Havenoro CP
Log In
Home/ Tutorials/ Spam & Filtering

Spam & Filtering Explained

Understand how spam filtering works and how to keep your inbox clean while ensuring legitimate email gets through.

On This Page

Spam is an unfortunate reality of email. Havenoro CP includes several layers of protection to minimize unwanted email while ensuring legitimate messages reach your inbox. This page explains how each layer works and how to configure them for your needs.

What is Spam?

Spam is unwanted, unsolicited email sent in bulk — typically for advertising, phishing, or spreading malware. Think of it like unwanted flyers being shoved through your mailbox. Without spam filtering, your inbox would be overwhelmed with these messages, making it hard to find important emails from customers, colleagues, and services.

Havenoro CP uses SpamAssassin, the industry-standard spam filtering engine, to automatically classify incoming email. SpamAssassin checks each message against hundreds of rules and assigns a score. Higher scores mean the message is more likely to be spam.

How SpamAssassin Works

SpamAssassin evaluates every incoming email against hundreds of rules and assigns a spam score. Each rule that matches adds or subtracts points. For example, an email with a suspicious subject line like "BUY NOW!!!" might get +2.5 points, while a valid DKIM signature (proving the email is authentic) might subtract 1 point. The total score determines what happens to the message.

Score Range Classification Default Action
0.0 – 4.9 Legitimate (ham) Delivered to the inbox normally
5.0 – 9.9 Suspected spam Delivered to the Spam/Junk folder
10.0+ High-confidence spam Delivered to Spam folder or rejected

Examples of factors that increase the spam score:

  • Message comes from a known spam sender or a suspicious IP address
  • Missing or invalid SPF, DKIM, or DMARC authentication
  • Trigger words in the subject or body (e.g., "Free money!", "Act now!", "Guaranteed")
  • Excessive use of images with very little text
  • Broken HTML or mismatched email headers
  • Sender domain is newly registered or has a poor reputation

Configuring Spam Settings

You can configure spam filtering at the mail domain level in Havenoro CP. Each mail domain can have its own spam settings.

1

Go to the Mail tab

Click the Mail tab and click the domain you want to configure.

2

Edit the mail domain

Click the Edit icon (pencil) next to the domain name.

3

Adjust the spam threshold

In the Spam filter section, you can set the spam threshold. The default is 5.0. Lowering it (e.g., to 3.0) makes the filter stricter — more email will be flagged as spam, but you will also have more false positives (legitimate email marked as spam). Raising it (e.g., to 8.0) makes the filter more lenient — less email is flagged, but more spam reaches your inbox.

4

Choose what happens to spam

You can choose one of three actions for messages that exceed the spam threshold:

  • Deliver to spam folder — the email is placed in the Spam/Junk folder. You can check it later for false positives. This is the safest option for beginners.
  • Delete — the email is discarded immediately. Use with caution, as legitimate email will be lost.
  • Add subject tag — the email is delivered to the inbox but the subject line is prefixed with [SPAM] so you can easily identify it.
5

Save your changes

Click Save to apply the settings. Changes take effect immediately for all new incoming email.

Too-strict filtering can block real email If you set the spam threshold too low (very strict), you risk blocking legitimate customer inquiries, order confirmations, or password reset emails. Start with the default settings and adjust gradually based on your experience.
SpamAssassin configuration section showing threshold, action, and whitelist settings.

What is Greylisting?

Greylisting is a spam reduction technique that temporarily rejects email from unknown senders. Here is how it works:

When a server tries to deliver an email to your domain for the first time, your mail server temporarily rejects it with a "try again later" message. Legitimate mail servers will retry delivery after a few minutes. Spam bots, which send millions of emails and do not care if they all arrive, typically do not retry. After the sender successfully retries, your server adds them to a whitelist so future emails from that sender are delivered immediately.

Greylisting is very effective at blocking spam — it can stop 80–90% of junk email before SpamAssassin even sees it. However, it can also cause a slight delay (typically 5–15 minutes) for the first email from a new sender.

Greylisting is enabled by default In most Havenoro CP setups, greylisting is pre-configured and works automatically. You generally do not need to adjust it. If you are expecting an important email and it has not arrived after 30 minutes, check your spam folder and consider adding the sender to your whitelist.

Email Authentication (DKIM, SPF, DMARC)

SpamAssassin filters incoming email, but what about the email you send? Email authentication technologies help prove to receiving servers that your email is legitimate and not forged. Configuring these correctly is the single most important thing you can do to prevent your outgoing email from being marked as spam.

SPF (Sender Policy Framework)

SPF is like a guest list for your domain. It publishes a list of all servers that are authorized to send email for your domain. If a server that is not on the list tries to send email claiming to be from your domain, the receiving server can reject it or flag it as spam.

An SPF record is a TXT record in your DNS:

example.com.  TXT  "v=spf1 mx ~all"

This means: "Only my mail server (listed in MX records) can send email for my domain. For any other sender, mark it as a soft fail." You can also include third-party services:

example.com.  TXT  "v=spf1 mx include:_spf.google.com ~all"

This includes Google's sending servers, which is useful if you use Google Workspace for email.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to every outgoing email. Think of it like a wax seal on a letter — it proves the letter is genuinely from you and has not been opened or altered. The signature is created using a private key stored on your server. Receiving servers look up your public key (published as a TXT record in your DNS) to verify the signature.

Havenoro CP generates DKIM keys automatically when you enable the DKIM option for a mail domain. The public key is published as a TXT record like:

default._domainkey.example.com.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

If you manage DNS externally, click the DNS icon next to the mail domain in Havenoro CP to view the exact DKIM record to add at your provider.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving servers what to do if an email fails both SPF and DKIM checks. It also sends you reports about who is sending email claiming to be from your domain, which helps you detect spoofing attempts.

_dmarc.example.com.  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
Policy (p=) What it does
p=none Monitor only — no action taken. Start here to see how your email is being handled without affecting delivery.
p=quarantine Failing emails are sent to the spam/junk folder. A good intermediate step.
p=reject Failing emails are rejected entirely. The most secure option — only enable this once you are confident SPF and DKIM are working correctly for all your legitimate email.
Authentication is essential Major email providers like Gmail and Outlook now require SPF or DKIM for all incoming email. Without these records, your emails are very likely to be rejected or marked as spam, even if they are perfectly legitimate.

Checking and Managing the Spam Folder

Even with the best filtering, legitimate emails sometimes end up in the spam folder. This is called a false positive. It is important to check your spam folder regularly:

  • In webmail (Roundcube): Look for a "Spam" or "Junk" folder in the folder list on the left side of the screen.
  • In email clients: Messages may appear in the Junk folder depending on the client's settings.

If you find a legitimate email in the spam folder, mark it as "Not Spam" or "Not Junk" and move it to your inbox. In Roundcube, you can right-click the message and select "Mark as Not Spam." This helps train the spam filter to recognize similar messages as legitimate in the future.

Check your spam folder regularly Make it a habit to scan your spam folder every few days. Automated messages — order confirmations, password resets, newsletters — are sometimes incorrectly flagged. You do not want to miss an important customer inquiry because it was caught in the filter.

Next Steps

  • Configure an SMTP relay: If you send bulk or transactional email, learn how to use a relay service for better deliverability in the SMTP Relays tutorial.
  • Set up DMARC reporting: Enable DMARC with rua=mailto: to receive reports about who is sending email using your domain. This helps you detect spoofing and identify configuration issues.
  • Test your email configuration: Use a tool like Mail-Tester.com to check your spam score and identify issues before sending important campaigns.
Previous ← Setting Up Mail Domains Next SMTP Relays →