Choosing the Right Spam Threshold: A Data-Driven Guide
Every alias and relay address in Cleanbox has a spam threshold — the score at which incoming messages are flagged as spam. Set it too low and legitimate emails get caught. Set it too high and spam gets through. The sweet spot depends on who emails that address and how much risk you can tolerate.
This guide helps you choose the right threshold for every alias, based on its purpose and risk profile.
How spam scores work
Every incoming email is analyzed by Rspamd (see how spam filters work), which checks authentication (SPF, DKIM, DMARC), content patterns, URL reputation, sender reputation, and dozens of other signals. Each check adds or subtracts from the score.
| Score range | What it typically means |
|---|---|
| -2 to 0 | Verified legitimate email (passed all checks, trusted sender) |
| 0 to 2 | Probably legitimate (minor issues, first-time sender) |
| 2 to 4 | Grey area (marketing email, weak authentication, bulk sender) |
| 4 to 7 | Likely spam (multiple red flags, failed authentication) |
| 7 to 10 | Almost certainly spam (known spam patterns, blacklisted sender) |
| 10+ | Definite spam (phishing URL, virus attachment, known scam) |
The two thresholds
Cleanbox uses a two-threshold system per address:
- Quarantine threshold — Score at which messages are held for review (you can release or delete them)
- Reject threshold — Score at which messages are rejected outright (sender gets a bounce)
Score 0 → [ delivered ] → quarantine threshold → [ quarantined ] → reject threshold → [ rejected ]
The quarantine zone is your safety net. It catches borderline messages without losing them permanently.
Recommended thresholds by use case
| Use case | Quarantine | Reject | Why |
|---|---|---|---|
| Public contact form (info@, contact@) | 3 | 6 | Highest spam exposure. Be aggressive. Anyone important will pass. |
| Shopping alias (shop-amazon@) | 4 | 7 | Order confirmations score low. Marketing scores higher. Catches promo spam. |
| Newsletter alias (news@) | 5 | 8 | Newsletters often score 2-4 due to marketing content. Do not quarantine them. |
| Personal alias (shared with friends) | 5 | 8 | Mostly known senders. Whitelist the important ones for extra safety. |
| Business alias (client communication) | 6 | 9 | Missing a client email is worse than getting spam. Be lenient. |
| Financial alias (banking, invoices) | 5 | 8 | Use Gatekeeper instead of low thresholds. Only approved senders. |
| Relay: public inbox (info@domain.com) | 3 | 5 | Public addresses are spam magnets. Aggressive filtering + DNSBL checks. |
| Relay: internal (admin@domain.com) | 6 | 9 | Internal addresses receive less spam. Prioritize delivery over filtering. |
The decision framework
For any alias, ask these three questions:
1. How exposed is this address?
- Published online (website, forums, social media) → Lower thresholds (more aggressive)
- Shared with services (shopping, subscriptions) → Medium thresholds
- Shared with known people only (friends, colleagues) → Higher thresholds (more lenient)
2. What is the cost of a false positive?
- Low cost (newsletter alias — missing one issue is fine) → Lower thresholds
- Medium cost (shopping alias — might miss an order confirmation) → Medium thresholds
- High cost (client email — missing a message loses business) → Higher thresholds + whitelist
3. What is the cost of a false negative?
- Low cost (personal alias — seeing spam is annoying but harmless) → Higher thresholds
- Medium cost (work alias — spam wastes time) → Medium thresholds
- High cost (financial alias — phishing email could lead to fraud) → Lower thresholds + Gatekeeper
Using whitelists instead of high thresholds
A common mistake is setting very high thresholds (9-10) to avoid false positives. This lets most spam through. A better approach:
- Set a moderate threshold (5-6)
- Whitelist the specific senders you trust
- Whitelisted senders bypass spam checks entirely — they always deliver regardless of threshold
This gives you strong spam protection for unknown senders while guaranteeing delivery for known contacts. It is the best of both worlds.
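The trade-off described above, as an added example (not Cleanbox code): it applies the two-threshold rule to a constructed week of scored messages and compares a 9/10 policy with 5/8 and with 5/8 plus a whitelist. The function names, the sample senders and scores, and the choice that a score equal to a threshold triggers that action are assumptions made for illustration.

```python
from collections import Counter


def disposition(score, sender, quarantine, reject, whitelist=frozenset()):
    """Apply the two-threshold rule to one message.

    Assumption: a score equal to a threshold triggers that action.
    """
    if sender.lower() in whitelist:
        return "delivered"  # whitelisted senders bypass scoring entirely
    if score >= reject:
        return "rejected"
    if score >= quarantine:
        return "quarantined"
    return "delivered"


# Constructed sample week: (sender, score, is_spam ground truth)
WEEK = [
    ("client@example.org", 5.4, False),  # real client, weak authentication
    ("orders@shop.example", 1.2, False),
    ("news@letter.example", 3.1, False),
    ("promo@bulk.example", 6.3, True),
    ("win@prize.example", 7.8, True),
    ("bank-alert@phish.example", 8.6, True),
    ("pills@spam.example", 11.5, True),
]


def evaluate(quarantine, reject, whitelist=frozenset()):
    """Count outcomes and both error types for one threshold policy."""
    stats = Counter()
    for sender, score, is_spam in WEEK:
        result = disposition(score, sender, quarantine, reject, whitelist)
        stats[result] += 1
        if is_spam and result == "delivered":
            stats["spam_in_inbox"] += 1  # false negative
        if not is_spam and result != "delivered":
            stats["legit_held"] += 1  # false positive
    return stats


high = evaluate(quarantine=9, reject=10)
moderate = evaluate(quarantine=5, reject=8)
moderate_wl = evaluate(5, 8, whitelist=frozenset({"client@example.org"}))

if __name__ == "__main__":
    for name, s in [("9/10", high), ("5/8", moderate), ("5/8 + whitelist", moderate_wl)]:
        print(f"{name:16} {dict(s)}")
```

With these constructed messages, the 9/10 policy delivers three spam messages, 5/8 alone holds the client's message in quarantine, and 5/8 with the client whitelisted does neither.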
The quarantine safety net
The quarantine threshold is your buffer zone. Messages in quarantine are held — not lost. You can review and release them if they are legitimate.
Tips for using quarantine effectively:
- Check quarantine regularly — At least weekly. A dashboard badge shows the count.
- When you release a message, whitelist the sender — Prevents the same sender from being quarantined again.
- When you delete a quarantined message, mark it as spam — Trains the Bayesian classifier.
- Quarantined messages are retained for 30 days regardless of your plan retention period.
Adjusting over time
Your initial threshold is a starting point, not a permanent setting. Monitor and adjust:
- Too many false positives in quarantine? → Raise the quarantine threshold by 1 point. Or whitelist the specific senders being caught.
- Spam getting through to inbox? → Lower the reject threshold by 1 point. Or create a filter rule for the specific spam pattern.
- Quarantine is always empty? → Your quarantine threshold may be too high (the gap between quarantine and reject is too narrow). Widen the gap.
- Quarantine is always full of spam? → Your reject threshold may be too high. Lower it so obvious spam gets rejected instead of quarantined.
Aim for a quarantine that catches 2-5 messages per week. Fewer means the threshold might be too high. More means you should lower the reject threshold to catch the obvious ones automatically.
Final recommendations
- Default starting point: Quarantine at 4, reject at 7. Adjust from there.
- Always whitelist critical senders. Do not rely on thresholds alone for important contacts.
- Use Gatekeeper for high-security aliases. Thresholds are about scoring; Gatekeeper is about identity. For financial and sensitive aliases, identity-based protection is stronger.
- Review quarterly. Your email patterns change. Reassess thresholds every 3 months.