approves it — the email proceeds, or
- Rejects it — so you can edit and try again.
This keeps a borderline send from going out automatically while still letting a human override a false positive.
Content scanning is wired on the transactional sending path. Scanning campaign content before it sends is planned but not currently wired.
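The score-then-route flow described above, as an added illustration that is not Owlat's own code: the thresholds, weights, phrase list and the homoglyph heuristic (a word mixing Latin letters with letters from another script) are assumptions chosen for the example, not the product's documented behaviour.

```python
import re
import unicodedata
from dataclasses import dataclass, field
# Hypothetical thresholds; Owlat's real weights and cut-offs are not documented on this page.
SUSPICIOUS = 3   # at or above: hold the send in Pending review
BLOCKED = 6      # at or above: refuse to publish
# Illustrative phrases typical of credential-phishing lures (constructed list).
PHISH_PHRASES = ("verify your account", "password expired", "urgent action required")

@dataclass
class Verdict:
    score: int
    outcome: str                # "publish", "pending_review" or "blocked"
    reasons: list[str] = field(default_factory=list)

def homoglyph_words(text: str) -> list[str]:
    """Return words that mix Latin letters with look-alike letters from another script."""
    found = []
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in word if ch.isalpha()}
        if "LATIN" in scripts and len(scripts) > 1:   # e.g. LATIN + CYRILLIC in one word
            found.append(word)
    return found

def scan_content(subject: str, html_body: str) -> Verdict:
    """Score subject and body, then route the send: publish, Pending review, or blocked."""
    text = re.sub(r"<[^>]+>", " ", f"{subject} {html_body}")   # keep only visible text
    score, reasons = 0, []
    for word in homoglyph_words(text):
        score += 3
        reasons.append(f"homoglyph in '{word}'")
    for phrase in PHISH_PHRASES:
        if phrase in text.lower():
            score += 2
            reasons.append(f"phishing phrase '{phrase}'")
    if subject.isupper() and len(subject) > 8:
        score += 1
        reasons.append("all-caps subject")
    if score >= BLOCKED:
        outcome = "blocked"                       # send rejected; edit before retrying
    elif score >= SUSPICIOUS:
        outcome = "pending_review"                # an admin approves or rejects
    else:
        outcome = "publish"
    return Verdict(score, outcome, reasons)

if __name__ == "__main__":
    # Constructed sample: "p\u0430ypal" spells paypal with a Cyrillic а in place of Latin a.
    v = scan_content("Password expired", "<p>Your p\u0430ypal login: urgent action required</p>")
    print(v.outcome, v.score, v.reasons)
```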
Attachment scanning (ClamAV)
Flag: scan.files · on by default.
Email attachments are scanned for malware by a local ClamAV daemon (the clamav Docker profile). An attachment that fails the scan is rejected before the message is sent.
ClamAV downloads its full virus-signature database on first start, which can take several minutes on a small server. Sends that include attachments wait for the scanner to be ready.
URL reputation
Flag: scan.urls · off by default.
When enabled with a GOOGLE_SAFE_BROWSING_API_KEY, Owlat checks links in inbound mail against Google Safe Browsing as part of the inbound security scan. A link with a bad reputation contributes to that message's phishing assessment.
This check requires the GOOGLE_SAFE_BROWSING_API_KEY environment variable — set it before turning the flag on. See Environment Variables.
Checking outbound campaign links before sending is not currently wired — Safe Browsing lookups today run only on the inbound path.
The scanner flags
The three flags live under Settings > Features. Leaving content and file scanning on is strongly recommended — they protect your sending reputation and your recipients. URL reputation is the only one that needs extra setup, so it ships off until you add the API key. Note that the content and attachment scanners currently run regardless of their flag; turning a flag off does not stop the corresponding scan.
Next steps
- Deliverability — SPF, DKIM, DMARC, and sending reputation
- Feature Flags — toggle every scanner
- Email Security — the developer-level scanning pipeline