You might continue to see unwanted email after you begin using SpamStopsHere, especially during the first day or so as your MX record changes propagate throughout the Internet. To help optimize your configuration, this page explains how to prevent unwanted email from getting through or bypassing our spam filters.

Don't hesitate to contact us. As a customer, you can call, chat or email us anytime. We're here 24/7/365 to help you eliminate your spam problems.

Background and Terminology

If you're familiar with "MX records", "A records" and "Time to Live", you can probably skip to the next section. If you're new to email administration, you might also want to read about how email works.

MX Records

Your DNS Mail Exchanger (MX) records tell sending servers where to deliver mail for users in your domain. It's like a street address for a family's snail mail. If you don't use a hosted spam filter, your MX records probably specify the address of your mail server or service.

Use our Wiki how to change your MX Record article to configure your MX record correctly based on DNS provider.

You can specify multiple MX records, each pointing to a different server in case one is down. Each record must include a priority; with lower numbers meaning higher priority. Simple Mail Transfer Protocol (SMTP) clients are supposed to look up your MX records and try to deliver to the highest priority server (lowest number) first. Only if that fails should they try the next priority server in the list.

The syntax for each record is:

<your domain> MX <priority> <your inbound mail server's domain>

Example (two MX records for one domain):

example.com  MX  10  relay1.example.com
example.com  MX  20  relay2.example.com


For us to filter your incoming mail, our server clusters become your "address". That's how hosted antispam services work. You simply modify your MX records so they point to us. It's like doing a change of address. SpamStopsHere then receives your incoming mail, filters it and delivers it to you. The entire process only takes a few seconds, so you're unlikely to notice any delay.

After changing your MX records, SpamStopsHere receives your incoming mail, filters it and delivers it to you

When you first signed up for SpamStopsHere, you received an email with instructions on how to change your records in order to activate our service. Generally, you change your MX records in the control panel for your mail hosting service. It's the one step we cannot do for you, but it's usually easy. Our support team might even be able to help walk you through it.

"A" Record

Your "A" record resolves your mail domain (e.g., mail.example.com) to an IP address. Do not change your "A" record for SpamStopsHere if you are using your mail domain to connect to your email server to send or receive mail, or if you have us sending your email there. Leave it as is.

Time To Live

After changing your MX records, there is a time period during which email may be sent either to your old records or through our service, as the change propagates through the Internet. This is caused by the Time To Live (TTL) of your MX records, once the TTL expires all mail should go through our service. This usually takes 24-72 hours after switching your MX records.

MX Record Switch Takes Time to Propagate Across the Internet

Preventing Email from Bypassing our Spam Filters

Although SpamStopsHere is very easy to set up, sometimes you'll need to take a few extra steps to make sure incoming email does not continue to bypass our servers after the TTL expires. Some domains get more bypasses than others, as everyone's spam problem is a little different. You can determine if an email message bypassed our service by reviewing the full email headers. If you still see a lot of spam bypassing our service, you can take a few additional steps, like optimizing your MX records, implementing a firewall and minimizing whitelisting (always a good idea).

Determine if an email message bypassed our service by reviewing the email headers.

Confirm Your MX Records are Correct

If your MX records are not changed correctly, some or all of your email could bypass our spam filtering or not get to you at all. Here's an example:

Not Correct (the customer left their server in the list)

example.com  MX  10  example-com.relay1a.spamh.com
example.com  MX  20  example-com.relay1b.spamh.com
example.com  MX  25  mail.example.com
example.com  MX  30  example-com.relay1c.spamh.com

Correct (customer's server is not in the list)

example.com  MX  10  example-com.relay1a.spamh.com. 
example.com  MX  20  example-com.relay1b.spamh.com.
example.com  MX  30  example-com.relay1c.spamh.com.
The actual numbers listed in the priorities are irrelevant, only relevant thing is the numerical order of the numbers. It is conventional to use 10, 20, 30, etc.

In the example above, the presence of the customer's server in the list might cause spam to bypass our filters. Professional spammers look up all of the MX records for your domain, and instead of starting with the highest priority one, they'll either select one at random, or select one that isn't a known anti-spam service. This can result in spam being sent directly to your email server instead of through us. Some spammers target the lowest priority MX record because these are often just "store and forward" email servers that queue email for the primary mail server and normally don't have any anti-spam system in place.

To be safe, we recommend that you completely remove your email server or service from your DNS MX records.

Also note that we do not look at your DNS MX records to determine where to deliver your email. We use the Customer Mail Servers setting in the SpamStopsHere Control Panel for your domain name to determine the mail server that handles your email.

Remove Backup Mail Exchangers

When using SpamStopsHere, our redundant mail exchangers act as your backups, so you should remove any backup mail exchangers from your MX records. This step is very important and is mentioned in the Domain Activation email that you receive when you first sign up. We recommend that you do this a few days after making the first DNS MX record changes.

A few days after you make this change, check to see if it has been done correctly.

Minimize Whitelisting

Whitelisting is how you tell an antispam service to let email from specific addresses, servers or entire domains bypass spam filtering and go directly to the recipients' inboxes. SpamStopsHere has a very low false positive rate, so whitelisting is generally not needed as a preventative measure. Nonetheless, we make whitelisting available and recommend using it only for specific needs

For example, some customers who use optional or custom filters to enforce policies need to identify specific senders whose email needs to be delivered even if they send what would otherwise be considered spam. They can identify such senders in their whitelist.

