Overview
EmailConnect applies three independent security layers to every inbound email before it reaches your webhook endpoint. Each layer operates independently — a failure in one does not affect the others. Together they provide spam filtering, authentication verification, and virus scanning.
Spam filtering
Rspamd scores every email. Phishing detection, content analysis, sender reputation. All plans.
Authentication
DKIM, SPF, and DMARC verified against DNS records. Results in every payload. Maker+.
Virus scanning
ClamAV scans every attachment. Infected files rejected, clean files delivered with metadata. Business+.
Layer 1 — Spam filtering
Spam filtering is powered by rspamd, which replaced SpamAssassin in January 2026. It runs before any application logic on every inbound email, regardless of plan.
Rspamd uses composite scoring: negative scores indicate cleaner emails, while higher scores indicate more suspicious content. The engine combines multiple signals to produce a final verdict.
Phishing detection
URLs in the email body and headers are checked against the OpenPhish and PhishTank databases. Known phishing domains are flagged immediately.
Content analysis
Rspamd examines header patterns and sender reputation, and applies Bayesian filtering to the message body. Individual rule matches are returned as symbols in the payload so you can see exactly which rules triggered.
What’s in the payload
Every webhook payload includes the spam analysis result. The key fields are spam.score, spam.isSpam, and spam.symbols (individual rule matches):
"spam": {
  "isSpam": false,
  "score": 0.2,
  "engine": "rspamd"
}
For a detailed breakdown of scoring and symbol meanings, see the spam filtering help article.
Layer 2 — Authentication
Three independent checks run during SMTP reception to verify that the sender is who they claim to be:
DKIM
DomainKeys Identified Mail uses a cryptographic signature to prove the email was not altered in transit. A “pass” result means the content is exactly what the sender signed.
SPF
Sender Policy Framework confirms the sending server is authorised to send for that domain. This prevents spoofing by checking the sender’s IP against the domain’s published DNS records.
DMARC
Domain-based Message Authentication, Reporting, and Conformance is the domain owner’s published policy on what to do when DKIM or SPF fail. It ties the other two protocols together into an actionable policy.
Authentication results are included in the spam.authentication object:
"authentication": {
  "dkim": { "result": "pass" },
  "spf": { "result": "pass" },
  "dmarc": { "result": "pass" }
}
Layer 3 — Virus scanning
Virus scanning uses the ClamAV engine and is available on Business+ plans. It runs in a separate pipeline from rspamd and scans all attachments before delivery.
Clean files are delivered normally with a virusScan.status: "clean" field and the scan duration in milliseconds.
Infected files are rejected. The attachment object includes excluded: true, excludeReason: "virus-detected", and the specific threat name from ClamAV. No download URL is provided — your application never receives the malicious content.
Every Business+ payload includes a top-level security.virusScan summary:
"security": {
  "virusScan": {
    "scanned": true,
    "engine": "clamav",
    "attachmentsScanned": 1,
    "threatsFound": 0
  }
}
For step-by-step testing instructions, see the testing virus scanning with EICAR guide.
Why virus scanning is separate from spam filtering
Rspamd runs at the SMTP layer — before application logic, before we know which plan the recipient is on. It needs to be fast because it processes every email for every plan.
Virus scanning involves heavier compute: loading the full ClamAV engine with current virus definitions and scanning each attachment individually. It is a Business+ feature, so it runs in a separate post-reception flow after plan identification.
This architecture means spam filtering stays fast for everyone, while virus scanning adds depth for higher-tier plans without slowing down the core pipeline.
Plan availability
| Security layer | Free | Maker | Business | Platform |
|---|---|---|---|---|
| Spam filtering (basic) | + | + | + | + |
| Spam analysis (rspamd details) | - | + | + | + |
| Authentication (DKIM/SPF/DMARC) | - | + | + | + |
| Virus scanning (ClamAV) | - | - | + | + |
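
Because the authentication and virus-scan fields depend on the plan, a webhook consumer should treat an absent field as "not checked" rather than "passed". The following is an added example of such a triage function, not EmailConnect's own code; the top-level `attachments` key, the `filename` field, the sample payload and the `max_score` threshold are assumptions made for illustration.

```python
# Constructed sample payload. Field names follow the snippets on this page; the
# top-level "attachments" key and "filename" are assumptions for illustration.
SAMPLE = {
    "spam": {
        "isSpam": False, "score": 0.2, "engine": "rspamd",
        "authentication": {
            "dkim": {"result": "pass"},
            "spf": {"result": "pass"},
            "dmarc": {"result": "fail"},
        },
    },
    "attachments": [
        {"filename": "invoice.pdf", "virusScan": {"status": "clean"}},
        {"filename": "tool.zip", "excluded": True, "excludeReason": "virus-detected"},
    ],
    "security": {"virusScan": {"scanned": True, "engine": "clamav",
                               "attachmentsScanned": 2, "threatsFound": 1}},
}

def triage(payload, max_score=5.0):
    """Return (verdict, reasons); max_score is a hypothetical local threshold."""
    reasons = []
    spam = payload.get("spam") or {}
    if spam.get("isSpam") or spam.get("score", 0) >= max_score:
        reasons.append("spam")
    # Authentication is plan-dependent: an absent result is unverified, not "pass".
    auth = spam.get("authentication") or {}
    for check in ("dkim", "spf", "dmarc"):
        result = (auth.get(check) or {}).get("result", "missing")
        if result != "pass":
            reasons.append(f"{check}={result}")
    # Virus scanning is plan-dependent too: no summary means nothing was scanned.
    scan = (payload.get("security") or {}).get("virusScan") or {}
    attachments = payload.get("attachments") or []
    if attachments and not scan.get("scanned"):
        reasons.append("attachments-unscanned")
    if scan.get("threatsFound", 0) > 0:
        reasons.append("threats-found")
    for att in attachments:
        if att.get("excluded") and att.get("excludeReason") == "virus-detected":
            reasons.append(f"infected:{att.get('filename', '?')}")
    hard = {"spam", "dmarc=fail", "threats-found"}
    if any(r in hard or r.startswith("infected:") for r in reasons):
        return "quarantine", reasons
    return ("review" if reasons else "accept"), reasons
```

A payload without `spam.authentication` or `security.virusScan` comes back as `review`, never `accept`, so a lower-tier payload is not mistaken for a verified one.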
For compliance teams
These three layers provide an auditable security trail for every email processed through EmailConnect. Every scan result, authentication check, and spam score is included in the webhook payload — nothing is hidden or summarised away.
All processing happens on EU infrastructure (Scaleway France, Hetzner Germany). No email data leaves the European Union at any point in the pipeline.
Virus scan metadata — including engine version, definitions version, and scan duration — supports incident response and forensic analysis. If an attachment is flagged, you have the exact threat name, the engine version that detected it, and the timestamp of the scan.
What compliance teams get
- Full spam analysis with individual rule matches
- DKIM/SPF/DMARC verification results per email
- Per-attachment virus scan results with threat names
- Engine versions and definitions timestamps for audit trails
- EU-only processing — no data transfers outside the European Union
Questions about email security or compliance? Get in touch at hello@emailconnect.eu.