
Relay spam symbols and virus scanning

Relay addresses have advanced protection features that go beyond basic spam scoring: spam symbol rules that let you block emails based on specific indicators, IP blacklist checking against known spam sources, and ClamAV virus scanning for malware detection. This article explains each feature.

Spam symbol rules

While the spam threshold blocks emails above a certain total score, symbol rules let you block messages that trigger specific spam indicators — regardless of their total score. This is useful when you want a zero-tolerance policy for certain types of forgery or deception.

Spam symbols are organized into three categories:

Authentication symbols

| Symbol | What it means |
|---|---|
| SPF Fail | The sender's IP address is not authorized by the domain's SPF record. This means someone outside the domain's allowed servers sent the email. |
| SPF Softfail | The sender's IP is not listed in the SPF record, but the domain uses a ~all (soft) policy rather than -all (hard). Less certain than a full failure. |
| DKIM Reject | The DKIM cryptographic signature on the email failed verification. The email was modified in transit or the signature is forged. |
| DMARC Reject | The email fails the sender's published DMARC policy. This combines SPF and DKIM alignment checks. |
| Forged Sender | The From header does not match the actual sender identity (envelope sender). Common in phishing. |

Reputation symbols

| Symbol | What it means |
|---|---|
| No rDNS | The sending server has no valid reverse DNS record. Legitimate mail servers almost always have rDNS configured. |
| Bare IP | The Message-ID header contains a raw IP address instead of a hostname. Indicates a misconfigured or suspicious sending server. |
| No Received | The email has no routing headers (Received headers). This means it was likely forged rather than sent through normal email infrastructure. |

Content symbols

| Symbol | What it means |
|---|---|
| Zero Font | The email uses invisible text (font-size: 0 or color matching background) to confuse spam filters. A known spam evasion technique. |
| Hidden Parts | Many visually hidden sections in the email HTML. Used to stuff keywords or mislead filters. |
| Phishing Layout | The HTML body is tiny and contains primarily just a link and an image. This layout is typical of phishing emails designed to get you to click a link. |

How to enable symbol rules

  1. Go to Relay → select your domain
  2. Scroll to the Spam symbol rules section
  3. Toggle individual symbols on or off
  4. Save your settings

When a symbol rule is enabled, any email that triggers that symbol is automatically rejected — even if its total spam score is below your spam threshold.
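The precedence described above, shown as an added example (not Cleanbox's own code): a few of the symbols are derived from a raw message, and any enabled symbol rejects the message even when its score is under the threshold. The detection heuristics, the mapping from Authentication-Results verdicts to the article's labels, and the score passed in are assumptions; the sample message is constructed.

```python
import re
from email import message_from_string

# Rule set recommended in this article; names are the article's labels.
ENABLED = {"SPF Fail", "DKIM Reject", "DMARC Reject",
           "Zero Font", "Phishing Layout", "No Received"}
# Assumed mapping from Authentication-Results verdicts (RFC 8601) to labels.
AUTH = {"spf=fail": "SPF Fail", "dkim=fail": "DKIM Reject", "dmarc=fail": "DMARC Reject"}

# Constructed sample message (documentation addresses, not real traffic).
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com
From: "Billing" <billing@example.com>
Message-ID: <abc123@203.0.113.7>
Content-Type: text/html; charset="utf-8"

<html><body><span style="font-size:0">invoice bank secure</span>
<a href="https://example.net/pay">View invoice</a></body></html>
"""

def derive_symbols(raw):
    """Derive some of the article's symbols with simplified heuristics."""
    msg = message_from_string(raw)
    found = set()
    # Only trust Authentication-Results added by your own MTA; strip inbound copies.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    found |= {name for verdict, name in AUTH.items() if verdict in auth}
    if not msg.get_all("Received"):
        found.add("No Received")
    if re.search(r"@\[?\d{1,3}(\.\d{1,3}){3}\]?>", msg.get("Message-ID", "")):
        found.add("Bare IP")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if re.search(r"font-size\s*:\s*0(?![\d.])", html, re.I):
                found.add("Zero Font")
    return found

def decide(raw, score, threshold, enabled=ENABLED):
    """An enabled symbol rejects on its own; otherwise the threshold applies."""
    hits = sorted(derive_symbols(raw) & enabled)
    if hits:
        return "reject", hits
    return ("reject", ["score"]) if score > threshold else ("accept", [])

if __name__ == "__main__":
    print(decide(SAMPLE, score=2.0, threshold=5.0))
```

The sample also triggers Bare IP, but because that symbol is not in the enabled set it does not contribute to the rejection.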

IP blacklist checking

When enabled, Cleanbox checks the sending server's IP address against well-known blacklist providers (DNSBL) before delivery. If the IP is listed on any of the selected blacklists, the email is rejected.

This is recommended for relay addresses because it blocks known spam sources at the connection level, before the email content is even analyzed.

ClamAV virus scanning

ClamAV is an open-source antivirus engine. When enabled for your relay domain, every inbound email is scanned for viruses and malware before forwarding. This includes:

  • Attachment scanning (ZIP, PDF, Office documents, executables)
  • Email body content analysis
  • Known malware signature detection

If a virus is detected, the email is automatically rejected. The virus name is logged in the message record so you can see what was caught.

ClamAV scanning is evaluated first in the inbound processing chain — before contact states, Shield, spam scoring, or filters.

Recommended settings

For most relay setups, we recommend:

  • ClamAV: Always enabled. There is no downside to virus scanning.
  • IP blacklists: Enabled. Blocks known spam sources with minimal false positives.
  • Authentication symbols: Enable SPF Fail, DKIM Reject, and DMARC Reject. Leave SPF Softfail and Forged Sender off initially — some legitimate senders trigger these.
  • Content symbols: Enable Zero Font and Phishing Layout. These have very low false positive rates.
  • Reputation symbols: Enable No Received. Be cautious with No rDNS and Bare IP — some older but legitimate servers lack proper rDNS.