How does SpamAssassin scoring work?

Quick Answer
SpamAssassin runs hundreds of rule-based tests against each email and assigns a numeric score — negative points for legitimacy signals, positive points for spam-like characteristics. Messages scoring 5.0 or higher (the default threshold) are typically flagged as spam. It’s widely used in business and self-hosted mail environments alongside proprietary filters from Gmail and Microsoft.

SpamAssassin is an open-source spam filtering engine used by many hosting providers, corporate mail servers, and security gateways. It analyzes incoming email and assigns a numeric score indicating how likely a message is to be spam.

While major mailbox providers like Google and Microsoft use proprietary filtering systems, SpamAssassin is still widely deployed in business and self-hosted environments. Understanding how it scores messages helps identify content and configuration issues before sending.

How the Scoring System Works

SpamAssassin runs hundreds of rule-based tests against an email.

Each triggered rule adds or subtracts points.

The total score is the sum of all triggered rules.

  • Negative score → legitimacy signals detected
  • 0 → neutral
  • Positive score → spam-like characteristics
  • 5.0+ → commonly marked as spam (default threshold)

Mail server administrators can change the threshold. Some use 3.0 or lower.

For safety, aim for a score below 3–4, with 0–2 being ideal.
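
As an added example (not part of the original guide and not SpamAssassin's own code), the Python below reads the X-Spam-Status header that SpamAssassin writes into a scanned message and compares the total against both the receiver's threshold and a stricter margin. The sample message is constructed, and the names parse_spam_status and triage and the 3.0 margin are assumptions chosen here to match the guidance above.

```python
import re
from email import message_from_string

# Constructed sample message; addresses, rule hits and version are illustrative.
SAMPLE = """\
From: newsletter@example.com
To: user@example.org
Subject: Monthly update
X-Spam-Status: No, score=3.4 required=5.0 tests=BAYES_50,DKIM_SIGNED,
\tDKIM_VALID,HTML_MESSAGE,SPF_PASS autolearn=no version=3.4.6

Body text.
"""

def parse_spam_status(raw_message):
    """Return flag, total score, threshold and triggered rules, or None."""
    header = message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None                      # message was not scanned
    flat = " ".join(str(header).split())  # unfold continuation lines
    verdict, _, rest = flat.partition(",")
    rest = re.sub(r",\s+", ",", rest)     # rejoin a rule list split by folding
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "flagged": verdict.strip().lower() == "yes",
        "score": float(fields["score"]),        # sum of all triggered rules
        "required": float(fields["required"]),  # receiver's threshold
        "tests": tests,
    }

def triage(status, margin=3.0):
    """Classify against the receiver's threshold and a stricter margin."""
    if status["score"] >= status["required"]:
        return "spam"
    if status["score"] >= margin:
        return "at-risk"  # delivered here, but a stricter server would flag it
    return "ok"

if __name__ == "__main__":
    status = parse_spam_status(SAMPLE)
    print(status["score"], status["required"], triage(status))
    print("rules:", ", ".join(status["tests"]))
```

The rule names in the tests field are the starting point for diagnosis: each one maps to a specific header, body, or reputation check that contributed to the total.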

What SpamAssassin Evaluates

SpamAssassin analyzes five primary areas:

1. Headers

Authentication results (SPF, DKIM), sending patterns, routing integrity.

2. Body Content

Spam phrases, excessive capitalization, poor HTML structure.

3. Raw Message Structure

Encoding issues, malformed MIME parts, obfuscation tricks.

4. URLs and Links

Blocklisted domains, URL shorteners, mismatched anchor text.

5. External Reputation

DNS blocklists and other reputation databases.

SpamAssassin can also use Bayesian filtering, which evaluates word patterns statistically based on previously classified spam and legitimate mail.

Understanding Negative Scores

Some tests subtract points when legitimacy signals are present.

Examples include valid DKIM signatures and trusted authentication results.

Large negative scores usually indicate that the recipient server has explicitly allowlisted the sender. This is configured by the receiving administrator and cannot be controlled by the sender.

Important Context

SpamAssassin primarily evaluates message-level signals: structure, content, and authentication.

Modern consumer mailbox providers evaluate far more:

  • Sender reputation
  • Engagement behavior
  • Sending consistency
  • Historical complaint patterns

Passing SpamAssassin does not guarantee inbox placement, but failing it can cause delivery problems — especially in corporate environments.

Best Practices

To maintain a strong SpamAssassin profile:

  • Ensure SPF, DKIM, and DMARC are correctly configured
  • Use clean, well-structured HTML
  • Avoid URL shorteners
  • Monitor domain and IP reputation
  • Avoid spam-trigger language
  • Maintain list hygiene

SpamAssassin is a diagnostic layer, not a full deliverability system. It helps identify technical and content risks before campaigns are sent.