Tutorials12 min read

Fix Custom Domain Spam: Rspamd Tuning Guide (2026)

Stop spam on your custom domain. Real Rspamd thresholds, RBL tuning, greylisting tactics.

By JustEmails Platform Team

Last Tuesday, I opened my inbox to 47 unread messages. Eleven were legitimate. The rest: crypto investment pitches, fake invoice PDFs, three offers to sell me my own domain back, and one creative attempt at a Nigerian prince scam updated for 2026 (they're doing AI assistants now, apparently).

Forty-seven messages. Eleven real.

This was a custom domain I'd set up two months ago. Clean WHOIS privacy. No public contact form. I did everything "right." Still got hammered. (I'll admit I spent an embarrassing amount of time wondering if I'd somehow signed up for spam newsletters in my sleep.)

Here's the thing — switching to custom domain email trades Gmail's 15-year spam-filter advantage for control over your own mail. That control comes with work. And honestly? Most tutorials gloss over this part because it's tedious. If you're seeing more spam than you did on a @gmail.com address, it's not because your provider is broken. It's because your domain is new, your filters are at defaults, and spammers have ways of finding you that have nothing to do with how careful you were.

We're the JustEmails team — JustEmails is built by Velocity Digital Labs, and we run Rspamd + ClamAV as the filtering stack across every mailbox. This is the tuning guide we give to anyone whose inbox is drowning. Real thresholds, real trade-offs, real fixes. If you're still evaluating email hosts, our Google Workspace alternatives comparison covers the full landscape.

Why Custom Domains Attract Spam

Before you touch settings, understand the attack surface.

WHOIS records. Even with privacy protection, domain registrations create a paper trail. Registrars get breached. Privacy services have gaps. The moment you register a domain, it's in databases that spammers scrape daily. This isn't paranoia — it's the business model.

Catch-all addresses. If you configured *@yourdomain.com to route to your inbox, congratulations: you're accepting mail to every address spammers can guess. sales@, info@, admin@, and 10,000 variations generated by dictionary attacks. Catch-alls are convenient. They're also a spam magnet. I've made this mistake more times than I'd like to admit — set up a catch-all "just in case," then wondered why I'm drowning a month later. (More on this below.)

Scraped websites. If your email address is anywhere on the public web — contact page, footer, GitHub profile, LinkedIn — bots have it. The scraping-to-spam pipeline runs in hours, not days. A fresh domain with a contact form can start receiving junk within 48 hours of launch.

New domain reputation. Gmail, Outlook, and Yahoo have sender reputation systems that track billions of addresses. Your brand-new domain has no reputation. Filters that would auto-junk something on a known-bad domain give yours the benefit of the doubt. That doubt gets exploited. Understanding how email authentication works helps here — SPF, DKIM, and DMARC won't stop inbound spam, but they're foundational to overall mail hygiene.

None of this means custom domain email is a mistake. It means the default filter settings are calibrated for mature domains with established traffic patterns. New domains need tuning.

And yes, that's annoying. Nobody tells you this upfront.

How Rspamd Actually Filters Mail

Most custom domain hosts use Rspamd (open-source, fast, actively maintained) or SpamAssassin (older, slower, still works). JustEmails uses Rspamd with ClamAV for malware scanning. Understanding how scoring works lets you tune intelligently instead of blindly.

Rspamd assigns every message a spam score. Higher score = more spam-like. Simple enough. The score comes from hundreds of rules, each contributing positive or negative points:

  • Header analysis. Malformed headers, missing Message-ID, weird character encoding. Legitimate mail rarely has these issues. Spam constantly does.
  • Content rules. Known spam phrases, suspicious URLs, obfuscated text, excessive caps and punctuation. "URGENT: Your account has been compromised!!!" scores high.
  • RBL checks. Real-time blocklists like Spamhaus, Barracuda, SORBS. If the sending IP is on a blocklist, the score goes up. A lot.
  • SPF/DKIM/DMARC results. Failing authentication adds points. Passing doesn't remove points — it just avoids the penalty.
  • Bayesian filtering. Trained on your specific corpus of spam and ham. This is where user feedback actually matters.
  • Greylisting. Not a score — a delay tactic. Rspamd can defer mail from unknown senders temporarily. Legitimate servers retry. Botnets often don't.

What happens at each threshold:

ScoreTypical action
0-4Delivered to inbox
4-6Greylisted (if enabled)
6-15Delivered with spam header, client moves to junk
15+Rejected at SMTP level, sender gets bounce

These are defaults. You can (and should) adjust them for your domain. The people who don't? They're the ones writing angry forum posts about how "custom domain email is unusable."

