Frequently Asked Questions
Find answers to common questions about Mailprotector and our email security products.
How does Mailprotector reduce the friction of switching?
Switching email security feels risky on two fronts: your team has to manage something new, and your clients have to live with it. We build for both. Mike Bloomfield of Tekie Geek saw the difference on the tech side first:
"A week after switching, my techs actually thanked me. What used to take 20 minutes now takes 30 seconds."
Dick Borrelli of Newnan Computers noticed the same thing on the client side:
"Even the most challenging clients we have can use the products. We could not be happier."
For most MSPs, the bigger cost turns out to be waiting too long to make the switch.
What makes your support team different?
Our U.S.-based support team functions less like a helpdesk and more like an extension of your team. When something goes wrong, we invest the time to understand the root cause and help prevent repeat issues. Zac Paulson of ABM Technology Group puts it best:
"Your support team doesn't just fix problems. They explain causes and teach us how to prevent future challenges. It's unlike anything I've experienced from other vendors."
How established is Mailprotector in the market?
Mailprotector has been focused on email security since 2000, long before it became a commodity. Why? Because email is the most vulnerable channel your clients have, and it deserves more than a feature in someone else’s platform. For over 25 years, that conviction has driven everything we build.
Does Shield use AI?
Yes. Shield uses AI in specific and deliberate ways, like generative AI for email summaries in Bundler. Shield also uses multiple layers of established technology—heuristic pattern matching, machine learning, and behavioral analysis—to infer risk signals from every message. But these are simply components doing specific jobs within a greater system. That system is Shield’s zero trust architecture—the foundation everything sits on top of, and what makes Shield fundamentally different from every other email security product.
So when you hear competitors say “AI-powered,” know that they’re likely describing the same tech that’s been in email filtering for years, just rebranded as AI became a marketing buzzword. Shield’s differentiation isn’t the AI. It’s the zero trust architecture that AI supports—a foundation no amount of rebranding can replicate.
How does the zero trust model actually work?
Shield starts with zero trust and employs a multi-tiered decision engine to determine what reaches the inbox. The first layer targets high-risk threats—phishing, spoofing, malware, impersonation—and stops them before they ever have a chance. Messages that clear that layer fall to the trust network, where Shield applies each user’s personalized preferences to ensure wanted mail gets through. The third layer catches unwanted noise: messages that aren’t threats but aren’t wanted either. What’s left is tagged with a New Sender banner where users make their own trust/silence decisions. Each interaction sharpens the trust network, and Shield quietly fades into the background.
Does Shield have a quarantine?
Not in the traditional sense. Most email security solutions let everything in and try to chase down what’s bad. The result forces users to navigate the gray areas in quarantines where threats can live right beside legitimate messages. Instead, Shield’s zero trust foundation assumes every message is unwanted until it proves it belongs.
Shield’s multi-tiered decision engine factors in multiple risk signals—from spam indicators and authentication failures to suspicious geography, sender reputation and more—to determine where messages are sent before users ever see them. Emails with very high spam scores, viruses, and confirmed phishing and impersonation are immediately classified as high risk and held outside the mailbox in a place we call Jail.
From there, Shield’s composite risk assessment gives borderline emails a comprehensive evaluation, leading to fewer false positives. If a user still believes something to be incorrectly flagged, they can submit a veto request for review by an admin. But with Shield, that’s the exception—not the rule.
Is Shield a gateway or an API solution?
Shield is both. It combines our secure email gateway with a patented API integration for full visibility into the email lifecycle. The gateway stops threats before they reach Microsoft 365. The API tracks and acts on messages that make it to the mailbox. And the two parts aren’t just stitched together; they were built as a single system from the ground up to share context in real time—something competitors simply can’t replicate.
What platforms does Shield support?
Shield is built for Microsoft 365 environments and deeply integrated with the platform, enhancing its native security rather than disrupting it. It addresses many of M365’s shortcomings, like messages you want repeatedly landing in junk or getting held in quarantine. Google Workspace support is on the horizon. In the meantime, CloudFilter™—Mailprotector’s powerful and flexible secure email gateway—can be used to support mixed platform environments.
Do we have to change our MX records?
No. Shield integrates with Microsoft 365 via an enterprise app, with transport rules and connectors configured automatically during deployment so your MX records can stay exactly as they are. However, pointing MX records to Mailprotector is an option as well—the choice is yours.
How long does deployment take?
Deployment can take as little as one to three minutes using Shield’s automated setup. The process connects to Microsoft 365 using admin credentials, installs the enterprise app, configures transport rules and connectors, and runs a mail flow test before going live. If any errors are detected during the test, the deployment automatically rolls back. Manual DNS configuration is also available if the client’s domain registrar isn’t supported by the automated flow. In these cases, deployment averages 10–15 minutes.
What is Shield Pro?
Shield Pro is an add-on tier for enhanced productivity and privacy features, including Bundler (a dedicated space for non-urgent mail with AI summaries), Lockbox (a secure vault for your most sensitive messages) and Burner Addresses (temporary addresses that can be created and discarded to protect a user’s primary address). Shield Pro is licensed per user, not per domain, so you can deploy it selectively for power users without rolling it out to the entire organization.
What partner training is available?
Group training webinars are held every Tuesday and Thursday. One-on-one sessions with the support team are available on request at no additional cost. Partners also receive free NFR licenses so they can deploy and use Shield themselves before rolling it out to clients, which is strongly recommended.
What about end-user training?
We designed the Shield Onboarding Kit with everything you need to prepare your clients for a smooth rollout. The kit includes a getting started video that walks users through their first week, an intuitive and approachable onboarding guide, a pre-deployment email campaign, and even a custom GPT to help tailor your own rollout communications. As Todd Davis from Obsidian IT shared:
"Thank you for putting this kit together. It makes a huge difference when onboarding new clients and significantly improves the overall satisfaction with this amazing product."
How do I trigger Bracket to encrypt a message?
Bracket will trigger by default anytime there is a square bracket in the first value of the subject and a closing square bracket anywhere else in the subject. For example:
- [Bracket works great] or [Bracket works] great—encrypts.
- Bracket is [not working] for me—doesn't.
The subject rule trigger can also be changed to {curly} or |pipes|.
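The trigger rule above can be checked before a message is sent. The following is an added example, not Mailprotector's code: it applies a literal reading of the rule to decoded Subject headers, and the function names, the lack of whitespace or "Re:" handling, and the sample messages are assumptions.

```python
from email import message_from_string
from email.header import decode_header, make_header

# Delimiter pairs named in the FAQ: [square] (default), {curly}, |pipes|.
DELIMITERS = {"square": ("[", "]"), "curly": ("{", "}"), "pipes": ("|", "|")}


def decoded_subject(raw_message: str) -> str:
    """Return the Subject header with RFC 2047 encoded-words decoded."""
    msg = message_from_string(raw_message)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def triggers_encryption(subject: str, style: str = "square") -> bool:
    """Literal reading of the FAQ rule: the opening delimiter is the first
    character and a closing delimiter appears anywhere after it."""
    opener, closer = DELIMITERS[style]
    # Assumption: no trimming of leading whitespace or reply prefixes.
    if not subject.startswith(opener):
        return False
    return closer in subject[len(opener):]


def audit(raw_messages, style="square"):
    """Map each decoded subject to whether it would trigger encryption."""
    subjects = map(decoded_subject, raw_messages)
    return {s: triggers_encryption(s, style) for s in subjects}


# Constructed sample messages; the first three subjects are the FAQ's own
# examples, the fourth is a MIME-encoded subject that decodes to "[Payroll] Q3".
SAMPLES = [
    "Subject: [Bracket works great]\n\nbody",
    "Subject: [Bracket works] great\n\nbody",
    "Subject: Bracket is [not working] for me\n\nbody",
    "Subject: =?utf-8?q?=5BPayroll=5D_Q3?=\n\nbody",
]

if __name__ == "__main__":
    for subject, hit in audit(SAMPLES).items():
        print(f"{'encrypt' if hit else 'plain  '}  {subject}")
```

Decoding the header first matters because a client may send the subject as an encoded-word, in which case the raw header does not begin with the delimiter even though the subject the user typed does.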
What do senders and recipients need to get started?
Nothing. Senders use whatever email client and device they prefer. No apps, plugins or passwords are required. The Bracket portal opens in any browser, providing a clean and organized view of every encrypted conversation. Recipients access encrypted messages through a secure link without having to create an account, so there’s no friction on either end.
If there's no password, how is it secure?
Password reset emails are one of the most exploited attack vectors, and a source of a lot of support tickets. Bracket eliminates both obstacles. What replaces them is more secure, not less. AES-256 is just the beginning.
Sign-in links are one-time-use, expire after 15 minutes, and are invalidated if opened from a different device. Each request also carries an IP-based geolocation signature to flag unexpected access attempts.
For extra security, users can enable MFA at sign-in. For maximum control, personal data keys create a zero-access boundary. Note: personal data keys are shown only once at setup and never stored by Mailprotector. If they are misplaced, account recovery requires a full reset and all previously stored data will be irrecoverable.
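The three sign-in link properties listed above (one-time use, 15-minute expiry, invalidation when opened from a different device) can be enforced server-side as in this added sketch. It is not Mailprotector's implementation: the `SignInLinks` class, the in-memory store and the `device_id` value (how a device is recognised is not stated on the page) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # expiry stated in the FAQ


class SignInLinks:
    """In-memory store of pending sign-in tokens (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, device_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, device_id: str) -> str:
        """Create a token bound to the requesting device; it goes in the link."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (email, device_id, expires_at)
        return token

    def redeem(self, token: str, device_id: str):
        """Return the email on success, else None. Every attempt consumes the token."""
        # pop() enforces one-time use and also invalidates on any failed attempt.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, bound_device, expires_at = record
        if self._clock() > expires_at:
            return None
        if not hmac.compare_digest(bound_device.encode(), device_id.encode()):
            return None  # opened from a different device: link is now dead
        return email


if __name__ == "__main__":
    links = SignInLinks()
    token = links.issue("user@example.com", "device-a")  # constructed values
    print(links.redeem(token, "device-a"))  # first use succeeds
    print(links.redeem(token, "device-a"))  # replay is rejected
```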
Is Bracket HIPAA compliant?
Yes. Bracket meets HIPAA technical security safeguard standards for secure transmission of Electronic Protected Health Information (ePHI). Mailprotector holds the HIPAA Seal of Compliance from the Compliancy Group and is also SOC 2 Type 2 certified, providing independent verification of our security practices.
How long are Bracket messages retained?
Bracket messages are stored for one year by default and cannot be extended beyond that in accordance with the compliance retention requirements for most industries. For retention beyond one year, Bracket supports journaling to Mailprotector’s SecureStore™ or a third-party archiving service via SMTP journal or BCC addresses. Expiration can also be shortened on a per-message basis.
What email security solutions does Bracket work alongside?
Bracket is available as a standalone email encryption solution. For Microsoft 365 environments, it can also be deployed without changing MX records.
However, Bracket works best as part of the Mailprotector ecosystem. If you have configured your outbound relay through CloudFilter™, there’s no additional work to enable Bracket. Simply switch it on.
With Shield, Bracket becomes part of a deeper outbound security workflow via Email Traffic Control. Messages containing sensitive content can be automatically encrypted, adding a powerful layer of DLP at a fraction of the cost of a Microsoft E5 license.
Can Bracket be personalized?
Yes. Admins can configure a company profile—name, address, phone, website, and logo—that appears in Bracket notifications sent by any licensed user in the organization. This makes messages more recognizable to recipients and verifies the sender is authentic. Individual users can also personalize their own profile with a photo, name, and title. Admins control whether users can adjust company details from their own portal settings.
Every Bracket notification and message also includes a prompt for unlicensed recipients who may want to learn more about using Bracket in their own company. Those inquiries route to an email address you control—giving you a warm lead from someone who has already experienced Bracket firsthand.
What platforms does CloudFilter support?
CloudFilter protects any platform where you have MX record control—Microsoft 365, Google Workspace, on-prem servers, hosted environments, and POP/IMAP. That flexibility makes it the right fit for MSPs managing diverse client environments.
How does CloudFilter evaluate and filter email?
Every message is scored by multiple detection tools, each contributing a weighted score toward an overall threat assessment. The default quarantine threshold is 200 points. Messages that cross it are held outside the mailbox for review. Sensitivity is fully tunable at any level, from your entire client base down to individual users, so filtering behavior matches each client’s needs without rebuilding policy from scratch for every domain.
What if a legitimate email gets quarantined?
CloudFilter’s probabilistic detection is designed to minimize false positives, but when one does occur, the process is straightforward. Users can safely preview any held message before deciding what to do, and if admin permissions allow, deliver or block with one click.
For admins, every quarantined message includes a full breakdown: reasons held, sending source data, and geographic origin. And if a pattern emerges, filtering sensitivity is fully tunable at every level so the fix is a configuration change, not a recurring task.
How does CloudFilter stop advanced threats?
CloudFilter combines open source and proprietary technology—machine learning, heuristic analysis, URL and domain reputation checks, multiple anti-virus and malware engines, and more—into a sophisticated detection system that identifies nuance other filters miss. Every message is evaluated across multiple layers simultaneously, generating a probabilistic threat score that accounts for signals other tools treat in isolation.
Automated impersonation detection combines organizational insights and behavioral analysis to identify impersonation attempts in real time. A confidence level and risk score are assigned to every flagged message, with controls for administrators to tune sensitivity down to the individual user. To help prevent phishing and spoofing attempts, CloudFilter provides complete DMARC enforcement with the ability to customize behavior.
How long does setup take?
For most partners, CloudFilter is up and running in 5–15 minutes with no email outage during the transition. Setup follows four steps: add users, set the inbound mail destination, verify the domain via TXT record, and update MX records. The recommended approach is to add Mailprotector’s MX records before removing the existing ones. This starts DNS propagation in the correct order and ensures no email is lost in the transition.
How does user management work across multiple client environments?
User Sync is CloudFilter’s automated user management feature. It connects to Microsoft 365, Google Workspace, or any LDAP/Active Directory source to pull users over automatically. And because it inherits account classifications from the source, distribution lists, shared mailboxes, and equipment accounts are excluded from billing automatically. User Sync also feeds CloudFilter’s impersonation detection layer with organizational data, which is what makes automated impersonation detection possible.
What partner training is available?
One-on-one new partner training sessions are available on request at no additional cost. A recorded training video is also available in the help center for self-paced onboarding. Partners receive free NFR licenses to deploy and test CloudFilter themselves before rolling it out to clients.
What does SafeSend add to outbound protection?
CloudFilter includes core outbound filtering, and SafeSend is bundled with it to add advanced content controls and compliance tools on top.
SafeSend gives administrators visibility into the outbound quarantine and the ability to define what content is permitted to leave using pre-built lexicons or custom rules. When a rule is triggered, senders are notified immediately and can self-release the message with one click if permissions allow. For organizations with more stringent requirements, SafeSend can automatically trigger Bracket® encryption on sensitive outbound content, so data is protected in transit rather than simply stopped.
Is CloudFilter Mailprotector's only email filtering product?
No. CloudFilter is Mailprotector’s platform-agnostic gateway solution for MSPs managing a diverse mix of client environments. For MSPs who primarily support organizations on Microsoft 365, Mailprotector also offers Shield™, a zero trust email security solution that combines our secure email gateway with a patented API integration for full edge-to-inbox visibility and control.
How much does Radar cost?
Radar is completely free to use.
How often can I run a test?
As often as needed. Radar is useful any time changes are made to an email configuration, or as a regular health check. Down the road, we’ll add even more features to help you view the big picture of your email security over time, so stay tuned.
How is this different from tools like MX Toolbox?
Most tools check whether records like SPF, DKIM, and DMARC are present and correctly formatted. Radar tests whether they actually work in practice by sending a real email and analyzing a full delivery loop.
What security checks does Radar perform?
Radar checks eight key areas: SPF, DKIM, DMARC, inbound TLS encryption, outbound TLS encryption, reverse DNS, email spy tracking, and IP reputation. Each is scored and weighted toward a maximum of 850.
What does the score mean?
Scores fall into one of four categories:
- 0–399: Critical vulnerabilities that should be addressed immediately.
- 400–599: Several warning factors that need to be looked into.
- 600–749: Solid measures are in place, but there's still room for improvement.
- 750–850: You've nailed it and can now go brag to all your friends.
What happens to my email address?
It’s used only to run your security test. Mailprotector does not use it for marketing, does not sell it, and does not share it with anyone.
What type of archiving solution is SecureStore?
SecureStore is a journaling-based email archive. Once a journaling address is set, all inbound, outbound, and internal messages are automatically captured on a go-forward basis only.
What email security products does SecureStore work with?
SecureStore works seamlessly with CloudFilter™ to support mixed-platform environments. SecureStore can also be configured for Shield™ to support M365-only environments.
How long are emails retained?
The default retention period is 7 years, but it can be configured up or down as needed.
Does SecureStore support eDiscovery?
Yes. Advanced search and Boolean logic make it straightforward to locate and produce specific messages in response to legal requests or regulatory inquiries. Results can be held with a documented reason to preserve them and exported in bulk when needed.
Does SecureStore include audit logs?
Yes. SecureStore logs and reports on all activity within the archive. This feature is useful for compliance reviews and internal accountability.
How are archive permissions managed?
One admin account is created by default. Additional users can be added and assigned granular access by role.
How long is email stored?
XtraMail stores a rolling 30-day copy of inbound and outbound email. Messages older than 30 days are automatically removed.
What email security products does XtraMail work with?
XtraMail requires CloudFilter and works exclusively within that ecosystem. It is not compatible with Shield.
Can I deploy CloudMail alongside Microsoft 365 or Google Workspace?
CloudMail uses standard POP3 and IMAP protocols, so it works alongside whatever email platform your client is already running. That’s what makes split-domain configurations straightforward. Power users can stay on the full-featured platform; light users can be moved to CloudMail without disrupting the rest of the environment.
What email security products does CloudMail work with?
CloudMail requires CloudFilter and works exclusively within that ecosystem. It is not compatible with Shield.