Every email security tool on the market will tell you when an email has been blocked. Almost none of them will tell you why. This gap — between a decision and an explanation — is not a minor product omission. It is the reason most users eventually stop trusting the systems protecting them. Glance was built on a different premise: that explainability is not a bonus feature. It is the foundation of trust.
The Black Box Problem in Security
Legacy email security operates as a black box. An email arrives. A decision is made — blocked, quarantined, or delivered. The user sees the outcome. They do not see the reasoning.
This creates three compounding problems. First, users cannot learn from the system. If you do not know why an email was flagged, you cannot adjust your behavior to send emails that will not be flagged — or to recognize the patterns the system is catching. Second, users cannot improve the system. A false positive that you cannot explain is a false positive you cannot contest. Third, and most corrosively, trust erodes. After a legitimate email from your doctor or pharmacy is silently quarantined with no explanation, the rational response is to check your junk folder obsessively and release everything you are unsure about — which is exactly the behavior that makes the security system useless.
The trust erosion cycle
Black box blocks a legitimate email → User notices the legitimate email is missing → User checks spam folder → User releases legitimate email without understanding why it was blocked → User begins checking spam folder for all important mail → User accidentally releases actual threats → User loses trust in the system entirely and disables it.
What Explainable AI Means in Practice
Explainability in Glance means that every automated decision produces a human-readable audit trail. For every email that is held or blocked, you can see:
- The composite threat score (0–100) and the threshold that triggered the action
- Every signal that contributed to the score, with its individual weight
- The tier at which the decision was made (Technical, Reputation, Behavioral, or AI Semantic)
- For Tier 4 AI analysis: a plain-English summary of the AI's reasoning, including the specific patterns it identified
Here is what a real signal breakdown looks like for a blocked phishing email:
Threat Report — Blocked Email
AI Semantic Analysis (Tier 4):
“This email impersonates PayPal using a lookalike domain registered 4 days ago. It employs account-suspension urgency language and directs to a credential harvest form. Confidence: 97%. Classification: Phishing.”
The Four Signal Categories
Glance's detection engine operates across four distinct signal categories, each contributing independent evidence to the threat score:
Technical signals
- SPF (Sender Policy Framework) — verifies the sending server is authorized for the domain
- DKIM (DomainKeys Identified Mail) — cryptographic signature verification
- DMARC policy alignment — checks that the From address matches the authenticated domain
- Email header analysis — detects inconsistencies between visible and actual sender routing
Reputation signals
- VirusTotal domain reputation — cross-referenced against 70+ threat intelligence feeds
- AbuseIPDB sending IP score — community-reported malicious IP addresses
- Glance network reputation — aggregated signals from across the user community
- Community scam reports — manually flagged senders confirmed as threats
Behavioral signals
- Domain age — newly registered domains are a strong fraud indicator
- Reply-to mismatch — when the reply address differs from the from address
- Urgency pattern density — frequency and severity of pressure language
- Homoglyph detection — lookalike characters designed to impersonate trusted brands
AI Semantic signals
- Intent classification — distinguishes legitimate urgency from manufactured pressure
- PII harvest pattern detection — forms or links designed to collect personal information
- Psychological manipulation indicators — fear, authority, scarcity, and reciprocity signals
- Brand impersonation analysis — semantic similarity to known legitimate senders
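An added example, not Glance's code: the scorer below shows how a composite score can carry its own audit trail, using a few of the technical and behavioral signals listed above and returning each one with its tier, weight and reason. The weights, the hold/block thresholds, the signal names and the `.example` domains are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; the page does not publish weights or thresholds.
HOLD, BLOCK = 40, 70
BRANDS = {"paypal.example"}  # constructed stand-in for a protected brand domain
# Small illustrative subset of confusable characters (digits and Cyrillic letters).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def domain(header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def explain(raw, domain_age_days):
    msg = message_from_string(raw)
    frm, reply = domain(msg["From"]), domain(msg["Reply-To"])
    # Only trust an Authentication-Results header stamped by your own receiving MTA.
    auth = (msg["Authentication-Results"] or "").lower()
    lookalike = frm.translate(CONFUSABLES)
    checks = [  # (tier, signal, weight, fired?, human-readable reason)
        ("Technical", "spf_not_pass", 15, "spf=pass" not in auth, "SPF did not pass"),
        ("Technical", "dmarc_not_pass", 20, "dmarc=pass" not in auth, "DMARC did not pass"),
        ("Behavioral", "young_domain", 25, domain_age_days < 30, f"domain is {domain_age_days} days old"),
        ("Behavioral", "reply_to_mismatch", 15, bool(reply) and reply != frm, f"replies go to {reply}"),
        ("Behavioral", "homoglyph", 35, frm not in BRANDS and lookalike in BRANDS, f"{frm} imitates {lookalike}"),
    ]
    signals = [dict(tier=t, signal=n, weight=w, reason=r) for t, n, w, hit, r in checks if hit]
    score = min(100, sum(s["weight"] for s in signals))
    action = "block" if score >= BLOCK else "hold" if score >= HOLD else "deliver"
    return {"score": score, "action": action, "thresholds": (HOLD, BLOCK), "signals": signals}

# Constructed sample messages (not real mail).
PHISH = ('From: "PayPal" <service@paypa1.example>\n'
         "Reply-To: collect@mailbox.example\n"
         "Authentication-Results: mx.receiver.example; spf=pass; dkim=none; dmarc=fail\n"
         "Subject: Your account is suspended\n\nVerify now.")
ACCOUNTANT = ("From: Dana <dana@ledger-new.example>\n"
              "Authentication-Results: mx.receiver.example; spf=pass; dkim=pass; dmarc=none\n"
              "Subject: Q3 statements\n\nAttached.")

if __name__ == "__main__":
    for raw, age in ((PHISH, 4), (ACCOUNTANT, 10)):
        print(explain(raw, age))
```

The second sample is the false-positive case discussed in the next section: it is held rather than blocked, and the report names the two signals responsible, which is what lets a reviewer release it with confidence.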
Why This Matters for False Positives
False positives — legitimate emails incorrectly blocked — are the primary reason people disable email security tools. The conventional response is to tune the sensitivity down, which reduces false positives by also reducing true positives.
Explainability offers a better path. When you can see exactly why a legitimate email was flagged — for example, your accountant uses a recently registered domain and does not have DMARC configured — you can make an informed decision. You can release the email and add the sender to your allowlist. You can flag it as a false positive to recalibrate the signal weight for that specific pattern. You can even share the explanation with the sender so they understand why their email is being flagged and can address it.
One-click remediation
When Glance blocks a legitimate email, you see exactly why. You release it with one tap. The sender is added to your allowlist. The system logs your correction. The next email from that sender is delivered instantly. The whole process takes under 15 seconds.
Explainability as Compliance
For enterprise customers, explainability is not merely a usability feature — it is a compliance requirement. GDPR Article 22 establishes the right of individuals to receive a meaningful explanation for automated decisions that significantly affect them. An email blocked by an opaque algorithm, with no explanation, may not satisfy this right.
SOC 2 Type II certification requires a complete audit trail for security decisions. Glance's signal-level logging — capturing every data point that contributed to every decision, with timestamps and confidence scores — provides exactly the audit evidence that SOC 2 reviewers require.
For enterprise security teams, this matters beyond compliance. When a business email compromise attempt is blocked, the security team needs to understand what happened: which signal caught it, what the attack vector was, and whether any similar emails made it through before the pattern was identified. A black box answer of “blocked” does not support incident response. A complete signal breakdown does.
Black Box Security
- ✗ Decision: Blocked
- ✗ Reason: Unknown
- ✗ False positive: Cannot diagnose
- ✗ Compliance: Possible gap
- ✗ User response: Disable the tool
Explainable AI (Glance)
- ✓ Decision: Blocked — score 100
- ✓ Reason: 6 signals, each explained
- ✓ False positive: One-tap release + recalibrate
- ✓ Compliance: Full GDPR/SOC 2 audit trail
- ✓ User response: Trust improves over time
See Glance's explainable threat reports in action. Free account, no credit card required. Every blocked email shows its full signal breakdown.
Frequently Asked Questions
How do I see why a specific email was blocked?
Every quarantined email in Glance has a 'Why was this blocked?' panel accessible with one click. The panel shows the full signal breakdown: which tier caught it, which specific checks contributed to the threat score, and — for emails that reached Tier 4 AI analysis — a plain-English summary of the AI's reasoning. The total score and each contributing factor are shown with their individual weight.
Can I dispute a block decision?
Yes. Any gatekeeper can release a held email with one tap, which immediately delivers it to the recipient's inbox and adds the sender to the allowlist. When you release an email, you are optionally prompted to mark whether it was a false positive. This feedback is used to recalibrate signal weights for your account over time.
How does gatekeeper feedback improve the system?
When gatekeepers release an email as a false positive or confirm a blocked email was a genuine threat, that signal is used to adjust the weight of the signals that contributed to the decision — both for your account and, in aggregate, for the platform. Over time, your account's detection calibration reflects your specific email environment. A senior who regularly corresponds with medical institutions will see lower false-positive rates on medical email than a fresh account.
Do enterprise customers get more detail?
Enterprise customers have access to an extended audit log that includes raw signal values, API response payloads from reputation services, DMARC policy evaluation details, and a complete chain-of-custody record for each email decision. This level of detail supports SOC 2 Type II audit requirements and provides the documentation needed for internal security reviews.
Security You Can Understand Is Security You Can Trust
Every Glance decision comes with a full explanation. Free to start — see exactly what your inbox protection is doing and why.