Step 1: Check Your Current Settings

Before changing anything, know where you're starting. In JustEmails, go to Domain Settings > Spam Filtering and look at:

  • Reject threshold — mail above this score is bounced
  • Add header threshold — mail above this gets X-Spam: Yes header
  • Greylist threshold — mail above this from unknown senders gets delayed
  • RBLs enabled — which blocklists you're checking

Write these down. If your changes make things worse, you'll want to revert.

Also pull the last 7 days of Rspamd history. You're looking for:

  • What score range are the spam messages landing at?
  • Are legitimate messages scoring above 4?
  • Any patterns in the rules that triggered?

Step 2: Tighten the Catch-All (Or Kill It)

Look, I get it. Catch-alls are convenient. You can give out invoices@, billing@, whatever, without creating mailboxes. But if you're drowning in spam, the catch-all is usually why.

I'm biased here — I think catch-alls are overrated for 90% of use cases.

Option A: Kill it entirely. Only mail to addresses you've explicitly created gets delivered. Everything else bounces. Most aggressive, most effective. If you don't need info@ to work, delete the catch-all route.

Option B: Route to a spam-tolerant mailbox. Keep the catch-all but send it to a separate mailbox you check weekly for lost mail, not your primary inbox. Treat it as a spam trap with occasional signal.

Option C: Catch-all with auto-discard scoring. Some setups let you apply a higher spam threshold specifically to catch-all matches. If the address doesn't exist and the score is above, say, 4, discard immediately instead of 15. Aggressive, but it works.

We recommend Option A for most people. Full stop. If you've published 30 different addresses across the web over the years, Option B is the pragmatic middle ground — but you'll probably regret not cleaning that up sooner.

Step 3: Tune Your Rspamd Thresholds

Default thresholds are conservative. They're set to avoid false positives at the cost of letting some spam through. For a new domain getting hammered, tighter settings help.

Recommended starting point for aggressive filtering:

  • Reject: 12 (down from 15)
  • Add header: 5 (down from 6)
  • Greylist: 3 (down from 4)

In JustEmails, you can set these in Domain Settings > Spam Filtering > Thresholds. Save, and test by sending yourself mail from an outside account. If legitimate mail starts bouncing or landing in junk, raise the thresholds by 1-2 points.

Be cautious with the reject threshold. Mail rejected at SMTP level is gone — the sender gets a bounce, you never see it. If you set this too low, you'll silently lose legitimate mail from senders whose servers happen to be on a blocklist for unrelated reasons. 12 is aggressive but defensible.

Going below 10? You're asking for trouble. I've seen people set it to 8 and then wonder why they never heard back from that recruiter.

Step 4: Enable Greylisting (With Caveats)

Greylisting works. It's simple: when an unknown sender connects, return a "try again later" response. Real mail servers retry automatically (usually within 5-15 minutes). Spam botnets are stateless — they fire once and move on. No retry, no delivery.

The trade-off: time-sensitive mail from new senders arrives late on first contact. Password resets, order confirmations, authentication codes from new services. If your workflow depends on immediate delivery from unfamiliar senders, greylisting will frustrate you.

Practical approach:

  1. Enable greylisting with a 5-minute deferral
  2. Whitelist your known critical senders (banks, SaaS tools, payment processors)
  3. Monitor for complaints about delayed mail
  4. If delay complaints outweigh spam reduction, disable it — no shame in that

JustEmails has greylisting in Domain Settings > Spam Filtering > Greylisting. The whitelist is per-domain.

Step 5: User-Level Rules (Where Training Matters)

Server-side filtering catches the bulk. User-level rules finish the job.

Mark spam as spam. This sounds obvious, but most people just delete junk without marking it. (Guilty.) When you flag a message as spam (or move it to the Spam folder), Rspamd learns. One flagged message doesn't change much. Consistent flagging over 30-60 days trains the Bayesian filter on your specific traffic.

Mark ham as ham. When legitimate mail lands in spam — and it will, especially in the first weeks — pull it back to inbox and mark it as "not spam." This is equally important. False positives are training data too.

Subject-line filters for repeat offenders. If you're seeing the same patterns repeatedly (subject lines with "URGENT" and cryptocurrency, From addresses with random character strings), set up user-level rules. In most mail clients: Settings > Filters > New Rule > If Subject contains X, move to Trash.

