Configuring spam filtering for your mailbox.
Apache SpamAssassin in cPanel — what it catches, how to whitelist senders, and what to do with false positives.
Every mailbox at Rivervo has Apache SpamAssassin filtering enabled by default. Most spam never reaches your inbox.
What SpamAssassin does
For each incoming message, SpamAssassin scores it based on dozens of rules:
- Sender authentication (SPF/DKIM/DMARC failures = +points)
- Content patterns ("viagra", "click here NOW", lots of CAPITALS = +points)
- Header analysis (forged Date, suspicious Received chain = +points)
- Blocklist checks (sender IP on Spamhaus = +points)
Total score >5.0 → marked spam. Score >10.0 → optionally rejected at the gate.
Default behavior at Rivervo
- Messages scored 5+: delivered to your Spam folder (
Junkin some clients) - Messages scored 10+: rejected at the SMTP gate (sender gets a bounce)
- Messages scored under 5: delivered to inbox normally
You can adjust thresholds per-mailbox or per-domain.
Adjusting per-mailbox
cPanel → Spam Filters → Auto-Delete Spam (Spam Box) lets you toggle:
- Move to spam folder (default) — safest
- Reject delivery — for known clean recipients only; otherwise legit mail bouncing is bad
- Disable filtering — only if you have a downstream filter (Google Workspace, etc.)
Whitelist a sender
Mail from a specific sender keeps landing in spam? Whitelist them.
cPanel → Spam Filters → Show Additional Configurations → Edit Whitelist Settings:
whitelist_from user@goodsender.com
whitelist_from *@trustedcompany.comSave. Future mail from these senders skips spam scoring.
Blacklist a sender
Same panel, Edit Blacklist Settings:
blacklist_from user@spammer.com
blacklist_from *@spammydomain.comMail from these is auto-marked spam regardless of content.
Clearing the spam folder
Spam folder retains for 30 days by default, then auto-purges. To force:
cPanel → Email Accounts → mailbox → Manage → Empty Spam folder.
Or in webmail: select Spam folder → Empty.
False positives — pulling legitimate mail back
If a real message lands in spam:
- In your client, mark as Not Spam. This trains the filter (with most clients) and lowers the score for similar future mail.
- Add the sender to your whitelist (above).
- Tell the sender they may need to set up SPF/DKIM/DMARC on their domain — the most common reason their mail gets caught.
False negatives — spam in inbox
Mark as Spam in your client. Some clients submit the message back to SpamAssassin for training. Worst case, add the sender to blacklist.
SpamAssassin score threshold
cPanel → Spam Filters → Spam Threshold Score.
Lower = more aggressive (5.0 default → 3.0 catches more, but more false positives). Higher = more permissive (5.0 default → 7.0 catches less spam, but fewer false positives).
Don't go below 3.0. The marginal spam you'd catch isn't worth the legitimate mail you'd lose.
Server-wide vs per-domain
Settings in Spam Filters are per-mailbox. To change defaults for an entire domain, contact us — we can adjust the domain-level config in Exim.
When SpamAssassin isn't enough
For high-volume business mail with lots of customer support tickets, the default Apache SpamAssassin can be overwhelmed. Consider:
- Rspamd (replaces SpamAssassin, modern, ML-based) — we can install on managed plans
- Forward all mail to Google Workspace — Google's spam filter is industry-best, $6/user/mo
- MXroute or similar — dedicated email-only host