MailGuard - Phishing Detector for Gmail

Tracking since May 26, 2026.

Changelog

• Jun 8, 2026
  description

  # MailGuard - Chrome Web Store Submission Guide
  
  This is everything you'll paste / upload to the store form.
  
  ---
  
  ## Package to upload
  
  `dist/mailguard-v1.0.0.zip` (31 KB). Don't rezip - the store wants the
  manifest at the root of the archive, which is what we built.
  
  ---
  
  ## Listing fields
  
  ### Item name (max 75 chars)
  
  ```
  MailGuard - Phishing Detector for Gmail
  ```
  
  ### Short description (max 132 chars - this is what shows in search results)
  
  ```
  Flags phishing emails in Gmail. Checks every link against Safe Browsing, VirusTotal, and urlscan in real time.
  ```
  
  ### Detailed description (the body of the listing)
  
  ```
  MailGuard is a real-time phishing detector for Gmail. It works quietly in the
  background and only inspects an email when you actually open it.
  
  WHAT IT CATCHES
  
  - Lookalike domains (paypa1.com vs paypal.com)
  - Display-name spoofing ("Microsoft Support" sending from a free webmail)
  - Hidden link destinations (text says chase.com, link goes to an IP address)
  - Dangerous attachment patterns (.docm invoices, double-extensions)
  - Known phishing/malware URLs from Google Safe Browsing
  - URLs flagged by 70+ antivirus engines via VirusTotal
  - Hosts with bad community reputation on urlscan.io
  - Urgency, credential-asking, and money/payment language
  
  HOW IT WORKS
  
  When you open an email, MailGuard injects a small banner at the top showing
  one of four verdicts: Safe, Caution, Suspicious, or Dangerous. The reasons
  behind each verdict are explained in plain language - no jargon.
  
  If you click a link that MailGuard has flagged, an interstitial appears
  asking you to confirm before navigating. This catches the moment of danger
  between "this looks slightly off" and "I just gave my password to a scammer."
  
  WHAT'S NOT COLLECTED
  
  We don't store your emails. We don't track you. We don't sell or share data.
  We have no ads. The cache on our server is keyed by URL, not by user. The
  extension is open source.
  
  The only data that leaves your browser is the email currently in front of
  you: sender, subject, body text, link URLs. URL checks against the three
  intelligence services use the URL only - never your email content. Read the
  full privacy policy at https://mailguard-backend.lazizbek.workers.dev/privacy
  
  WHY IT EXISTS
  
  Phishing is the most common way real accounts get compromised. Built-in
  spam filters catch some of it. Your eyes catch some of it. MailGuard is the
  third line of defense, looking at every email you open from multiple angles
  at once - and stopping you mid-click if it sees danger.
  ```
  
  ### Category
  
  ```
  Productivity
  ```
  
  ### Language
  
  ```
  English (default; the extension itself is language-agnostic)
  ```
  
  ---
  
  ## Privacy disclosures (the "Privacy practices" tab)
  
  ### Single purpose
  
  ```
  Detect phishing and malware in Gmail emails the user opens, and warn the
  user before they click on flagged links.
  ```
  
  ### Permission justifications
  
  - **`storage`**:
    ```
    Used to remember the user's settings (custom backend URL, click-guard
    on/off). No personal data is stored.
    ```
  
  - **`activeTab`**:
    ```
    Used to interact with the Gmail tab the user is currently viewing so we
    can inject the verdict banner and the click-guard interstitial. No other
    tabs are accessed.
    ```
  
  - **Host permission `https://mail.google.com/*`**:
    ```
    Required to read the email currently open in Gmail and inject the safety
    banner. The extension only runs on mail.google.com.
    ```
  
  - **Host permission `https://mailguard-backend.lazizbek.workers.dev/*`**:
    ```
    The extension sends the parsed email content to our Cloudflare Worker
    backend for analysis. No other endpoints are contacted.
    ```
  
  - **Remote code**:
    ```
    None. All extension code is bundled in the package. The backend at the
    worker URL is a separate service that does not deliver code to the
    extension.
    ```
  
