Rspamd Spam Symbols Explained: What Your Spam Report Is Telling You
If you have ever looked at the spam report on an email, you have seen a wall of cryptic names with numbers next to them: BAYES_SPAM +5.1, FORGED_SENDER +0.3, ZERO_FONT +1.0. These are Rspamd symbols — the building blocks of spam detection.
Rspamd is the open-source spam scanning engine that powers Cleanbox (and many other email services). Every incoming email is analyzed against hundreds of rules, each producing a symbol with a score. The scores are summed, and if the total exceeds your threshold, the email is flagged as spam.
Understanding these symbols helps you read spam reports, troubleshoot false positives, and create smarter filter rules.
How scoring works
Each symbol has a weight (score):
- Positive scores = spam signals (the higher, the more suspicious)
- Negative scores = legitimacy signals (the lower, the more trusted)
- Zero scores = informational only (triggered but does not affect the total)
The total score determines the outcome. A typical Cleanbox setup uses two thresholds:
- Quarantine threshold (default ~3.0): messages above this are held for review
- Reject threshold (default ~6.0): messages above this are rejected outright
The 15 most common symbols
1. BAYES_SPAM (+5.1) and BAYES_HAM (-3.0)
The Bayesian classifier is Rspamd's machine learning engine. It analyzes word patterns, phrases, and structures learned from millions of emails. BAYES_SPAM means the classifier is confident the message is spam. BAYES_HAM means it is confident the message is legitimate.
What to do: If a legitimate email triggers BAYES_SPAM, mark it as legitimate to retrain the classifier.
2. R_SPF_ALLOW (-0.2) and R_SPF_FAIL (+1.0)
SPF (Sender Policy Framework) checks whether the sending server's IP is authorized by the sender's domain. R_SPF_ALLOW means the check passed. R_SPF_FAIL means the sending server is not in the domain's SPF record.
What it means: SPF failure alone is not proof of spam — email forwarding legitimately breaks SPF. But combined with other failures, it is a strong signal.
3. R_DKIM_ALLOW (-0.2) and R_DKIM_REJECT (+1.0)
DKIM (DomainKeys Identified Mail) verifies that the email content was not modified since the sender signed it. R_DKIM_ALLOW means the signature is valid. R_DKIM_REJECT means the signature failed — the email was altered in transit or the signature is forged.
4. DMARC_POLICY_ALLOW (-0.5) and DMARC_POLICY_REJECT (+2.0)
DMARC combines SPF and DKIM alignment. DMARC_POLICY_REJECT means the sender's domain explicitly says "reject emails that fail DMARC" — and this email failed. This is a strong indicator of forgery or spoofing.
5. FORGED_SENDER (+0.3)
The "From" header (what you see) does not match the envelope sender (the actual SMTP sender). Common in phishing ("From: PayPal" but actually sent by a random server). However, many legitimate mailing lists also trigger this, which is why the score is low.
6. ZERO_FONT (+1.0)
The email contains text with font-size set to zero — invisible to humans but visible to spam filters. Spammers use this to inject random words that confuse Bayesian classifiers while the visible content remains a spam message. No legitimate email needs invisible text.
Filter tip: ZERO_FONT is one of the safest symbols to use as a deny filter. False positive rate is near zero.
7. PHISHING (+4.0)
A URL in the email has been identified as a phishing link — the visible link text shows one URL while the actual href points somewhere else, or the URL is in a known phishing database (OpenPhish, PhishTank).
8. SPOOF_DISPLAY_NAME (+8.0)
The sender's display name contains an email address that is different from the actual From address. Example: the display name says "support@paypal.com" but the From address is hacker@random.xyz. This is a classic impersonation technique.
9. FUZZY_DENIED (+12.0)
The email matches a known spam fingerprint in Rspamd's distributed fuzzy hash database. This is one of the highest-scoring symbols — if it triggers, the email is almost certainly spam. Fuzzy hashing catches spam even when the text is slightly modified between campaigns.
10. R_WHITE_ON_WHITE (+4.0)
The email contains low-contrast text — white text on a white background, or similar color tricks. Like zero-font, this is used to hide content from human readers while feeding it to spam filters.
11. RDNS_NONE (+0.5)
The sending server has no reverse DNS (PTR) record. Legitimate mail servers almost always have rDNS configured. Missing rDNS suggests the server is a compromised machine, a residential IP, or hastily set up infrastructure.
12. LEAKED_PASSWORD_SCAM (+7.0)
The email contains a Bitcoin wallet address combined with scam language patterns. This catches sextortion emails that claim "I hacked your webcam, pay me Bitcoin." These are almost always mass-sent from leaked email databases.
13. CLEANBOX_BLOCK (+8.0)
Unique to Cleanbox. 10+ Cleanbox users have reported this sender as spam, with a 90%+ spam ratio. This is crowd-sourced protection — when a spammer targets multiple Cleanbox users, the first few reports protect everyone else.
14. CLEANBOX_TRUSTED (-2.0)
Unique to Cleanbox. 5+ teams have whitelisted or prioritized this sender. This is a strong positive signal — real humans trust this sender. The negative score makes it less likely to be flagged as spam.
15. MIME_BAD_ATTACHMENT (+4.0)
The email contains an attachment with an invalid or dangerous MIME type. Common in malware distribution — executables disguised as documents, double extensions (.pdf.exe), or types that should never be in email.
Reading a full spam report
A typical spam report looks like this:
BAYES_HAM -3.0
R_DKIM_ALLOW -0.2
R_SPF_ALLOW -0.2
DMARC_POLICY_ALLOW -0.5
MIME_GOOD -0.1
RCVD_COUNT_THREE 0.0
RCVD_TLS_ALL 0.0
---
Total: -4.0
This email scored -4.0 — very legitimate. Bayesian classifier says ham, all authentication passed, good MIME structure. This email will be delivered without issue.
Compare with a spam report:
BAYES_SPAM +5.1
R_SPF_FAIL +1.0
FORGED_SENDER +0.3
ZERO_FONT +1.0
CLEANBOX_GREYLIST +2.0
RCVD_NO_TLS_LAST +0.1
---
Total: +9.5
This email scored +9.5 — well above any reasonable threshold. Bayesian says spam, SPF failed, sender is forged, invisible text detected, and Cleanbox users have reported this sender before.
Using symbols in Cleanbox filters
You can create filters that match on specific symbols, regardless of total score. This is useful for zero-tolerance rules:
- Block all emails with ZERO_FONT (invisible text = always spam)
- Block all emails with PHISHING (verified phishing URL)
- Flag emails with DMARC_POLICY_REJECT for manual review
- Sort bulk ESP emails (CLEANBOX_BULK_ESP) to a "Marketing" folder
For the full list of symbols available in filters, see our Spam symbols available in filters helpdesk article. For step-by-step filter setup, see Creating your first filter rule.
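An added example (not Cleanbox or Rspamd code) that parses reports in the layout shown under "Reading a full spam report", re-sums the symbol scores, applies the article's approximate default thresholds, and then checks the symbol-based rules from the filter list. The function names, the action strings and the second sample report are constructed for illustration.

```python
import re
QUARANTINE, REJECT = 3.0, 6.0   # the article's approximate default thresholds
# Symbol rules from the article's filter list; the action strings are made up here.
RULES = {"ZERO_FONT": "block", "PHISHING": "block",
         "DMARC_POLICY_REJECT": "review", "CLEANBOX_BULK_ESP": "folder:Marketing"}
LINE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+([+-]?\d+(?:\.\d+)?)$")

# The spam report from the article, copied as-is.
SPAM_REPORT = """\
BAYES_SPAM +5.1
R_SPF_FAIL +1.0
FORGED_SENDER +0.3
ZERO_FONT +1.0
CLEANBOX_GREYLIST +2.0
RCVD_NO_TLS_LAST +0.1
---
Total: +9.5"""
# Constructed sample: Bayes and authentication look clean, but a phishing URL is present.
LOW_SCORE_PHISH = """\
BAYES_HAM -3.0
R_SPF_ALLOW -0.2
R_DKIM_ALLOW -0.2
PHISHING +4.0
---
Total: +0.6"""

def parse_report(text):
    """Return ({symbol: score}, stated_total_or_None) for a report in the layout above."""
    symbols, stated = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or the --- separator
        if line.lower().startswith("total:"):
            stated = float(line.split(":", 1)[1])
        elif (m := LINE.match(line)):
            symbols[m.group(1)] = float(m.group(2))
        else:
            raise ValueError(f"unrecognized report line: {raw!r}")
    return symbols, stated

def evaluate(text):
    symbols, stated = parse_report(text)
    total = round(sum(symbols.values()), 2)
    if stated is not None and abs(total - stated) > 0.01:
        raise ValueError(f"stated total {stated} != summed {total}")
    verdict = "reject" if total > REJECT else "quarantine" if total > QUARANTINE else "deliver"
    matched = {s: RULES[s] for s in symbols if s in RULES}  # presence only, score ignored
    return {"total": total, "verdict": verdict, "rules": matched}
```

The constructed report totals +0.6 and would be delivered on score alone; only the PHISHING symbol rule catches it, which is the case the filter list is written for.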