Sender blocklists. Direct blocking by From address is less useful than it sounds — spammers rotate addresses constantly. But if you're getting mail from a specific persistent domain (marketing spam from a company that won't honor unsubscribe), blocking the domain works. For the alias vs. forwarding distinction when setting up these rules, see our alias vs. forwarding explainer.

Common Mistakes That Make Spam Worse

I've made most of these. Sharing so you don't have to.

Responding to spam. Even to "unsubscribe." This confirms your address is active. Real companies honor unsubscribe. Spam operations sell your confirmed-active address to the next buyer.

Publishing your real address everywhere. If you need a contact form, use a role address (contact@) that you can abandon if it gets burnt. Keep your personal address off the public web.

Not enabling DMARC. Wait — DMARC is outbound, not inbound. True. But here's the trick: if you're receiving spoofed mail that claims to be from your own domain, your DMARC policy helps recipients reject it. And if senders you receive mail from have good DMARC policies, your filters can weight that positively. Our DMARC enforcement guide covers ramping from p=none to p=reject safely.

Setting reject threshold too low. Again: rejected mail is invisible. You don't get a copy. You don't know you missed it. If a client sends you a legitimate message and it bounces, they might not tell you — they'll just assume you're ignoring them.

Keep the reject threshold above 10. Trust me.

The 30-Day Tuning Cycle

Don't touch settings daily. Check weekly, adjust once, wait another week.

Week 1: Baseline. Note how many spam messages land in inbox vs. spam folder vs. rejected.

Week 2: Tighten thresholds by 1-2 points if spam is winning. Train Bayesian filter aggressively — mark every spam message, rescue every false positive.

Week 3: Review Rspamd history. Look for rules triggering incorrectly. Whitelist legitimate senders that keep getting greylisted.

Week 4: Stabilize. If false positives are minimal and spam is manageable, stop touching settings. Let the filter train.

After 30 days, your domain has some reputation, your filter has training data, and the defaults start working better.

The first month is the hard part. It gets better. Promise.

For background on the DNS setup that feeds into all this, our custom domain email setup guide covers the MX, SPF, DKIM, and DMARC records that make filtering work. If you're migrating from a per-seat provider, our Microsoft 365 migration guide walks through the mailbox export process. For teams weighing cost trade-offs, the flat-fee vs. per-mailbox pricing breakdown shows where each model wins.

Frequently Asked Questions

Why does my custom domain get more spam than Gmail?

Gmail has 15+ years of sender reputation data, billions of training examples, and aggressive pre-filtering at the network edge. Your custom domain is new to spam filters — it doesn't have that reputation history, so borderline mail gets through. Add public WHOIS records, scraped contact pages, and catch-all addresses, and spammers have a verified target list. The fix isn't switching back to Gmail — it's tuning your filters and letting reputation build over 2-3 months of consistent usage.

What's a good Rspamd spam threshold for a small domain?

Most small domains do well with reject at 15, add header at 6, greylist at 4. If you're seeing too many false positives (legitimate mail marked spam), raise the add-header threshold to 7-8. If spam is slipping through, lower the reject threshold to 12. Check your Rspamd history tab weekly for the first month and adjust based on what you actually see — every domain's traffic is different.

Should I enable greylisting on my custom domain?

Yes, but with caveats. Greylisting delays first-time senders by 5-15 minutes while their server retries. Legitimate mail servers retry automatically. Spam botnets often don't. The trade-off: time-sensitive mail from new senders (password resets, order confirmations from new vendors) arrives late on first contact. If that's a problem for your workflow, enable greylisting but whitelist critical sender domains manually.

How do I train my spam filter on a new domain?

Mark spam as spam, mark ham as ham — consistently. Most filters (Rspamd, SpamAssassin) learn from your corrections. When a spam message lands in your inbox, move it to spam or use the 'report spam' function. When a legitimate message lands in spam, move it to inbox and mark as 'not spam'. Do this for 30-60 days and the filter learns your traffic patterns. There's no shortcut — training data is everything.


Try JustEmails

Unlimited custom domain email hosting for $49/year flat — unlimited domains, unlimited mailboxes, 10 GB storage, full IMAP/SMTP. Built for agencies, freelancers, and anyone managing email across more than one domain.

Start your 7-day free trial → · How it compares

spam-filteringrspamdcustom-domain-emailemail-securityinbound-emailbuildinpublicsaasstudioaiworkforcebuildwithclaude

Related posts