  ### Data usage disclosures (check the boxes for):
  
  - [x] Personally identifiable information - "Email or other contact information" - we receive sender addresses
  - [x] Authentication information - NO (we never see passwords)
  - [x] Personal communications - emails are personal communications, even when content is treated transiently
  - [x] Location - NO
  - [x] Web history - NO (we only see URLs in emails the user opens, not browsing)
  - [x] User activity - NO
  - [x] Website content - we receive the body text of emails (which is "website content" in store taxonomy)
  
  Then certify:
  - [x] I do not sell or transfer user data to third parties, outside of the approved use cases
  - [x] I do not use or transfer user data for purposes that are unrelated to my item's single purpose
  - [x] I do not use or transfer user data to determine creditworthiness or for lending purposes
  
  ### Privacy policy URL
  
  ```
  https://mailguard-backend.lazizbek.workers.dev/privacy
  ```
  
  ---
  
  ## Screenshots (you'll need to take these)
  
  The store accepts 1-5 screenshots at **1280x800** (preferred) or **640x400**.
  Take these in Chrome and crop to those exact dimensions.
  
  Suggested set (in order shown):
  
  1. **The green banner on a clean email** - shows "✅ No phishing signals detected" at the top of a real email.
  2. **The amber/red banner on a phishy email** - open an EICAR test email or the testsafebrowsing.appspot.com test URL. Show the verdict + the reasons list expanded.
  3. **The click-time interstitial** - capture the red modal that appears when clicking a flagged link.
  4. **The popup** - click the toolbar icon, screenshot showing the status, version, and the click-guard toggle.
  5. **The privacy page** - browse to /privacy on the worker URL, screenshot the top.
  
  Save them in `dist/screenshots/`.
  
  ---
  
  ## Promotional images (optional but recommended)
  
  The store also lets you upload "promotional tiles":
  
  - Small promo tile: 440x280 (for the search results page)
  - Marquee: 1400x560 (for featured spots)
  
  Skip if you don't have time. They're not required.
  
  ---
  
  ## Submission checklist
  
  - [ ] `dist/mailguard-v1.0.0.zip` uploaded
  - [ ] All listing copy pasted from above
  - [ ] At least 1 screenshot uploaded (5 is better)
  - [ ] Privacy policy URL set
  - [ ] All permission justifications filled in
  - [ ] Data usage disclosures checked correctly
  - [ ] Single purpose statement filled in
  - [ ] Submit for review
  
  Review typically takes 1-3 business days. Google may come back with
  questions about specific permissions - the justifications above should
  cover the common ones.
  
  ---
  
  ## After approval
  
  Once approved, your extension gets a public URL like:
  `https://chromewebstore.google.com/detail/<extension-id>`
  
  The first time it goes live, **install it from the store URL yourself** to
  make sure everything works end-to-end. The packaged extension uses your
  deployed backend so this is a true end-to-end check.
  
  If you need to push an update later:
  
  1. Edit code in `mailguard/extension/`
  2. Bump `manifest.json` version (e.g. `1.0.0` -> `1.0.1`)
  3. Re-zip: `cd extension && zip -r ../dist/mailguard-v1.0.1.zip .`
  4. Upload the new zip to the same store listing's "Package" tab
  5. Submit for review
  
  ---
  
  ## If review fails
  
  The most common rejection reasons and what to do:
  
  - **"Functionality not clear"** → Add a screenshot showing the banner in action.
  - **"Privacy practices need clarification"** → The "Data usage disclosures" boxes are wrong. Re-check.
  - **"Permission not justified"** → Tighten the host_permissions list further; we already dropped the dev URL.
  - **"Remote-hosted code"** → Should not happen - all code is bundled. Reply explaining that the worker is a backend service, not code delivery.
  
  Reply to the reviewer politely with a one-paragraph explanation and resubmit. Most rejections are resolved on the second try.

  Flags phishing emails in Gmail. Checks every link against Safe Browsing, VirusTotal, and urlscan in real time.

Permissions & access

Permissions

storage

Host access

https://mail.google.com/*, https://mailguard-backend.lazizbek.workers.dev/*

Screenshots