Security

Security And Controls

LiteMX separates human dashboard authentication from API, CLI, and MCP authorization. Mailbox-level access is enforced through LiteMX-owned scoped tokens.

Scoped Tokens

Human dashboard auth is planned through Clerk. API, CLI, and MCP access use LiteMX-owned scoped tokens because mailbox-level access is a core product boundary.

  • Listing mailboxes.
  • Reading messages.
  • Searching messages.
  • Creating drafts.
  • Sending drafts.
  • Reading audit logs.

Read scope does not imply send scope.

Audit Logs

LiteMX records CLI/API/MCP actions in D1 audit events, including message reads, searches, draft creation, send attempts, successful sends, blocked sends, and token lifecycle events.

audit.sh
litemx audit list [--mailbox <mailbox>] [--action <action>] [--resource-type <type>] [--limit <n>]

Mailbox-scoped tokens only read audit rows tied to their granted mailboxes.

Retention

The Worker cron runs daily and applies the v0 retention policy. Message content is deleted after each mailbox retention window, defaulting to 60 days, while metadata and audit rows are kept longer for operational history.

  • Raw MIME, text bodies, HTML bodies, and attachment objects are removed from R2.
  • Message rows remain as metadata with sender, recipients, subject, thread id, mailbox id, and timestamps.
  • Attachment rows are tombstoned and hidden from normal message reads.
  • Message metadata and audit rows are pruned after 365 days.
  • Each cleanup run writes a retention.cleanup audit event.

Outbound Controls

  • Explicit send scope.
  • Recipient limits per message.
  • Daily send limits per mailbox and per account.
  • Monthly send limits per account.
  • Provider bounce and complaint suppression.
  • Fast disablement for abusive domains, mailboxes, tokens, or accounts.

LiteMX is not for bulk marketing, newsletters, cold outreach, lead generation, or purchased recipient lists. See the public policies before enabling outbound sending.

Plan Send Limits

PlanMailbox/dayAccount/dayAccount/monthRecipients/message
Free10010050010
Starter3003003,00010
Scale1,0001,00015,00010

AWS SES production access is separate from domain verification. LiteMX can receive provider-ingested mail while SES outbound remains blocked for arbitrary external recipients if AWS keeps the account in sandbox or denies production access.