We don't recommend whitelisting your entire domain (e.g., @example.com). That's a dangerous practice and generally not necessary. Spammers commonly forge the sender's address to make it look like an email is coming from your domain. If you have whitelisted your domain, such email can more easily bypass spam filtering. Also, most of your intra-domain email is not going to go through our filters anyway, so you probably don't need to do it.

If you need to add whitelist entries, we recommend that you define each one as narrowly as possible. These guidelines can help you do that:

  1. Whitelist only the IP address of the sender's mail server;
  2. If you can't do that, then whitelist by email address;
  3. Otherwise, whitelist by domain.

Implement a Firewall

Using a firewall forces all senders to honor your MX records. Otherwise, spammers can get around them and send you dangerous email. Here are some examples:

The spammer has your IP address
Spammers that have your email address in their mailing list might also have the IP address of your email server cached in their mailing list database. If so, they don't need to perform a DNS query (look up your MX records) when sending you email. It actually saves them a few seconds and lets them send spam about three times faster.
The spammer is correctly guessing your IP address
Spammers try to guess your IP address of your mail server (e.g., mail.example.com) by sending mail to the IP address for your domain (e.g., example.com). To help prevent this, make sure the two do not resolve to the same IP address. Try setting your domain's IP address to the same address as your web server instead.
The spammers is correctly guessing the name of your mail server.
To help prevent this, use a more unique name for your mail server (e.g., inh2946.example.com) and making sure that common names that spammers are likely to try (smtp.example.com, mail.example.com, etc.) do not resolve to the IP address of your mail server.

To avoid that, configure a firewall so your email server accept connections only from our servers. Emails that don't honor your MX records (if they point only to our servers) will almost never be able to bypass our service. It will prevent anyone other than us from connecting directly to your mail server, so all mail coming to your server or service will be relayed from us.

We recommend that you wait until your MX Time To Live (TTL) has expired before setting up a firewall

Preventing Spam from Getting Through

SpamStopsHere is designed to stop virtually all spam, viruses, trojan horses and other malware without much user interaction, especially after optimizing your setup. Sometimes, users still see a small amount of what they consider to be spam. Here are some of the most likely reasons and what you can do.

Viruses, Trojans and Other Malware

Unwanted email could actually be a virus problem, not a spam problem. All editions of SpamStopsHere include our proprietary zero-hour protection against email-based viruses, trojans, and other malware (like Cryptolocker and Locky). We identify and block such threats by examining the entire delivery system. As a hosted service, we also have a global view of email traffic, which helps us detect spammy patterns.

In addition to our zero-hour protection, the Business, Professional and Enterprise editions also include a more traditional third-party virus scanner. If you're using the Standard edition and you continue to see some viruses getting through, you might consider upgrading.

Bounce Messages aka Non-Delivery Reports

If an email you send can't be delivered, a non-delivery report is mailed ("bounced back") to your inbox with information about the failed attempt. You might find yourself receiving these bouncebacks for email that you never sent. That's because spammers can forge ("spoof") the address of the sender, adding legitimacy to the email. For every such message that can't be delivered, the bounceback might be sent to the spoofed address.

If you're getting these, it probably means someone is sending spam with your addressed forged. It doesn't necessarily mean the spammer hacked into your account or email server, but they at least know your email address.

This is often just an annoyance, but we can't block all bounce messages to an address because we can't determine which ones are in reply to emails you actually sent. It's usually not a good idea to block these important diagnostic messages anyway. However, you can create your own content filters to block the spammy ones. Contact us anytime if you need help doing so.

Unique or Highly Targeted Spam

An important (but not the only) weapon in our arsenal are spam traps, also know as "honeypots". These are very old email addresses that, because of their age and other factors, receive a lot of spam. This helps us accurately profile many campaigns so we can block them going to any of our customers.

Recently, we've seen a rise in more targeted campaigns like ["CEO spam" like money-transfer requests] that are sent to a few specific people, like employees in various businesses with access to corporate funds. Such addresses are not in our spam traps, so we can't block the campaign until we see it, which can be delayed a little if the recipients are not reporting to our Threat Analysis.

If you can, please report such spam immediately to spam@spamstopshere.com We can investigate and take proactive measures to make sure that you no longer receive spam from these spammers.

Multiple Copies of Spam

You may be getting multiple copies of the same spam that is not yet in our database. That usually occurs when a customer has a "catch all" email alias that forwards email sent to multiple addresses to one inbox. Disabling your catchall email alias can help eliminate it.

Forgotten or Unwanted Subscriptions

Users sometimes get email they don't want (like a newsletter) from companies known to have good subscription policies or otherwise known to be legitimate. This can happen when a user has forgotten they subscribed, think it's unsafe to unsubscribe, or was subscribed maliciously. The easiest way to get rid of such mail may simply be to unsubscribe. Contact us if you feel uncomfortable doing so.

Filter Action Setting

You may be receiving spam that SpamStopsHere correctly identified as such if you've set the filter catching it to FORWARD or MODIFY SUBJECT. If you don't want to see such spam anymore, change the filter setting to REJECT or DELETE. If available, you can send it to your quarantine.

Other Resources