Spam filtering
EmailConnect provides built-in spam filtering powered by Rspamd to protect your webhooks from unwanted emails. For Maker+ users, spam analysis is automatically enabled on all custom domains.
How spam filtering works
Every email sent to your Maker+ custom domains is automatically analyzed by Rspamd, which:
- Checks SPF, DKIM, and DMARC authentication
- Analyzes email headers and content patterns
- Detects phishing attempts (suspicious URLs, display text mismatches)
- Checks URLs against known phishing databases (OpenPhish, PhishTank)
- Assigns a spam score from 0 (ham) to 15+ (definite spam)
The spam score and analysis results are included in every webhook payload, giving you full visibility into email authenticity.
Phishing protection
EmailConnect automatically detects phishing attempts using multiple techniques:
What we detect
| Technique | Description |
|---|---|
| Display text mismatch | Links showing "paypal.com" but pointing to "evil-site.com" |
| Known phishing URLs | URLs matching OpenPhish and PhishTank databases |
| Suspicious redirects | Short URLs and redirect services often used in phishing |
| Brand impersonation | Emails mimicking legitimate services (banks, tech companies) |
How it works
Phishing detection analyzes the content of emails (URLs, HTML, text patterns) rather than sender IP addresses. This means phishing protection works reliably regardless of how the email was delivered.
When phishing is detected, the spam score increases and a phishing indicator appears in the webhook symbols array:
{
"spam": {
"score": 6.5,
"symbols": [
{ "name": "PHISHED_URL", "weight": 4.0, "description": "evil-site.com" }
]
}
}
Common phishing symbols include:
PHISHED_URL- URL matches known phishing databasePHISHING- General phishing indicators detectedPHISHED_DISPLAYED_URL- Display text doesn't match actual URL
Phishing vs spam score
Phishing detection contributes to the overall spam score. A detected phishing URL typically adds 3-5 points, pushing the email into the "likely spam" or "very likely spam" range.
You can use alias rules based on spam score to block suspected phishing emails:
- Score >= 5 for moderate protection
- Score >= 7 for stricter protection
What's included in webhooks
When spam filtering is active, your webhook payload includes a spam object:
{
"message": {
"sender": { "email": "user@example.com" },
"subject": "Hello world",
...
},
"spam": {
"score": 2.3,
"threshold": 15.0,
"isSpam": false,
"symbols": [
{ "name": "DKIM_VALID", "weight": -0.1, "description": "example.com" },
{ "name": "R_SPF_ALLOW", "weight": -0.2, "description": null }
],
"authentication": {
"dkim": { "result": "pass", "domain": "example.com" },
"spf": { "result": "pass" },
"dmarc": { "result": "pass" }
},
"engine": "rspamd"
}
}
| Field | Description |
|---|---|
score |
The spam score (0 = clean, higher = more likely spam) |
threshold |
The threshold at which rspamd considers an email spam |
isSpam |
Whether the email exceeds the spam threshold |
symbols |
Array of detection symbols that contributed to the score |
authentication |
DKIM, SPF, and DMARC verification results |
engine |
The spam detection engine used |
Controlling spam behavior with alias rules
While spam analysis runs automatically, you decide what happens based on the results. Use alias rules to define actions based on spam score:
Example: Block high-scoring spam
Create a rule to reject emails with a spam score >= 7:
- Go to your alias settings
- Click "Configure rules"
- Add a condition: Spam score >= 7
- Set action: Block
- Optionally enable sender notification
Example: Tag suspicious emails
For moderate spam scores, you might want to deliver but tag:
- Add a condition: Spam score >= 5
- Set action: Tag
- Save the rule
Tagged emails are delivered with an X-EmailConnect-Tagged: spam header and X-EmailConnect-Spam-Score header, allowing your webhook endpoint to handle them differently.
Example: Allow trusted senders regardless of score
Combine spam score with sender rules:
- Condition 1: Sender domain equals @trusted-partner.com
- Set action: Allow
This ensures emails from trusted partners are never blocked, even if they trigger spam detection.
Understanding spam scores
| Score range | Interpretation | Recommended action |
|---|---|---|
| 0 - 2 | Clean email | Allow |
| 2 - 5 | Slightly suspicious | Allow or monitor |
| 5 - 7 | Likely spam | Tag or block |
| 7 - 10 | Very likely spam | Block |
| 10+ | Definite spam | Block |
These are guidelines - adjust thresholds based on your use case.
Best practices
For public-facing addresses (support@, info@)
- Set a rule to block spam score >= 7
- Consider tagging scores >= 5 for manual review
- Enable sender notifications for blocked emails
For transactional addresses (orders@, invoices@)
- Be more conservative - block only score >= 10
- Allow known sender domains explicitly
- Monitor for false positives initially
For internal automation
- Consider lower thresholds since automated emails can sometimes trigger spam detection
- Use sender allowlists for known automation sources
Availability
| Plan | Spam filtering |
|---|---|
| Free | Not available |
| Maker | Automatic on all custom domains |
| Platform | Automatic with custom configuration |
System aliases (@user.emailconnect.eu) use basic processing and do not include spam analysis.
FAQ
Is spam filtering automatic for Maker+ users?
Yes. Once you have a Maker+ subscription, spam analysis runs on all emails to your custom domains. You don't need to enable anything.
Do I have to create rules?
No. Without rules, all emails are delivered to your webhook with spam data included. You can filter in your own application using the spam score, or set up rules in EmailConnect to block/tag before delivery.
What happens to blocked emails?
Blocked emails are rejected at delivery time. If you enable sender notification, the sender receives a bounce message explaining the rejection.
Can spam filtering block legitimate emails?
It's possible. If you suspect false positives:
- Check the spam score in your webhook logs
- Create an allow rule for the sender domain
- Lower your blocking threshold
- Contact support if issues persist
Does spam filtering affect email speed?
No. Spam analysis runs in real-time as part of email processing with negligible latency impact.
Can I see why an email was flagged?
Yes! Check the symbols array in your webhook payload. Each symbol shows what was detected and how much it contributed to the spam score. Common symbols include authentication results (DKIM_VALID, R_SPF_ALLOW), phishing indicators (PHISHED_URL), and content patterns.
Is phishing detection automatic?
Yes. Phishing detection is part of the standard spam analysis for Maker+ users. No additional configuration needed. When phishing is detected, you'll see phishing-related symbols in your webhook payload and an increased spam score.
How do I block phishing emails specifically?
Phishing detection contributes to the overall spam score (typically +3 to +5 points). Create an alias rule to block emails with spam score >= 5 or >= 7 depending on how strict you want to be. All detected phishing attempts will be caught by this threshold.
Related documentation
- Alias rules - Configure actions based on spam score and other conditions
- Email processing - Understanding the email processing pipeline
- Domain setup - Setting up custom domains