SpamAssassin is the spam filter built into cPanel’s mail stack. It scores every incoming email against hundreds of rules — sender reputation, suspicious phrasing, header anomalies, content signatures — and tags messages above a threshold as spam. The default settings work for most accounts, but if you’re getting too much spam (or worse, missing legitimate mail), a few configuration adjustments make a big difference.
How SpamAssassin scores work
Every rule that matches an email adds (or subtracts) points to the message’s spam score. Illustrative examples (real rule names appear in the X-Spam-Status header, and the exact weights vary between SpamAssassin releases):
- “Subject contains all caps” → +1.0.
- “Body contains phrase associated with phishing” → +2.5.
- “Sent from blocklisted IP” → +3.5.
- “Sender has valid DKIM signature” → -0.5.
- “Sender has a good track record in the server’s reputation history” → small negative adjustment.
The final score is the sum, and it can be negative. A message whose score is at or above the threshold (typically 5.0) is marked as spam. Higher score = more spammy.
Accessing SpamAssassin settings
- cPanel → Email → Spam Filters (or “SpamAssassin” depending on cPanel version).
- Status: shows whether SpamAssassin is enabled. Usually enabled by default on iWebVault.
From here you control:
- Spam Threshold Score — score at which mail is marked spam.
- Spam Auto-Delete — score at which mail is silently discarded.
- Whitelist — senders that bypass filtering.
- Blacklist — senders that are always treated as spam.
Setting the spam threshold
Default is 5.0. The trade-off:
| Threshold | Effect |
|---|---|
| 3.0 (aggressive) | Catches more spam, more false positives |
| 5.0 (default) | Balanced |
| 7.0 (lenient) | Fewer false positives, more spam reaches inbox |
| 10.0 (very lenient) | Only the most blatant spam caught |
Start at 5.0. If you’re seeing too much spam in inbox, drop to 4.0. If legitimate mail keeps going to spam, raise to 6.0 or 7.0.
The threshold change is per-account. To apply it: Spam Filters → Configure → set Spam Threshold → Update Scoring Options.
Setting the auto-delete threshold (use carefully)
Mail scoring at or above the auto-delete score is silently discarded: it is never delivered, never placed in the spam folder, never seen by you. Useful for accounts that receive large volumes of obvious spam.
Recommended setting: 10.0 or higher. Mail scoring that high is almost certainly spam, with very low false-positive risk.
Risks of auto-delete: if it’s set too aggressively, you’ll lose legitimate mail permanently. Start conservative; lower only after observing what scores your real spam gets (check the X-Spam-Score header on actual spam in your spam folder).
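The trade-off in the threshold table and the auto-delete caveat above can be checked against your own mail rather than guessed. The script below is an added example, not cPanel or SpamAssassin code: it takes a constructed sample of X-Spam-Score values (the ham list stands in for scores read from your Inbox, the spam list for scores read from your Spam folder), sweeps the candidate thresholds from the table, and shows what a given auto-delete score would have destroyed. The three-point safety margin in `safe_auto_delete` is my own assumption, not a SpamAssassin default.

```python
"""Added example (not from cPanel or SpamAssassin): how the spam threshold and the
auto-delete score interact, evaluated over a constructed sample of scores.

Real values come from the X-Spam-Score header of mail already in your Inbox (ham)
and Spam folder (spam); the lists below are constructed for illustration."""

# Constructed sample: X-Spam-Score values observed on real mail.
HAM_SCORES = [-1.2, 0.3, 1.1, 2.4, 3.6, 4.2, 4.8, 5.3, 6.1]      # legitimate mail
SPAM_SCORES = [3.9, 5.5, 6.8, 8.3, 9.7, 11.2, 14.0, 17.5, 22.1]  # confirmed spam


def classify(score, threshold=5.0, auto_delete=None):
    """Return 'delete', 'spam' or 'inbox' for one message.

    SpamAssassin flags a message when score >= the required threshold; cPanel's
    auto-delete discards it when the score reaches the auto-delete setting.
    Auto-delete is checked first: a deleted message never reaches any folder.
    """
    if auto_delete is not None and score >= auto_delete:
        return "delete"
    if score >= threshold:
        return "spam"
    return "inbox"


def evaluate(threshold, ham=HAM_SCORES, spam=SPAM_SCORES):
    """Count outcomes for a candidate threshold: spam caught, spam missed,
    and legitimate mail wrongly flagged (false positives)."""
    caught = sum(1 for s in spam if s >= threshold)
    false_pos = sum(1 for s in ham if s >= threshold)
    return {
        "threshold": threshold,
        "spam_caught": caught,
        "spam_missed": len(spam) - caught,
        "false_positives": false_pos,
    }


def safe_auto_delete(ham=HAM_SCORES, margin=3.0, floor=10.0):
    """Suggest an auto-delete score that no legitimate message in the sample
    would reach: the highest ham score plus a safety margin (margin is an
    assumption of this example), but never below the article's 10.0 floor."""
    return max(floor, max(ham) + margin)


def deleted_ham(auto_delete, ham=HAM_SCORES):
    """Legitimate messages that a given auto-delete score would have destroyed."""
    return [s for s in ham if s >= auto_delete]


if __name__ == "__main__":
    for t in (3.0, 5.0, 7.0, 10.0):
        print(evaluate(t))
    print("suggested auto-delete:", safe_auto_delete())
    print("ham lost at auto-delete 6.0:", deleted_ham(6.0))
```

Run it with your own score lists and the numbers make the decision for you: on the constructed sample, 3.0 catches every spam but flags five legitimate messages, 7.0 flags none but lets three spam through, and an auto-delete of 6.0 would already have destroyed one real message, which is why the suggested setting stays at 10.0.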
Whitelisting senders
Whitelisted senders are never marked as spam. SpamAssassin still scans the message (so the X-Spam headers are still added), but the whitelist rule subtracts 100 points, which outweighs any realistic content score, so the mail goes straight to the inbox. Useful for:
- Critical correspondents whose mail occasionally gets false-positived.
- Automated systems sending alerts (monitoring, accounting tools).
- Newsletters you actually want.
- Spam Filters → Configure → Edit Spam Whitelist Settings.
- Add senders. Format options:
  - specific@sender.com — single address.
  - *@sender.com — every address at that domain.
  - *@*.sender.com — every address at any subdomain (mail.sender.com and so on). This pattern does not match the bare domain, so add *@sender.com as well if you want both.
- Update Whitelist.
Whitelist is powerful. It matches the From address as written in the message and does not verify it, so a spammer who forges a whitelisted address sails straight past filtering. Use specific addresses where possible rather than wildcards, and do not whitelist your own domain: forged mail that appears to come from yourself or a colleague is a common phishing pattern.
Blacklisting senders
Mail from blacklisted senders is always marked spam (or auto-deleted if you set that). Format same as whitelist.
Use for:
- Persistent spammers SpamAssassin keeps missing.
- Senders you’ve unsubscribed from but still get mail from.
- Specific addresses you want to never hear from again.
Reading the X-Spam headers
SpamAssassin adds headers to every scanned email. View an email’s full headers (in most mail clients: “View source” or “Show original”):
- X-Spam-Flag: YES — message scored at or above the threshold (the header is only added when it did).
- X-Spam-Score: 8.3 — actual score.
- X-Spam-Status: Yes, score=8.3 required=5.0 tests=BAYES_99,SPF_FAIL,… — the verdict, the score, the threshold in force, and which rules triggered.
- X-Spam-Bar: ++++++++ — visual indicator: one + per whole point, with the fraction dropped (a score of 4.9 shows four).
The test names show specifically why a message was flagged. Examples:
- SPF_FAIL — sender’s SPF check failed.
- DKIM_INVALID — DKIM signature couldn’t be validated.
- HTML_MIME_NO_HTML_TAG — HTML-only message that contains no HTML tag (a sign of sloppy or automated mail generation).
- FROM_EXCESS_BASE64 — From address base64-encoded when it did not need to be (a common spam trick).
- BAYES_99 — Bayesian filter highly confident it’s spam.
Useful for diagnosing why legitimate mail keeps getting flagged — check the X-Spam-Status of a false-positive and address the specific issue (often SPF or DKIM misconfiguration on the sender’s end).
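Reading these headers by eye works for one message; for a folder of false positives it helps to parse them. The following is an added example, not cPanel or SpamAssassin code. It unfolds a message's headers, parses X-Spam-Status into the verdict, score, required threshold and test list, separates the tests that point at the sender's SPF/DKIM setup from the rest, and reproduces the X-Spam-Bar rule (one + per whole point, capped at 50, which is how SpamAssassin's _STARS_ template behaves) so you can check whether a "Spam Bar contains +++++" filter would fire. The header block and the plain-English test descriptions are constructed for the example; the rule names are real SpamAssassin tests.

```python
"""Added example (not cPanel's or SpamAssassin's code): parse the X-Spam-* headers
SpamAssassin adds and explain why a message was flagged.

SAMPLE_HEADERS is constructed: a hypothetical false positive from a real sender
whose SPF and DKIM are misconfigured, so authentication rules pushed it over 5.0.
Rule names are real SpamAssassin tests; the scores are illustrative."""
import re

SAMPLE_HEADERS = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
From: alerts@example.com
Subject: Nightly backup report
X-Spam-Flag: YES
X-Spam-Score: 6.4
X-Spam-Status: Yes, score=6.4 required=5.0 tests=DKIM_INVALID,SPF_FAIL,
\tHTML_MIME_NO_HTML_TAG,BAYES_50 autolearn=no version=3.4.6
X-Spam-Bar: ++++++
"""

# Tests that point at the sender's mail setup rather than the content.
# Descriptions are this example's wording, not SpamAssassin's.
SENDER_AUTH_TESTS = {
    "SPF_FAIL": "SPF hard fail: sending IP not authorised by the sender's SPF record",
    "SPF_SOFTFAIL": "SPF soft fail: sending IP not listed, record ends in ~all",
    "DKIM_INVALID": "DKIM signature present but did not verify",
}

# X-Spam-Status layout: "Yes, score=6.4 required=5.0 tests=A,B,C autolearn=..."
STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>[^=]*?)(?:\s+\w+=|$)"
)


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_headers(raw):
    """Return {lowercase-name: value} for a raw header block."""
    headers = {}
    for line in unfold(raw).splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_spam_status(headers):
    """Extract verdict, score, threshold and the list of rules that fired."""
    m = STATUS_RE.match(headers.get("x-spam-status", ""))
    if not m:
        return None
    return {
        "flagged": m["flag"] == "Yes",
        "score": float(m["score"]),
        "required": float(m["required"]),
        "tests": [t.strip() for t in m["tests"].split(",") if t.strip()],
    }


def diagnose(status):
    """Split sender-side authentication failures from content rules and report
    how far over the threshold the message landed."""
    auth = [t for t in status["tests"] if t in SENDER_AUTH_TESTS]
    other = [t for t in status["tests"] if t not in SENDER_AUTH_TESTS]
    return {
        "over_by": round(status["score"] - status["required"], 1),
        "sender_side": [SENDER_AUTH_TESTS[t] for t in auth],
        "other": other,
    }


def bar_for(score):
    """SpamAssassin's _STARS_ template: one '+' per whole point, fraction dropped,
    nothing for negative scores, capped at 50 characters."""
    return "+" * max(0, min(50, int(score)))


def junk_rule_matches(headers, rule="+++++"):
    """The cPanel Email Filter 'Spam Bar contains +++++' as a substring test."""
    return rule in headers.get("x-spam-bar", "")


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_HEADERS)
    status = parse_spam_status(hdrs)
    print(status)
    print(diagnose(status))
    print("junk filter fires:", junk_rule_matches(hdrs))
```

On the constructed message the diagnosis is two sender-side failures (SPF and DKIM) worth fixing at example.com, plus two content rules that would not have crossed 5.0 on their own; that is the usual shape of a false positive, and the fix is on the sender's DNS, not on your threshold.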
Training Bayesian filter (advanced)
SpamAssassin’s Bayesian filter learns from examples of spam and ham (legitimate mail). Auto-learn feeds it automatically, but only from messages that score far above or far below the threshold; mail you drag into Junk by hand is not learned unless you train on it explicitly.
Manual training requires SSH access:
```shell
# Train on spam: point sa-learn at the Maildir folder holding confirmed spam
sa-learn --spam /path/to/spam/folder
# Train on legitimate mail (ham)
sa-learn --ham /path/to/inbox
```
Reasonable for VPS users; on shared hosting, the server-wide Bayesian filter is already trained on huge volumes — your individual training has limited additional benefit.
Reducing spam at the source
SpamAssassin filters what reaches you. Better strategy: reduce what gets sent in the first place.
- Don’t publish raw email addresses on websites. Use contact forms or obfuscate addresses with JavaScript / “@” replacements.
- Use disposable aliases for signups. When one starts attracting spam, delete just that alias (see the forwarder strategy guide).
- Disable catch-all if it’s bringing in dictionary attacks. Specific addresses + named forwarders only.
- Unsubscribe from legitimate-but-unwanted mail. Don’t just delete — actually unsubscribe so the volume drops.
Common SpamAssassin questions
“All my legitimate mail is going to spam.” Threshold too low. Raise to 6.0 or 7.0. Also check X-Spam-Status headers to see what rules are firing — often a fixable sender-side issue.
“Spam still flooding my inbox despite SpamAssassin.” Threshold too high. Lower to 4.0. Also consider blacklisting top offenders. Verify SpamAssassin is actually enabled (status check at Spam Filters page).
“How do I move all flagged spam to a Junk folder automatically?” Create an Email Filter (cPanel → Email → Email Filters): rule “Spam Status contains Yes” → action “Deliver to folder Junk”. “Spam Bar contains +++++” also works, but the bar counts whole points, so that rule is fixed at a score of 5.0 and will not follow a threshold you have raised or lowered; “Spam Status contains Yes” tracks whatever threshold is configured.
“My mail client (Gmail, Outlook) has its own spam filter — does SpamAssassin still matter?” Yes — SpamAssassin acts before mail enters your IMAP folders, while your client filters within them. Both running together gives better protection.
“Can I see what’s been auto-deleted?” No — auto-delete is irreversible. That’s why the threshold should be set high (10+). Lower thresholds risk losing legitimate mail permanently.
What’s next
- Authentication makes mail less likely to be filtered as spam at receivers: SPF/DKIM/DMARC.
- If your OUTGOING mail is going to spam at receivers: Deliverability guide.
- Filtering and forwarding routing: Email filters and catch-alls.
SpamAssassin’s defaults are good. Most accounts only need to tune the threshold and add a handful of whitelist entries for specific correspondents. Spend 10 minutes once, save hours of inbox triage over time.