Security
Security And Controls
LiteMX separates human dashboard authentication from API, CLI, and MCP authorization. Mailbox-level access is enforced through LiteMX-owned scoped tokens.
Scoped Tokens
Human dashboard auth is planned through Clerk. API, CLI, and MCP access use LiteMX-owned scoped tokens because mailbox-level access is a core product boundary.
- Listing mailboxes.
- Reading messages.
- Searching messages.
- Creating drafts.
- Sending drafts.
- Reading audit logs.
Read scope does not imply send scope.
Audit Logs
LiteMX records CLI/API/MCP actions in D1 audit events, including message reads, searches, draft creation, send attempts, successful sends, blocked sends, and token lifecycle events.
litemx audit list [--mailbox <mailbox>] [--action <action>] [--resource-type <type>] [--limit <n>]Mailbox-scoped tokens only read audit rows tied to their granted mailboxes.
Retention
The Worker cron runs daily and applies the v0 retention policy. Message content is deleted after each mailbox retention window, defaulting to 60 days, while metadata and audit rows are kept longer for operational history.
- Raw MIME, text bodies, HTML bodies, and attachment objects are removed from R2.
- Message rows remain as metadata with sender, recipients, subject, thread id, mailbox id, and timestamps.
- Attachment rows are tombstoned and hidden from normal message reads.
- Message metadata and audit rows are pruned after 365 days.
- Each cleanup run writes a
retention.cleanupaudit event.
Outbound Controls
- Explicit send scope.
- Recipient limits per message.
- Daily send limits per mailbox and per account.
- Monthly send limits per account.
- Provider bounce and complaint suppression.
- Fast disablement for abusive domains, mailboxes, tokens, or accounts.
LiteMX is not for bulk marketing, newsletters, cold outreach, lead generation, or purchased recipient lists. See the public policies before enabling outbound sending.
Plan Send Limits
| Plan | Mailbox/day | Account/day | Account/month | Recipients/message |
|---|---|---|---|---|
| Free | 100 | 100 | 500 | 10 |
| Starter | 300 | 300 | 3,000 | 10 |
| Scale | 1,000 | 1,000 | 15,000 | 10 |
AWS SES production access is separate from domain verification. LiteMX can receive provider-ingested mail while SES outbound remains blocked for arbitrary external recipients if AWS keeps the account in sandbox or denies production access.