Email spam is not simply “blocked” or “deleted.” Behind it lies a layered evaluation system.
This article explains how mail servers, DNS checks, and filter rules work together to reliably detect spam — from technical checks to content analysis.
1. Technical Evaluation – Mail Quality
On the first level, the mail server checks the technical correctness of a message.
RSPAMD or similar systems analyze, for example:
- Is the SMTP sender properly authenticated?
- Do SPF, DKIM, and DMARC records match?
- Is the MIME structure consistent?
- Is a subject or body missing?
- Are there technical anomalies or malformed headers?
The result is a technical score that indicates how cleanly an email is constructed.
This evaluation says nothing about the content or the sender address – it only concerns the technical quality of the email.
2. Evaluation via DNS Blacklists
The second level concerns the reputation of the sending servers or domains.
Public or private DNS blacklists (RBLs) are queried to check if IPs or domains have previously been used for spam.
Advantages:
- fast, automated assessment of sender reputation
- low resource usage
Risks:
- incorrect or outdated listings may affect legitimate senders
- shared web hosting environments may cause false matches
For this reason, combining blacklists with whitelists is recommended to exempt trusted senders.
3. Content Evaluation – Semantic or Rule-Based
The third level evaluates the content of the message.
This can be done in two ways:
a) Automated
Local spam filters (e.g., SpamAssassin, sometimes used in Thunderbird) or AI-based services analyze text and subject lines for patterns.
This involves probabilistic models and databases trained on millions of emails.
b) Manual Filtering Rules
Users who want full control can define their own rules:
If a message contains specific words, domains, or subject lines, it can be automatically marked, moved, or deleted.
For multiple clients, these rules can be configured centrally in the webmailer, making them global across all devices.
User Decisions and Transparency
Each spam evaluation layer can be used individually.
- Technical evaluation runs automatically on the server and requires no action. Customers can adjust the rewrite and reject thresholds in the control panel (default server values recommended).
- DNS blacklists help assess sender reputation; customers with dedicated servers can use whitelists to protect trusted senders (not available for shared web hosting).
- Content evaluation can be applied on supported clients or the webmailer.
Many mobile mail clients do not offer advanced spam controls like blacklists or SpamAssassin, sometimes by design (e.g., iPhone). Clients like Thunderbird work very well with these filters.
We exclusively serve business customers. Over the years, the practice has become: deliver emails rather than pre-filter. Many business clients rely on client-side filters or other solutions and decide how to handle spam themselves.
For customers with dedicated servers, we support individual wishes such as blacklists, whitelists, or additional filter rules. For shared web hosting, this service is not available, as the policy is clear: deliver emails, the customer manages their mail.
Conclusion
Spam detection is not a monolithic process but a combination of three distinct evaluation layers:
- Technical quality
- Reputation via DNS blacklists
- Content analysis
This multi-layered approach ensures legitimate emails are delivered while actual spam is effectively detected and filtered.
Further reading:
Filtering Email Spam
Handling Spam