[brightball]

This looks really solid. I know one of the big methods to work around something like this is to change the destination of included links after successful delivery.

Does this provide a way to replace links in a message so that they can be evaluated on click for continuous protection? Optionally of course since this would be more of a company policy type of protection than anything else.

[cebka]

Rspamd itself does not alter message in any way. However, it keeps all urls with their relative positions during scan. Moreover, it can resolve redirects for urls (e.g. for t.co or goo.gl) and provide 'real' links. But the second part of job: links analysis and rewriting is not provided by rspamd.